Web host serverpro.com hacked, couple hundred thousand customers left hanging

The guys over at Sucuri have reported that web hosting company ServerPro has been hacked and their site defaced.

Before:

After:

Here is the traffic log when connecting to their site:

serverpro.com/
apprendre-le-hack.webobo.biz/haut/a/p/p/imghaut_apprendre-le-hack.jpg
www.youtube.com/v/2vz8LqWEjx4&feature=related&autoplay=1&loop=1
serverpro.com/favicon.ico
www.topcities.com/404.shtml

As far as I can tell, there is no malicious code.

The pic with the “pirate computer” is hosted on a French website whose name translates to “learn to hack” (apprendre le hack). Given the hackers’ signature, I have a feeling they may be from North Africa (and possibly Tunisia).

The hackers also embedded a YouTube soundtrack:

This sort of hack says a lot about web security… Even large companies with the proper resources can still fall to script kiddies exploiting known vulnerabilities or insecure passwords.

It’s quite easy to find out what this web server is running by looking at the HTTP response headers:

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/5.2.9

Both Apache and PHP are out of date!

The latest Apache stable release is 2.2.22 (2.2 branch). The latest PHP version is 5.4.0 (or 5.3.10 for the old stable release).
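The same check can be run against your own server's response headers. The script below is an added example, not code from the original post: it parses the two headers quoted above and compares Apache and PHP with the release numbers given in this post. The function names and the BASELINE table are assumptions made for illustration.

```python
import re

# Latest releases per branch as stated in the post (early 2012); update before real use.
BASELINE = {"Apache": ["2.2.22"], "PHP": ["5.4.0", "5.3.10"]}

# Constructed sample: the two response headers quoted in the post.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 "
              "mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635",
    "X-Powered-By": "PHP/5.2.9",
}

TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\S+)")

def parse_banner(headers):
    """Return {product: version} for every product/version token disclosed."""
    found = {}
    for name in ("Server", "X-Powered-By"):
        # Drop parenthesised comments such as "(Unix)" before tokenising.
        value = re.sub(r"\([^)]*\)", " ", headers.get(name, ""))
        for product, version in TOKEN.findall(value):
            found.setdefault(product, version)
    return found

def numeric(version):
    """Leading dotted-number part as a tuple: '0.9.8e-fips' -> (0, 9, 8)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def audit(headers, baseline=BASELINE):
    """Map each disclosed product to 'outdated', 'current' or 'untracked'."""
    report = {}
    for product, version in parse_banner(headers).items():
        if product not in baseline:
            report[product] = (version, "untracked")
            continue
        seen = numeric(version)
        releases = [numeric(v) for v in baseline[product]]
        # Compare with the newest release of the same major.minor branch,
        # or with the oldest tracked branch when the running branch is not listed.
        same_branch = [r for r in releases if r[:2] == seen[:2]]
        target = max(same_branch) if same_branch else min(releases)
        report[product] = (version, "outdated" if seen < target else "current")
    return report

if __name__ == "__main__":
    for product, (version, status) in audit(SAMPLE_HEADERS).items():
        print(f"{product:22} {version:20} {status}")
```

Every product reported as "untracked" is still version information the server discloses to anyone who connects, so it is worth adding to the baseline or suppressing in the server configuration.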

The version of Apache HTTP Server running on this host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild (CVE-2011-3192).

As if this were not enough, Apache 2.2.17 is also affected by these: CVE-2011-3368, CVE-2011-3607, CVE-2011-4317, CVE-2012-0021, CVE-2012-0031, CVE-2012-0053.

As far as PHP 5.2.9 goes, the list of CVEs is quite long and scary (59 in total).

Vulnerability scanning and patch management are not a panacea but have their place in making it more difficult for hackers to break into servers.

Do you own a website? Have you ever checked what software is running on it? Try SparkTrust’s web vulnerability scanner and fix potential issues before it’s too late!

Jerome Segura

One comment

  1. I have been with ServerPro since March 2007. Tried and am still trying to get ServerPro to fix my web site ever since this happened. Their servers were actually hit in December 2011 and the situation progressed from there. ServerPro does not reply to any support tickets…auto closes most of them. After months of submitting support tickets and the tickets being closed I got a reply in September because they issued an invoice. Last contact with ServerPro was October 22, 2012 and they were still working on it. No communication from them since. In the meantime my web site is destroyed. I am sure many of their other clients have fallen into the same position. ServerPro even went so far as to disconnect their phone number. Now I have to figure out how to get my files because ServerPro will not send me my backup files, access to the CPanel or valid URLs to even try and work the problem through my web master. I wish luck to any of their other clients that are in my position.
