Square Galaxy

On February 15th, BYU will launch a new look and feel for its various websites including the BYU homepage, Route Y, and department and college sites.  The administrators for BYU’s webpages have nicknamed this new look and feel Collage.  The Collage theme sports new colors and new methods for user interaction, but will increase a hacker’s ability to steal student’s identities.

An essential component to Collage is a login form on the top of every page.  Students can type their username and password into the form to be shown a custom set of Internet links.  Webpage administrators expect that students will frequently enter their password to gain access to their preferred links.  Students will then be trained to frequently type their password on top of any page with the Collage theme.

Within a matter of minutes, anyone with a technical background can set up a page using the Collage theme.  They can make it look like a genuine and legitimate BYU site.  In particular, hacker’s can create a fake site that looks like a BYU site, but it really just a technique to trick student users.  Many student users could be tricked into giving their username and password to a fake site created by a hacker.  The hacker could then gain access to the student’s personal information, email, and financial accounts.  Once the hacker has access to the student’s information,

I got this phishing attach in my inbox.  You know, one of those that look like they are from paypal or someone, but they really aren’t.  They give you links that they ask you to click on, except that the links don’t go to paypal’s server, they go to some other site that looks like paypal and tricks you into providing your login credentials.  None of this is new.

What is new is how they are providing the address in the link.  They provided the IP address in hex.  So if I were to represent the address to my server, it would be: http://0xcf.0×2d.0×41.0×24/

I thought this was very interesting, so I tried it in Firefox and Opera on my mac, and neither were tricked.  Both browser’s didn’t convert the hex to the real IP address, so it didn’t work.   But it makes me wonder if there are browsers out there that might be tricked by such IP address encoding.

I was looking through my live bookmarks on Firefox, which is simply the titles of RSS feeds (or in this case, the Atom feed), and I found something unusual.

Where I usually find the latest posts to the Official Google Blog I found instead a title that read:

Google, fix your blog pleeasssee! <3 (P.S. Just t…

That was all I could see. When I clicked on the live bookmark, I was taken to the following URL:

http://googleblog.blogspot.com/2006/03/google-fix-your-blog-pleeasssee-3-p.html

which turns out to give a “Not Found” error. Furthermore, the Offical Google Blog and its Atom feed also return 404 errors.

So what happened to the blog? Was it hacked?

The webserver for radioclub.byu.edu recently got hacked through a php exploit in urldecode. I’m not exactly sure how this all worked, but I found that an irc bot was running on my server, and looking through the apache logs, I found that the exploit recently described as the howdark exploit. What is left to be determined is if the hacker got root access. In which case, I would have to reinstall the entire system and examine any migrated files. If I can determine that he did not get root access, then I can simply delete the files and fix the whole and hope other things like it don’t happen again.

I’ve also made sure that any other installations of phpBB2 hanging around on my other servers are either upgraded or deleted.

If anyone is running phpBB2 with a version less than 2.0.11, you really should upgrade immediately.