The risks presented by unsupported operating systems are being called out in a large-scale attack on hundreds of websites.

Hackers have hit web servers running a version of the Linux 2.6 kernel released seven years ago. The result is a multistage attack where compromised websites are spiked with JavaScript that redirects users to a second site where additional malware is served.

“It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators,” said Martin Lee, a researcher with Cisco, who wrote about the compromises.

The second malicious site in this attack, Lee said, is serving up a click fraud scam where the victim’s browser displays a number of ads. He also suspects the attackers are loading a Trojan on compromised machines at this point as well.
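The injection described above (legitimate pages spiked with script that sends the browser to a second-stage site) is something a site owner can scan for. The following is an added example, not code from Cisco or from the article: it parses a page, flags `<script src=...>` references to hosts outside an allow-list, and flags inline scripts that contain a redirect. The allow-list, the `.invalid` hosts and the sample page are constructed for illustration.

```python
"""Detection helper for the injected-redirect pattern: flag <script> tags that
load code from a host the site owner does not expect, or whose inline body
sends the browser elsewhere.  Added example; allow-list and sample page are
constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads script from (constructed assumption;
# a real deployment would derive this from the site's own templates).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# Inline-script fragments that commonly implement a browser redirect.
REDIRECT_PATTERNS = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=|location\.replace\s*\(",
    re.IGNORECASE,
)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_host(src):
    """Host an external script is fetched from, or None for a relative
    reference (served by the site itself)."""
    return urlparse(src).hostname


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (reason, evidence) findings for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = script_host(src)
        if host is not None and host.lower() not in allowed_hosts:
            findings.append(("unexpected-script-host", src))
    for body in collector.inline:
        if REDIRECT_PATTERNS.search(body):
            findings.append(("inline-redirect", body.strip()))
    return findings


# Constructed sample page: two legitimate script references, plus an injected
# inline redirect and an injected loader pulled from an unrelated host.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<p>Welcome</p>
<script>document.location.href = "http://second-stage.invalid/landing";</script>
<script src="//third-party.invalid/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for reason, evidence in find_suspicious_scripts(SAMPLE_PAGE):
        print(reason, evidence)
```

Run it over pages fetched from your own site (or, better, over the files on disk, since a compromised server may serve different content to crawlers than to browsers) and diff the findings against a known-good baseline; a new external host or a new inline redirect is the signal worth paging on.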

The attack ramped up Monday and Tuesday of this week, Cisco said, noting that 400 distinct hosts were infected on each day and more than 2,700 URLs have been used in the attack, some of them legitimate websites that have fallen victim. Most of the web servers hit in this campaign were in the United States, Germany and Spain.

“This large scale compromise of an aging operating system highlights the risks posed by leaving such systems in operation. Systems that are unmaintained or unsupported are no longer patched with security updates,” Lee said. “When attackers discover a vulnerability in the system, they can exploit it at their whim without fear that it will be remedied.”

Lee also points out similarities between this attack and some used by the defunct Blackhole exploit kit, but it’s unlikely these are Blackhole compromises. Instead, he said, they could be part of a Mesh Network attack described by Sucuri in January.

Coincidentally, Cisco’s report comes a few days after research published by Imperva about exploits that surfaced a few months ago for a two-year-old PHP vulnerability. Close to 20 percent of sites on the web are vulnerable to the bug, which affects PHP 5.3.x before 5.3.12 and 5.4.x before 5.4.2.

“Not only are we seeing a vulnerability used after it was released so long ago, but what we’re seeing is attackers and professional hackers understanding what vendors understand—people just don’t patch,” Imperva director of security research Barry Shteiman said. “They can’t or won’t or are not minded to fix these problems.”

PHP is found on nearly 82 percent of websites today; these attacks target sites where PHP runs under CGI, a configuration that allows code execution from the outside. Shteiman said the vulnerability affects a built-in mechanism in PHP that is meant to keep it from exposing files and commands. A configuration flaw lets attackers first disable that security mechanism, which in turn allows them to run remote code or inject arbitrary code.
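The two facts the article gives about the PHP issue (the affected version range, and the requirement that PHP be running under CGI) are enough for an inventory triage. The following is an added example, not Imperva’s or the PHP project’s code: it takes the version string and SAPI name an installation reports and classifies the host. The set of CGI SAPI names and the sample inventory are assumptions constructed for illustration.

```python
"""Triage helper for the PHP-CGI issue: given the PHP version and SAPI name an
installation reports, decide whether it falls in the affected range named in
the article (5.3.x before 5.3.12, 5.4.x before 5.4.2) and runs under CGI.
Added example; CGI SAPI names and the sample inventory are constructed."""
import re

# First fixed release per affected minor branch, as stated in the article.
FIXED_VERSIONS = {(5, 3): (5, 3, 12), (5, 4): (5, 4, 2)}

# SAPI names that mean PHP is being invoked as a CGI program (assumption:
# these are the names php_sapi_name() returns for the php-cgi binary).
CGI_SAPIS = {"cgi", "cgi-fcgi"}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as
    'PHP 5.3.10-1ubuntu3 (cgi-fcgi)' or plain '5.4.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True when the version is on an affected branch and below its fix.
    Returns None for branches the article says nothing about."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def triage(version_text, sapi):
    """Classify one host as 'exposed', 'patched', 'not-cgi' or 'other-branch'."""
    affected = version_affected(parse_version(version_text))
    if affected is None:
        return "other-branch"
    if not affected:
        return "patched"
    if sapi.lower() not in CGI_SAPIS:
        return "not-cgi"
    return "exposed"


def triage_inventory(rows):
    """Apply triage() to (hostname, version_text, sapi) rows."""
    return [(host, triage(version_text, sapi)) for host, version_text, sapi in rows]


# Constructed inventory, e.g. as collected by running `php -v` and
# `php -r 'echo php_sapi_name();'` on each host.
SAMPLE_INVENTORY = [
    ("web-01", "PHP 5.3.10-1ubuntu3 (cgi-fcgi)", "cgi-fcgi"),
    ("web-02", "PHP 5.4.1 (cli)", "apache2handler"),
    ("web-03", "PHP 5.4.4 (cgi-fcgi)", "cgi-fcgi"),
    ("web-04", "PHP 5.2.17 (cgi)", "cgi"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(host, status)
```

One caveat for anyone relying on this: distributions often backport security fixes without bumping the upstream version number, so a version-string check over-reports on such builds; treat an `exposed` result as a prompt to confirm against the distribution’s changelog rather than as proof.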

These two attack campaigns should put system administrators on notice about inventorying unsupported operating systems and bringing patch levels up to par.

“Large numbers of vulnerable unpatched systems on the internet are tempting targets for attackers. Such systems can be used as disposable one-shot platforms for launching attacks,” Cisco’s Lee said. “This makes it all the more important that aging systems are properly maintained and protected.”

Categories: Malware

Comments (3)

  1. Fadi (itoctopus)

    I wonder whether the number that Cisco has is realistic – I suspect the number of compromised servers and websites is much more than that.

    Many sys admins have really no idea how it’s important to keep their servers patched – some are aware of the importance, but they are afraid that they can break things by patching the server up.

  2. me

    Or the SysAdmin knows the systems need to be patched, but also knows it will break things. Everyone seems to leave out that it’s management that gets to allocate development time, not sysadmins.

  3. Daryl Giles

    The author is mistaken and did not read the article very well as it is clearly stated in the article that:

    “The observation of affected hosts running Linux kernel 2.6 is anecdotal and in no way reflects a universal condition among all of the compromised websites.”
