Web host serverpro.com hacked, couple hundred thousand customers left hanging

The guys over at Sucuri have reported that web hosting company ServerPro has been hacked and their site defaced.

Before:

After:

Here is the traffic log when connecting to their site:

serverpro.com/
apprendre-le-hack.webobo.biz/haut/a/p/p/imghaut_apprendre-le-hack.jpg
www.youtube.com/v/2vz8LqWEjx4&feature=related&autoplay=1&loop=1
serverpro.com/favicon.ico
www.topcities.com/404.shtml

As far as I can tell, there is no malicious code.

The pic with the “pirate computer” is hosted on a French website which can be translated to “learn to hack” (apprendre le hack). Given the hackers’ signature, I have a feeling they may be from North Africa (and possibly Tunisia).

The hackers also embedded a YouTube soundtrack:

This sort of hack says a lot about web security… Even large companies with the proper resources can still fall to script kiddies exploiting known vulnerabilities or insecure passwords.

 

It’s quite easy to find out what this web server is running by looking at the HTTP header response:

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 
X-Powered-By: PHP/5.2.9

 

Both Apache and PHP are out of date!

The latest Apache stable release is 2.2.22 (2.2 branch). The latest PHP version is 5.4.0 (or 5.3.10 for the old stable release).
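The same check can be scripted for your own servers. The following is an added example, not code from the original post: it parses the Server and X-Powered-By headers quoted above and compares them with the latest releases the post names. The function names (parse_banners, audit) and the LATEST table are assumptions made for illustration.

```python
import re

# Constructed sample: the two response headers quoted in the post.
SAMPLE_HEADERS = (
    "Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 "
    "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635\r\n"
    "X-Powered-By: PHP/5.2.9\r\n"
)

# Latest release per maintained branch, as stated in the post (assumed baseline).
LATEST = {
    "Apache": {(2, 2): (2, 2, 22)},
    "PHP": {(5, 3): (5, 3, 10), (5, 4): (5, 4, 0)},
}

TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_banners(raw_headers):
    """Return {product: version tuple} from Server and X-Powered-By headers."""
    found = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("server", "x-powered-by"):
            continue
        value = re.sub(r"\([^)]*\)", " ", value)  # drop comments such as (Unix)
        for product, version in TOKEN.findall(value):
            found[product] = tuple(int(p) for p in version.split("."))
    return found


def audit(raw_headers, latest=LATEST):
    """List (product, seen, newest) for banners older than the baseline."""
    findings = []
    for product, seen in parse_banners(raw_headers).items():
        branches = latest.get(product)
        if not branches:
            continue  # no baseline for this product, so nothing to compare
        # Use the same branch if it is still maintained, else the newest one.
        target = branches.get(seen[:2], max(branches.values()))
        if seen < target:
            findings.append((product, ".".join(map(str, seen)), ".".join(map(str, target))))
    return sorted(findings)


if __name__ == "__main__":
    for product, seen, newest in audit(SAMPLE_HEADERS):
        print(f"{product} {seen} is behind {newest}")
```

A version banner is only a hint: distributions such as RHEL backport fixes without changing the upstream version string, so confirm against the installed package before concluding that a given CVE applies.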

The version of Apache HTTP Server running on this host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild (CVE-2011-3192).

As if this was not enough, Apache 2.2.17 is also affected by these: CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053.

As far as PHP 5.2.9 goes, the list of CVEs is quite long and scary (59 in total).

 

Vulnerability scanning and patch management are not a panacea but have their place in making it more difficult for hackers to break into servers.

Do you own a website? Have you ever checked what software is running on it? Try SparkTrust’s web vulnerability scanner and fix potential issues before it’s too late!

 

Jerome Segura
