A lower total cost of 0wn3rship
Date: 24 April 2008

Original URL: http://www.auscert.org.au/render.html?cid=7066&it=9174

G'day

You might have noticed in recent times there's been a lot of talk around mass web defacements or malicious code injection - and Australian sites are no exception. Now for those who manage their own hosting infrastructure, this is usually easy enough to deal with, but when you outsource your hosting - be it due to cost, time or expertise - things can get a little more interesting.

Very recently we dealt with an incident which involved a particular Australian web hosting company - let's call them SlowResponseToSecurity.com.au. Making a long story short - we received about 1000 sets of FTP credentials to give back to the affected parties, and we did our best to contact them. While investigating the sites whose credentials were stolen we found that 20% of them had links to this Australian hosting/registration provider: they were either hosted on the provider's infrastructure or registered through this provider.

Here's the kicker - 50% of the sites whose credentials were stolen were infected and being used to infect others. In most cases, the sites had been compromised at least twice. Perhaps all the compromises were done via FTP - more likely it was a combination of FTP and SQL injection; one of the sites in particular has over 6 unique iframe and malicious JavaScript fragments.

Now 20% is a pretty big number to be clustered together - and while I have no proof, it makes me wonder whether there is a compromise a little deeper within the hosting provider's systems.

After repeated attempts by AusCERT and many customers to have some action taken, we are yet to receive a single response from the web hoster. Clearly they're unconcerned with what happens to their customers - or yours. Often a responsible web hoster will take a look for similar holes and plug those as well as contacting their affected customers.

As a business customer of such a provider I would be very concerned about the impact of the malicious code on my business, particularly when my customers receive warnings from their AV software. So if you're a customer of a company like this, I suggest you voice your concerns in a way that will make them listen, use your feet, and find someone else to provide hosting.

That's it from me, have a great long weekend.

MacLeonard