By PatB
Contributing Writer, [GAS]
Gamers in China, desperate to get their powerups by cheating, are seeding Microsoft IIS servers with exploit code that will steal game logins. So far the mass attack has hit over 500k webservers.
Brian Krebs has the details, including some of the high-profile webservers affected at his blog on the Washington Post here.
Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.
On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw IIS was the cause of all the break-ins. When I asked Microsoft whether they’d heard from Panda or if the hundreds of thousands of sites were hacked from a patched or unpatched flaw in IIS, a spokesman for the company didn’t offer much more information.
According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.
All of the hacked sites appear to have Javascript coding adding to their page source that silently pulls down malware from a few domains in China, namely nihaorr1.com, and haoliuliang.net.
F-Secure says this is due to SQL injection and provides the details here:
So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. There’s a set of files that gets loaded from these sites that attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all domains are unaccessible but that could change. So if you’re a firewall administrator we recommend you to block access to them.
The bad news is your webserver could be hacked. The good news is right now, users visiting your site won’t get pwn3d because of your webserver. Now is the time to harden your databases to make sure no one can inject code onto your webserver. Do it before the attackers come up with a new domain to host their malware.