Forth Road Bridge Website Hacked
John A Thomson, MD of Roundtrip Solutions, has just finished investigating a reported issue with the website of the Forth Estuary Transport Authority (FETA), otherwise known as the Forth Road Bridge website. This blog post will make for interesting reading, highlighting the changing nature of the web and how legitimate websites can be compromised to serve nasties to visitors.

Photo by Martin Third
One of our customers phoned to ask about an adult-themed pop-up that appeared when visiting the Forth Road Bridge website. Unfortunately, we were unable to confirm they had actually visited the website and hadn’t mistakenly gone to some porn website in the first place, but what we could confirm was an alarming situation with the FETA website at that time.
Upon visiting the website our security systems immediately went off with reports of the website serving an MDAC-RDS exploit using the NeoSploit hacking toolkit – see the image below for more details.
LinkScanner Pro, a product from Exploit Labs (recently bought by AVG), also reported a problem when it was used to evaluate the Google search result for FETA – see below.

The exact wording used by LinkScanner Pro in its Exploit log was:
NeoSploit
This is an MDAC-RDS exploit, wrapped in an attempted polymorphic script generator.
Yikes! Sounds pretty nasty, doesn’t it? There is more detail here.
The Google cached page seemed to be unaffected initially, but then Google’s bots came roaming past and now it is also showing an exploited website. The conclusion from all this: the hack took place sometime in late January or early February.
The next check was to ensure the domain was indeed owned by FETA by doing a domain lookup. Although the actual result was inconclusive, enough information could be gathered to say with a reasonable level of certainty that it was indeed the legitimate website. They obviously had Consilium UK as the supplier involved with the delivery of the website back in 2003. We do wonder why the registrant details aren’t an address somewhere close to the bridge!
Whois Record
Domain: feta.gov.uk
Registered For: Forth Estuary Transport Authority
Domain Owner: Forth Estuary Transport Authority
Registered By: Lumison Ltd
Servers: ns0.lumison.net, ns.as12703.net
Registrant Contact: Richard Abrams
Registrant Address: Consilium UK Ltd, Mirren Court One, 119 Renfrew Road, PA3 4ED, United Kingdom
Phone: +44 1418471545
Fax: +44 8703305882
Entry updated: Friday 11th May 2007
Entry created: Wednesday 17th September 2003
It was worth checking the IP address was assigned to FETA in case the problem was down to some kind of DNS issue.
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Information related to '87.246.98.144 - 87.246.98.151'
inetnum: 87.246.98.144 - 87.246.98.151
netname: LU4682
descr: Internal infrastructure
country: GB
admin-c: LUMH-RIPE
tech-c: LUMN-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
mnt-by: EDNET-RIPE-MNT
changed: dns@ednet.co.uk 20051111
source: RIPE

role: Lumison Hostmaster
address: Lumison Ltd
address: 12 Dock Place
address: Edinburgh
address: EH6 6LU
address: UNITED KINGDOM
remarks: trouble: For customer support please email support@lumison.net
remarks: trouble: or call +44 (0)845 1199 999
remarks: trouble: For abuse reports please send to abuse@lumison.net
remarks: trouble: For peering requests please send to peering@lumison.net
mnt-by: EDNET-RIPE-MNT
e-mail: hostmaster@lumison.net
admin-c: GA8874-RIPE
tech-c: GA8874-RIPE
nic-hdl: LUMH-RIPE
changed: neil.saunders@lumison.net 20040816
changed: neil.saunders@lumison.net 20040908
source: RIPE
abuse-mailbox: abuse@lumison.net

role: Lumison NOC
address: Lumison Ltd
address: 7 Claylands Road
address: Newbridge
address: EH28 8LF
address: UNITED KINGDOM
remarks: trouble: For customer support please email support@lumison.net
remarks: trouble: or call +44 (0)845 1199 999
remarks: trouble: For abuse reports please send to abuse@lumison.net
remarks: trouble: For peering requests please send to peering@lumison.net
mnt-by: EDNET-RIPE-MNT
admin-c: GT73-RIPE
admin-c: GA8874-RIPE
admin-c: IM1814-RIPE
tech-c: RM7978-RIPE
tech-c: GT73-RIPE
tech-c: IM1814-RIPE
nic-hdl: LUMN-RIPE
source: RIPE
abuse-mailbox: abuse@lumison.net
changed: ian.mackinnon@lumison.net 20060727
e-mail: noc@lumison.net

% Information related to '87.246.64.0/18AS12703'
route: 87.246.64.0/18
descr: Lumison Limited IP allocation.
origin: AS12703
mnt-by: EDNET-RIPE-MNT
changed: dns@ednet.co.uk 20050908
source: RIPE
Again, we had to infer that this was indeed the IP address of the FETA website! The FETA domain points at Lumison’s name servers and Lumison owns the IP address range that contains the FETA web server. The bits of the puzzle link up.
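To make that correlation repeatable, here is an added example (not the post's own code) that parses RIPE RPSL output and reports which inetnum and route objects contain a given server address. The excerpt is constructed from the records quoted above; the web server address used is an assumed value, since the post does not state the real one.

```python
import ipaddress

# Constructed excerpt of the RIPE records quoted above (objects are separated by blank lines).
RIPE_TEXT = """\
inetnum: 87.246.98.144 - 87.246.98.151
netname: LU4682
descr: Internal infrastructure
mnt-by: EDNET-RIPE-MNT
source: RIPE

route: 87.246.64.0/18
descr: Lumison Limited IP allocation.
origin: AS12703
source: RIPE
"""

def parse_rpsl(text):
    """Split RPSL output into objects; each object maps an attribute to its list of values."""
    objects, current = [], {}
    for raw in text.splitlines() + [""]:      # the trailing "" flushes the last object
        line = raw.strip()
        if not line or line.startswith("%"):  # blank line ends an object; '%' lines are server comments
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return objects

def object_networks(obj):
    """Address blocks covered by an object's route (CIDR) and inetnum (start - end) attributes."""
    nets = [ipaddress.ip_network(r, strict=False) for r in obj.get("route", [])]
    for rng in obj.get("inetnum", []):
        start, _, end = rng.replace("\u2013", "-").partition("-")   # tolerate an en dash
        nets += ipaddress.summarize_address_range(ipaddress.ip_address(start.strip()),
                                                  ipaddress.ip_address(end.strip()))
    return nets

def correlate(server_ip, whois_text=RIPE_TEXT):
    """Netname and origin AS of the objects that contain server_ip (None = not covered)."""
    ip = ipaddress.ip_address(server_ip)
    result = {"netname": None, "origin": None}
    for obj in parse_rpsl(whois_text):
        if any(ip in net for net in object_networks(obj)):
            result["netname"] = obj.get("netname", [result["netname"]])[0]
            result["origin"] = obj.get("origin", [result["origin"]])[0]
    return result

print(correlate("87.246.98.146"))  # assumed server address inside the inetnum; the post does not give the real one
```

Running the same check against the Turkish server address named later in the post shows it sits in neither object, which is the contrast the investigation relied on.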
Next it was worth sniffing the website traffic to see where the compromise was occurring. After a little digging around, the exploit code was found fairly easily: the obfuscated JavaScript made it stand out like a sore thumb. Very nasty indeed! This code made the browser connect to a server in Turkey with an IP address of 88.255.90.130. Most of the time this server returned instructions to look at the BBC website, but occasionally it delivered another JavaScript payload, which could have done anything it liked!
To confirm the problem was indeed a genuine website compromise we referred the incident to Roger Thompson over at AVG. He’s the person with all the experience in dealing with exploits detected by LinkScanner Pro. In fact, he got a mention in a 2006 Baseline Magazine article that detailed this very same exploit when it was first being seen in the wild. Expect to see a blog post from Roger very soon on his findings for this incident. We expect he will have completed the last piece of the puzzle and know the particular nasties being pushed out by the Turkish server.
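As an added example (not code from the post), a small scanner over a captured HTML response that flags the indicators described above: script or iframe sources pointing at a bare IP literal or an off-site host, the eval/unescape wrapper used to hide the script, and the RDS.DataSpace control that the MDAC-RDS exploit fixed by MS06-014 abuses. The sample page is constructed; feta.gov.uk and the Turkish server address are the only values taken from the post.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "feta.gov.uk"  # scripts served from here (or its subdomains) are expected

# MDAC-RDS indicators: the RDS.DataSpace control by ProgID and CLSID (the control MS06-014
# addressed), plus the eval/unescape wrapper that hides a script behind %xx-escaped text.
RDS_MARKERS = ("RDS.DataSpace", "BD96C556-65A3-11D0-983A-00C04FC29E36")
EVAL_UNESCAPE = re.compile(r"(?:eval|document\.write)\s*\(\s*unescape\s*\(", re.I)
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}){40,}", re.I)
SRC_ATTR = re.compile(r'''<(?:script|iframe)[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)''', re.I)
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def scan_page(html):
    """Return (finding, evidence) pairs for one captured HTML response; [] means nothing flagged."""
    findings = []
    lowered = html.lower()
    for marker in RDS_MARKERS:
        if marker.lower() in lowered:
            findings.append(("mdac-rds-control", marker))
    wrapper = EVAL_UNESCAPE.search(html)
    if wrapper:
        findings.append(("eval-unescape-wrapper", wrapper.group(0)))
    for run in ESCAPED_RUN.findall(html):
        findings.append(("long-escaped-run", f"{len(run)} chars"))
    for src in SRC_ATTR.findall(html):
        host = urlparse(src).hostname or ""      # "" for relative paths such as /js/site.js
        if IP_HOST.match(host):
            findings.append(("script-from-ip-literal", src))
        elif host and host != SITE_HOST and not host.endswith("." + SITE_HOST):
            findings.append(("third-party-script", src))
    return findings

# Constructed capture: two legitimate script tags followed by an injected block of the shape
# described in the post (escaped filler stands in for the real obfuscated payload).
SAMPLE_HTML = (
    '<html><head><script src="/js/site.js"></script>\n'
    '<script src="http://www.feta.gov.uk/js/menu.js"></script></head><body>\n'
    '<script>eval(unescape("' + "%20" * 48 + '"))</script>\n'
    '<script src="http://88.255.90.130/"></script></body></html>'
)

if __name__ == "__main__":
    for finding, evidence in scan_page(SAMPLE_HTML):
        print(f"{finding}: {evidence}")
```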
Once the compromised website had been confirmed, we immediately informed FETA IT management about this incident. They took down the website within minutes, no hanging around waiting for any third party supplier to confirm the compromise. Kudos to them.
Our guess at this point would be one of the following:
1. A server patch hadn’t been applied, allowing the whole server to be compromised. This could be very painful for the web server supplier if it turns out to be the case.
2. The website is built using a content management system called “Joomla”. It is possible it is using an older insecure Joomla core or an older insecure module. Maybe someone forgot or neglected to patch the Joomla files.
3. Something else on the web server has been compromised, allowing access to the FETA website files.
4. One of the website developers has a compromised workstation that allowed the hackers to capture the FTP username and password directly using a key logger.
Only the hackers know the exact nature of the compromise, but the FETA IT team should be able to investigate it with a good forensics specialist, evaluate the scale of the problem, and thereafter put in place the necessary fixes to ensure better security of the website in the future!
People who’ve visited the website over the last week need only panic if they are running a version of Microsoft Windows that hasn’t been patched or a version before Windows 2000. Security products may also have caught this nasty and blocked it from gaining a hold. This exploit was addressed in Microsoft Security bulletin MS06-014, released 11 April, 2006, along with updates to the affected MDAC versions. Customers running Windows Vista are unlikely to have been affected by this exploit.
Our advice to anyone who has visited the FETA website since about the 1st of February is to run a variety of security products, including antivirus, antispyware and antirootkit tools, over your system to ensure nothing has slipped through. It is also vital to keep up with both Microsoft and third-party application patches and updates.
If you have any doubts or queries then feel free to Contact Us for advice.
February 6th, 2008 at 12:52 pm
[...] Roundtrip Solutions Blog – The Small Business Consultancy wrote an interesting post today on Forth Road Bridge Website Hacked. Here’s a quick excerpt: We have just finished investigating a reported issue with the website of the Forth Estuary Transport Authority (FETA), otherwise known as the Forth Road Bridge website. This blog post will make for interesting reading, highlighting the changing nature of the web and how legitimate websites can be compromised to serve nasties to visitors. One of our […] [...]
February 6th, 2008 at 4:58 pm
[...] exploit and how it worked. We’d recommend you go read his blog entry on this alongside our own earlier blog post. He has came to pretty much the same conclusions as we did, which is [...]
February 7th, 2008 at 1:02 pm
[...] was a serious incident and don’t underestimate the impact it may have had on vulnerable computers out there! Public [...]
February 7th, 2008 at 1:35 pm
[...] full story, including the gruesome details, can be found on my company blog. It has also been picked up by The [...]
February 8th, 2008 at 11:39 pm
[...] you have visited the FETA website within the last few weeks then you may wish to read John’s analysis and suggestions for checking your [...]
February 9th, 2008 at 4:44 pm
[...] so you don’t miss out on all the information, news, tips and tricks. Thanks for visiting!The FETA hacking incident fame is spreading. Here’s just some of the places we are being [...]
February 20th, 2008 at 11:07 pm
this is Great hacks!
December 5th, 2008 at 10:09 am
[...] been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the website is now hosting an ‘obfuscated’ [...]