Hard to Detect Exploit in the Wild

I posted this on a couple forums I frequent and thought I would also post it here. While I run Windows servers I keep up with all web server security. As an admin I couldn’t afford not too.

I am sure most of you by now know there is a LKM (Loadable Kernel Module) exploit that is nasty and hard as heck to clean.

Read this thread at Webhosting Talk. Make sure you read it through as there is a users there that has investigated several boxes.

The original story first broke a week or so ago at TheRegister and then again a couple days ago at TheChannelRegister.

Now it seems this problem is not easily fixable yet it is very easy for your server to be infected if you are targeted.

Here is where Windows comes into this. The injected javascript looks for exploit, some already patched and one that is new. If you run any of the vulnerable software on your home computer you could be exploited and not even know it.
The vulnerable lie in these components and software

MSIE ADODB

VML

MSIE WebViewFolderIcon

MSIE RealPlayer

QuickTime

AOL Superbuddy

The first 4 are directly related to IE and were patched a while ago. Although patched some people don’t keep up so they’ll get infected.
I’m not familiar with AOL SuperBuddy so I don’t know if it is patched.

The QuickTime exploit is new as of Jan. 10TH and the alert was revised today, Jan 18TH. and affects the QuickTime Updater as well as Qucktime.

In conclusion if you have a server check the sites on it for inclusion of random javascript. Read the article or thread at WHT so you’ll know what to look for. If you’re on a shared host make sure your site isn’t serving the js.

For people using IE, I’m not sure if Firefox will make you vulnerable and from what I’ve read no one knows, make sure you either shutoff javascript or make sure all exploits are fixed. Uninstall Quicktime and QuickTime Updater. If you have it installed and make sure QuickTime is patched with the patched with the newest versions.

I hope no one that reads this is exploited.

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz