The guys over at Sucuri have reported that web hosting company ServerPro has been hacked and their site defaced.
Here is the traffic log when connecting to their site:
As far as I can tell, there is no malicious code.
The pic with the “pirate computer” is hosted on a French website which can be translated to “learn to hack” (apprendre le hack). Given the hackers’ signature, I have a feeling they may be from North Africa (and possibly Tunisia).
The hackers also embedded a YouTube soundtrack:
This sort of hack says a lot about web security… Even large companies with the proper resources can still fall to script kiddies exploiting known vulnerabilities or insecure passwords.
It’s quite easy to find out what this web server is running by looking at the HTTP header response:
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/126.96.36.19935
Both Apache and PHP are out of date!
The latest Apache stable release is 2.2.22 (2.2 branch). The latest PHP version is 5.4.0 or (5.3.10 for the old stable release).
The version of Apache HTTP Server running on this host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild (CVE-2011-3192).
As far as PHP 5.2.9 goes, the list of CVEs is quite long and scary (59 in total).
Vulnerability scanning and patch management are not a panacea but have their place in making it more difficult for hackers to break into servers.
Do you own a website? Have you ever checked what software is running on it? Try SparkTrust’s web vulnerability scanner and fix potential issues before it’s too late!