Bot Authors Targeting phpBB Forums

Bots are registering user accounts on thousands of phpBB forums across the Internet, raising concerns that the bot's authors are laying the groundwork for mass exploitation down the road. The activity of a bot named FuntKlakow was discussed in a Digg thread Sunday, with many forum owners confirming that FuntKlakow had created accounts and even posted simplistic messages ("O How nice" and "Wow that is cool").

FuntKlakow's post signatures have included links to proxy surfing and "traffic generator" services, raising the prospect that its goal may be spam rather than exploits. But as noted on a German site that issued an early warning about the bot's behavior, "the next time the phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) from attacking thousands of sites/forums." Google searches suggested the bot may have created accounts on as many as 33,000 forums.


Chinese Bank’s Server Used in Phishing Attacks on US Banks

A web server belonging to a state-operated Chinese bank is hosting phishing sites targeting U.S. banks and financial institutions. Phishing e-mails sent on Saturday (March 11) targeting customers of Chase Bank and eBay were directed to sites hosted on IP addresses assigned to The China Construction Bank (CCB) Shanghai Branch. The phishing pages are located in hidden directories with the server's main page displaying a configuration error. This is the first instance we have seen of one bank's infrastructure being used to attack another institution.

The attack on Chase offers recipients the chance to earn $20 by filling out a user survey which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password, so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN number, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form processing service (free.allforms.mailjol.net) operated by an Indian company but hosted in the U.S. at NetAccess.

Phishing Page on China Construction Bank Web Server


Hackers Targeting Mambo Security Holes

Hackers are actively seeking out unpatched versions of the Mambo content management system, which recently repaired a serious security hole. The latest exploit attempts target a different vulnerability than the Mare.D worm, which grabbed headlines last month but apparently did limited damage to Mambo sites. Sites running on Mambo should upgrade to the latest version as soon as possible.

On Feb. 24 James Bercegay of GulfTech Security Research announced vulnerabilities in Mambo that could allow a server compromise by a remote attacker, including several methods of an SQL injection attack. Bercegay also found a way for attackers to use Mambo's file inclusion features to breach system security. Last July Bercegay discovered a weakness in XML-RPC libraries used by numerous PHP-based blogging and content management apps.


March 2006 Web Server Survey

In the March 2006 survey we received responses from 77,568,868 sites, an increase of 1.38 million from February 2006. This month's hostname growth has a somewhat speculative flavor, as the survey found nearly 2.8 million new hostnames this month, but just 237K new active sites. That ratio of one active site for every 12 hostnames is much lower than in recent months (in September 2005 the ratio was one in five).

That means a larger percentage of new domains are being parked, rather than used on active web sites. The trend is likely connected to media coverage of domain investing, which appears to have prompted a surge in speculative buying. That means more domains are being bought for resale or ad revenue, rather than for use with web sites.

Infrastructure changes at huge hosting providers once again influence web server market share. Apache gains 1.5 million hostnames this month, including more than 950K at Go Daddy, which had been reclassified in January to "Unknown" due to changes in the front-end system used in Go Daddy's bulk hosting service. That shift helps Apache regain 0.7 percent market share, with other servers showing little change this month.

Total Sites Across All Domains, August 1995 - March 2006

Graph of market share for top servers across all domains, August 1995 - March 2006

Top Developers
Developer    February 2006    Percent    March 2006    Percent    Change
Apache       51810676         68.01      53287298      68.70      0.69
Microsoft    15666702         20.56      15912427      20.51      -0.05
Sun          1880313          2.47       1881587       2.43       -0.04
Zeus         579198           0.76       574607        0.74       -0.02


New Reseller Service Offers Utility Computing for $100 a Month

Mosso Inc. wants to bring affordable utility computing to the masses - or at least to web designers and developers. The start-up, which is backed by Rackspace Managed Hosting, has just launched an innovative reseller hosting service that offers unlimited websites, databases and e-mail accounts in a turnkey service for just $100 a month.

Mosso uses a "hosting system" of clusters of specialized servers, an approach typically seen in enterprise hosting, which can offer advantages in redundancy and performance. The company was built from the ground up as an alternative to discount dedicated servers, which have been enormously popular with hosting resellers and power users.

Mosso's $100 a month reseller account comes with 80 gigabytes of storage space and 2,000 gigs of monthly data transfer. Customer support and billing are available as paid add-ons, allowing customers to outsource both services for just $5 per domain per month. Traffic load balancing and mitigation of denial of service attacks are included in each account, along with the ability to combine Windows and open source technologies on a web site, running ASP and PHP pages from the same web directory. There are significant differences with dedicated server solutions as well, as Mosso offers FTP uploads but not shell or root access.


DDoS Attacks Target Prominent Blogs

Several prominent weblogs have been hit with distributed denial of service (DDoS) attacks in recent weeks, as the target list for digital attackers continues to broaden. While some of the attacks appear to be politically motivated, on Monday a DDoS struck one of the blogosphere's most financially successful bloggers.

Australian Darren Rowse confirmed that an outage Monday on his ProBlogger weblog was caused by a DDoS, but provided no details about the attackers or their motives. Rowse gained international attention last year when he revealed that he would make more than $100,000 as a solo blogger in 2005, primarily through earnings from Google AdSense advertising and commissions from affiliate referral programs.

Has the success of professional bloggers made them viable financial targets for professional DDoS attackers? Sites with large volumes of transactions are the primary targets for a cottage industry of digital extortionists using DDoS attacks, usually launched through large botnets of compromised computers. These attacks have previously targeted online betting sites, payment gateways, domain parking services and even online games.
