This is not a surprising finding, I realize, but how should it be addressed? That is:
- How does a person protect themselves from being redirected to a malicious web site in this way?
- How does a person protect their mother from being redirected to a malicious web site in this way?
- How does a person who has noticed a specific instance of this attack respond?
- How does a person whose web site has been compromised recover?
- How does a person prevent their web site from being compromised?
I stumbled across a pattern of malicious web links on otherwise trustworthy sites. The commonality: website//.php. PHP, up to and including PHP 5.2.10, was found. There may be other commonalities, such as weak passwords. These appear to be exploits of “PHP Include” vulnerabilities (CWE-98, #13 on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors). Specific examples (with spaces for legibility and to prevent inadvertent access):
Other examples can be found by searching for phrases, such as “snohomish county justice viewer” “digital decor” “nikon viewer vista driver” … pretty much any of the phrases within these web pages. You should expect other phrases as well. Open the web page and, the first time you visit it, you are redirected to a rogue anti-virus web site (such as clean-your-pca1.com or goodstats1.net/ in.cgi?11); on a second visit you see only text.
This situation is concurrent with “Operation Aurora,” which also uses web search poisoning. That does not mean that they are related. (See ‘Vulnerability-based Protection and the Google “Operation Aurora” Attacks’ from NSS Labs [pdf].) Web search poisoning is a technique to force users to visit a web site. Bear this in mind when Microsoft lists a mitigating factor, as in this paragraph from the 979352 security advisory:
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
Convincing a specific, arbitrarily selected person to visit a malicious Web site can be a challenge. Enticing a large number of randomly selected persons to visit a malicious Web site through search engine poisoning is not such a challenge.
I would speculate that someone is searching for vulnerable servers and running PHP file include attacks (Tipping Point explanation: part 1, part 2, part 3, part 4). The included code adds these web pages for the sole purpose of collecting search hits. The search hit redirects to a rogue anti-virus web site.
How does a person recover a compromised web site?
- Restore web site.
- Review code for configuration errors. Misconfigured software allowed this attack to occur.
- Update software to mitigate known vulnerabilities.
How does a person prevent their web site from being compromised?
- Review code for configuration errors. Misconfigured software allows this attack to occur. Securing PHP: Step-by-Step Checklist for Securing PHP Configuration
- Update software to mitigate known vulnerabilities.
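As an added example that is not from the post or the checklist it links, a small Python audit of the php.ini directives most relevant to file-include attacks; the directive selection, the default values and the two ini fragments are my own (constructed) assumptions:

```python
import re
# Directives relevant to CWE-98 file inclusion, selected for this added example.
# Unset directives fall back to PHP's built-in default so a missing line is still judged.
DEFAULTS = {"allow_url_include": "Off", "allow_url_fopen": "On",
            "register_globals": "Off", "display_errors": "On", "open_basedir": ""}
FINDINGS = {  # directive -> why it is risky when enabled
    "allow_url_include": "include/require accept URLs, so remote file inclusion is possible",
    "allow_url_fopen": "URL streams are enabled; before PHP 5.2 this alone let include() fetch URLs",
    "register_globals": "request parameters initialise variables, including ones used in include paths",
    "display_errors": "error messages expose file-system paths to visitors",
}

def ini_bool(value):
    # PHP treats 1, On, True and Yes (any case) as true in php.ini.
    return value.strip().strip('"').lower() in ("1", "on", "true", "yes")

def parse_ini(text):
    # Minimal php.ini reader: drops ';' comments and [sections]; the last value wins.
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text):
    # Return {directive: reason} for every risky setting, explicit or by default.
    settings = parse_ini(text)
    risky = {name: why for name, why in FINDINGS.items()
             if ini_bool(settings.get(name, DEFAULTS[name]))}
    if not settings.get("open_basedir", "").strip('"'):
        risky["open_basedir"] = "not set, so scripts may read any file the web server user can"
    return risky

# Constructed php.ini fragments for the example.
WEAK_INI = """[PHP]
allow_url_fopen = On
allow_url_include = On   ; enabled for a plugin
register_globals = On
"""
HARDENED_INI = """[PHP]
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
display_errors = Off
open_basedir = "/var/www/site:/tmp"
"""
```

Run `audit()` over the real php.ini of a server; a directive that is absent from the file is judged by its default, which is why display_errors is reported for the weak fragment.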
Look at the risks: At a minimum, you can become a malware distributor and risk a bad reputation. The bad reputation translates to blacklists and lost visits. Getting off a blacklist can be difficult, since copies of the blacklist are not under a central management mechanism. Alternatively, you could lose ownership of your server and all it contains.
How does a person who has noticed a specific instance of this attack respond?
- Note that malware is not required; a Trojan horse is not required. If there is malware, forward a malware sample to … your vendor, certainly, and VirusTotal.
- Report Malicious URLs
- Notify the compromised web site technical contact.
- Notify the compromised web site owner.
- Warn potential victims by posting a list of Search Engine Poisoning Phrases, in the hope that this page would compete with the malicious pages.
How does a person protect their mother from being redirected to a malicious web site in this way?
I would have expected “in the cloud” measures to be effective. To be effective the mechanism must intercept the redirection, recognize that it is not the same source, and verify the reputation of the new destination or evaluate the new destination’s content. Netcraft offers a moderated web rating toolbar. The free AVG LinkScanner seems to do the job, and you can hide its toolbar. K9 Web Protection (free from Blue Coat) would also do the job. Not K9 Site Rating, however, since you would ask about the site you intend to visit, not the site you will be redirected to.
Web Of Trust is nearly useless in the “how do you protect your Mother?” scenario. A review of a URL may give the impression that the site is trustworthy. You need the Web Of Trust browser plugin to notify you that the site you were diverted to has been rated untrustworthy. Web Of Trust is a community-based rating system, and the community has very little agreement about how to do ratings. In Web Of Trust, many web sites are listed as SPAM sites even though they do not send unsolicited commercial email. Web Of Trust is useful for its comments, but that is not a “how do you protect your Mother?” mechanism.
Where is the centrally managed (collect alerts, distribute updates) product you want for a corporate environment?
How does a person protect themselves from being redirected to a malicious web site in this way?
What can a paranoid person who doesn’t trust a link do?
So how well did the “Can You Trust This Website?” services do? I wasn’t fast enough to test “clean-your-pca1.com”. The domain name no longer resolves to a host. Google Safe Browsing now reports:
Of the 20 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-11, and the last time suspicious content was found on this site was on 2010-01-11.
Malicious software includes 12 trojan(s).
This site was hosted on 2 network(s) including AS29550 (EUROCONNEX), AS34305 (EUROACCESS).
An alternate web site is being used: goodstats1.net/ in.cgi?11
In most cases, the tools report about the site itself and any pages it traverses; that is, they are appropriate for sites and their expected pages. A specific, orphaned page will be ignored. In this case, it is a specific, orphaned page that we wish to learn about.
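What a tool has to do for one orphaned page is fetch it, inspect the response for a redirect without following it, and then judge the destination. The following Python script is an added example, not one of the services compared here; it works over constructed HTTP responses, and the page URL and the reputation list are assumptions (the two listed hosts are the rogue anti-virus destinations named earlier in the post):

```python
import re
from urllib.parse import urljoin, urlsplit
BAD_HOSTS = {"goodstats1.net", "clean-your-pca1.com"}  # constructed reputation list; a real check would query a service
META_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
                     r'content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
JS_RE = re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
                   r'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)

def parse_response(raw):
    # Split a raw HTTP response into (status code, lower-cased headers, body text).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")

def find_redirect(page_url, raw):
    # Return (absolute destination, mechanism) or None. Nothing is fetched or followed.
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return urljoin(page_url, headers["location"]), "http"
    m = META_RE.search(body)
    if m:
        return urljoin(page_url, m.group(1)), "meta-refresh"
    m = JS_RE.search(body)
    if m:
        return urljoin(page_url, m.group(1) or m.group(2)), "javascript"
    return None

def classify(page_url, raw):
    # Label the page by where its redirect, if any, leads: same host, known-bad host, or another host.
    found = find_redirect(page_url, raw)
    if found is None:
        return "no-redirect", None
    dest, how = found
    dest_host = urlsplit(dest).hostname
    if dest_host == urlsplit(page_url).hostname:
        return "same-site:" + how, dest
    return ("malicious:" if dest_host in BAD_HOSTS else "off-site:") + how, dest

# Constructed responses. The post observes the redirect only on the first visit and plain
# text afterwards, so the first response a fresh client receives is the one to keep.
PAGE = "http://example.com/abcde/viewer.php"  # hypothetical injected page
FIRST_VISIT = b"HTTP/1.1 302 Found\r\nLocation: http://goodstats1.net/in.cgi?11\r\n\r\n"
SECOND_VISIT = b"HTTP/1.1 200 OK\r\n\r\n<html><body>nikon viewer vista driver</body></html>"
META_PAGE = b'HTTP/1.1 200 OK\r\n\r\n<meta http-equiv="refresh" content="0;url=http://goodstats1.net/in.cgi?11">'
JS_PAGE = b'HTTP/1.1 200 OK\r\n\r\n<script>window.location.href="http://other.example/x";</script>'
```

An "off-site" result is the case the services in the table miss: the destination is not on any list yet, but it is not the site you asked about, and that alone is worth a reputation lookup before the browser goes there.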
Site | Result for PHP links | Result for goodstats1.net/in.cgi?11 |
---|---|---|
Google Safe Browsing http://www.google.com/safebrowsing/diagnostic?site=[append site here] | Not an appropriate tool. This site is not currently listed as suspicious. Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-11, and suspicious content was never found on this site within the past 90 days. | This site is not currently listed as suspicious. Google has not visited this site within the past 90 days. Over the past 90 days, goodstats1.net did not appear to function as an intermediary for the infection of any sites. No, this site has not hosted malicious software over the past 90 days. |
Clean MX | Ambiguous | Ambiguous |
Trend Micro Secure Cloud | Unrated, This web site has not been analyzed by Trend Micro. Please check back soon. | Virus_Accomplice. This web site is known to Trend Micro to be a malicious web site. |
AVG Online Web Page Scanner | Congratulations! LinkScanner Online did not find any exploits. | DANGEROUS: LinkScanner Online has detected a malicious site: (goodstats1.net : Exploit server) |
Finjan URL Scanner | (Ambiguous) The requested URL was analyzed and found legitimate. | Error: The requested URL is currently unavailable. |
hpHosts Online | Not an appropriate tool. | |
KnownSec | Not an appropriate tool. | |
BFK DNS Logger | Not an appropriate tool. | |
Malware Domain List | Not an appropriate tool. | |
PhishTank | Not an appropriate tool. | |
SudoSecure | Not an appropriate tool. | |
Malware URL | Not an appropriate tool. | Submitted |
robtex | Not an appropriate tool. | Not an appropriate tool. |
showsiteinfo | Not an appropriate tool. | Not an appropriate tool. |
siteshakedown | Not an appropriate tool. | Not an appropriate tool. |
spyonweb | Not an appropriate tool. | Not an appropriate tool. |
push2check | Not an appropriate tool. | Not an appropriate tool. |
ProjectHoneyPot Report | Ambiguous. | |
McAfee SiteAdvisor | Not an appropriate tool. | This site has been queued for testing. Please come back soon for automated results. |
McAfee Trusted Source | Minimal risk. | Service currently not available (3), please try again later! |
Web of Trust | Ambiguous. Since entries are generally made manually, someone may have something to say about some subject related to the web site. | Malicious content as long ago as October 8, 2009 |
Offline utilities
Perhaps a table is not the best approach to presenting this information. The finding is similar to the online tools: when asked about the PHP links, no approach saw anything suspicious. When asked to open the PHP link, AVG LinkScanner intercepted the redirection and reported malicious code. This is to be contrasted with the other approaches, which give no indication that a redirection would occur. Once given the explicit redirect destination, the tools do recognize malware.
Tool | Result for PHP links | Result for goodstats1.net/in.cgi?11 |
---|---|---|
AVG LinkScanner | Safe: This page contains no active threats. | Danger: AVG Search-Shield has detected active threats on this page and has blocked access for your protection. |
curl | Looks like text, nonsense but harmless. No link to malware. | |
Fiddler | | |
Malzilla | Looks like text, nonsense but harmless. No link to malware. | |
vURL Desktop Edition | | |
wget | Looks like text, nonsense but harmless. No link to malware. | |
Links have been removed from this list now that they return generic “page not found” messages. (Good job.) Links have been added. I do not pretend that this is an exhaustive list; perhaps one hundredth of a percent. As I said, I stumbled across these and have not rigorously pursued an inventory.