Nasty IE 0day exploit hosted on Amnesty International site
Visitors to Amnesty International's Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft's Internet Explorer browser, researchers at security firm Websense said. The injected IE attack code resides directly on the pages of amnesty.org.hk, an …
Something missing from this article...
"an indication that the perpetrators were able to penetrate deep into the website's security defenses."
And the web server is...?
Netcraft says:-
http://amnesty.org.hk was running Apache on Linux when last queried at 11-Nov-2010 06:16:06 GMT
Superfluous title
11/11/10 07:44:04 Browsing http://amnesty.org.hk/
Fetching http://amnesty.org.hk/ ...
GET / HTTP/1.1
Host: amnesty.org.hk
Connection: close
User-Agent: Sam Spade 1.14
HTTP/1.1 302 Found
Date: Thu, 11 Nov 2010 07:43:30 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b PHP/5.2.6
X-Powered-By: PHP/5.2.6
Status: 302 Redirected
Location: http://amnesty.org.hk/html
Content-Length: 66
Connection: close
Content-Type: text/html
Web server
Well the headers say:
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b PHP/5.2.6
Thank you everybody.
So it is Apache 2.2.9 on Unix with PHP 5.2.6. Both are not exactly new. Do we know how this was compromised? I'll scream if it was the good ol' SQL walk-in.
I am asking... because... to be honest, I think the compromising of a major site is somewhat more newsworthy than (yet another) IE exploit.
Wow
"bombarded with a host of lethal exploits"
Lethal? Blimey.
Well, have a look...
Netcraft, he say:
Linux Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8a DAV/2 PHP/4.4.7
...at the time of the compromise. Now updated, and secured, presumably. I trust you weren't looking for a MS IIS dig?
Who could be behind this I wonder
Hmm, Amnesty HK, Nobel Peace Prize targeted within a very short timescale. Anyone care to speculate that a certain large country in Asia with a not very good human rights record might have something to do with it?
Amnesty international == "Malicious website"
Perhaps from now on the writers of the alerts (especially MS) will not say that the exploit only works if the user is coerced into visiting a malicious website.
I would not describe the nobel prize foundation or Amnesty international as malicious. Given that these exploits can be hosted on almost _any_ webserver, the alerts should say that they can be exploited by visiting _any_ website.
While I agree
While I agree that MS, Mozilla, et al. should try to patch up this 0day stuff a bit (well a lot) quicker, I don't agree with your reasoning here.
Of course the Nobel Peace Prize lot or Amnesty International do not have any kind of malicious intent, but they are clearly at fault for putting together yet another swiss cheese website. At a guess, they simply failed to sanitise their inputs or outputs properly, to the effect that SQL commands could be injected through the querystring, and then the site would happily render script tags back out. Of course, it may have been that the sites were more secure, and this was a "proper" hack, but if world governments can't get it right, it wouldn't surprise me if a club and a charity couldn't either.
Patching 0day holes in browsers without breaking loads of legitimate stuff is often hard, a fact often overlooked by whinging pundits. Writing a website properly is not, hence I'd blame the site operators more here.
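The failure mode the comment above guesses at (a querystring value spliced into SQL, and the result echoed into the page unescaped) is easy to show side by side with the fix. The block below is an added example, not code from the thread or from the Amnesty site; it uses Python with an in-memory SQLite table rather than the PHP/MySQL stack the headers suggest, and the table, the guestbook messages and the `?id=` payload are all constructed for the demonstration.

```python
import html
import sqlite3

# Constructed attacker input for a ?id= parameter: a UNION that makes the
# query return a string of the attacker's choosing instead of a real row.
PAYLOAD = "0 UNION SELECT '<script>alert(1)</script>'"


def make_db():
    """In-memory guestbook with one legitimate row (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, msg TEXT)")
    db.execute("INSERT INTO guestbook (id, msg) VALUES (1, 'Welcome to the guestbook')")
    db.commit()
    return db


def store_message(db, msg):
    """Parameterised insert: whatever the visitor typed is stored verbatim as data."""
    db.execute("INSERT INTO guestbook (msg) VALUES (?)", (msg,))
    db.commit()
    return db.execute("SELECT last_insert_rowid()").fetchone()[0]


def page_vulnerable(db, id_param):
    """The 'swiss cheese' version: ?id= concatenated into SQL, rows echoed raw.

    Two separate bugs: the SQL injection lets the attacker pick what comes
    back, and the missing output encoding lets whatever comes back run as
    script in every visitor's browser.
    """
    sql = "SELECT msg FROM guestbook WHERE id = " + id_param
    rows = db.execute(sql).fetchall()
    body = "".join("<p>" + msg + "</p>" for (msg,) in rows)
    return "<html><body>" + body + "</body></html>"


def page_hardened(db, id_param):
    """Same page with both fixes: a typed, parameterised query and escaped output."""
    try:
        entry_id = int(id_param)          # reject anything that is not a row id
    except ValueError:
        return "<html><body><p>Bad request</p></body></html>"
    rows = db.execute("SELECT msg FROM guestbook WHERE id = ?", (entry_id,)).fetchall()
    # html.escape turns < > & " ' into entities, so stored markup is shown, not run.
    body = "".join("<p>" + html.escape(msg) + "</p>" for (msg,) in rows)
    return "<html><body>" + body + "</body></html>"


def demo():
    """Run both pages against the injection payload and against a stored payload."""
    db = make_db()
    injected = page_vulnerable(db, PAYLOAD)       # script tag lands in the page
    rejected = page_hardened(db, PAYLOAD)         # non-numeric id -> Bad request
    # Even a message legitimately stored via the safe insert must be escaped on output.
    new_id = store_message(db, "<script>alert(1)</script>")
    escaped = page_hardened(db, str(new_id))
    return injected, rejected, escaped


if __name__ == "__main__":
    for label, page in zip(("vulnerable", "hardened", "hardened+stored"), demo()):
        print(label + ":", page)
```

Note that the parameterised query alone would not have been enough: once a script tag is in the database (whether via injection or via an ordinary post form), only the output encoding stops it being rendered as live script.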
Just out of curiosity
...which group would be the most likely to target the site of an organisation that does so much good in the world? Generic hackers? Possibly if they were complete bastards. Or perhaps governments that have come under criticism for various human rights violations...?
Dammit, the man in the black helicopter stole my tin-foil hat.
Well
Windows users are like people who accept inefficient, tyrannical regimes and go along with them.
What?
I know everyone here loves their 'kool' Linux, *BSD, etc but that statement is a bit over-reaching. It may be hard to believe that there are people who use the computer who just want it to work, kinda like most people (myself included) don't know the ins and outs of their vehicle. I just want it to get me to A and B.....
websploit
Well, I visited a page last week with ie8 and my virus scanner went off the chart...
The page I visited (a popular forum, safe for work and nothing illegal) managed to change a regkey, install a proxy server, and change ie8's proxy configuration..
3 instances of the program were running, all from the temp directory, and the reg key would have seen it install another bit of software had I rebooted.. There was also a bit of script added for firefox so once it started it would have been compromised too...
I submitted the virus for online scans and a few sites said the file was fine, so some people would have been caught out..
DEP is enabled, but I can't rule out it loading as java or flash or something else of the ilk...
Sadly, the site I think it was doesn't seem to be installing again and I couldn't replicate it (I cleared cache and history as part of the cleaning process).
@garethfcompton
Can someone please DDoS Amnesty off line? I shan't tell Yasmin Alibhai-Brown if you don't. It would be a blessing, really.
