Nasty IE 0day exploit hosted on Amnesty International site

Visitors to Amnesty International's Hong Kong website are being bombarded with a host of lethal exploits, including one that attacks an unpatched vulnerability in Microsoft's Internet Explorer browser, researchers at security firm Websense said. The injected IE attack code resides directly on the pages of amnesty.org.hk, an …

COMMENTS

This topic is closed for new posts.
  1. heyrick Silver badge

    Something missing from this article...

    "an indication that the perpetrators were able to penetrate deep into the website's security defenses."

    And the web server is...?

    1. Roger Greenwood

      Netcraft says:-

      http://amnesty.org.hk was running Apache on Linux when last queried at 11-Nov-2010 06:16:06 GMT

    2. Cunningly Linguistic
      Boffin

      Superfluous title

      11/11/10 07:44:04 Browsing http://amnesty.org.hk/
      Fetching http://amnesty.org.hk/ ...

      GET / HTTP/1.1
      Host: amnesty.org.hk
      Connection: close
      User-Agent: Sam Spade 1.14

      HTTP/1.1 302 Found
      Date: Thu, 11 Nov 2010 07:43:30 GMT
      Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b PHP/5.2.6
      X-Powered-By: PHP/5.2.6
      Status: 302 Redirected
      Location: http://amnesty.org.hk/html
      Content-Length: 66
      Connection: close
      Content-Type: text/html

    3. Blofeld's Cat Silver badge
      Boffin

      Web server

      Well the headers say:

      Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b PHP/5.2.6

      1. heyrick Silver badge

        Thank you everybody.

        So it is Apache 2.2.9 on Unix with PHP 5.2.6. Both are not exactly new. Do we know how this was compromised? I'll scream if it was the good ol' SQL walk-in.

        I am asking... because... to be honest, I think the compromising of a major site is somewhat more newsworthy than (yet another) IE exploit.

  2. Anonymous Coward
    Grenade

    Wow

    "bombarded with a host of lethal exploits"

    Lethal? Blimey.

  3. piffle

    Well, have a look...

    Netcraft, he say:

    Linux Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8a DAV/2 PHP/4.4.7

    ...at the time of the compromise. Now updated, and secured, presumably. I trust you weren't looking for a MS IIS dig?

  4. Anonymous Coward

    Who could be behind this I wonder

    Hmm, Amnesty HK, Nobel Peace Prize targeted within a very short timescale. Anyone care to speculate that a certain large country in Asia with a not very good human rights record might have something to do with it?

  5. LINCARD1000
    Black Helicopters

    Just out of curiosity

    ...which group would be the most likely to target the site of an organisation that does so much good in the world? Generic hackers? Possibly if they were complete bastards. Or perhaps governments that have come under criticism for various human rights violations...?

    Dammit, the man in the black helicopter stole my tin-foil hat.

  6. BristolBachelor Gold badge

    Amnesty International == "Malicious website"

    Perhaps from now on the writers of the alerts (especially MS) will not say that the exploit only works if the user is coerced into visiting a malicious website.

    I would not describe the Nobel Prize foundation or Amnesty International as malicious. Given that these exploits can be hosted on almost _any_ webserver, the alerts should say that they can be exploited by visiting _any_ website.

    1. Octopoid

      While I agree

      While I agree that MS, Mozilla, et al. should try to patch up this 0day stuff a bit (well a lot) quicker, I don't agree with your reasoning here.

      Of course the Nobel Peace Prize lot or Amnesty International do not have any kind of malicious intent, but they are clearly at fault for putting together yet another Swiss cheese website. At a guess, they simply failed to sanitise their inputs or outputs properly, to the effect that SQL commands could be injected through the querystring, and then the site would happily render script tags back out. Of course, it may have been that the sites were more secure, and this was a "proper" hack, but if world governments can't get it right, it wouldn't surprise me if a club and a charity couldn't either.

      Patching 0day holes in browsers without breaking loads of legitimate stuff is often hard, a fact often overlooked by whinging pundits. Writing a website properly is not, hence I'd blame the site operators more here.

  7. yossarianuk
    Linux

    Well

    Windows users are like people who accept inefficient, tyrannical regimes and go along with them.

    1. Panix
      FAIL

      What?

      I know everyone here loves their 'kool' Linux, *BSD, etc. but that statement is a bit over-reaching. It may be hard to believe that there are people who use the computer that just want it to work, kinda like most people (myself included) don't know the ins and outs of their vehicle. I just want it to get me to A and B.....

  8. J Lewter

    websploit

    Well, I visited a page last week with IE8 and my virus scanner went off the chart...

    The page I visited (a popular forum, safe for work and nothing illegal) managed to change a regkey, install a proxy server, and change IE8's proxy configuration..

    3 instances of the program were running, all from the temp directory, and the reg key would have seen it install another bit of software had I rebooted.. There was also a bit of script added for Firefox so once it started it would have been compromised too...

    I submitted the virus for online scans and a few sites said the file was fine, so some people would have been caught out..

    DEP is enabled, but I can't rule out it loading as Java or Flash or something else of the ilk...

    Sadly, the site I think it was doesn't seem to be installing again and I couldn't replicate it (I cleared cache and history as part of the cleaning process).

  9. Someone
    Joke

    @garethfcompton

    Can someone please DDoS Amnesty off line? I shan't tell Yasmin Alibhai-Brown if you don't. It would be a blessing, really.
