Friday, 6 July 2012

You entered a bike race.... and got a Russian bride?

Svetlana.... needs a shave!
Here is why. Tonight I was alerted to an issue with the Cycling Victoria online entry system. I distance myself from most IT support issues... but the word 'malware' was mentioned so I took notice. Typically these end up being warnings or reports from sites that have been compromised in the past and have since been cleaned up..... false positives after the threat has been removed. This case ended up being a little more interesting... and still active!

Rewind only 12 months and a few people will remember the SBS Cycling Central website was compromised and infected a large number of 'le Tour fans at the most popular time of the year for them. Google Safe Browsing picked up on this and saved a few people from disaster, but not everyone. SBS fixed their server, issued an apology, ra ra ra..... a lot of people were infected by simply visiting this site.  (AV/patching levels aside.... that was bad news!)




In short: The site used to host entry lists for Cycling Victoria (and possibly others) has been compromised and is attempting to infect you.

The breakdown....

The CV online entry/payment system links off to server "wic021v.server-secure.com" where your race selection is made and credit card payments are processed. (The name server-secure.com does not mean it is secure, this is just a name.....). Once your entry is processed, race entry lists are then accessible via another server name.

A familiar site for racing cyclists....

The "ENTRY LIST" URL takes us to another site.... http://www.cyclingnsw.org/  The name is again misleading, it isn't just NSW. I'll assume a legacy server that kept the same name. A quick report says it is a Windows 2003 server running IIS 6.0, and ColdFusion judging by the file names. This is only what the server reports from a public query, actual accuracy may vary....

The issue detected tonight was that every page hosted on this site has a little script linking off to another site.....

That URL stands out from the ordinary......
tcpdump of a curl query... confirms what Firefox saw too...

Same story for every page hosted on this site/server..... Lights out for the security of this server. Long gone.

The referred script:

Here is a really basic query trace from the site:

The script at relatedtothestars then redirects you to metippolo.... down the rabbit hole we go!

The script currently links to another URL that is not active...... at this point in time. It may have been, it could be soon. The URL could also change at any point, to point to any exploit they'll think will work. Scary stuff.

The current domain it is pointing to has detailed registration information....

The domain name is three days old.... dodgy-o-meter 10/10.
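The "three days old" check above is the kind of thing worth automating: pull the creation date out of a WHOIS record and flag anything registered within the last few weeks. This is an added example, not code from the original post. The WHOIS text is constructed (placeholder domain, registrar and registrant); only the three-day age and the 6 July 2012 observation date mirror what the post reports, and the set of date labels and formats it understands is an assumption about common WHOIS output.

```python
"""Flag a redirect-target domain whose WHOIS creation date is only days old.

Added example, not code from the original post.  The WHOIS record is constructed
(placeholder domain, registrar and registrant); the three-day age and the
2012-07-06 observation date mirror what the post reports.
"""
import re
from datetime import datetime, timezone

# (label regex, accepted date formats): common WHOIS spellings of "created on".
# Assumption: these cover the registries we care about for this example.
CREATION_PATTERNS = [
    (re.compile(r"^\s*Creation Date:\s*(\S+)", re.I | re.M), ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d")),
    (re.compile(r"^\s*Created On:\s*(\S+)", re.I | re.M), ("%d-%b-%Y", "%Y-%m-%d")),
    (re.compile(r"^\s*Registration Date:\s*(\S+)", re.I | re.M), ("%Y-%m-%d",)),
]

# Constructed WHOIS record; every field is a placeholder.
SAMPLE_WHOIS = """\
Domain Name: REDIRECT-TARGET.EXAMPLE
Registrar: Placeholder Registrar Ltd
Creation Date: 2012-07-03T00:00:00Z
Updated Date: 2012-07-03T00:00:00Z
Registry Expiry Date: 2013-07-03T00:00:00Z
Registrant Name: Placeholder Registrant
"""
OBSERVED_AT = datetime(2012, 7, 6, tzinfo=timezone.utc)  # date of the post


def creation_date(whois_text):
    """Parse the registration date out of raw WHOIS text; None if no known label is present."""
    for pattern, formats in CREATION_PATTERNS:
        match = pattern.search(whois_text)
        if not match:
            continue
        for fmt in formats:
            try:
                return datetime.strptime(match.group(1), fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                continue
    return None


def domain_age_days(whois_text, observed_at=OBSERVED_AT):
    """Whole days between registration and observation, or None if the date is unparseable."""
    created = creation_date(whois_text)
    return None if created is None else (observed_at - created).days


def is_suspiciously_new(whois_text, observed_at=OBSERVED_AT, max_days=30):
    """True when the domain was registered within max_days of observation.  An unknown
    age counts as suspicious too: a record with no readable date earns no benefit."""
    age = domain_age_days(whois_text, observed_at)
    return age is None or age < max_days


if __name__ == "__main__":
    print(f"age: {domain_age_days(SAMPLE_WHOIS)} days, "
          f"suspiciously new: {is_suspiciously_new(SAMPLE_WHOIS)}")
```

Run against a freshly fetched WHOIS record, a three-day-old domain sitting at the end of a redirect chain scores exactly as the post's dodgy-o-meter does; a domain registered years ago is not proof of innocence, but a days-old one on a site that otherwise sells bike races is hard to explain any other way.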

So - The race entry list server has been compromised. The admins will need to review (read: rebuild!) the server to clean up the mess.... and also review all the other systems to see how far the hack went.

Clean? So why is this CA site linking to a hidden JavaScript that is attempting to infect users?
ok, so they're hacked.



"But the site works for me" - The hack isn't meant to stop the page from working. It is designed to infect you without any notice. Ever wonder how people get their credit card details stolen? This is how.

"So only riders need to worry?" - Anyone who's loaded that page was/is a target. Riders, admin staff, anyone who has accessed that URL.

"Works on my iWhatever" - See above. Your iDevice might be safe today. Tomorrow, who knows?

"My AV/Webscan software doesn't detect a threat" - These systems detect KNOWN threats. The inserted HTML isn't malicious in itself, and the script it loads isn't either; it is the payload linked to further down the chain that will do the damage.

"Svetlana is knocking on my door calling me 'new' husband!" - Congratulations to you both!



How does this happen to servers? Not by mistake.

Most commonly for blanket server-wide html/code injection like this, the attack is pretty simple. Compromise the site via FTP, obtain read/write access, run a script to blindly insert the code into every htm/html/cfm/etc file.
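The giveaway of that blind file rewrite is not one suspicious page but the same foreign script in every page on the server, which is exactly what the curl/tcpdump checks above showed. Here is how an admin can confirm it from the web root itself, as an added example that is not code from the original post: walk the htm/html/cfm files, collect every host that a script tag loads from, and report any host referenced by most of the site. The site-local hostnames (SITE_HOSTS), the injected hostname and the sample pages are all constructed for the example; the real one in the post is not used.

```python
"""Find the same externally hosted <script> injected across a site's pages.

Added example, not code from the original post.  SITE_HOSTS (the hosts the site
legitimately loads scripts from) and the injected hostname are assumptions; the
sample web root is constructed on disk so the scan runs offline.
"""
import os
import re
import tempfile
from collections import defaultdict
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption for the example).
SITE_HOSTS = {"www.cyclingnsw.org", "cyclingnsw.org"}
# Page types a blanket injection typically rewrites (htm/html/cfm, as in the post).
WEB_EXTENSIONS = {".htm", ".html", ".cfm"}
# Matches the src attribute of any <script> tag, whatever its other attributes.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Constructed injected tag; the hostname is a placeholder, not the one in the post.
INJECTED = '<script type="text/javascript" src="http://injected-host.example/c.js"></script>'


def external_script_hosts(html):
    """Hostnames that <script src=...> tags in html load from, minus site-local ones."""
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname        # None for relative paths such as /js/menu.js
        if host and host not in SITE_HOSTS:
            hosts.add(host)                  # urlparse already lower-cases the hostname
    return hosts


def scan_webroot(root):
    """Walk root; return ({external_host: [relative paths]}, number of web pages scanned)."""
    hits = defaultdict(list)
    total = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            total += 1
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for host in external_script_hosts(fh.read()):
                    hits[host].append(os.path.relpath(path, root))
    return dict(hits), total


def blanket_injections(hits, total, threshold=0.5):
    """Hosts referenced from at least `threshold` of all pages.  One script in every
    page is the signature of the blind file rewrite, not a single bad page."""
    if total == 0:
        return {}
    return {h: sorted(f) for h, f in hits.items() if len(f) / total >= threshold}


def build_sample_site():
    """Write a constructed web root: four pages, three carrying the injected tag, plus an image."""
    root = tempfile.mkdtemp(prefix="webroot_")
    pages = {
        "index.htm": "<html><head><script src='/js/menu.js'></script></head>"
                     "<body>Home" + INJECTED + "</body></html>",
        "results.cfm": "<html><body>Entry list" + INJECTED + "</body></html>",
        "about.html": "<html><body><script src='http://www.cyclingnsw.org/js/a.js'></script>"
                      + INJECTED + "</body></html>",
        "contact.html": "<html><body>Contact us</body></html>",
        "logo.png": "binary, skipped",
    }
    for name, content in pages.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    hits, total = scan_webroot(build_sample_site())
    for host, files in blanket_injections(hits, total).items():
        print(f"{host}: loaded by {len(files)} of {total} pages: {files}")
```

Point it at the real document root (or a backup taken before the cleanup) and the report doubles as the list of files to restore; pairing it with the FTP logs tells you when the rewrite happened and from where.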

If we knock on the door of the www.cyclingnsw.org server to see if they have FTP open.....

ftp 210.247.175.24
Connected to 210.247.175.24.
220 Net Administration Divisions FTP Server Ready...
Name (210.247.175.24):

They do........

4 comments:

The Climbing Lama said...

Faxing entry the way to go then?

Shane Miller - GPLama said...

It is only the 'list' server that I see the issue with. It is different to the payment/entry server.... but...

compass2k said...

Thanks Shane, our present ISP didn't step up so we are moving to a more proactive hosting company.
Shouldn't be any disruption to riders.
Might get you to cast your professional eye over our new subsite when moved.
Thanks again - great catch.
Dan (CNSW/CVic support)

Shane Miller - GPLama said...

Dan - If you can get a hold of the FTP logs, I'm super keen to review them to see the pattern/technique that was used. The more we know about these guys the more we can defend against them. Shoot me an email if you can grab 'em. Cheers!