ATTENTION!!!


This website (Go Texas Soccer) was hacked.  Worst of all, the hack caused the website to try and attack visitors.

Around 7 pm CT on Fri 22 Sep 2006, I happened to notice something wrong with the site, and I immediately shut it down.  The hack probably started sometime on Thursday 21 Sep, although it is possible that it started sometime earlier.  The hack may have been intermittent.

The hackers attacked the web host service that I used (HostGator), hacking hundreds of the sites that they host, including this one, to make those sites attack visitors.  If you visited this site when it was hacked, and you used Internet Explorer on Windows, it tried to attack you.  It tried to attack me, and successfully attacked one of my friends.

I do not know details of exactly when the hack started, what attacks the hackers tried to perform, and how any of you can fix a corrupted system.  The best advice I can give is to update your virus and spyware checking tools, scan your system, and generally to keep updating them.  (This is good advice in general.)  Some of the malware programs are new and would not be detected by out-of-date scanners.

I am particularly disturbed that HostGator kept their websites running after it was clear that they were attacking visitors.  Of course, they could not realize, when the first reports of problems came in, exactly what was going on.  However, they almost certainly figured out that an attack was underway before I did.  While the attacks were underway, HostGator was trying to fix the problems, so the attacks were probably intermittent, but the problems kept coming back.

However, I believe that the break-in at HostGator is now fixed, and the webpages are safe, so I have put the website back up with this host.  I will keep evaluating the situation over time.

If you wish to email me, I can be reached at mkness21@yahoo.com.  I can also be sometimes found as pantone159 on HornFans and BigSoccer.


Details of the Hacking Attack

The attackers took advantage of three new security problems to make their attack.  This was a sophisticated, organized, and dangerous attack.  The attack on this particular website is only a very tiny part of the entire thing.

First, there was a problem with the account configuration system (something called 'cPanel') on the HostGator webservers.  cPanel is used by many web hosts other than HostGator.  This problem allowed someone with access to an account on the web host (either an actual customer or someone who had hacked into a customer account) to take full control of the web servers.  They apparently managed to do this about a month ago, but they (apparently) did not immediately use their power to attack, but instead waited until around Thursday 21 Sep.

Second, there was a problem with Internet Explorer on Windows, known as the VML Exploit.  This problem meant that a website could send malicious data to make your computer execute 'arbitrary code', which is the technical term for 'God Knows What'.  With this power, the hackers could potentially install viruses, pop-up ads, keystroke loggers, or hooks to allow them to control the computer at a later date.  These kinds of nasties are generically called 'malware'.  The first attempts, anywhere in the world, to exploit this IE flaw happened around Tuesday 19 Sep.  Microsoft had no patch for this problem.  Originally, they were not expected to release one for about a month, but Microsoft did release a patch earlier than scheduled.

There are a number of recent news stories about this exploit.  Almost all of the attacks with this exploit involved disreputable websites that were intentionally attacking visitors.  The HostGator attack is one of the only situations where normally well-behaved websites were hacked to attack visitors.

Third, many of the malware programs that were sent out were new, and so were not detected by most virus/adware scanners.  At this point, many of them may still be undetectable, so it is important to keep updating these tools for new definitions.

Sometime around Thursday, the hackers used the control they got through the first problem to corrupt the webpages that came from HostGator, including this one.  The corrupted webpages sent visitors to another website, which used the second problem to install malware, some of which was new and undetectable (the third problem).  Supposedly some other web hosts were attacked as well.  HostGator may have been chosen since they are a fairly large web host (and well respected, at least until now), but I do not know.

A number of malicious programs may have been installed.  One user was infected with the viruses EXPL_EXECOD.A and TROJ_AGENT.EXI.  Trend Micro has an online scanner, http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php, that claims to detect these viruses.  This user also started to get pop-up ads for some strange virus scanner.  Other things may have been tried as well.
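As an added example (not code from this page or its author), here is a small Python check a site owner could run over their own HTML files after an incident like this one: it flags iframes, scripts, frames and meta-refresh redirects that point at hosts outside an allow-list, and compares each page against a known-good hash so silently edited pages stand out.  The allow-list host and the two sample pages are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample: a clean page, and the same page with a hidden iframe
# appended, which is the kind of edit that sends visitors to another site.
CLEAN_PAGE = """<html><head><title>Go Texas Soccer</title></head>
<body><h1>Go Texas Soccer</h1><p>Match reports.</p>
<script src="/js/site.js"></script></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://attacker.example/x.html" width="0" height="0"></iframe></body>')

# Assumed allow-list: hosts your own pages may legitimately load content from.
ALLOWED_HOSTS = {"gotexassoccer.example"}

# Tags that pull in or hand off to another URL.
SRC_RE = re.compile(r'<(iframe|script|frame)[^>]*\ssrc=["\']?([^"\'\s>]+)', re.I)
REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'\s>]+)', re.I)


def external_host(url):
    """Host part of an absolute URL, or None for relative paths."""
    m = re.match(r'(?:https?:)?//([^/:?#]+)', url, re.I)
    return m.group(1).lower() if m else None


def suspicious_references(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose target host is not on the allow-list."""
    hits = []
    for tag, url in SRC_RE.findall(html):
        host = external_host(url)
        if host and host not in allowed_hosts:
            hits.append((tag.lower(), url))
    for url in REFRESH_RE.findall(html):
        host = external_host(url)
        if host and host not in allowed_hosts:
            hits.append(("meta-refresh", url))
    return hits


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def changed_from_baseline(html, baseline_sha256):
    """True when the page no longer matches the hash taken when it was known good."""
    return sha256_hex(html) != baseline_sha256


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_PAGE)
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, changed_from_baseline(page, baseline), suspicious_references(page))
```

Run it over every file in the site's document root, with baseline hashes recorded from a backup taken before the incident.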

Some News Stories About the Attacks

http://www.securityfocus.com/news/11415?ref=rss - Tag-team attack exploits IE flaw

http://www.eweek.com/article2/0,1759,2020889,00.asp?kc=EWRSS03119TX1K0000594 - Article about the Microsoft patch for Internet Explorer

http://www.thewhir.com/features/092906_HostGator_Recovers_From_cPanel_Flaw.cfm - Story about the HostGator attack

http://forums.hostgator.com/showthread.php?t=10939 - HostGator support forum with information (sort of) about the attack

http://news.netcraft.com/archives/2006/09/22/hacked_hostgator_sites_distribute_ie_exploit.html - A news article about the attack on HostGator.

http://news.netcraft.com/archives/2006/09/23/hostgator_cpanel_security_hole_exploited_in_mass_hack.html - A story about the details of the attack on HostGator.  According to this, the attacks started late on Thu 21 Sep, and involved a customer of HostGator in the attacks.  Other web hosts may be vulnerable.

http://www.nytimes.com/cnet/CNET_2100-1002_3-6118672.html?_r=2&oref=slogin&oref=slogin - A story about the VML exploit that briefly mentions (not by name) the HostGator attack.