Honeypot Alert: Hackers attempt to exploit PHP-CGI vulnerability

A few days ago, Dutch security experts released information about a vulnerability in the PHP-CGI code that allows a remote attacker to pass command-line arguments in a query string, which are handed directly to the PHP-CGI program.

Today, security researchers from Trustwave noticed that their web honeypots have caught a number of attempts to exploit the PHP-CGI vulnerability.

"Notice that while some of these are simply probes to see if the application might be vulnerable, there are also two RFI attempts to execute remote PHP code," the researcher said.

They also provided some mitigation steps for this vulnerability. You can find the details here.
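One cheap detection a defender can run over existing access logs, added here as an example rather than code from the post or from Trustwave: a php-cgi build that takes command-line options from the query string is probed with a query string that begins with "-", while legitimate parameters look like key=value. The log lines are constructed (documentation IP ranges), and the option letter used in them is just a harmless placeholder.

```python
"""Flag php-cgi argument-injection probes in web server access logs.

Added example, not code from the original post or from Trustwave: a
php-cgi build that accepts command-line options from the query string
is probed with a query string that begins with "-". Legitimate traffic
almost never produces such a query string (parameters look like
key=value), so a leading "-" right after the "?" is a low-noise
detection signal. The log lines below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2012:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/May/2012:10:02:33 +0000] "GET /index.php?-h HTTP/1.1" 200 8192 "-" "curl/7.19"
203.0.113.9 - - [07/May/2012:10:02:40 +0000] "POST /cgi-bin/php?%2Dh HTTP/1.1" 200 8192 "-" "curl/7.19"
198.51.100.2 - - [07/May/2012:10:03:01 +0000] "GET /search.php?q=-h HTTP/1.1" 200 420 "-" "Mozilla/5.0"
"""

# Enough of the combined-log format to pull out client IP, method, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_php_cgi_probe(target):
    """True when the target's query string, once URL-decoded, starts with '-'.

    '/index.php?-h' and '/cgi-bin/php?%2Dh' are flagged; '/search.php?q=-h'
    is an ordinary key=value parameter and is not.
    """
    if "?" not in target:
        return False
    query = unquote(target.split("?", 1)[1])
    return query.startswith("-")


def scan_log(text):
    """Return (ip, method, target) for every parsed line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_php_cgi_probe(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, method, target in scan_log(SAMPLE_LOG):
        print(f"php-cgi option probe from {ip}: {method} {target}")
```

The check only sees the request line, so it is a triage aid for spotting the scanning wave the honeypots saw, not a substitute for the server-side mitigation the researchers describe; pair it with that fix.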


Ransomware targets Switzerland, Germany And Austria

If you are a regular visitor of EHN, then you might be aware of ransomware. Ransomware is an old method used by cybercriminals. This kind of malware locks the victim's system and asks the user to pay some amount in order to unlock it.

A security researcher from the abuse.ch blog discovered a new ransomware that targets Swiss, German, and Austrian internet users.

As usual, the ransomware claims that the victim has violated copyright law and locks the system. It demands ₤50 in order to unlock the system and warns the user: "Failure to adhere to this request could involve criminal charges and possible imprisonment."


According to his research report, the infection vector is a well-known drive-by-download exploit kit called "Blackhole". It exploits a vulnerability in the victim's web browser (or a third-party plug-in such as Adobe Flash Player, Adobe Reader or Java) and infects the user's system with a Trojan.

The ransomware carries a further payload in the form of a Trojan called Aldi Bot, which steals banking information, abuse.ch added.

#ProjectGhostShell: Hackers leaked confidential data from Forex Traders


A hacker group called #TeamGhostShell has started a campaign named ProjectGhostShell. The hackers claim the operation is payback against the police, the informants, the snitches, the politicians, the stupid and the corrupt.

"Hello again, did you miss us world governments? We've made you guys a promise a while back, that, as long as hackers from all around the planet are getting arrested, we'll also appear, paying you all back ten-fold. Own us and we own you. Seems fair enough, don't you think?" the hackers said.


The first victim of this campaign is The European Forex Traders (www.fxtraders.eu). The hackers leaked confidential data including usernames, email addresses, encrypted passwords and more.


"'Every action has a reaction.' But don't worry, it's not the only project we have to offer. You can expect more of them to pop up in the near future. Or you can look forward to this one," the hackers said in the Pastebin leak.

Avengers: "The Hulk" (Mark Ruffalo) Twitter account hacked

The Twitter account belonging to actor Mark Ruffalo, who plays 'The Hulk' in the Avengers movie, was hacked by an unknown hacker.

The hacker took over the account, started sending out crazy messages and posted links to who has the best booties in Hollywood, which women in Hollywood have the best breasts, and how to have mind-blowing sex.

"It's kind of hilarious me getting hacked today. I got to hand it to the hacker. Kind of genius," reads a tweet from Mark_Ruffalo.

After being accused of being the hacker, he wrote, “Giving up answering Tweets. Last word on the matter. Mark's account was hacked, and the hacker renamed it, so this username became free. I registered the name so Mark could get it back if he wanted it. I'm happy to hand it over, or e-mail the password to him. End of story.”

“Dude, You are my hero. Thanks for giving me back my identity. Thanks for thinking to save it. Best to you,” Ruffalo responded.

Twitter transferred the followers and the old tweets to Hulk’s new account, @Mark_Ruffalo.


Virginia man accused of threatening to kill Obama

A Virginia man has been charged with threatening to kill President Obama.

A criminal complaint filed in federal court in Harrisonburg said Christopher Hecker of Waynesboro made death threats against the president and threatened to bomb the White House, hotels and other places, including Philadelphia City Hall and the site of the former World Trade Center. An affidavit said the threats were emailed to various media outlets.

Media outlets report that an email sent April 19 to a Roanoke radio station threatened the president's life. The FBI traced the email to Hecker's account.

The affidavit said four days later, Hecker allegedly sent an email to another media outlet that threatened more violence.

"Sooner or later I will grab someone, maybe in the woods, on the trail, and beat the life out of them," the email said.


The writer also said Obama "is the one that is destroying patriotism in the U.S.A."

On April 25 a Secret Service agent began exchanging emails with Hecker, who allegedly continued to send out more written threats.

After it was determined last week that Hecker had signed on to a computer at the Waynesboro Public Library, Secret Service agents arrested him on the side of a street.

Hecker refused to be sworn in during an appearance Friday in federal court in Charlottesville. He told a magistrate judge he didn't want an attorney, wanted to be sentenced immediately and is seeking the death penalty.

Hecker was ordered to undergo a psychological evaluation from the Valley Community Services Board.

uhjiku.com injection rate is increasing day by day: 150+ sites compromised



I have been tracking a new SQL injection attack that started on May 5, 2012. On May 6, the number of compromised sites was around 10. Today, more than 150 websites have been compromised with the uhjiku.com injection.


You can find the details about uhjiku.com injection here:
http://www.ehackingnews.com/2012/05/uhjiku-com-injection-nikjju-sql.html

We have reported this injection to some security vendors, but there has been no response from them. I think they will respond to this after the mass injection :)

[UPDATE] May 8: the number of compromised sites increased to 200.

Uhjiku.com Injection: Nikjju SQL Injection attack



The cybercriminals behind the Nikjju mass injection attack continue their SQL injection attacks against ASP/ASP.NET websites. Last month, Sucuri reported that more than 180,000 websites had been compromised.

The hackers compromise vulnerable sites by injecting the following malicious script:
    <script src=[Malware_Domain]/r.php ></script>

It seems the hackers are registering new domains every week for this attack. Recently, F-Secure discovered a new domain, 'njukol[dot]com', registered on April 28.

While analyzing one of the compromised websites, I found that a fresh domain, 'Uhjiku[dot]com/r.php', is being used in this attack. Uhjiku was registered on May 5, 2012 (yesterday).

The list of Malicious Domains:
  • Nikjju.com
  • hgbyju.com
  • njukol.com
  • Uhjiku.com
All of these domains are hosted at 31.210.100.242 and have the same registrant details.
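A site owner who wants to check their own pages for this injection can look for the exact pattern described above. The following scanner is an added example, not the post's code or any vendor's tool: it pulls every external script tag out of a page and flags those whose host is on the domain list above (or the shared hosting IP), plus any script whose path ends in /r.php, since that loader name is reused across the campaign's domains. The HTML it scans is constructed for the example.

```python
"""Scan HTML for the injected Nikjju-style <script src=[domain]/r.php> tag.

Added example, not the original post's code: it collects every external
<script src=...> in a page and flags those whose host is on the domain
list from the post (or its shared hosting IP), plus any script whose path
ends in /r.php, the loader name this campaign reuses across domains. The
HTML below is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the post; all reported hosted at the same address.
KNOWN_INJECTION_DOMAINS = {"nikjju.com", "hgbyju.com", "njukol.com", "uhjiku.com"}
KNOWN_INJECTION_HOST_IP = "31.210.100.242"

# Constructed page: one legitimate CDN script, one injected tag written the
# way the campaign writes it (unquoted src), one r.php loader on an unlisted host.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<title>Products</title></head>
<body><p>Widget 7</p>
<script src=http://uhjiku.com/r.php ></script>
<script src="http://203.0.113.77/static/r.php"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def classify_script_src(src):
    """Return a reason string if src matches the injection pattern, else None."""
    # Injected tags often omit the scheme; add one so urlsplit yields a hostname.
    url = urlsplit(src if "//" in src else "http://" + src)
    host = (url.hostname or "").lower()
    if host in KNOWN_INJECTION_DOMAINS or host == KNOWN_INJECTION_HOST_IP:
        return f"known injection domain {host}"
    if url.path.lower().endswith("/r.php"):
        return f"r.php loader on unlisted host {host}"
    return None


def find_injections(html):
    """Return [(src, reason)] for every suspicious script tag in the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        reason = classify_script_src(src)
        if reason:
            hits.append((src, reason))
    return hits


if __name__ == "__main__":
    for src, reason in find_injections(SAMPLE_HTML):
        print(f"suspicious script: {src} ({reason})")
```

Because the tag is injected through SQL into database text fields rather than into static files, run the check against the rendered pages (or directly against the text columns) rather than only the site's source tree; removing the tag without fixing the injectable query just invites the next domain on the list.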


Null Chennai Chapter monthly meet on 19th May, 2012

Hey guys,

We have scheduled our null+g4h Chennai Chapter monthly meet for 19th May, 2012.

Topics:
1) Exploits - Ahmed
2) IronWASP - Lava Kumar
3) News Byte & Symbolic Linking - Santhosh Kumar


Date :
19th May,2012 (Saturday).

Time :
4:00 - 7:00 p.m

Venue:
OrangeScape,
No.305, D-Block, North Wing,
Tidel Park, Dr.Rajiv Gandhi Salai,
Taramani, Chennai- 600113
044 3068 6500

For any issues regarding the venue or the meet, contact: niteshbetala [ at ] gmail [ dot] com or call @ 9941576747

RedKit: a new private exploit kit spotted in the wild

Trustwave security researchers have spotted a new private exploit kit in the wild. The new kit has no official name, so the researchers dubbed it 'Redkit' because of the red border used in the application's panel.

The developers promote the kit with a standard banner; buyers are required to share their Jabber username by filling in an online form hosted on the compromised site of an unsuspecting Christian church.

"Logging in to the admin panel presents you with options which are typically used by other exploit kits. The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37(!) different AVs," Trustwave researchers said.

Since each malicious URL gets blocked by most security firms within 24 to 48 hours, Redkit's authors have provided a new API that produces a fresh URL every hour, so customers of the kit can set up an automated process that updates their traffic sources every hour or so to point at the new URL.

The kit currently exploits two of the most popular vulnerabilities, but the authors will probably add more exploits soon in order to catch up with "industry leaders" such as the BlackHole and Phoenix exploit kits.

The first exploit is a fairly obfuscated PDF file that exploits the LibTIFF vulnerability (CVE-2010-0188) and the second one is Java AtomicReferenceArray vulnerability (CVE-2012-0507).

Hacked sites distribute Android malware (NotCompatible) using drive-by downloads



A Reddit user, Georgiabiker, discovered a new drive-by malware attack that targets Android users who visit hacked sites.

The hacked websites have been injected with a malicious iframe whose target looks at the User-Agent string sent by the browser to see whether it contains the string "Android". If so, it directs the device to download a malicious Android package (APK); otherwise it returns a NOT FOUND error.


After downloading the file, the device will display a notification prompting the user to click on the notification to install the downloaded app.

In order to actually install the app on a device, the "Unknown sources" setting must be enabled. If the device does not have that setting enabled, the installation is blocked.

"NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy " Lookout researchers said.
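The User-Agent cloaking described above is exactly what makes this attack easy to miss when a site owner checks their own pages from a desktop browser: the desktop gets a 404, the phone gets the APK. A differential check that requests the same URL with two User-Agent strings and compares the answers surfaces it. The code below is an added example, not from the post or from Lookout; `fetch` is a hypothetical callable `(url, user_agent) -> (status, content_type, body_prefix)`, and the two fake servers stand in for it so the example runs offline.

```python
"""Differential User-Agent check for the Android drive-by described above.

Added example, not from the post or from Lookout. The injected iframe's
target serves an APK only when the User-Agent contains "Android" and a
404 otherwise, so requesting the same URL with a desktop and an Android
User-Agent and comparing the responses reveals the cloaking. `fetch` is a
hypothetical callable (url, user_agent) -> (status, content_type,
body_prefix); the fake servers below are constructed stand-ins so the
example runs offline.
"""
APK_MIME = "application/vnd.android.package-archive"
ZIP_MAGIC = b"PK\x03\x04"  # APKs are ZIP containers, so this is the file magic

DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
ANDROID_UA = "Mozilla/5.0 (Linux; U; Android 2.3.6) AppleWebKit/533.1 Mobile Safari/533.1"


def fake_cloaked_server(url, user_agent):
    """Constructed stand-in for the injected iframe target: APK for Android, 404 otherwise."""
    if "Android" in user_agent:
        return 200, APK_MIME, ZIP_MAGIC + b"constructed-sample-apk-bytes"
    return 404, "text/html", b"<h1>Not Found</h1>"


def fake_honest_server(url, user_agent):
    """Constructed stand-in for a normal page that answers every client the same way."""
    return 200, "text/html", b"<h1>Hello</h1>"


def looks_like_apk(content_type, body_prefix):
    """APK by declared type, or by ZIP magic when the server lies about the type."""
    return content_type.lower().startswith(APK_MIME) or body_prefix.startswith(ZIP_MAGIC)


def check_ua_cloaking(url, fetch):
    """Fetch url with both User-Agents and report whether only Android got an APK."""
    d_status, d_ctype, d_body = fetch(url, DESKTOP_UA)
    a_status, a_ctype, a_body = fetch(url, ANDROID_UA)
    android_served_apk = a_status == 200 and looks_like_apk(a_ctype, a_body)
    return {
        "url": url,
        "desktop_status": d_status,
        "android_status": a_status,
        "android_served_apk": android_served_apk,
        # The pattern from the post: APK for Android, NOT FOUND for everyone else.
        "cloaked_drive_by": android_served_apk and d_status == 404,
    }


if __name__ == "__main__":
    for name, server in (("cloaked", fake_cloaked_server), ("honest", fake_honest_server)):
        print(name, check_ua_cloaking("http://example.test/iframe-target", server))
```

To use it against a real site, supply a `fetch` that reads only the first few kilobytes of the body (the magic check needs four bytes) and never executes or installs anything; the result is a signal for cleanup and for blocking the iframe's destination, and the "Unknown sources" setting mentioned above remains the device-side control.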

Spam mail claiming to come from BBB serves malware


A spam mail claiming to come from the Better Business Bureau (BBB) infects recipients with malware, warn Sophos security researchers.

The emails vary in their wording, but all claim that a consumer has complained about the company receiving the email. The details of the complaint, naturally, are contained inside the attached "BBB Report.zip" file (which, of course, contains malware).

One of the spam mails:
Dear Sirs,

The Better Business Bureau has got the above mentioned complaint from one of your clients regarding their business relations with you.
The details of the consumer's concern are presented in enclosed document.
Please review this issue and let us know about your point of view.
Please open the ATTACHED REPORT to respond this complaint.

We look forward to your urgent attention to this matter.

Sincerely yours,

[name]

Dispute Counselor
Better Business Bureau

Sophos security solutions detect the malware as Mal/BredoZp-B and Troj/Zbot-BUS.