Posts Tagged ‘malware’

Malware Infection on Soholaunch Sites Issues

Wednesday, July 21st, 2010

A Soholaunch exploit has been found, and dealing with it has been problematic. We don’t have much information, and some of what we do have is a bit confusing, so we’re going to try to break it down for you.

In a Nutshell: The hole has been actively exploited for about a week. We cannot craft a signature to filter out the attack without also breaking all Soholaunch installs (if someone has come up with a mod-security rule for it, email me. I’ll pay you. Seriously.) We can detect the infections and clean them once they are found, though see the caveat below. We were given two patch scripts by Soholaunch and ran them on all servers. The first one didn’t work; the second one appears to have worked, as we did not pick up active infections last night.

We’re hopeful, at this point, things are secure from an injection standpoint. We are not comfortable assuring you of that, however.

207 of you are currently using Soholaunch licenses. We had about 125 infections, across all servers. This was a widespread exploit that was actively used, and it was more than just here.

Ok, so what’s the caveat?

The caveat is that the passwords to your Soholaunch install could be harvested through this hole, so even if we patch it and clean the infections, your site remains at high risk of exploitation if your login information is not changed.

We are suggesting the following for all Soholaunch installations:

  1. All installations should be updated. v4.9.3 r42 (which includes additional security patches) has been re-released as the “latest” build. It is highly recommended that you install it. If for some reason it breaks, simply log in to sohoadmin and “update” to the previous build (r41), which is still listed as the “stable” build.
  2. All sohoadmin logins and passwords should be reset. Logins and passwords. If you saved FTP passwords in the program, change those as well.
  3. If you saved any kind of secured information in the program, like logins shared between colleagues, go change those.
  4. If you do not run a firewall or virus scanner, received notice from us that you were actively infected, and visited your own site, get your computer scanned.

If you leave logins and passwords the same, your site is potentially at risk. I cannot stress that highly enough.

Malware Detection by Google

We are beginning to see notices from Google that sites have been picked up by them as Malware infected. Google will send notifications to:

abuse@yoursite.com, admin@yoursite.com, administrator@yoursite.com, contact@yoursite.com, info@yoursite.com, postmaster@yoursite.com, support@yoursite.com, webmaster@yoursite.com

All abuse notifications come to us as well, so we will get the notification if you miss it. Once Google pegs you as dangerous, people coming from Google to your site will see the following notice in the search results:

And the following when they click through (if they click through):

If we get the email, we will send you the notification after individually scanning your site. If you have a Soholaunch site and do not yet have a Webmaster account, we suggest you get one now, before you potentially get the notice, so that your site can be un-pegged as soon as we’re all sure the issue has passed.

We have set up a special email for this issue so if you have any questions, email security@drak.net.

DrakNet Implements Daily Malware Scanning

Tuesday, July 13th, 2010

Lecturing, begging, and pleading has done no good, so now we’re taking the next step.

Ok, it’s not really all your fault – sites are such a target these days that malware attempts are becoming ridiculously common, and while you sometimes (ok, a lot of the times) make it easy for them, sometimes it’s the software developers that miss a great big hole that you could drive a truck through. Once the truck’s parked, it’s sometimes hard to find – though Google’s getting good at it.

By the time Google finds it, you’re out of the search engine, we’ve suspended you, and frankly we’d like to help you all avoid those little “all stops” to your business, or those little infections you pass on to your visitors before we’re aware.

Last night, DrakNet installed a malware scanner on all servers. Hit management is a very simple anti-virus-like quarantine system: it moves offending files to a quarantine container and logs the exact source path and destination file name in the quarantine locker, in case we need to restore any data due to false positives (though this should never happen, since we are using hash-based detection). In addition, the quarantine function can search the process table for running tasks that contain the file name of the offending malware and stop any processes it may be running.

The scanner runs daily over all files changed on the server within the last two days, ensuring that we get a look at any file that has been changed at all. It will tell us what it found and what it did. It is programmed to automatically quarantine the file and the infection, returning the file to its original location only if the infection could be removed, and isolating the infected version of the file in a container so we can take a look at it. Not all infections can be cleaned; if that’s the case, the file will simply be removed and quarantined.
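As an added illustration (not DrakNet’s scanner, which the post does not name), here is the core of such a daily sweep in Python: hash every file changed within the last two days, quarantine hash matches under a unique name, and keep a source-to-destination log so a false positive can be restored. The signature set, the two-day window and the paths are constructed assumptions; the process-table kill step described above is left out.

```python
import hashlib
import os
import shutil
import time
import uuid

# Constructed stand-in for a malicious file body; a real deployment would
# load its signature set from a feed rather than hard-code one hash.
SAMPLE_MALICIOUS_BODY = b"CONSTRUCTED-MALWARE-SAMPLE-FOR-TESTING-ONLY\n"
BAD_HASHES = {hashlib.sha256(SAMPLE_MALICIOUS_BODY).hexdigest()}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def recently_changed(root, max_age_days, skip_dir):
    """Yield regular files under root modified within max_age_days, ignoring skip_dir."""
    cutoff = time.time() - max_age_days * 86400
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != skip_dir]
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p) and os.stat(p).st_mtime >= cutoff:
                yield p

def scan(root, quarantine_dir, bad_hashes=BAD_HASHES, max_age_days=2):
    """Quarantine every recently changed file whose hash is known-bad; return (src, dest) pairs."""
    os.makedirs(quarantine_dir, exist_ok=True)
    log_path = os.path.join(quarantine_dir, "quarantine.log")
    hits = []
    for path in recently_changed(root, max_age_days, quarantine_dir):
        if sha256_of(path) not in bad_hashes:
            continue
        # Unique name in quarantine; log source -> destination so a false positive can be restored.
        dest = os.path.join(quarantine_dir, uuid.uuid4().hex + "_" + os.path.basename(path))
        shutil.move(path, dest)
        with open(log_path, "a") as log:
            log.write(f"{path}\t{dest}\t{int(time.time())}\n")
        hits.append((path, dest))
    return hits

def restore(quarantine_path, log_path):
    """Undo a false positive by moving the file back to the path recorded in the log."""
    with open(log_path) as log:
        for line in log:
            src, dest, _ = line.rstrip("\n").split("\t")
            if dest == quarantine_path:
                shutil.move(dest, src)
                return src
    return None
```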

Currently, we’re running full scans on every server, which we started last night. This could take a few days because of the sheer number of files on each server, and depending on the number of infections it could take us a bit to contact everyone who was found to be compromised.

Alongside the full scan, last night’s daily scan ran as well. Each morning, as we go over what was found, we will prepare emails to site owners whose sites were found with malware, outlining what was done and the general steps we recommend to avoid infections in the future. Those who had malware installed within the past two days have already received emails outlining the issues found.

We’re hopeful that by implementing this, we can avoid automatic suspensions and catch malware before it breeds like a cell dividing on your site, as once an entry point is established, infections tend to expand exponentially as the hacker realizes the infection has gone undetected.

You can, at any time, email support for a scan of your site if you are concerned that something is going on with it. In addition, rather than passing the cleaning of infections back to you, we will run the automated quarantine and cleaning scan at no charge, hopefully securing the site and passing it back to you without malware (though some files that cannot be cleaned will need to be reinstalled or rebuilt by you).

Please let us know if you have any questions about this new policy.

Half a Million Web Sites Compromised

Wednesday, May 14th, 2008

Trend Micro is reporting that a massive attack has been launched against web sites using old or poorly configured phpBB installations.

This compromise is similar to the mass compromises that they and others reported earlier this year: visiting a compromised site leads to a series of redirections, which eventually causes the download of malware.

In this particular case, TROJ_ZLOB.CCW is on the tail-end. “In true ZLOB fashion, this variant poses as a video codec installer”, and appears as the graphic at left.

For more information, check out the Trend Micro Blog.

If you have phpBB installed on your web site, take action now to make sure it is up to date and patched, and not compromised. We see a particular issue with folks trying out the software and then not using it, leaving it in an ignored subdirectory, misconfigured, unpatched and totally vulnerable, because it is still public and malicious folks can still find it. Unpatched and unused bulletin board systems often become a playground for hackers, who post spam after spam in your forgotten board, taking up server resources as well as putting your account, and anyone who stumbles onto the unused software, at risk.

Never leave unmaintained software hanging out in a public directory – if you are going to periodically play with new software but can’t give it adequate attention frequently or immediately, put it in a password protected directory so that it’s not available to the general public just in case you forget about it.

If anything in your directories is public, always make sure it is patched, current, and maintained, and if you can’t use the most current version of a piece of software because of compatibility issues, make sure the version you are using is not a vulnerable one. A simple Google search for the software name, version, and “security advisory” is usually enough to turn something up if there is one.

We will be auditing the servers to find phpBB versions subject to this risk, and will take them offline if we find them, so if you’re using it, get there before us and patch it.
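As an added example of such an audit (not DrakNet’s own tooling), this Python script inventories phpBB trees under a web root, including the forgotten ones in test subdirectories, and flags those below a minimum version. It assumes an install root is recognisable by viewtopic.php plus config.php and that phpBB 3 publishes PHPBB_VERSION in includes/constants.php; the minimum version passed in is a placeholder, not a statement of which release fixes the problem.

```python
import os
import re

# phpBB 3 defines its version in includes/constants.php (assumption stated in the lead-in);
# older trees without that constant are reported as None so a human checks them by hand.
VERSION_RE = re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']+)'\s*\)")
MARKER_FILES = ("viewtopic.php", "config.php")  # assumed enough to recognise an install root

def parse_version(text):
    """'3.0.5' -> (3, 0, 5); a non-numeric component such as 'RC1' counts as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def find_installs(web_root):
    """Return [(install_dir, version_or_None)] for every phpBB tree under web_root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        if not all(marker in filenames for marker in MARKER_FILES):
            continue
        version = None
        constants = os.path.join(dirpath, "includes", "constants.php")
        if os.path.isfile(constants):
            with open(constants, encoding="utf-8", errors="replace") as f:
                m = VERSION_RE.search(f.read())
            version = m.group(1) if m else None
        found.append((dirpath, version))
        dirnames[:] = []  # an install's own subdirectories are not separate installs
    return found

def audit(web_root, minimum):
    """Classify each install as 'ok', 'outdated' or 'unknown' against the minimum version."""
    floor = parse_version(minimum)
    report = []
    for path, version in find_installs(web_root):
        if version is None:
            status = "unknown"
        elif parse_version(version) < floor:
            status = "outdated"
        else:
            status = "ok"
        report.append((path, version, status))
    return sorted(report)
```

Anything reported as "unknown" or "outdated" is a candidate for patching or for moving behind password protection, as the post recommends.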
