ScamBusters
Posted by NeverShaveYourDuck, Mon, January 18, 2010 22:15:18
When the site was last hacked, the download torrent file for UnZixWin was tampered with. It seems that a few extra trackers were inserted in the end of the chain.
As a result, downloading anything from this torrent file may have resulted in the user receiving a compromised download. I cannot verify this, since my bittorrent client at present doesn't work properly.
Therefore, I have for the time being removed this torrent file from the site and from the download page. But for some users, the damage may have already been done.
IF YOU HAVE DOWNLOADED THIS TORRENT FILE sometime between November 30th, 2009 and January 10th, 2010, you should treat the download as suspicious.
WHAT YOU SHOULD DO:
Check your download(s) against these MD5 checksums:
If the MD5 checksum for any file you've downloaded matches, then the file is as I presented it on the site. Otherwise, it may have been compromised.
HOW TO CHECK MD5 CHECKSUMS:
Several tools are available for download from the Internet. I recommend hkSFV from http://www.big-o-software.com
Install the tool, run it on a specific file or a whole folder from the right-click context menu (select hkSFV -> Create MD5), and then open the resulting .md5 file and compare the sums.
WHAT DO I DO IF MY FILES MAY BE COMPROMISED?
* Stop seeding the file immediately! How to do this depends on your BitTorrent client of choice.
* Delete the downloaded file from your system.
* Run a full system scan with your Antivirus / Antispyware package of choice.
My sincere apologies for any inconvenience.
ScamBusters
Posted by NeverShaveYourDuck, Thu, January 07, 2010 20:46:43
Well, over the holidays, my website was hacked once again. This is the third time in as many months this has happened.
Apparently, I wasn't the only one affected. My hosting company, who this time were kind enough to warn me about the issue, maintains that the hacker somehow obtained my FTP password. Myself, I'm beginning to suspect that there's a vulnerability in Apache Server which has yet to be addressed. The nature of the hack suggests that a kind of worm, or other unintelligent automated process, was to blame for the attack. It acted much like the "F*ck PoizonBox" worm which struck millions of websites a few years ago. It only targeted a certain kind of file, rewriting them in a manner that suggests very clumsy automation.
Nevertheless, I changed the password and replaced the affected files. For now, the ScamWatch blog will have to act as the front page for my website, which is maybe just as well, since the old one was, frankly, embarrassing.
What did the hack do?
It did two things. First, it rewrote certain HTML files so as to inject a hidden IFRAME into the document, one which loaded a parameterized URL on a known hacker site.
Second, it tampered with the default actions of the site, so that any broken URLs would cause a redirection to the aforementioned site. This is more nefarious, since for example trying to browse any unindexed folder via a raw URL would cause a 403 error, which would send you to the malicious site.
Once there, you would be subjected to false alerts about a possible infection, and offered to download a solution... which, naturally, would have flooded your system with spyware. Sigh!
Why did they do it?
At first, I suspected a case of retaliation. Fighting the crooks who spread spyware and malware makes me and my site a natural target for certain kinds of payback attack. It was naive of me not to expect it. I'm just surprised it didn't happen sooner.
However, the nature of the attack, and the fact that I'm not alone in having suffered, suggest that it wasn't personal. It seems that the script kiddies (read: stupid hacker snotnoses) are having a harvesting contest to count how many sites they can compromise. It's one of the many ways they have of comparing their tiny penises.
Have any visitors been affected? Is there a risk coming here?
Fortunately, no. The hacks were so blatantly stupid and badly written that they couldn't have worked in any browser. Cleaning them up is a nuisance, but they aren't dangerous to visitors. Not ones who know what they're doing.
The broken URL hack, however, would have worked. I tested it myself on a sandboxed computer to see what would happen in certain scenarios. It has now been fixed.
Has UnZixWin, or any other software, been compromised?
Nope. None of the downloads have been tampered with. They are still safe to download and install.
What are you going to do about it?
On the bright side, it has rekindled my faltering interest in online security once more. After a post-mortem analysis of their tricks, I'm considering a multi-pronged defence mechanism consisting of the following:
* A daily, scheduled, automated system to check the health of my sites to detect and repair any tampered files
* A script, included everywhere, to automatically detect and remove hostile IFRAMEs before they have any chance of triggering.
* A new article, detailing the hacks in technical detail
And, while I'm in the process of doing all that,
* A major overhaul of the whole site. It has been long overdue.
Watch this space.
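As an added example (not code from the ScamBusters site, UnZixWin or the hkSFV tool), the following Python script ties together the MD5 check described in the January 18th post and the planned daily tamper scan and hostile-IFRAME detection listed above: it compares a web root against an MD5 manifest in the "hash *filename" layout (assumed here to be what hkSFV writes), reports modified, missing and unexpected files, and flags HTML files that carry a hidden IFRAME. The sample site, its manifest, the placeholder digest and the example.invalid URL are all constructed for the demo.

```python
import hashlib, os, re, tempfile
def parse_md5_manifest(text):
    """Parse 'hash *name' lines (the .md5 layout hkSFV writes, assumed here) into {path: md5}."""
    manifest = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith(";"):   # skip blank and comment lines
            digest, name = line.split(None, 1)
            manifest[name.lstrip("*").replace("\\", "/")] = digest.lower()
    return manifest

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()
# An IFRAME counts as hidden when it is styled invisible or given a zero width/height.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
    r"|\b(?:width|height)\s*=\s*[\"']?0\b)[^>]*>", re.I)

def check_site(root, manifest):
    """Report modified, missing and unexpected files, plus HTML files carrying a hidden IFRAME."""
    report = {"modified": [], "missing": [], "new": [], "iframes": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                report["new"].append(rel)
            elif md5_of_file(full) != manifest[rel]:
                report["modified"].append(rel)
            if rel.lower().endswith((".htm", ".html")):
                with open(full, "r", errors="replace") as f:
                    if HIDDEN_IFRAME.search(f.read()):
                        report["iframes"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report

def demo():
    """Constructed site: clean index page, about page with an injected hidden IFRAME, manifest line (placeholder digest) for an absent download."""
    root = tempfile.mkdtemp()
    index, about = b"<html><body>Welcome</body></html>", b"<html><body>About</body></html>"
    injected = about.replace(b"About", b'About<iframe src="http://example.invalid/r?id=1" style="display:none"></iframe>')
    for name, data in (("index.html", index), ("about.html", injected)):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = parse_md5_manifest(
        f"{hashlib.md5(index).hexdigest()} *index.html\n{hashlib.md5(about).hexdigest()} *about.html\n"
        "00000000000000000000000000000000 *download/unzixwin.zip\n")
    return check_site(root, manifest)
```

Run against a real web root, the same check scheduled daily and diffed against a manifest taken right after a clean deployment is what catches the rewritten HTML files and the dropped extras that a hack like the one described leaves behind.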