- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 31 Dec 2014 16:23:19 -0500
- To: Web Payments CG <public-webpayments@w3.org>
Hi all,

We've had a security compromise of one of our systems and as standard procedure, we notify the affected community as soon as we find out about the issue and fix it.

Summary/Analysis of Attack
--------------------------

Brian Sletten noticed that web-payments.org was attempting to serve a strange iframe recently. The iframe would try to take you to a malware site called film24-online. Since we keep the entire site in source control, we were able to see that only a single file was affected (header.inc). Unfortunately, this file is used on many of the pages on the website, so the exploit was widespread.

The latest file modification timestamp for header.inc states that the change was made on 2014-11-14, but a few of us had hit the site since then and had not experienced the attack (the attacker probably covered their tracks well by changing the file modification timestamp). We believe that an old version (v1.19 - 2012) of mediawiki provided the security hole, but that's speculation. We have upgraded mediawiki to the latest stable LTS release (1.23.8) in the event that it was the culprit.

If you have visited the site since 2014-11-14, your browser most likely protected you from the attack by refusing to load the iframe, which was loaded over http instead of https, causing browsers like Chrome to refuse to load a non-https served script. In addition, browsers like Safari and Chrome identify the film24-online site as a malware site. Still, if you hit the site in the last 2 months, do a malware/rootkit scan just to be safe.

What we have done to mitigate the attack now and in the future
--------------------------------------------------------------

We have taken the following steps to mitigate this attack:

1. Rolled the website back to a known good version (destroying the exploit in the process).
2. Performed a rootkit/malware scan using several different tools. Nothing out of the ordinary was detected.
3. Applied the latest OS security fixes/patches and performed a reboot. There were no critical vulnerabilities, and only a few updates to packages that are disabled or ports that are inaccessible on the machine.

We believe that this will address the problem. There is still the slim chance that we missed something. If you notice anything strange on the website please be sure to report it to the community or support@digitalbazaar.com.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: High-Stakes Credentials and Web Login
http://manu.sporny.org/2014/identity-credentials/
Received on Wednesday, 31 December 2014 21:23:42 UTC
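The check described in the report (a source-controlled baseline revealing one tampered include, with file timestamps that cannot be trusted) as an added example that is not part of the original mail or of Digital Bazaar's code. It compares content hashes of the live web root against a known-good copy and flags off-site plain-http iframes in any changed file; the file bodies, the `malware.example` host and the `SITE_HOST` value are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample data: BASELINE stands in for the source-control copy,
# LIVE for the deployed web root with one tampered include. The malware
# host is a placeholder, not the one named in the report.
BASELINE = {
    "header.inc": '<div id="nav"><a href="https://web-payments.org/">Home</a></div>\n',
    "footer.inc": "<footer>Web Payments CG</footer>\n",
}
LIVE = {
    "header.inc": '<div id="nav"><a href="https://web-payments.org/">Home</a></div>\n'
                  '<iframe src="http://malware.example/x.php" width="1" height="1" '
                  'style="display:none"></iframe>\n',
    "footer.inc": "<footer>Web Payments CG</footer>\n",
}

# Matches the src attribute of any <iframe ...> tag, case-insensitively.
IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
SITE_HOST = "web-payments.org"  # assumed own host; anything else is off-site


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def changed_files(baseline, live):
    """Files whose content differs from the baseline or that are not tracked at all.
    Content hashes are compared deliberately; mtimes are ignored because they
    can be reset by whoever modified the file."""
    return sorted(name for name, body in live.items()
                  if name not in baseline or sha256(baseline[name]) != sha256(body))


def suspicious_iframes(html, site_host=SITE_HOST):
    """Return iframe src URLs that are plain http and point to another host."""
    hits = []
    for src in IFRAME_SRC.findall(html):
        u = urlparse(src)
        if u.scheme == "http" and u.hostname and u.hostname != site_host:
            hits.append(src)
    return hits


def audit(baseline, live):
    """Map each changed file to the off-site http iframes it now contains."""
    return {name: suspicious_iframes(live[name]) for name in changed_files(baseline, live)}


if __name__ == "__main__":
    for name, srcs in audit(BASELINE, LIVE).items():
        print(f"{name}: {srcs or 'changed, but no off-site iframe found'}")
```

Against a real deployment the two dicts would be filled from the checked-out repository and the web root; a changed file with no iframe hit still deserves a manual diff.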