
Archive for the ‘security’ Category

Another reason for using Chrome.

Saturday, June 13th, 2009

This is a message I just saw when I went to ynet.co.il, the most popular website in Israel.

Isn’t it funny that such a popular site is exposed to vulnerabilities so easily?

In any case, IE users don’t get any warnings and neither does Firefox. Chrome does something different, not sure exactly what, but I guess in some way it is better than the others.


WordPress Vulnerability

Sunday, March 30th, 2008

Google up inurl:wp-content/1/ [Warning: just google it up, don’t visit any of the sites in the search results. They are full of ActiveX viruses!]. This is what I see now:

What you see is a list of sites that were hacked through the latest WordPress Vulnerability that allows hackers to insert spam into your blog.

This is just great. WordPress is the most common blog software out there, and at this minute there are over 90,000 websites that were spammed (still counting…). I’m sure that most of these site owners never heard of this exploit and some of them probably never will. The damage is enormous. This exploit made them look like spammers in Google’s eyes, and Google, being Google, never forgets anything. If you are a spammer, you are out of the index in one second.

In my opinion, the best way to deal with these hacks is Active Network Scanning. This kind of service is usually provided by an external company that scans your site for vulnerabilities on a daily basis (like Hacker Safe, but better). Once a new vulnerability is disclosed to the world, it is automatically added to their scanning system and tested against your site. This can definitely help you sleep better.

Life shows that there is no way your web site can be safe. It is just the nature of software that it is full of holes. If you at least scan your website for vulnerabilities, you know about them in time and can hope there is something you can do about it…

Important comment: if you are not in this list, it does not mean that you are safe. There are lots of other URLs that were used for this attack… This IS fun!

Update (April 12, 2008): I checked the list again, and it seems like most of the hacked pages were removed from Google’s index. It DOES NOT mean that the vulnerability is fixed, it just means that Google identified these pages as pages that should be ignored and removed them from the index. This is semi good news for those that were hacked and afraid their ranking will go kaput. Just semi, because they are still vulnerable and will surely be attacked again in the next wave…

It seems like the number of WordPress vulnerabilities is growing constantly. The most popular blogging software that exists is becoming a huge security hole. In fact, this post is written with WordPress and it feels less secure than ever. This makes me think about moving my blog to Blogger or a WordPress hosting site, instead of fighting the patches on my own server.


Vulnerability Scanner

Thursday, March 13th, 2008

I guess you all heard about goolag, the new vulnerability scanner that uses Google as its engine. I think it is fantastic. There are very creative people out there. Very. The thing is, I’m not so sure if I would trust them to keep me safe. I think that if you are looking for a commercial service, you should look for a vulnerability scanner that is run by a commercial company that does only this. I can’t depend on volunteers that update the open source software to wake up in the morning, clean the empty cokes and pizza trays off their keyboard and keep me safe. For a personal family site, or for a non-commercial site, this is fine, but if you need a real vulnerability assessment I think you should pay for your pleasure and have your network scanned by people that do that for a living.


SQL Injection

Thursday, January 3rd, 2008

I found this excellent piece of art that made me smile…

In case you were wondering what SQL Injection means, it is a trick to inject SQL commands as input, typically via web pages.

As seen above, the kid’s name is Robert');DROP Table STUDENTS;--

Now, if you run a login form that has a user name and a password, usually the SQL query behind this login form looks like this:

SELECT * FROM STUDENTS WHERE NAME='$name' AND PASSWORD='$password'

Now, if someone is trying to perform an SQL Injection attack, take Robert’s name and put it as $name, and the SQL query will look like this:

SELECT * FROM STUDENTS WHERE NAME='Robert');DROP Table STUDENTS;--' AND PASSWORD='$password'

It is quite easy to protect your system from SQL Injection in the coding phase, but usually web programmers tend to do a bad job regarding security.
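To show what "protecting in the coding phase" means in practice, here is an added example (not code from the post) using Python’s built-in sqlite3 module: the string-pasting pattern from the login query above beside a parameterized version, in which the driver sends the name as a value rather than as part of the SQL text. Table, column and sample row are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the student name from the comic, exactly as the post quotes it.
ROBERT = "Robert');DROP Table STUDENTS;--"


def build_query_unsafe(name, password):
    """The vulnerable pattern: user input concatenated straight into the SQL text.
    Whatever the user typed becomes part of the statement, quotes and all."""
    return f"SELECT * FROM STUDENTS WHERE NAME='{name}' AND PASSWORD='{password}'"


def setup_db():
    """In-memory STUDENTS table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE STUDENTS (NAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO STUDENTS VALUES (?, ?)", ("alice", "s3cret"))
    conn.commit()
    return conn


def login_safe(conn, name, password):
    """Hardened form: '?' placeholders. The SQL text is fixed and the values travel
    separately, so a quote or semicolon in the input is compared as data, never parsed."""
    cur = conn.execute(
        "SELECT NAME, PASSWORD FROM STUDENTS WHERE NAME=? AND PASSWORD=?",
        (name, password),
    )
    return cur.fetchall()


def table_exists(conn, table):
    """Check the schema catalogue so a test can confirm nothing was dropped."""
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (table,)
    )
    return cur.fetchone() is not None


if __name__ == "__main__":
    print("unsafe text:", build_query_unsafe(ROBERT, "x"))
    db = setup_db()
    print("safe lookup for Robert:", login_safe(db, ROBERT, "x"))
    print("STUDENTS still exists:", table_exists(db, "STUDENTS"))
```

With placeholders the lookup for Robert simply returns no rows and the table is untouched; the concatenated string is only built here, never executed.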

I’ll write some more about this issue soon…


Do SEO hackers care so much about the environment?

Thursday, November 29th, 2007

Al Gore’s website was hacked by spammers that added outbound links from his site to other sites they wanted to promote.

Apparently, the new type of hackers, the SEO hackers, constantly look for high ranking sites (Al Gore’s site has PR7) just for adding outbound links. It is clear that this is happening a lot, and Al Gore’s site is just one of many sites that were hacked.

It seems like a vulnerability in WordPress has left many bloggers open to attack by the same method.

This is a new era of hacking. They didn’t come for money, credit card numbers, nor user passwords. They came for Link Juice!

How exciting is that!

Wouldn’t that be funny if this page also has hidden links to some extremely disrespected sites? :)

A long time ago, I started working on a tool that will scan a given website for all outbound links, check the PR of every outbound link domain, and compare the results to the previous scan.

The original purpose was finding outbound links to bad neighborhoods, like sites that lost their ranking due to illegal activity. This tool will easily detect SEO hacking on our customers’ websites.
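The core of such a detector, as an added example rather than the tool described above: collect every outbound domain a page links to (hidden links included, since the parser sees markup the browser does not display) and diff it against the previous scan. The PR lookup is left out since it needs a network call; the page URL and both HTML snapshots are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Gather every href from <a> tags, whether or not the link is visible."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)


def outbound_domains(page_url, html):
    """Return the set of external hostnames linked from one page.
    Relative links resolve to the page's own host and are ignored, as are
    mailto:/javascript: links, which have no host."""
    collector = LinkCollector()
    collector.feed(html)
    own_host = urlparse(page_url).netloc.lower()
    found = set()
    for href in collector.hrefs:
        host = urlparse(urljoin(page_url, href)).netloc.lower()
        if host and host != own_host:
            found.add(host)
    return found


def new_outbound(previous, current):
    """Domains linked now that were absent last scan: the signal for injected links."""
    return current - previous


# Constructed sample: yesterday's page, and today's copy with a hidden link block injected.
PAGE_URL = "http://example.com/index.html"
HTML_BEFORE = (
    '<html><body><a href="/about">About</a>'
    '<a href="http://partner.example.org/">Partner</a></body></html>'
)
HTML_AFTER = HTML_BEFORE.replace(
    "</body>",
    '<div style="display:none"><a href="http://pills.example.net/buy">cheap</a></div></body>',
)

if __name__ == "__main__":
    before = outbound_domains(PAGE_URL, HTML_BEFORE)
    after = outbound_domains(PAGE_URL, HTML_AFTER)
    print("newly injected outbound domains:", sorted(new_outbound(before, after)))
```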

Stay tuned!


Searching for passwords?

Tuesday, October 30th, 2007

Google is an amazing search engine, we all know that, right?

So how about searching for passwords of people that left their passwords exposed on the internet, just for the sake of I don’t know what.

Some of the nicest examples that I tried (click on the links):

It is very important to keep your web server secured. There are ways to do things right, so that you won’t appear on those funny lists…

Update:

I wrote this post a few months ago and checked again to see what’s happening here. I looked again for passwords and for classified documents and found lots of them. It seems to me that this is only a matter of security awareness and security education. If your employees are aware of their document classification, this is a huge step to make them keep the company’s information safer. There are excellent ways to prevent this kind of information leak, and the biggest challenge for a CSO is making his employees think about security. Once they do that, there is a much higher chance that their documents won’t appear in Google.
