The Conspiracy
This site has been victimized by a global conspiracy orchestrated by South Korea and some French guy. Their goal is to destroy the internet, sending the world back to the dark ages of the 1970's.
Okay, not quite. It is pretty intriguing, though. I'll try to document everything here so other webmasters can help themselves. Maybe we can even work together and figure it all out. I've tried to make this page as Google PageRank-friendly as possible, to aid others in finding this.
Text Ads I Didn't Consent to
The problem was first brought to my attention when I tried to access the Interval Page for AP Music Theory at school. The site was gone, buried under mounds of text ads that I didn't consent to. I was enraged. I checked it at home (under Firefox with AdBlock+ running on Linux) and didn't see anything. I assumed something was wrong with the school's network, which isn't that surprising. A few days later, on a whim, I decided to check it using Chromium and realized the problem wasn't just with the school computers--AdBlock+ had done its job and blocked them. I looked at the files on the server and saw that there was a significant size difference between that file and my local copy. I uploaded my local header file, and it looked like everything was fixed. I thought it was maybe a mistake on Bluehost's part (my host) and I didn't think anything more of these unconsented ads.
Coppermine XSS Vulnerability
A week or so later (today, 11/29/08) a friend emailed me saying that my Faith Page still had ads on it. I took a look and realized that this wasn't over. I took a look at the code. Someone or something had somehow edited the body portion of my site, right after the php header file. They were a bunch of travel ads, it looked like, which was much better than porn or Viagra ads on my faith page. I opened the source and copied/pasted some of the sites into my browser so they wouldn't know where I was coming from. My intent was to run a whois and a few other queries to see how they were all related. They were all legitimate sites, though. They ranged from fringe clothing to an ADHD Summer Camp. One thing they all had in common, though, was a Coppermine image gallery. XSS immediately came to mind, but there's no image gallery on Patent to Conform. But, there is one on my church's website which is hosted on the same account. It turns out Bluehost doesn't automatically update things like that. You have to do it in the cPanel. I ended up removing it entirely, since the pictures were outdated anyways. When I did, the ads went away from everywhere. There. Problem solved.
kladas3ss and johannstra
Problem solved for normal people. I couldn't just let it go. There was too much going on that I didn't know about. So, I decided to poke around even more. Knowing the issue was with Coppermine, I checked the security.log.php file located in the logs directory under the Coppermine root. Here are the contents: (usually when IPs are posted, the last few digits are starred to protect their privacy. I think by doing this, he's forfeited all rights to privacy. So, Storm and other botnets, here ya go)
Failed login attempt with Username: johannstra from IP 78.157.142.11 on Sep 17, 2008 at 02:46 AM
Failed login attempt with Username: kladas3ss from IP 78.157.142.11 on Sep 17, 2008 at 07:27 PM
Failed login attempt with Username: kladas3ss from IP 78.157.142.11 on Sep 18, 2008 at 04:42 PM
Failed login attempt with Username: kladas3ss from IP 78.157.142.11 on Sep 18, 2008 at 05:01 PM
Failed login attempt with Username: kladas3ss from IP 91.121.120.173 on Nov 02, 2008 at 01:52 AM
Failed login attempt with Username: kladas3ss from IP 91.121.120.173 on Nov 02, 2008 at 02:26 AM
Failed login attempt with Username: johannstra from IP 91.121.120.173 on Nov 05, 2008 at 07:43 PM
Failed login attempt with Username: kladas3ss from IP 91.121.120.173 on Nov 05, 2008 at 11:34 PM
Cool. Now there were some IPs and usernames to Google. WhoIs queries showed the IPs to be from Latvia and Paris, respectively. So, either one hacker who moves around, a proxy, or a botnet. I Googled the two usernames and found solely sites with Coppermine image galleries. On one site, they had posted comments in typical forum spambot fashion. I'm assuming these failed login attempts have something to do with it.
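As an added example (not the page's own code), here is a small Python parser for entries in the Coppermine security.log.php format quoted above. It groups failed logins by username and source IP so repeated probing stands out, and lists the usernames that don't exist on the gallery, which are the strings worth searching for elsewhere. The sample entries are constructed: they reproduce the lines above plus one extra for a known account, and the `valid_users` set ("admin") is an assumption you would replace with your gallery's real account names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of Coppermine's security.log.php, reproducing
# the entries quoted on this page plus one extra line for a known account.
SAMPLE_LOG = """\
Failed login attempt with Username: johannstra from IP 78.157.142.11 on Sep 17, 2008 at 02:46 AM
Failed login attempt with Username: kladas3ss from IP 78.157.142.11 on Sep 17, 2008 at 07:27 PM
Failed login attempt with Username: kladas3ss from IP 78.157.142.11 on Sep 18, 2008 at 04:42 PM
Failed login attempt with Username: kladas3ss from IP 78.157.142.11 on Sep 18, 2008 at 05:01 PM
Failed login attempt with Username: kladas3ss from IP 91.121.120.173 on Nov 02, 2008 at 01:52 AM
Failed login attempt with Username: kladas3ss from IP 91.121.120.173 on Nov 02, 2008 at 02:26 AM
Failed login attempt with Username: johannstra from IP 91.121.120.173 on Nov 05, 2008 at 07:43 PM
Failed login attempt with Username: kladas3ss from IP 91.121.120.173 on Nov 05, 2008 at 11:34 PM
Failed login attempt with Username: admin from IP 10.0.0.5 on Nov 06, 2008 at 09:00 AM
"""

# One regex per entry; using finditer means it also copes with a log that has
# been flattened onto a single line, as the copy on this page originally was.
ENTRY_RE = re.compile(
    r"Failed login attempt with Username: (?P<user>\S+) from IP (?P<ip>[\d.]+) "
    r"on (?P<date>[A-Z][a-z]{2} \d{2}, \d{4}) at (?P<time>\d{2}:\d{2} [AP]M)"
)


def parse_entries(text):
    """Return a list of (username, ip, datetime) tuples, one per failed login."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        when = datetime.strptime(f"{m['date']} {m['time']}", "%b %d, %Y %I:%M %p")
        entries.append((m["user"], m["ip"], when))
    return entries


def summarize(entries, min_attempts=2):
    """Group failures by (username, ip) and keep the pairs at or above the
    threshold, with first and last timestamps, so repeated probing of the same
    name from the same source stands out from a one-off typo."""
    groups = defaultdict(list)
    for user, ip, when in entries:
        groups[(user, ip)].append(when)
    return {key: (len(times), min(times), max(times))
            for key, times in groups.items() if len(times) >= min_attempts}


def unknown_usernames(entries, valid_users):
    """Names tried that do not exist on this gallery. These are the strings
    worth searching for on other sites, as the page does with the two above."""
    return sorted({user for user, _, _ in entries if user not in valid_users})


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for (user, ip), (n, first, last) in sorted(summarize(ents).items()):
        print(f"{user:12} {ip:16} {n} attempts  {first:%Y-%m-%d %H:%M} .. {last:%Y-%m-%d %H:%M}")
    # "admin" stands in for the gallery's real account list (assumed, not from the page).
    print("unknown usernames tried:", unknown_usernames(ents, {"admin"}))
```

Point it at the real file by reading it into `parse_entries` instead of `SAMPLE_LOG`; the threshold of two attempts is deliberately low because a gallery with a handful of real users should see very few failures at all.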
Unknown Query String and Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)
I took a look at my "Latest Visitors" page in cPanel. Most of the hits in the last few weeks were going to my intervals page...with a twist. Appended to the end was a query-string parameter that I never put in: item-page. All of these weird hits were coming from a user agent "Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)". Some searching showed it to be a South Korean search portal. 20% of hits this past week came from these guys, all trying to pull URLs using a query string that I never used.
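Added example, not code from the page: the same question the "Latest Visitors" page answers, asked of a raw access log instead, so you can measure the share of traffic that carries the stray parameter per user agent and pull out which referring sites link in with that parameter in their own URL. The log lines are constructed in Apache combined format (the hostnames under .invalid and the IPs are placeholders); the Yeti user-agent string is the one the page quotes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/cPanel "combined" format). Paths,
# the item-page parameter and the Yeti user agent follow what the page describes.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [28/Nov/2008:10:01:02 -0500] "GET /intervals.php?item-page=417 HTTP/1.1" 200 5120 "http://example-gallery.invalid/photo/displayimage.php?item-page=88" "Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)"
203.0.113.7 - - [28/Nov/2008:10:01:09 -0500] "GET /intervals.php?item-page=2093 HTTP/1.1" 200 5120 "-" "Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)"
198.51.100.23 - - [28/Nov/2008:10:05:44 -0500] "GET /intervals.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0.4"
198.51.100.24 - - [28/Nov/2008:10:07:01 -0500] "GET /faith.php HTTP/1.1" 200 3900 "http://www.google.com/search?q=patent+to+conform" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Chrome/1.0"
203.0.113.9 - - [28/Nov/2008:10:09:30 -0500] "GET /faith.php?item-page=31 HTTP/1.1" 200 3900 "-" "Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; adds a 'path' and a parsed 'query'."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the combined format
        d = m.groupdict()
        parts = urlsplit(d["target"])
        d["path"] = parts.path
        d["query"] = parse_qs(parts.query)
        rows.append(d)
    return rows


def hits_with_param(rows, param):
    """Requests whose query string carries the parameter you never used."""
    return [r for r in rows if param in r["query"]]


def share_by_user_agent(rows, param):
    """Fraction of all requests that carry `param`, broken down by user agent."""
    total = len(rows)
    counts = Counter(r["ua"] for r in hits_with_param(rows, param))
    return {ua: n / total for ua, n in counts.items()}


def linking_hosts(rows, param):
    """Hostnames of referrers whose own URL carries `param`: candidate members
    of the link network pointing at this site, i.e. what to check next."""
    hosts = set()
    for r in rows:
        if r["referer"] == "-":
            continue
        ref = urlsplit(r["referer"])
        if param in parse_qs(ref.query):
            hosts.add(ref.hostname)
    return hosts


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    for ua, share in share_by_user_agent(rows, "item-page").items():
        print(f"{share:5.0%} of requests carry item-page and claim UA: {ua}")
    print("referring hosts that also carry item-page:", sorted(linking_hosts(rows, "item-page")))
```

The user-agent column is self-reported, as the author notes, so treat the share figure as "requests claiming to be Yeti" rather than as Naver's actual traffic; the referrer column is equally spoofable, but a referrer that carries the parameter is still a useful lead for which sites to inspect.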
Link Farm Network
I went back and looked at my site's source. All of those links pointing to Coppermine sites also had the item-page query string with seemingly random numbers. I went to a few of them--their root index pages, not their Coppermine pages (to see the gallery, I sometimes had to remove the query string, for those of you trying it yourself). Viewing them under Chromium, they looked fine. It wasn't until I saw the source that the ads showed up. I checked my church's site--same thing. No ads, just under the hood. So why'd they show up on my site? I think it has something to do with my CSS position attribute. So, we have a whole bunch of sites linking to each other against the owners' will. Okay, pretty simple spam plot. But hidden ads? What's the point? Each of the links is prefaced by a comment containing a number. Looks like an ID of some sort, somehow tying everything together.
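Added example (not the author's code): a scanner that does what "view source" does by hand for the injection described in this section and in "Putting it all Together" below. It walks a page's HTML and reports every link carrying the item-page parameter that sits inside a container hidden by inline CSS (display:none, visibility:hidden, or absolute/fixed positioning with a negative offset), together with the numeric comment that precedes each link. The HTML is a constructed sample shaped like the injection the page describes; the hostnames are placeholders, and the hidden-style heuristic covers only inline styles, not external stylesheets.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page with an injected, off-screen block of links, modelled
# on what the page describes: a numeric ID comment before each link.
SAMPLE_HTML = """\
<html><body>
<h1>Intervals</h1>
<p>Legit content with a <a href="/theory.php">normal link</a>.</p>
<div style="position:absolute; left:-5000px; top:-5000px">
<!-- 1042 --><a href="http://gallery-one.invalid/photo/index.php?item-page=417">cheap travel</a>
<!-- 1043 --><a href="http://gallery-two.invalid/gallery/?item-page=2093">summer camp</a>
</div>
<div style="display:none"><a href="http://gallery-three.invalid/?item-page=5">more</a></div>
</body></html>
"""

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col",
             "embed", "source", "wbr"}


def is_hidden_style(style):
    """True if an inline style string hides the element from a viewer's screen."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True
    if decls.get("position") in ("absolute", "fixed"):
        # Pushed off-screen, e.g. left:-5000px
        return any(decls.get(side, "").startswith("-") for side in ("left", "top", "right", "bottom"))
    return False


class HiddenLinkScanner(HTMLParser):
    """Tracks whether the current element is inside a hidden container and
    records links with the suspicious parameter found there."""

    def __init__(self, param):
        super().__init__()
        self.param = param
        self.stack = []          # one bool per open element: inside a hidden container?
        self.last_comment = None # numeric comment seen just before the current tag
        self.findings = []       # (comment_id or None, href)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool((self.stack and self.stack[-1]) or is_hidden_style(a.get("style", "")))
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
        if tag == "a" and hidden:
            href = a.get("href", "")
            if self.param in parse_qs(urlsplit(href).query):
                self.findings.append((self.last_comment, href))
        self.last_comment = None

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()

    def handle_comment(self, data):
        text = data.strip()
        if text.isdigit():
            self.last_comment = text


def scan(html, param="item-page"):
    """Return (comment_id, href) for each link carrying `param` in a hidden container."""
    scanner = HiddenLinkScanner(param)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for comment_id, href in scan(SAMPLE_HTML):
        print(f"id={comment_id!s:>6}  {urlsplit(href).hostname}  {href}")
```

Run it over each of your own pages' served output (not your local copies, since the author's local header was clean while the server's was not); the reported hostnames are the set to whois or to warn, and a link with no visible rendering and no numeric comment is still reported, just with `None` as its ID.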
Purpose of the Query String
Puzzled by the weird query string, I did some more browsing. On most sites, the query string didn't make a difference. But on one it did. Check out http://scottandkendra.net/photo/displayimage.php/. It's a broken photo gallery. Okay, that's normal. But, add in a query string of "?pill-info=455" (or any other number) and it changes to a typical spam site. I didn't try this on my site before I got rid of Coppermine, so I don't know if it works everywhere. But it's confirmed on at least two sites. Without the query string, it's fine. But add it in, and some spammer gets free space on your website without you knowing.
Putting it all Together
So what's going on? Here's the picture as I see it. Someone found an XSS vulnerability in Coppermine, allowing them to inject arbitrary code. They got a network of these infected sites and made them link to each other, but positioned the div it was in to be unseen (unless your site's weird and poorly constructed like mine). They injected some PHP code handling an arbitrary query string and changing the content accordingly. They had the infected sites linking to other infected sites with this query string--and the webmaster wouldn't even notice unless he looked at the source. So how do those infected sites generate revenue if they're all hidden in the source? That's where Naver fits in, somehow. I imagine it's a botnet spoofing the user agent.
Hits from Naver are really taking up bandwidth in an eerily Denial-of-Service-like fashion. The bandwidth itself isn't a big deal--it's barely taken a chunk out of my monthly allotment. But, if this is just a test run from kladas3ss/botnet, who knows what might happen? I highly doubt that Yeti is the real user agent--it's elementary to change it. Even after removing Coppermine, I still get hits from it. All of the hits were to pages with the item-page query string, so I wrote some PHP code (below) to put in my header to catch it and stop it from taking up too much bandwidth. If you're a webmaster affected by this, I suggest the same thing. Just put this in your header or at the top of every page (or, if they're only visiting one page, put it there) if you can use PHP. ASP should be about the same. This will stop the rest of the page from being loaded when you're visited by Naver (or any other person/bot reaching your site from another infected site), saving you bandwidth.
<?php
if(isset($_GET["item-page"])) // replace item-page with whatever query string they visit
{ // your bandwidth saving message (if any) below
?>
If you got here via a link farm, sorry. Check out the Conspiracy Page to find out why.
Otherwise, if you're a bot (who's apparently developed sentience and can understand this), you fail.
<?php
exit(); // stop here so nothing below this block is sent
} // close the if; without this brace PHP reports a parse error
?>
Disclaimer
I am not a security expert. I haven't even gone to college yet. But, I know a few things about computers and know how to figure a few things out. I think I have a pretty accurate representation of what's going on. And this might be old news, an old trick the spammers did, with some script kiddie trying to be cool. If so, oh well. It was fun figuring out what was going on. But if not, this could be fairly widespread and you wouldn't even know about it unless you looked at the source. Contact me at ZZZcory.mead@gmail.comZZZ if you're a victim of this too, or have any more information (just remove the ZZZ's)