  1. #1
    theeldergeek
    Guest

    HEADS UP : Fake drug scam

    BBC News - Fake drug scam hijacks UK college websites

    I've already found 1 school in Kent that has been affected, Longfield Academy.

    Just do a UK search on Google for something like "cialis professional" and you'll see .sch.uk and .ac.uk addresses in some of the results, although in actual fact it is not just academic sites that have been hit.

    I have no idea what the vulnerability is, or how it is being planted within the PHP.

  2. #2
    contink
    The PHP injection technique could be almost anything, but most likely something that allows files to be written to a publicly writable folder/file.

    For anyone looking into this I highly recommend mod_security (for Apache web servers) along with Suhosin to detect and intercept most attacks. There is also a service from Atomicorp that provides updated rulesets and/or a hardened Linux distro...
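As an added example (mine, not from the thread or from any of the posters), here is a Python audit that looks for the conditions the post above describes: world-writable directories under a web root, script files that have been dropped into data-only directories such as uploads, and files carrying the obfuscation idioms common in planted PHP, or the spam keyword the first post searched Google for. The directory names, the content patterns and the demo site it builds for itself are all assumptions for illustration, not anything the BBC story or this thread documented.

```python
#!/usr/bin/env python3
"""Audit a web root for the conditions that let spam pages get planted.

Added example, not from the thread. Three heuristics, all assumptions
about what "planted within the PHP" usually looks like:
  1. world-writable directories under the web root,
  2. executable script files sitting in upload/cache style directories
     that should only ever hold data,
  3. files containing obfuscation idioms or the spam keyword the original
     poster searched for.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Directory names that normally hold data, never code (assumption).
DATA_DIR_NAMES = {"uploads", "upload", "images", "cache", "tmp", "files", "media"}
SCRIPT_SUFFIXES = {".php", ".php3", ".php5", ".phtml", ".pl", ".cgi"}

# Indicators of injected content. "cialis" is the term the first post used
# for its Google search; the eval/base64 and preg_replace /e idioms are
# common obfuscation in planted PHP (assumed indicators, not from the thread).
CONTENT_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"preg_replace\s*\(.*?/e[\"']", re.S),
    re.compile(rb"cialis", re.I),
]
MAX_SCAN_BYTES = 512 * 1024  # don't read whole videos looking for a keyword


def audit_web_root(root):
    """Return a list of (category, path, detail) findings for the tree at root."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        mode = d.stat().st_mode
        if mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", str(d), oct(mode & 0o777)))
        in_data_dir = any(
            part.lower() in DATA_DIR_NAMES for part in d.relative_to(root).parts
        )
        for name in filenames:
            p = d / name
            if in_data_dir and p.suffix.lower() in SCRIPT_SUFFIXES:
                findings.append(("script_in_data_dir", str(p), p.suffix))
            try:
                with open(p, "rb") as fh:
                    data = fh.read(MAX_SCAN_BYTES)
            except OSError:
                continue
            for pat in CONTENT_PATTERNS:
                if pat.search(data):
                    findings.append(("suspicious_content", str(p), pat.pattern.decode()))
                    break
    return findings


def build_demo_site(base=None):
    """Create a constructed web root with one planted file of each kind.

    Test data only: the 'shell' is inert text, the spam page is a hidden div.
    """
    base = Path(base) if base is not None else Path(tempfile.mkdtemp())
    (base / "uploads").mkdir(parents=True, exist_ok=True)
    (base / "uploads").chmod(0o777)  # the writable folder the post warns about
    (base / "index.php").write_text("<?php echo 'hello'; ?>\n")
    # Planted script in the upload directory (constructed, harmless):
    (base / "uploads" / "img.php").write_text("<?php eval(base64_decode($_GET['c'])); ?>\n")
    # Injected hidden spam content (constructed):
    (base / "about.html").write_text("<div style='display:none'>buy cialis professional</div>\n")
    # A clean data file that must not be flagged:
    (base / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not really a jpeg")
    return base


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_site()
    for cat, path, detail in audit_web_root(target):
        print(f"{cat:20s} {path}  ({detail})")
```

Run it against a real document root (`python3 audit.py /var/www`) and treat every `script_in_data_dir` hit as a probable web shell until proven otherwise; the keyword pattern is noisy on a pharmacy site, so tune `CONTENT_PATTERNS` to the site you are checking.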

  3. #3

    elsiegee40
    Looks like it's more than college websites too. Daily Telegraph website, Isle of Wight Council Job Vacancies, Pershore High in Wilts, Purbeck school in Dorset...

  4. #4


    pete
    I see BBC IT reporting is up to its usual standards. "Security firm respins story about something that's been going on for years, news at 11."

    http://www.edugeek.net/forums/securi...rnography.html

    If you don't keep up to date with patches on a public-facing webserver (or leave unmoderated comments turned on), you'll be pushing penis pills before you know it. This is basic, noob-level IT skills.

  5. #5
    theeldergeek
    Guest
    Quote Originally Posted by pete View Post
    I see BBC IT reporting is up to its usual standards. "Security firm respins story about something that's been going on for years, news at 11."

    http://www.edugeek.net/forums/securi...rnography.html

    If you don't keep up to date with patches on a public-facing webserver (or leave unmoderated comments turned on), you'll be pushing penis pills before you know it. This is basic, noob-level IT skills.
    Shame I can't delete my original post; pointless of me to post any info when something that is apparently 9 months out of date is remembered by someone else and plucked from the archives.



    Nonetheless, here's a page that really does demonstrate the level to which this vulnerability can be exploited.
    Last edited by theeldergeek; 5th March 2010 at 05:03 PM.

  6. #6


    pete
    Quote Originally Posted by theeldergeek View Post
    Shame I can't delete my original post; pointless of me to post any info when something that is apparently 9 months out of date is remembered by someone else and plucked from the archives.

    Sorry dude, I wasn't having a go at you - the BBCs habit of believing any old IT PR crap they're fed just annoys me.

    In .sch.uk it's much cleaner than it was back in May/June last year. Brum was especially noticeably bad, purely because they'd slapped CMS installs randomly around their infrastructure and hadn't bothered to patch (or decommission abandoned ones). This can be solved by sacking the negligent, but it's local government so it's epically hard to get fired for incompetence.
    Last edited by pete; 5th March 2010 at 05:21 PM. Reason: typo

  7. #7
    theeldergeek
    Guest
    Quote Originally Posted by pete View Post
    Sorry dude, I wasn't having a go at you - the BBCs habit of believing any old IT PR crap they're fed just annoys me.
    Oh, it's OK, I know you weren't having a go at me, I was highlighting (badly) the quality of BBC journalism, in that if something that is 9 months old can be found in a forum archive, it just goes to show how poor their resources are at getting up-to-date news.

    I think equally worrying however, is that whilst educational establishments were clearly targeted, there are an awful lot of privately run web sites in the link I posted who (for one reason or another) won't have a clue about vulnerabilities.

    How can someone who runs a small business website on, say, Joomla, be expected to ensure it is secure when all they do is press the "Fantastico" button and the site is installed for them?

  8. #8


    pete
    Quote Originally Posted by theeldergeek View Post
    How can someone who runs a small business website on, say, Joomla, be expected to ensure it is secure when all they do is press the "Fantastico" button and the site is installed for them?
    Realise their strengths and weaknesses and hire a professional. I use an accountant for sorting out earnings for contract work because he's better at it than me (and he saves me money) - an accountant should hire a web designer if they want a new website.

    They could use a host who's prepared to do it for you (and commits to an SLA for patching within $days of fix available).

    If they want to do it themselves (assuming shared hosting), all they really have to do is RTFM and subscribe to the Joomla security mailing list. Those two things alone will put them head and shoulders above most small business owners from a security perspective.

  9. #9
    theeldergeek
    Guest
    Quote Originally Posted by pete View Post
    Realise their strengths and weaknesses and hire a professional. I use an accountant for sorting out earnings for contract work because he's better at it than me (and he saves me money) - an accountant should hire a web designer if they want a new website.

    They could use a host who's prepared to do it for you (and commits to an SLA for patching within $days of fix available).

    If they want to do it themselves (assuming shared hosting), all they really have to do is RTFM and subscribe to the Joomla security mailing list. Those two things alone will put them head and shoulders above most small business owners from a security perspective.
    Trouble is, many small businesses (and certainly private individuals who run web sites) don't have the budget for a professional to come in and do their sites, so they do it themselves, or get it done on the cheap. A website is a website is a website as far as they are concerned - security? what security?

    How many of us fix our own cars, or do our own DIY? Why don't we get the 'pros' in?

    Because we can do just as good a job, and aren't as aware of building regs or safety issues that the pros would perhaps be?

  10. #10
    SteveBentley
    Surely the fact that the sites use PHP is irrelevant? Any server-side language (ASP, Perl etc.) would be equally vulnerable to SQL injection?
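Added example (mine, not from the thread) backing up the point in the post above: the flaw lives in how the query is assembled, not in PHP. Python with an in-memory SQLite table stands in for PHP, ASP or Perl here; the table, its two rows and the payloads are constructed for the demo and the function names are my own.

```python
#!/usr/bin/env python3
"""SQL injection is a query-construction bug, not a language bug.

Added example, not from the thread. The vulnerable function builds its
SQL by string formatting, exactly as a PHP, ASP or Perl script would with
concatenation; the fixed one hands the same values to the driver as
parameters. Table contents are constructed test data.
"""
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "letmein")],
    )
    return con


def login_vulnerable(con, name, password):
    """Input is spliced into the SQL text, so quotes in it become SQL syntax.

    Returns the list of user names the query matched; a login routine that
    treated a non-empty result as 'authenticated' would be bypassed.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in con.execute(sql)]


def login_parameterised(con, name, password):
    """Same query with placeholders: the driver sends input as data, never SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (name, password))]


# Three classic payloads (constructed). Each works on any server-side
# language whose query string is built the way login_vulnerable builds it.
BYPASS_AS_USER = "alice' --"          # comment out the password check
TAUTOLOGY = "' OR '1'='1"             # make the WHERE clause true for every row
DUMP_COLUMN = "' UNION SELECT password FROM users --"  # read another column


if __name__ == "__main__":
    db = make_db()
    print("bypass as alice   :", login_vulnerable(db, BYPASS_AS_USER, "wrong"))
    print("tautology         :", login_vulnerable(db, "x", TAUTOLOGY))
    print("dump passwords    :", login_vulnerable(db, DUMP_COLUMN, "x"))
    print("parameterised     :", login_parameterised(db, BYPASS_AS_USER, "wrong"))
    print("parameterised, ok :", login_parameterised(db, "alice", "hunter2"))
```

Python's sqlite3 `execute()` refuses more than one statement, so stacked-query payloads (`'; DROP TABLE ...`) are not shown; the comment, tautology and UNION payloads need no such feature and behave the same against any database the vulnerable pattern is used with.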

  11. #11
    contink
    It may have been an old thread but it bears repeating that security is not an "as and when" deal... It needs to be looked at regularly...

    Given up on the number of numpties who do the Fantastico installs... Like placing a gun in a toddler's hands and expecting them to be safe...

  12. #12
    theeldergeek
    Guest
    Quote Originally Posted by contink View Post
    Given up on the number of numpties who do the Fantastico installs... Like placing a gun in a toddler's hands and expecting them to be safe...
    Hmmm, not entirely sure I agree with the people using "Fantastico" and such like as being numpties in respect of the pitfalls of using such. Surely some responsibility lies with the hosting provider?
