Once in a rare while in a world replete with hack attacks, a single computer hack manages to stand out from the crowd. Such is the case with the hack against mit.edu, the web infrastructure of one of the world’s most prestigious universities.
For weeks, technical forums have been discussing relentless attacks against websites built atop the PHP-and-SQL technologies – vulnerable sites that are turned into tools for malware dissemination or “brute-force” attacks. This type of campaign alone is estimated to claim 100,000 or more victims.
Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. It is currently unknown how the crawler bot was planted on the MIT server, but it is certain that it probes the web for hosting accounts that come with a vulnerable version of PHPMyAdmin, the popular database frontend for MySQL servers.
PHPMyAdmin is used by web developers and site administrators to connect to a database and perform specific SQL operations over the web, such as creating, reading, updating and deleting records. Our information shows that the vulnerable versions of PHPMyAdmin range from 2.5.6 to 2.8.2.
When the crawler located on the MIT infrastructure finds a vulnerable version of PHPMyAdmin, it tries to gain administrative privileges and inject a SQL query into the database. If the website has been successfully compromised, the crawler leaves behind a folder called “muieblackcat”, a marker used in the manner of a mutex to flag the host as already infected. This is not the only damage to the attacked server. Depending on how robust the attacked server is, the multitude of GET requests per second might grind it to a halt.
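The three facts the article gives a defender to work with are the vulnerable version range (2.5.6 to 2.8.2), the “muieblackcat” folder left on compromised hosts, and the burst of GET requests that a scanned server absorbs. The script below, an added example that is not part of the original article or of BitDefender’s analysis, turns each of those into a check: a version-range test for a deployed PHPMyAdmin, a filesystem sweep for the marker folder under a web root, and an access-log pass that reports source addresses whose per-second GET rate crosses a threshold while probing PHPMyAdmin paths. The log format (Apache “combined”), the placeholder addresses from the documentation ranges, the sample log lines and every function name are assumptions constructed for the demo.

```python
"""Defender-side checks for the PHPMyAdmin scanning campaign described above.

Added example, not from the original article. The log lines, IP addresses and
helper names are constructed assumptions; only the version range and the
marker folder name come from the article.
"""
import os
import re
import tempfile
from collections import Counter, defaultdict

# Version range the article reports as vulnerable (inclusive at both ends).
VULNERABLE_MIN = (2, 5, 6)
VULNERABLE_MAX = (2, 8, 2)

# Folder name the article identifies as the crawler's infection marker.
INFECTION_MARKER = "muieblackcat"

# Apache "combined" access log line (assumed log format for the demo).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """Turn '2.8.0.3' into a comparable 3-tuple (2, 8, 0); parts past the third are ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(text):
    """True if the installed PHPMyAdmin version falls inside the article's range."""
    return VULNERABLE_MIN <= parse_version(text) <= VULNERABLE_MAX


def find_infection_markers(webroot):
    """Return every directory named after the crawler's marker beneath webroot."""
    hits = []
    for dirpath, dirnames, _files in os.walk(webroot):
        for name in dirnames:
            if name.lower() == INFECTION_MARKER:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_marker_scan():
    """Build a throwaway web root containing the marker, scan it, return relative hits."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "htdocs", INFECTION_MARKER))
    os.makedirs(os.path.join(root, "htdocs", "images"))
    return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_infection_markers(root)]


def peak_get_rate(log_lines):
    """Map each source IP to its highest GET count in any single second.

    Combined-format timestamps have one-second resolution, so grouping on the
    raw timestamp string buckets requests per second.
    """
    per_second = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        per_second[(m.group("ip"), m.group("ts"))] += 1
    peak = defaultdict(int)
    for (ip, _ts), count in per_second.items():
        peak[ip] = max(peak[ip], count)
    return dict(peak)


def flag_scanner_sources(log_lines, threshold=20):
    """Sources that both burst at or above threshold GETs/second and touch
    PHPMyAdmin-looking paths; returns {ip: sorted list of probed paths}."""
    probes = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and "phpmyadmin" in m.group("path").lower():
            probes[m.group("ip")].add(m.group("path"))
    rates = peak_get_rate(log_lines)
    return {ip: sorted(paths) for ip, paths in probes.items() if rates.get(ip, 0) >= threshold}


def _line(ip, ts, path, status=404):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 210 "-" "Mozilla/5.0"'


# Constructed sample: one scanner burst (25 GETs in one second against a spread
# of PHPMyAdmin directory names) plus one ordinary visitor.
SAMPLE_LOG = [
    _line("192.0.2.10", "10/Jun/2011:12:00:01 +0000", f"/phpMyAdmin-2.{5 + i % 4}.{i % 3}/")
    for i in range(25)
] + [
    _line("203.0.113.5", "10/Jun/2011:12:00:02 +0000", "/index.html", 200),
    _line("203.0.113.5", "10/Jun/2011:12:00:07 +0000", "/about.html", 200),
]


if __name__ == "__main__":
    print("2.6.1 vulnerable:", is_vulnerable_version("2.6.1"))
    print("marker folders:", demo_marker_scan())
    print("peak GET/s:", peak_get_rate(SAMPLE_LOG))
    print("flagged:", flag_scanner_sources(SAMPLE_LOG))
```

The threshold of 20 GETs per second is a demo value; tune it to what the server in question normally serves, and treat the combination of a burst plus PHPMyAdmin path probing, rather than either signal alone, as the thing worth alerting on.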
As a trusted top-level domain, .edu is used primarily by educational institutions in America and by other trustworthy organizations. A trackback from such a domain is a vote of confidence for an article, a blog, an entire site, or even an institution. In short, an infrastructure the size of MIT.edu is not only guaranteed to have huge bandwidth to carry thousands of malicious requests per second, but is also a good way to evade firewalls that obviously accept traffic from MIT.edu as legitimate.
This explains the interest crooks have always shown in redirecting attacks towards sites registered in this domain or other trusted ones to involve them, for instance, in promoting illegal merchandise or dubious content.
This article is based on technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.