BelchSpeak


Cryptome.Org Hacked - Hosted Scripts for Drive-By Malware. UPDATE! JavaScript Captured

Cryptome.Org was compromised through some type of PHP vulnerability that added a download script to every page on the web server. The compromised pages triggered antivirus alerts for visitors.

Cryptome confirmed each page had been modified here:

(13 Feb 2012) 5,000 more files found infected, still checking, but it looks as though every HTML file on Cryptome was infected. Sneaky: files inside directories and sub-directories were changed to add the SCRIPT with date of change but without changing the directory date. Not clear how access was gained through our ISP. Access logs do not show the infection activity. Any ideas how that was done and how to prevent recurrence: cryptome[at]earthlink.net

Ars Technica reports that Cryptome seems to think it was breached via the phpMyAdmin configuration page on its server:

A breach that caused Cryptome.org to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.

Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.

If Cryptome were running a standard PHP-enabled blog, such an attack would be a bit easier: a PHP-based attack can compromise the MySQL database, and from there the malicious code can be injected into every page. But Cryptome doesn't use PHP. Perhaps they do have PHP after all, but only as an add-on available through their web server administration console software.

The last time Cryptome was hacked, the name of Justin Perras came up; he was jailed for the LexisNexis hack back in the day.

Thanks to @AoSHQ Doom.

UPDATE!!

Coincidentally enough, I began to receive AV popups of my own related to the Blackhole malware. My AV of choice is the excellent Microsoft Security Essentials.

I examined the details and found that one of the RSS feeds I track was prepending a malicious script to the RSS feed page served by Internet Explorer. I carved out the script and submitted it to Jsunpack. As is often the case, Jsunpack didn't detect the decoded JavaScript as malicious, but reading through the eval commands, it is clear that the software attempts to insert an iframe and create a drive-by download. Below is the decoded JavaScript.

It is also worth noting that this threat employs dynamic DNS, so nobody can simply blackhole the IP address. And if the threat is widespread enough to start infecting the RSS feeds of popular blogs, this one is going to be a big deal in the security sector over the next several weeks.
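As an added defensive example (not code from this post, from Cryptome or from Jsunpack), here is a small Python scanner for the two symptoms described above: inline scripts that decode and eval a payload to drop a hidden iframe, and HTML files edited in place throughout a tree without the directory dates changing. The regexes are assumed heuristics and both sample pages are constructed.

```python
import re
import tempfile
from pathlib import Path
# Inline <script> bodies; DOTALL because injected blocks often span lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Decoder/eval calls typical of obfuscated drive-by loaders (assumed heuristics).
OBFUSCATION_RE = re.compile(r"\beval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
# Iframes sized or styled to be invisible, the usual drive-by carrier.
HIDDEN_IFRAME_RE = re.compile(r"<iframe\b[^>]*(width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)

# Constructed samples, not the real payload: one injected page, one clean page.
SAMPLE_INFECTED = """<html><body><h1>Hello</h1>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
<iframe src="http://placeholder.invalid/x" width="0" height="0"></iframe>
</body></html>"""
SAMPLE_CLEAN = "<html><body><script>var n = 1; eval('n + 1');</script></body></html>"
def scan_html(text):
    """Return a list of findings for one HTML document (empty if nothing suspicious)."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        # Normalise each hit to its function name: "eval(" -> "eval".
        hits = {h.split("(")[0].strip().lower() for h in OBFUSCATION_RE.findall(m.group(1))}
        decoders = hits - {"eval"}
        # eval alone is common in legitimate code; eval plus a decoder is the signal.
        if "eval" in hits and decoders:
            findings.append("obfuscated script: eval with " + ", ".join(sorted(decoders)))
    if HIDDEN_IFRAME_RE.search(text):
        findings.append("hidden iframe")
    return findings

def scan_tree(root, baseline_mtime=None):
    """Walk a web root and report suspicious HTML files. Directory mtimes change only when
    entries are added or removed, so in-place edits are caught by file mtime vs a known-good baseline."""
    report = {}
    for path in Path(root).rglob("*.htm*"):
        findings = scan_html(path.read_text(errors="replace"))
        if baseline_mtime is not None and path.stat().st_mtime > baseline_mtime:
            findings.append("modified after baseline")
        if findings:
            report[str(path.relative_to(root))] = findings
    return report

def demo():
    """Write the constructed samples into a temporary web root (with a subdirectory) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text(SAMPLE_INFECTED)
        Path(root, "docs").mkdir()
        Path(root, "docs", "clean.html").write_text(SAMPLE_CLEAN)
        return scan_tree(root)
```

Pass the timestamp of the last known-good deploy as `baseline_mtime` to also list every file touched since then, whether or not the content heuristics fire.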

Dr. Jones

Do not talk about fight club. Oops.
