
Comment from Imperva CTO Amichai Shulman on compromised MIT Server

November 2011 by Imperva

Below is a comment from Imperva’s CTO Amichai Shulman on the recent discovery of a compromised MIT server which was used to scan the internet for vulnerable web applications:

“The act of searching for such sensitive online information via search engines is called “Google Hacking”. And although the name emphasizes Google, this type of search engine abuse pertains to all search engines. Automating the search queries and result parsing enables the attacker to issue a large number of queries, examine all the returned results and get a filtered list of potentially exploitable sites in a very short time and with minimal effort.

In order to block automated search campaigns, today’s search engines deploy detection mechanisms which are based on the IP address of the originating request. For example, they restrict the number of search queries from a single source, they test the frequency of the queries from a single source and also restrict massive retrieval of results from a single query.

This finding is quite interesting as it is another example of how hackers are increasingly employing new means which allow them to bypass these detection techniques. In this case, the hackers used a compromised MIT server for their search activity. Search engines are less likely to identify the suspicious queries coming from sources known to have a good reputation - such as MIT.

Although we cannot guarantee this is the case, it is also likely that the MIT server is one compromised machine out of a network of machines under the attacker’s control (i.e. a “botnet”). The reason is that we increasingly see how hackers employ botnets in their Google Hacking campaigns. This way, the hackers can distribute the query across different machines, which defeats the search engines’ automated query detection mechanisms.

Another interesting aspect in this story is that it also shows how servers are increasingly becoming hacker targets. One compromised server is roughly equal in bandwidth to 3,000 compromised machines. As such, hackers find servers more attractive targets. For example, IRC chat logs of LulzSec – the hacktivist group which went on a 50-day hacking spree during the summer – showed how they used servers to carry out some of their attacks. Here is the chat extract:

“lol - i used to load about 8,000 RFI with usp flooder crushed most server :D”

This snippet tells us that lol – a LulzSec member – had 8,000 infected servers (not PCs!) to conduct the DDoS attacks. Given the estimation that one infected server is equal to 3,000 infected PCs, then 8,000 servers would be like 24M PCs.”
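As an added illustration (not part of Imperva's comment or of this article), the code below implements a simplified form of the per-source rate check the comment describes and runs it over a constructed query log, alongside a complementary per-query check that still notices one campaign spread across many sources; the log entries, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample log, one entry per search request: (timestamp in seconds, source IP,
# normalised query string). It contains one noisy single source, one query spread across
# ten different sources (the "botnet" pattern from the comment), and a benign request.
SAMPLE_LOG = (
    [(t, "198.51.100.7", f"campaign-query-B variant {t}") for t in range(0, 60, 5)]
    + [(t * 7, f"203.0.113.{t}", "campaign-query-A") for t in range(1, 11)]
    + [(30, "192.0.2.9", "weather tomorrow")]
)


def flag_noisy_sources(log, window_s=60, max_queries=10):
    """Per-IP rate check: flag any source that issues more than max_queries
    requests inside a sliding window of window_s seconds."""
    flagged, recent = set(), defaultdict(deque)  # ip -> recent timestamps
    for ts, ip, _query in sorted(log):
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > max_queries:
            flagged.add(ip)
    return flagged


def flag_distributed_queries(log, window_s=120, max_sources=5):
    """Complementary check keyed on the query rather than the source: the same
    query arriving from more than max_sources distinct IPs within window_s seconds
    is the signature of a campaign distributed over many machines, which a purely
    per-IP limit (each machine stays under its own threshold) cannot see."""
    flagged, recent = set(), defaultdict(deque)  # query -> recent (ts, ip)
    for ts, ip, query in sorted(log):
        window = recent[query]
        window.append((ts, ip))
        while window and ts - window[0][0] > window_s:
            window.popleft()
        if len({src for _, src in window}) > max_sources:
            flagged.add(query)
    return flagged


if __name__ == "__main__":
    print("noisy sources:", flag_noisy_sources(SAMPLE_LOG))
    print("distributed queries:", flag_distributed_queries(SAMPLE_LOG))
```

Running it shows the per-IP check catching only the single noisy source, while the distributed query is caught only by the per-query check.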

