MetService Hacked – How it Happened

By now, most of you should be aware of the recent attack on the MetService website that hit in a very busy period and infected many visitors' computers. It was noticeable in the form of fake virus scanner alerts on infected computers.

Everything that I have read so far explains what the trojan virus does (see this blog post) and the type of vulnerability:

We now know that the ad server was compromised by a malicious attack, through a vulnerability which allowed someone to upload a binary file into the database. This file contained JavaScript code which redirects the browser to a website which downloads malware files to the client machine.

What these sites don’t tell us is what applications on MetService’s ad server resulted in them being compromised.

I decided to do a little poking around while sitting outside in the sun on a quiet Friday.

Firstly, I used the chrome debugger to find out details about their ad server.

Turns out that the address is simply ads.metservice.com, with all the magical (PHP) scripts living in ads.metservice.com/openx-2.6.3/www/delivery. Please turn off directory indexing, MetService developers (we really don't need to see this information).

From this we can see that they are running ‘openx-2.6.3’.

So a quick search on the web for exploits against this version of the ‘OpenX’ ad tool turns up exploits-7883. This exploit works simply by requesting the following URL, which returns the server's password file:

http://ads.metservice.com/openx/www/delivery/fc.php?MAX_type=%20../../../../../../../../../../../../../../../etc/passwd%00

This exploit is a mix of ‘Poison Null Byte’ and ‘Local File Inclusion’: the `../` sequences walk out of the delivery directory, and the trailing `%00` null byte terminates the filename in PHP's underlying C string handling, so whatever suffix the script appends to MAX_type is ignored and the traversal path is included as-is.
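As an added example (not part of the original post, and not OpenX code), here is a small detector a defender could run over web server access logs to spot requests of this shape. It parses Apache combined-format lines, URL-decodes each query parameter (repeatedly, to catch double encoding) and flags values carrying a null byte or a `../` traversal sequence. The log lines are constructed samples using documentation IP addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines (Apache combined format); not real MetService logs.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2010:13:12:01 +1200] "GET /openx/www/delivery/fc.php?MAX_type=%20../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2010:13:12:05 +1200] "GET /openx/www/delivery/fc.php?MAX_type=banner&zones=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2010:13:13:40 +1200] "GET /openx/www/delivery/ajs.php?zoneid=12&cb=123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_values(target, max_decode=3):
    """Return (param, reason) pairs for query parameters that look like LFI attempts."""
    findings = []
    # parse_qsl already percent-decodes once; the loop below handles double encoding.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = value
        for _ in range(max_decode):
            again = unquote(decoded)
            if again == decoded:
                break
            decoded = again
        reasons = []
        if "\x00" in decoded:
            reasons.append("null byte")
        if re.search(r'\.\.[/\\]', decoded):
            reasons.append("path traversal")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    return findings

def scan_log(text):
    """Scan log text and return one hit dict per suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in suspicious_values(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "param": param, "reason": reason,
                         "status": m.group("status")})
    return hits
```

A 200 status on a flagged fc.php request is the line worth chasing first, since it suggests the include actually succeeded.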

This is most likely how the hacker forced their way through MetService's security, although there are more exploits in this list which are also possible. Or perhaps I am being too harsh and this was a zero-day exploit.

If we assume that it is the security vulnerability mentioned above, then this could have been avoided by keeping OpenX up to date with patches.

MetService does not appear to be keeping their PHP scripts up to date, if we go by the folder naming conventions. The OpenX website tells me that the latest version is ‘2.8.7’ while it looks like they are still sitting on ‘2.6.3’. It does appear that another development team has fallen victim to a PHP application vulnerability.

But let's not forget that ultimately it was the hacker who initiated this attack on MetService users.

Time for me to uninstall WordPress yet?

The Best Email Management Tip

This subject has been discussed quite a lot in the internet community such as here, here and here.

I had followed a lot of the tips that I found in the articles around the web. These articles often include many small tricks such as labeling, message rules, immediate replying, etc.

But undoubtedly, the single and most effective method I have come across is this:

Unsubscribe, unsubscribe, UNSUBSCRIBE!

I had to actually try this for myself to see how effective it was. It does take time. In my case it was a few months until the last of my unnecessary inbox clutter stopped arriving. Just take it day by day, thinking about every automated email you receive, and unsubscribe if it is not something that requires your guaranteed attention.

The problems with email subscriptions

  1. They trickle in at an often constant rate throughout the day, week or month.
  2. A constant email flow creates distractions throughout the day.
  3. The email flow requires sub-daily checking to keep on top of your inbox.
  4. They add up over time, often without you realising.
  5. Emails are not the most efficient method of digesting subscription-style information.

This is a rule of thumb. There are certain mission-critical services that require your guaranteed attention. For all of those messages that are merely interesting and/or not critical, I would advise sticking to feeds and other information collaboration tools.