Aranka Versteer

Wed, 4 Jun 2008

Worm hits several SA sites

Many South African Web sites hit by a SQL worm last month are still not safe to visit.

Dino Covotsos, CEO of penetration testing and security company Telspace Systems, says the sites include MNet, MWeb, 702, Highveld, Piggspeak, News24, Private Property and SABC.

“The sites were not infected by a virus, but rather exploited by an automated SQL attack from compromised computers.”

He says the worm exploits bad coding techniques in Web pages. “The problem is, if the developers do not fix the core issue, their Web site just gets re-infected, and that is exactly what is happening in the ZA domain space.”

The different variations of the worm at the moment do different things, he adds. “Some exploit ActiveX vulnerabilities, while others backdoor computers and send out passwords. The biggest problem is every visitor to the worm-infected site will get infected by the malicious JavaScript.”

Covotsos says Telspace Systems contacted several local sites to warn them about the infection when it was first identified, yet most sites are still infected. “Many companies don't realise what the implications of the worm are. Awareness is the key issue.

“This SQL worm has been circulating the Internet for some time now. Our first serious dealings with it were around 15 April, but some say it could have started before that,” says Covotsos.

None of the companies have posted warnings on their Web sites to notify visitors of the potential danger.

The right steps

An anonymous spokesman for the SABC confirmed its Web site was infected. “We are dealing with the problem,” he says. The team had already identified and neutralised the problem, he adds. “However, they are still trying to identify the source of the problem.”

Despite these initiatives, a string search using Google continues to warn users that the SABC's Web site could harm their computers.

A spokesman for Media24 acknowledged its site had also been infected. “The portion of the site that was compromised was based on code that was written four to five years ago. The hackers took advantage of the vulnerability.”

While Telspace Systems identified the site in April, the Media24 spokesman says the company only became aware of the infection the week before last. “They [the hackers] went systematically through the Web site and took advantage of the vulnerability,” he adds.

He says Media24 has run intrusion tools on the site and has taken steps to ensure the problem does not recur.

However, Covotsos says intrusion tools may not be enough to repair an infected site. “Immediate procedures should be to take the site offline, cleanse the database and source code. Then companies need to figure out where the infection points are and fix those. To reinstall the Web server is also recommended so that clean code can be included on the fresh installation.”

In addition, he recommends companies complete a penetration test and vulnerability assessment. “While it may be costly, it's more costly to have your database compromised and to reimburse all your clients for losses.”
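The remediation Covotsos describes (fix the query code that lets the injection in, then cleanse the stored content) as an added Python example; this is not code from the article or from Telspace Systems. The `articles` table, its rows and the `bad.example` host are constructed, and the pattern it hunts for is the `script src=http` indicator that readers in the comments searched for in cached pages.

```python
import re
import sqlite3

# Constructed sample: a CMS table with one row poisoned the way the article
# describes (a remote <script src=http://...> tag appended to stored text).
SAMPLE_ROWS = [
    (1, "Weather", "Rain expected in Gauteng tonight."),
    (2, "Sport", "Final score 2-1.<script src=http://bad.example/x.js></script>"),
    (3, "Markets", "The JSE closed higher."),
]
# The indicator the comments search for in cached pages: a remote script tag.
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?https?://[^>]*>\s*</script\s*>", re.I)
TEXT_COLUMNS = ("title", "body")  # fixed list, never taken from a request

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def get_article_vulnerable(conn, article_id):
    # The "bad coding technique" the worm exploits: request input pasted into SQL.
    return conn.execute("SELECT title, body FROM articles WHERE id = " + str(article_id)).fetchone()

def get_article_fixed(conn, article_id):
    # Parameterised query: the value is bound as data and is never parsed as SQL.
    return conn.execute("SELECT title, body FROM articles WHERE id = ?", (int(article_id),)).fetchone()

def find_injected(conn):
    """Return (id, column) pairs whose stored text carries a remote script tag."""
    hits = []
    for column in TEXT_COLUMNS:
        for row_id, text in conn.execute(f"SELECT id, {column} FROM articles"):
            if INJECTED_SCRIPT.search(text or ""):
                hits.append((row_id, column))
    return hits

def cleanse(conn):
    """Strip injected tags in place (the 'cleanse the database' step); returns rows changed."""
    changed = 0
    for row_id, column in find_injected(conn):
        text = conn.execute(f"SELECT {column} FROM articles WHERE id = ?", (row_id,)).fetchone()[0]
        conn.execute(f"UPDATE articles SET {column} = ? WHERE id = ?",
                     (INJECTED_SCRIPT.sub("", text), row_id))
        changed += 1
    conn.commit()
    return changed
```

Cleansing the rows alone is not a fix: until every query is rewritten like `get_article_fixed`, the next automated pass re-poisons the table, which is the re-infection cycle the article describes.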

Piggspeak and Primedia had not commented by the time of publication.

Comments (19)

bob said:

Do your homework next time!
I have been a fan of 24.com for the last year and a half. I have their main page as my home page and I read news24 on a daily basis, so I was rather upset when I read this article. I immediately did a scan of my PC to see if I had been infected by any viruses and it seems I wasn't, which got me thinking.
I did a search of the cached pages as suggested by the “Actually…” comment and I did come across the virus string, but when I viewed the source I saw that it was from a feed they were receiving.

I decided to do some investigating and this is where the person who researched this should pay attention. I called Media24 only to find out from the receptionist that Media24 and 24.com are completely separate companies although they are both owned by Naspers. What’s even more interesting is that I found out that Media24 also have absolutely nothing to do with the IT support for 24.com, so the comments from the “Media24 spokesman” could have at best been pure speculation. I then contacted 24.com (the guys who actually host and maintain the sites. – ITWEB!!) who confirmed that the worm had never infected their servers and that the infected code came from a 3rd party, which was blocked the moment they detected it.

What was even more interesting, was that intrusion tools and hacking attempts are mentioned. A quick Google search confirmed that these statements are typical of SQL Injection type attacks and not the worm virus as stated in the article…

Good going ITWeb! It seems that you didn’t even speak to the correct company. How many other articles have been this poorly investigated?
June 09, 2008 Votes: +0

Harm said:

Nice research.. kind of...
Great groundwork, and research, very interesting.

The only problem and worrying issue is that 24.com and news24.com did both get hit by the worm. Really, do you really think a company would admit to that?

Yes, they both might have separate IT support, but they both have been hit, and they are both owned by Naspers, who should have issued a press release warning their users. That's worrying. None of them notified their users, even if it was from a 3rd party. It always takes a while to get cached on Google and Yahoo, so it wasn't immediate. Even more worrying, I think.

Multiple people have confirmed it and even have screenshots on record, I'm sure, of the multiple hundred sites that were hit. I personally saw not only news24, but 24.com, women24 and other 24-related sites all hit. I don't think 24 would ever admit to this, much like the other companies in the article. I also know that a lot of antivirus software will not actually pick this up, so you could still be infected - just be careful. What can you do?

I do understand your comment about "intrusion tools"; what's that got to do with SQL injection attacks, who knows! I suppose that's why they got hit in the first place, right? :)

In any event, I think it's about time that SA companies wake up and see that they are vulnerable to serious attack; I mean, these SQL injection techniques are YEARS old. It's also about time the companies started doing something about it and started living up to international standards, notifying their users of a breach and possible information leakage.

Why should the public suffer and be kept "in the dark" because leading companies did not secure their networks properly? SA information security is still very far behind international standards, this kind of thing should have never taken place on any of those sites in the article.
June 09, 2008 Votes: +0

Dopie said:

What’s The Point of This Article?
You know what would have been really great in this article?
If the writer actually mentioned the name of the worm? Don't you think that would have been useful....
June 05, 2008 Votes: +0

Sneakie said:

Thanks for the warning.
How do we check our home PCs to see if they have been compromised?
June 05, 2008 Votes: +0

Mr Cleen said:

no ownage....
For this worm - 100% sure - the machines were compromised using SQL injection code - and most of the above websites are still open to be compromised.
June 05, 2008 Votes: +0

Mr Cleen said:

Clean ur code
Howdy, this was a SQL bug - reinstallation of web servers is a bit of an overkill - just fix your code and clean the db.
MWeb, MNET, 24.com and a couple of sites were hit - you could search on Google and pick up those sites until now.
June 04, 2008 Votes: +0

Chris said:

pretty slow news day
It must be a pretty slow news day for this to make the lead on the e-mail newsletter and from a previous post it seems some pertinent information is incorrect.
June 04, 2008 Votes: +0

Frikkie said:

Rubbish
Media24 had only one site infected, and it is only because web developers are idiots, and so is the person who gave you the information on what was done to remedy the problem.
Please get your facts in order before you publish rubbish. Or get someone who knows something about websites and security to help you.
June 04, 2008 Votes: +0

Rick said:

...
Sounds like someone has lots of time on their hands and is trying to drum up some business.
June 04, 2008 Votes: +0

Hmmm said:

FAIL!
Don't know where you got your info from, but neither News24 nor MWeb were hit by this. Who is this 'Media24 Spokesperson'? News24 is run by 24.com and MWeb's website is also run from 24.com - so who did you speak to at 'Media24' about this?
June 04, 2008 Votes: +0

Ss said:

Maybe
Maybe... But I think the awareness is a good thing.
Might get a few web developers / owners to check their websites.
And thus maybe stop someone's PC getting infected.
June 04, 2008 Votes: +0

Harm said:

Actually...
Actually, take a look at yahoo.com, search for the terms:

script src=http or netAfrikaans + script src=http

netAfrikaans, which is under News24, is still cached as being hit by the SQL worm. In fact, 24.com was also hit with the initial worm, as indexed by Google.
June 04, 2008 Votes: +0

Doe said:

Penetration tester ?
Mweb was hit :) I saw it myself --

The actual bug hit the database servers - reinstalling the web server is a bit of an overkill -- just fix ur code :p
June 04, 2008 Votes: +0

Steven said:

great stuff
Interestingly enough, those companies should be protecting their users and their users information anyway?

So, whatever the case is, at the end of the day, due to this, the sites will be more secure now.

A few search engine searches to sum up some worm-hit websites isn't exactly much work!
June 04, 2008 Votes: +0

factis said:

get _your_ facts straight
Still, those sites reported above are taken straight off a search engine, so in terms of facts it's all true that those sites were hit. I see no half truths.

In terms of credible sources, are you saying that Google and Yahoo do not index sites correctly? - that Google and Yahoo are not credible? I find it hard to believe that you are more credible and factual than them. I guess, you are insinuating that Google and Yahoo do not do a proper job of indexing sites, and obviously, according to you, provide fake information. Interesting.

I'm not sure who you are informing or who is informing you, but you should be more aware - obviously if you don't know how to do a Google/Yahoo/other search to check if your site or clients' sites have been hit, then yes, you are deaf and dumb and certainly do not know the industry.

As far as I am concerned, you are just trying to cover up something that has happened, but in a lame way.
June 04, 2008 Votes: +0

whiteisthenewblack said:

spoon
That's just lame, they don't even run aspx or MS servers.
June 04, 2008 Votes: +0

0x41414141 said:

huh
lol do you even know what this article is about? The attack only targets ASP scripts (which Telspace doesn't run). Rather go talk about something you have a mild understanding of.
June 04, 2008 Votes: +0

whiteisthenewblack said:

spoon
Except Google doesn't say so.
June 04, 2008 Votes: +0

mh said:

SQL bugs quickly translate to box ownage.
This seems like dangerous advice. Unless you are 110% sure that the db compromise cannot lead to an OS compromise (which sounds likely if it's so vulnerable that even a worm could take it out), the best reaction actually will be to flatten and re-install.
June 04, 2008 Votes: +0