Mass phpBB attack free.hostpinoy.info and xprmn4u.info

Another injection attack reported by the ISC, and this time it appears to be using one of many potential flaws in phpBB. Injected code points to free.hostpinoy.info/f.js and xprmn4u.info/f.js, and a Google search of these two terms currently comes up with 858,000 matches between them indicating that this is a very large scale attack.

phpBB is a great bit of software, but sadly it is riddled with security holes and requires constant updating. If you're running a phpBB forum then you need to patch it as a matter or urgency. If you don't run phpBB and are looking at running a forum then I've got to say.. try something else.

It looks like some version of the Zlob trojan is being served up, see here and here for more details. (Thanks sowhatx). Detection rates seem to be patchy. It's possible that the injected code is using some sort of geotargetting as the destination sites are not consistent.

free.hostpinoy.info is 209.51.196.254 (XLHost.com)
xprmn4u.info is 217.199.217.9 (Mastak.ru)

Updated: A brief analysis of some of the impacted sites shows a mix of high traffic forums and long-dead ones. Some of these forums are hit with multiple exploits and massive amounts of spam, which indicates that they are running a very out of date version of phpBB.. so folks, if you have a forum which you don't use any more, do everyone a favour and delete it.

Rock Group plc / rockdirect.com in administration

UK notebook manufacturer Rock Group plc has gone into administrator (i.e. bankruptcy). A well-regarded supplier of high end notebooks, Rock's financial difficulties are rather unusual.

You might expect that a combination of the "credit crunch" and depressed sales due to the unpopularity of Windows Vista might be to blame, but it appears that the root cause of the problem was sales director Paul Bicknell who stole a staggering £200,000 from the company which led to serious cashflow problems. Bicknell squandered the money on online gambling sites and fast cars and was subsequently sentenced to three years in prison. More details here and here. Perhaps Bicknell took Rock's "change your life" slogan rather too seriously.

Deloitte & Touche LLP are the administrators, customers and trading partners should read the Rock press release and check the company web site for more details.

It's a shame to see a good company go under in such circumstances, but what is even more bizarre is that an employee's gambling addiction cause the problem.

(Tip: if you like a flutter rather too much and live in the UK, try talking to a counselling service such as GamCare). There are other similar services worldwide.

winzipices.cn and bbs.jueduizuan.com - another SQL injection attack

The ISC has warned about another SQL Injection attack, following on from this one a few weeks ago. This time the injection is inserting a script pointing to the winzipices.cn and bbs.jueduizuan.com domains.

The malicious script is pointing to winzipices.cn/1.js, winzipices.cn/2.js, winzipices.cn/3.js, winzipices.cn/4.js and winzipices.cn/5.js and also bbs.jueduizuan.com/ip.js. As ever, don't visit these sites unless you know what you are doing.

Right at the moment, winzipices.cn is coming up with a server error, but bbs.jueduizuan.com is functioning just fine. This tries to attack visiting systems using the MS07-004 vulnerability, a RealPlayer vulnerability plus it attempts to download an executable from www.bluell.cn/ri.exe possibly using a shell vulnerability (VirusTotal analysis here, mostly detected as Trojan.Win32.Agent.lpv, Trojan.MulDrop.origin or TR/Dropper.Gen).

Some IP addresses:
www.bluell.cn is 60.191.239.219
winzipices.cn is 60.191.239.229
bbs.jueduizuan.com is 60.191.239.219

My recommendation is to block access to the entire 60.191.239.x range if you can.

The the moment, a Google search for winzipices.cn shows 1790 matches, for jueduizuan.com it is 1640 matches. Expect those figures to climb sharply.

If you are running an impacted SQL server, then you need to secure it and perform better validation, else the problem will happen again. Client machines should be protected if they are fully up-to-date on patches, if you have been infected then use the excellent Secunia Software Inspector to check your system for vulnerable apps.

As always, there are some high profile sites that have been compromised. They may well have been cleaned up by now, so inclusion here does not mean that they are unsafe or safe to visit.

bbs.jueduizuan.com

• safecanada.ca (Canadian Homeland Security again).
• breastcanceradvice.com, arthritisissues.com, menssexhealth.com, www.bipolardepressioninfo.com (Health)
• dubaicityguide.com (Travel)
• classicdriver.com (Motoring)

winzipices.cn

• imo.org (International Maritime Organisation)
• cifas.org.uk (Fraud Prevention)
• hmdb.org (Historical Marker Database)
• abbyy.com (OCR software)
• cancerissues.com, adhdissues.com, depressionissues.com, diabeticdiets.org, erectilefacts.com, prostatecancerissues.com, digestivefacts.com (Health)
• www.asiamedia.ucla.edu, www.international.ucla.edu, www.asiaarts.ucla.edu, www.isop.ucla.edu (UCLA)
• newmarket.travel (Travel)
• discoverireland.ie (Travel)
• gay.tv (Lifestyle)

Some of these sites are regularly infected with SQL injection attacks, and safecanada.ca was infected with the last major outbreak. The problem is that once a site has been attacked and enumerated, then it will be attacked again and again until it is fixed.

As mentioned before, there is no such thing as a safe site.