
Posts Tagged ‘hacker’

WP Blog Owners! Check Your .htaccess Files!


Here at MICE, we don’t publicly advertise our security clients because it’s an open invitation to hackers.

However, I do need to tell you that I was recently hired to look over a self-hosted WordPress blog site that had been hacked.  I didn’t get to see the actual hacked message, but the client described it as a defacement of the main blog page saying, “You’ve been hacked.”

I am still trying to find out from the blog owner a few minor details to determine how it was actually done, but the .htaccess file had been modified giving the hacker permission to rewrite to all the files on the blog.

As soon as I find out the remaining information, I will post more details including screen shots of the website that the file redirected to.

I am blocking the actual redirect website with Xs in the line I found in question in the .htaccess file because I don’t want anyone going there, but if you see this code, delete it and re-upload the file.

RewriteRule .* http://xxx-xxxxx.xx/xx.cgi?4&parameter=ku [R,L]

The R flag stands for Redirect and the L flag means Last, so no further rewrite rules are processed once this rule matches.

You can open the .htaccess file in TextPad or Notepad: right-click the file and choose Open with.

More later, but this is your heads-up!
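One way to check an .htaccess file for this kind of line is sketched below. This is an added example, not code from the original post: the function name `external_redirects`, the host names and the sample file are constructed for illustration, and you would pass your own blog's host name(s) as `own_hosts`.

```python
import re
from urllib.parse import urlsplit

# RewriteRule <pattern> <substitution> [flags]; flags are not needed here because
# mod_rewrite redirects externally for any absolute URL on a different host.
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
CATCH_ALL = {".*", "^.*$", "(.*)", "^(.*)$", ".", "^", ".+"}

def external_redirects(htaccess_text, own_hosts):
    """Return (line_no, pattern, host, catch_all) for every RewriteRule whose
    substitution is an absolute http(s) URL on a host not listed in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue  # comment, RewriteCond, or another directive
        pattern, target = m.groups()
        if not re.match(r"https?://", target, re.I):
            continue  # internal rewrite such as /index.php or "-"
        host = (urlsplit(target).hostname or "").lower()
        if host not in own:
            findings.append((line_no, pattern, host, pattern in CATCH_ALL))
    return findings

# Constructed sample: the stock WordPress block, one injected catch-all redirect
# (placeholder host), and one legitimate redirect to the blog's own host.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule .* http://redirect.example.invalid/xx.cgi?4&parameter=ku [R,L]
RewriteRule ^old/(.*)$ https://blog.example.com/new/$1 [R=301,L]
"""

if __name__ == "__main__":
    for line_no, pattern, host, catch_all in external_redirects(SAMPLE, {"blog.example.com"}):
        kind = "every request" if catch_all else "matching requests"
        print(f"line {line_no}: {kind} ({pattern}) redirected to {host}")
```

A rule flagged as catch-all that points at a host you do not recognize is the pattern described in this post.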




Mal-Ads on the Rise Again


Over the past several days, I’ve received phone calls and requests for assistance because of some new mal-ads pushing yet another drive-by download.

Based on the discussion with one of these callers and their cry for help, I was able to get at some of the underlying script which was a PHP redirect.

Now for those of you who are unfamiliar with what that is, the simple explanation is that the page or ad being served up has code in it, written in the PHP language (my WP blog is written in PHP), that rotates what is displayed in the ad. I guess you could call it an ad rotation script.

The problem arises when the rotation script calls up an ad that actually redirects you to a file that downloads into your temporary Internet files and launches a pop-up or pop-under page.  Once you click the pop-up/pop-under page, you’ve launched the malware.

I described in a previous post: How To Stop The New Malware, the steps to take to stop this from happening.  But like anything else security related, no one listens until they are infected!

So let me remind you one more time! First, go to this post and change your settings according to the browser you are using.  (It covers IE and Firefox. If you want Safari and Chrome settings, leave a comment and I’ll post those too!)

Next, if the pop-up/pop-under appears, hold down the Control (CTRL) key, then the ALT key (hold it down too), and then press the DEL (delete) key to bring up your Task Manager. Just do that once, because doing it twice will cause your machine to reboot!

Keyboard commands for task manager


When the Task Manager appears, click the Applications tab (if it’s not already on it), click on Internet Explorer or Firefox (whichever applies to your browser), and then click the End Task button at the bottom.

Note: You will lose your entire browsing session, but it’s better to lose your browsing session than to get hit with this horrible malware, right?

If you end the task the way I described here, the malware will, for now, not be able to launch.

The biggest offender is still the FAKEAV (fake AV) malware, which includes the Antivirus 2009 malware. Trend Micro reports the loss to victims in an article:  Rogue AV Scams Result in US$150M in Losses

That being said, I have a theory why this is on the rise again. I tweeted an article today about the increase in online sales over the holiday season.  Specifically, Online Shopping Breaks Records at InformationWeek.

The article says that,

“November marks the official start of the holiday shopping season as millions of Americans search for gifts and deals both online and in stores,” said Jack Flanagan, executive VP of comScore Media Metrix, in a statement. “With nearly 4 out of 5 Americans online visiting a retail site during November, the Internet clearly represents an increasingly important channel for retailers during the holiday season and beyond.”

Now, we’ve discussed in the past the online shadow economy and how they benefit from this malware. Add to that the fact that more and more Americans are shopping online, and you have a hacker’s and identity thief’s heaven!

Is it any wonder there’s an increase in the number of mal-ads being pushed through the ad servers?




UPDATE JAVA & ADOBE!


I am shocked, nay appalled, that I’ve been out doing repairs, maintenance, and just overall visiting with friends and I see that they have NOT updated their JAVA and ADOBE Acrobat or Reader!

It’s not like I don’t have a Weekly Security Digest that tells you to update your Adobe. And it’s not like Java doesn’t pop up with its “Update Available” icon and reminder. But are you updating? NO!

And the two updates are related as there are public exploits available to take advantage of these flaws!

For those of you who are newer to the whole security thing, let me explain what I’m saying to you.

In layman’s terms, a vulnerability is a flaw or hole in a piece of software.

An exploit is a way (method) to use that flaw or hole to gain access to a person’s computer.

A public exploit means that a bunch of bad guys posted the way or method (exploit) on a public website where any hacker (bad guy) can see it and use it!

Now, put this all together: if you do not update your Java and Adobe products, you can fall victim to these bad guys, who learned how to get into your computer using a method they got off a website and use it to access the flaw or hole in your software.

You may be wondering how they do this.

They are doing it through a specially written (crafted) Adobe PDF. You may download it from a website that you think is legitimate. You might get it in an e-mail. You might even pay for it from a site that’s selling ebooks!

I can hear some of those more advanced readers saying, “WHAT?”

That’s right! Many of these Internet marketers and fly-by-night affiliate marketers are using very unsecured sites and web hosts to host their make-on-the-fly websites! It is very easy for someone to hack the site and replace the e-book with a bad one! Think about that!

And if you’re in doubt, and want to see some of the more recent vulnerable (has a hole or flaw) scripts that are out there right now, visit our archive of the most recent Security Digest and view the “Other Vulnerabilities” section! Trust me when I say that this was a very mild week for web applications!

And while you’re looking it over, click the Join Our Mailing List button in the left sidebar toward the top, and sign up for the free month’s trial of the Digest! (There are other FREE newsletters available there too!)

There is absolutely no reason why you should fall victim to these morons out there! We let you know what you need to do in our Security Digest and we even provide the link to the upgrades, patches, or fixes!

And for those of you who are more technical, or are the guru in your office or family, you’ll find the majority of the information very valuable because we put all the vulnerabilities in one place!

Did I also mention there is a section on current technical recalls?

Sales pitch done.

SIGN UP NOW and Update your JAVA and ADOBE READER NOW!

You can do this yourself!


