phpbb and sql errors

Today´s Diary

If you have more information or corrections regarding our diary, click here to contact us.

Published: 2009-07-03,
Last Updated: 2009-07-03 21:26:39 UTC
by Adrien de Beaupre (Version: 2)
0 comment(s) Facebookacebook witter

Question, what do Bing.com and Authorize.net have in common? Who would have guessed that they both have servers located in a data center that has had a fire? Or that they may have to put more into the planning portion of Disaster Recovery and Business Continuity? Authorize.net has been completely down for several hours now. Bing.com/travel had this to say: "A fire occurred at Fisher Plaza in downtown Seattle just after midnight on Friday morning. The blown transformer knocked out power to the entire building, which is home to the Bing Travel servers. We're hard at work to restore service following this unexpected event. Our current estimate for re-establishing Bing Travel functionality is 5pm PST, July 3rd." Perhaps they should have read one of our SANS papers on BCP/DRP planning.  Reading room link is here. More information is available at this twitter http://twitter.com/authorizenet where Authorize.net are tweeting. The media are also following the story, KOMO a local station was knocked offline but are broadcasting from a backup site. 

 Update: Authorize.net appear to be at least partially back up and running.

Keywords: bcp drp fire
0 comment(s) Facebookacebook witter
Published: 2009-07-03,
Last Updated: 2009-07-03 18:47:18 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s) Facebookacebook witter

Celebrate, watch fireworks, but don't click on links in emails or surf to sites with Fourth of July, Independence day, or Fireworks as key words. Websense is reporting that Waledac will be using the above subjects in emails with links to sites that appear to be a video, but instead downloads malware. Their alert is here. More information is also available at the ESET blog here.

0 comment(s) Facebookacebook witter
Published: 2009-07-03,
Last Updated: 2009-07-03 17:25:35 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s) Facebookacebook witter

"FCKeditor, a web based open source HTML text editor, suffers from a remote file upload vulnerability." The advisory is here. CVE-2009-2265 has been assigned to the vulnerability. The patch and a new version of the editor will be available next week (06 July). Keep a close eye on any system with this package installed on it, it is recommended to follow mitigation steps in the advisory in the meantime. A number of compromises have been reported as a result of the exploit being used prior to now. Thanks Andrea.

Keywords: coldfusion fckeditor
0 comment(s) Facebookacebook witter
Published: 2009-07-03,
Last Updated: 2009-07-03 16:50:12 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s) Facebookacebook witter

The credit card payment gateway authorize.net is currently down. A fire at their data center is apparently the cause.  Thanks to Joey, Tommy, and Jonathan for writing in.

Keywords: fire
0 comment(s) Facebookacebook witter
Published: 2009-07-02,
Last Updated: 2009-07-03 09:35:14 UTC
by Bojan Zdrnja (Version: 2)
2 comment(s) Facebookacebook witter

There have been a high number of Cold Fusion web sites being compromised in last 24 hours. We received several e-mails about this.

It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.

The attacks we've been seeing in the wild end up with inserted <script> tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.

What's interesting is that the group behind this is probably connected (if not the same) as the group that performed a lot of similar attacks back in March. I wrote several diaries about them – see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010

Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).

We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers – it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.

Thanks to Adam for giving us an early heads up.

UPDATE

We received some additional information about this whole case with ColdFusion. It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting.

First, version 8.0.1 of Cold Fusion installs a vulnerable version of FCKEditor which is enabled by default. This is very bad news, of course, since the attacker can just directly exploit FCKEditor to upload arbitrary files on affected servers. Information on how to disable this is available on the ColdFusion web site at http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

The second attack vector is again through vulnerable FCKEditor installations, but which are this time dropped through 3rd party application. One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion. Older versions of CFWebstore used vulnerable FCKEditor installations -- if you are using CFWebstore make sure that you are running the latest version and that any leftovers have been removed.

--
Bojan
 

Keywords: cold fusion malware
2 comment(s) Facebookacebook witter

If you have more information or corrections regarding our diary, click here to contact us.

Diary Archive

DateAuthorTitle
2009-07-03Adrien de Beaupre Authorize.net down
2009-07-03Adrien de Beaupre BCP/DRP
2009-07-03Adrien de Beaupre FCKEditor advisory
2009-07-03Adrien de Beaupre Happy 4th of July!
2009-07-02Daniel Wesemann Getting the EXE out of the RTF
2009-07-02Daniel Wesemann Time to update updating on PCs for 3rd party apps
2009-07-02Joel Esler Internet Storm Center Podcast Episode Number Fifteen
2009-07-02Daniel Wesemann Unpatched Bloatware on new PCs
2009-07-02Bojan Zdrnja Cold Fusion web sites getting compromised
2009-07-01Bojan Zdrnja New VMWare Security Advisory
Complete Archive
Search Diaries:

StormCast


last update 04 hrs 57 min ago.

Featured Event

Latest Reading Room Papers

Inside a Phish
Scanning Windows Deeper With the Nmap Scanning Engine
A Virtually Secure Browser
Incident Handlers Guide to SQL Injection Worms
Building an Automated Behavioral Malware Analysis Environment using Open Source Software

Poll

Trial software and Bloat pre-installed on new PCs...
... I uninstall/remove right away
... gets overwritten anyway when I install Linux or BSD
... gets overwritten anyway with a fresh install of Windows
... I actually like to try out and sometimes buy
... I keep installed but actually never use

Trends

trends more details

World Map

Worldmap