
Stanford University Site Hosted Malware for Months


CrAKeN


[Image: One of the many web shells uploaded to the Stanford subdomain]

 

For almost four months, script kiddies ran amok in one of Stanford's subdomains, installing web shells, mailers, and other types of web malware.

 

The infection was noticed last week by security researchers at Netcraft and was reported to Stanford admins, who recently cleaned their site.

 

The affected website belongs to the Paul F. Glenn Center for the Biology of Aging at Stanford University.

 

According to timestamps of the files surreptitiously uploaded to the hacked site, attackers appear to have compromised the site on January 31, 2017.

 

Multiple hackers broke in, used the site for phishing, spam


The hacker who initially breached the site uploaded a simplistic web shell. Once the website was compromised, other hackers seem to have flocked to the same server, like flies to a carcass.

 

The others that came afterward uploaded more complex web shells, and then started varying their portfolio.

 

When Netcraft researchers found the compromised Stanford site, they say it was hosting numerous pages used for phishing Office 365, Gmail, and LinkedIn credentials. They also found a full-blown phishing kit, and a page phishing e-banking credentials for SunTrust Bank.

 

[Image: Office 365 phishing page hosted on the Stanford subdomain]

 

Besides this, they also found numerous mailer scripts, which means the server was used for sending large quantities of spam.

 

[Image: Mailer script hosted on the Stanford subdomain]

 

In addition, they also found lots of defacement pages. One of the defacement pages belonged to a hacker named Alarg53, a serial website defacer, who at the time of writing has plastered his name over 15,800 sites.

 

Despite their best efforts, Netcraft researchers couldn't identify the original point of entry. Researchers noted that the compromised site was running the latest version of WordPress, version 4.7.5, which means hackers didn't use a flaw in the website's CMS. Most likely, the hackers used a vulnerability in the site's theme or one of its plugins.

 

Source

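As an added illustration of the kind of check a site administrator could run after an incident like the one described above (example code written for this repost, not part of the article or of Netcraft's research), the script below walks a WordPress document root and lists PHP files worth reviewing: PHP inside an uploads directory, files using the primitives web shells and mailer scripts typically rely on, and files modified after a chosen baseline time. The sample files, the baseline epoch value and the heuristics are constructed assumptions, not data from the Stanford site.

```python
import re
import os
import tempfile
from pathlib import Path

# Heuristics for PHP files that warrant review on a WordPress host:
# the primitives web shells and mailer scripts typically rely on.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\b", re.I),
    "command_execution": re.compile(r"\b(system|shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    "mailer_call": re.compile(r"\bmail\s*\(", re.I),
}
BASELINE = 1_500_000_000  # constructed "last known-good" epoch time (hypothetical)

def scan_php_tree(root, since_epoch=None):
    """Return review candidates (sorted by mtime) among PHP files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if "/uploads/" in f"/{rel}":            # uploads directories should hold no PHP
            reasons.append("php_in_uploads")
        text = path.read_text(errors="ignore")
        reasons += [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
        mtime = int(path.stat().st_mtime)
        if since_epoch is not None and mtime > since_epoch:
            reasons.append("modified_after_baseline")   # file timestamps date the intrusion
        if reasons:
            findings.append({"path": rel, "mtime": mtime, "reasons": sorted(reasons)})
    return sorted(findings, key=lambda f: f["mtime"])

def build_sample_site():
    """Constructed sample document root (not from the incident) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    samples = {
        "wp-content/themes/demo/functions.php": ("<?php add_action('init', 'demo_init');", BASELINE - 86400),
        "wp-content/uploads/2017/01/cache.php": ("<?php eval(base64_decode($_POST['c']));", BASELINE + 3600),
        "wp-content/plugins/demo/send.php": ("<?php foreach($l as $t){ mail($t,$s,$m); }", BASELINE + 7200),
    }
    for rel, (body, mtime) in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
        os.utime(f, (mtime, mtime))   # pin mtimes so the baseline check is deterministic
    return root

if __name__ == "__main__":
    for hit in scan_php_tree(build_sample_site(), since_epoch=BASELINE):
        print(hit["mtime"], hit["path"], ",".join(hit["reasons"]))
```

Flagged files are candidates for manual review, not verdicts; a legitimate contact-form plugin will trip the mailer heuristic, while a shell hidden in a renamed theme file will not trip the uploads one.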