Original URL: http://www.channelregister.co.uk/2007/07/03/mpack_reloaded/
Poor configuration of Apache servers allowed multiple websites hosted on the same physical server to become infected in last month's MPack compromise.
An analysis (http://isc.sans.org/diary.html?storyid=3078) by security researchers at the SANS Institute's Internet Storm Centre reveals that, where Apache file permissions were improperly configured, only one of the websites hosted on a machine needed to contain a vulnerable PHP script for every site on that machine to be infected. Because all PHP scripts on such a server run as the single Apache user, a vulnerable script on one site hands an attacker the same read and write access to every other customer's files that the web server itself has. Often the root cause is that hosting firms skimp on the hardware needed to add an extra layer of protective virtualisation.
Thousands of websites (mainly in Italy) were recently compromised using the MPack malware kit. The compromised pages were injected with iframe tags that pointed visitors towards hacker-controlled websites.
"The main reason why this attack was possible was the fact that Apache’s process must be able to read all files (in order to serve/process them) and that the file system permissions were not correctly set. It remains questionable how many big hosting sites are affected with this (poor) setup," SANS Institute researchers conclude. "Check if your hosting company uses chroot and/or suExec because that is the only way to make sure that your own web site will not be compromised by other users sharing the same physical server."
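The SANS point above is a file-permission problem, and it can be checked mechanically. What follows is an added example, not code from the article or from SANS: a small Python model of two customers' document roots under a constructed shared-hosting layout, with the POSIX owner/group/other check applied from the point of view of a compromised PHP script in Alice's site. The paths, the uids (33 for www-data, 1001 and 1002 for the customers) and both layouts are assumptions chosen for illustration. It runs the same audit four ways: the weak layout against a hardened one (document roots 0750 owner:www-data, nothing owned by or writable for www-data), and the script executing as www-data (mod_php) against executing as the site owner (suEXEC or a per-user FastCGI pool).

```python
import posixpath
from collections import namedtuple

# Constructed model of a shared-hosting filesystem: path -> (uid, gid, mode, is_dir).
Entry = namedtuple("Entry", "uid gid mode is_dir")

WWW_UID, WWW_GID = 33, 33         # www-data on Debian-style systems (assumed ids)
ALICE_UID, BOB_UID = 1001, 1002   # two hosting customers (assumed ids)

# Weak layout (assumed). mod_php runs every customer's PHP as www-data, so every
# file has to be readable by www-data, upload directories get chowned to
# www-data, and CMS-editable files end up chmod 666.
WEAK = {
    "/var/www":                              Entry(0, 0, 0o755, True),
    "/var/www/alice":                        Entry(ALICE_UID, ALICE_UID, 0o755, True),
    "/var/www/alice/public_html":            Entry(ALICE_UID, ALICE_UID, 0o755, True),
    "/var/www/alice/public_html/index.php":  Entry(ALICE_UID, ALICE_UID, 0o644, False),
    "/var/www/alice/public_html/config.php": Entry(ALICE_UID, ALICE_UID, 0o644, False),
    "/var/www/bob":                          Entry(BOB_UID, BOB_UID, 0o755, True),
    "/var/www/bob/public_html":              Entry(BOB_UID, BOB_UID, 0o755, True),
    "/var/www/bob/public_html/index.php":    Entry(BOB_UID, BOB_UID, 0o666, False),
    "/var/www/bob/public_html/uploads":      Entry(WWW_UID, WWW_GID, 0o755, True),
}

# Hardened layout (assumed). PHP runs as the site owner (suEXEC or a per-user
# FastCGI pool), so nothing is owned by or writable for www-data; docroots are
# 0750 owner:www-data so Apache can still traverse them and serve static files.
HARDENED = {
    "/var/www":                              Entry(0, 0, 0o755, True),
    "/var/www/alice":                        Entry(ALICE_UID, WWW_GID, 0o750, True),
    "/var/www/alice/public_html":            Entry(ALICE_UID, WWW_GID, 0o750, True),
    "/var/www/alice/public_html/index.php":  Entry(ALICE_UID, WWW_GID, 0o640, False),
    "/var/www/alice/public_html/config.php": Entry(ALICE_UID, ALICE_UID, 0o600, False),
    "/var/www/bob":                          Entry(BOB_UID, WWW_GID, 0o750, True),
    "/var/www/bob/public_html":              Entry(BOB_UID, WWW_GID, 0o750, True),
    "/var/www/bob/public_html/index.php":    Entry(BOB_UID, WWW_GID, 0o640, False),
    "/var/www/bob/public_html/uploads":      Entry(BOB_UID, BOB_UID, 0o750, True),
}


def can_access(uid, gids, entry, perm):
    """POSIX permission check: owner bits if uid owns the entry, otherwise
    group bits if the entry's group is one of gids, otherwise other bits.
    Root bypasses the check entirely."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == 0:
        return True
    if uid == entry.uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((entry.mode >> shift) & bit)


def reachable(tree, path, uid, gids):
    """True if every ancestor directory known to the model grants search (x)."""
    parent = posixpath.dirname(path)
    while parent and parent != "/":
        if parent in tree and not can_access(uid, gids, tree[parent], "x"):
            return False
        parent = posixpath.dirname(parent)
    return True


def cross_tenant_exposure(tree, tenant_root, uid, gids):
    """Entries outside tenant_root that a script running as (uid, gids) can
    read (files) or write (files, or directories where it can drop new files).
    Returns a sorted list of (path, "read" | "write")."""
    findings = []
    for path, entry in sorted(tree.items()):
        if path == tenant_root or path.startswith(tenant_root + "/"):
            continue
        if not reachable(tree, path, uid, gids):
            continue
        if not entry.is_dir and can_access(uid, gids, entry, "r"):
            findings.append((path, "read"))
        if can_access(uid, gids, entry, "w"):
            findings.append((path, "write"))
    return findings


def exposure_matrix():
    """What a compromised script in Alice's site can do to Bob's files, for
    each combination of permission layout and script execution identity."""
    alice = "/var/www/alice"
    return {
        "weak+mod_php":     cross_tenant_exposure(WEAK, alice, WWW_UID, {WWW_GID}),
        "weak+suexec":      cross_tenant_exposure(WEAK, alice, ALICE_UID, {ALICE_UID}),
        "hardened+mod_php": cross_tenant_exposure(HARDENED, alice, WWW_UID, {WWW_GID}),
        "hardened+suexec":  cross_tenant_exposure(HARDENED, alice, ALICE_UID, {ALICE_UID}),
    }


if __name__ == "__main__":
    for scenario, findings in exposure_matrix().items():
        print(f"{scenario:18} {findings or 'no cross-tenant access'}")
```

Under mod_php even the hardened layout still lets Alice's script read Bob's index.php, because Apache has to be able to read anything it serves; only running each customer's scripts under their own uid removes that, and the weak+suexec row shows that suEXEC alone does not help while files stay world-writable. On a real host the same audit can be run against the live filesystem by building the dictionary from os.lstat results instead of the constructed entries.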
MPack is a malware kit, sold online to hackers at prices ranging from $500 to $1,000. The application is offered with modular extras, maintenance updates and what amounts to support contracts that in many ways rival or surpass those offered by legitimate software suppliers. ®
© Copyright 2008