Posted on

Do I have SoapSoap in my WordPress?

Apparently, 100,000 WordPress sites have been compromised by this nasty. It injects redirect code in to WordPress themes.

According to an analysis posted by  Tony Perez on his blog, it’s going to be easy to spot if you’re a server administrator as in injects the code:

php function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

In to wp-includes/template-loader.php

So,

find / -name template-loader.php -exec grep {} swfobject \;

should do the trick. I’m not a PHP nut, but I don’t think swfobject is common in that file.

Update: 06-Jan-2015

The web site linked to above has an on-line scanner that’s supposed to check for this problem, so I’ve just run it against this blog. It found something here. False positive, methinks! I’ve written to them pointing out that the search may be a little naive given the subject matter of that post! Fair play for providing such a tool free of charge though. It’s a little hard to see how such a scanner could work at all, but not pick up text lifted from a compromised site.

 

Posted on

Sony and Microsoft games network hack

Both the Sony an Microsoft games network servers have been badly disrupted from Christmas day. The cyber vandals Lizard Squad have admitted responsibility.

This outage has nothing to do with millions of new games consoles being unwrapped and connected at the same time. Oh dear me no. Their network servers would have taken the huge spike in workload in their stride. This is definitely something to blame on those awful hactivists, and any suggestion that it was teetering on the brink and all it needed was a little push is a foul slur on the competence of Microsoft and Sony.

The extent to which Lizard Squad was involved may be in question, but major respect for the expert way they’ve played the media. Again.

Posted on

BT Parental Controls Hack

In a move of spectacular incompetence, BT Broadband has hacked the HTTP data stream to customers in order to pop up a message concerning it’s “Parental Controls”. It’s done this without seeking any permission from the customer, and to add insult to injury, the code they’re injecting is buggy.

The injected popup  says “How to protect your family online with BT Parental Controls”, with an “Are you keeping your family safe?” online in order to worry the ignorant. It goes on “Safeguard all the computers, tablets and phones(sic) connected to your Home Hub”. The “Home Hub” is the weak and feeble excuse for a router they send you “free” when you sign up, and which anyone who knows anything about networking will have kept in the shrink wrap.

BT Parental Controls Popup
The popup you can’t kill. BT appears to be injecting this in to the HTTP stream of unsuspecting customers

As you can see from the pop-up above , there is a “No thanks” option, but it simply doesn’t work. Several commonly used websites such as Amazon have become unusable as a result – you just can’t get rid of the BT popup. Even clicking on “Yes please, Set it up” leads you nowhere except to a login to which the credentials are a mystery. Quite possibly because I’m not one of the lusers with a “Home Hub” (or business hub).

And this is on a standard Windoze 7 PC running the current version of the Chrome browser. And no software firewall to blame it on.

I called BT to complain and ask for it to be removed. They don’t even know what I’m talking about, which is odd because there was a spate of this stupidity earlier in the year. Fortunately they stopped before a full roll-out, but you can’t keep a good idiot now – the same idiot has resurrected the idea and rolled it out, possibly wholesale this time. Whoever it was should be publicly named and sacked.

Posted on

Sony Hack – whodunnit?

Details are starting to emerge about how Sony was compromised. Sagie Dulce from Imperva reckons he’s seen the Destover back-door software used before, in 2012 in Saudi and then again in the 2013 Dark Seoul.

A few days ago Jaime Blascoof AlienVault Labs sent me a note about malware samples he’s got hold of, with the following comment:

“From the samples we obtained, we can say the attackers knew the internal network from Sony since the malware samples contain hardcoded names of servers inside Sony’s network and even credentials – usernames and passwords – that the malware uses to connect to systems inside the network. The malware was used to communicate with IP addresses in Europe and Asia, which is common for hackers trying to obscure their location. The hackers who compiled the malware used the Korean language on their systems.”

I’ve had other reports that the malware was compiled using a Korean language development environment. This means nothing to me – a lot of these generic malware kits are.

To me, this is looking more and more like the work of the usual suspects. An inside job – not a sudden and spontaneous lashing out by the North Koreans. This kind of attack requires time to put together.

 

Posted on

North Korea Refuses to Deny Sony Cyber Attack

The popular media is in a frenzy – those dastardly North Koreans have launched a cyber-attack on Sony, pinched a lot of films and posted them on-line in revenge against the company for a disrespectful comedy making fun of their glorious leader. According to the BBC, they have refused to deny the attack, with a spokesman saying “Wait and see.”

The north Koreans must be loving this – they were, apparently, pretty hacked off about the depiction of Kim Jong-un. They have no sense of humour as far as he’s concerned. However, this bears all the hallmarks of a bunch of script kiddies ripping off a load of films to add to the pirate haul. The North Korean’s response, when doorstepped about the incident, suggests to me that they think their “enemy’s” predicament is hilarious, but stops well short of taking credit for it. Why would they be so coy? Because when the real culprits break cover they’d look stupid.

Yes, it could have been the North Koreans, but they’re not exactly high-tech. As far as I can tell there are only about a thousand IP addresses for the whole country. If it were China in the frame, I could believe it. Would the Chinese pull a stunt in support of their southern “friends” – I somehow doubt that; not over a film.

Given the extensive nature of the compromise, I wouldn’t be surprised if it was an inside job. Did the people involved set out to purpetrate the hack of the decade? There’ll be trouble now.