http://www.theregister.co.uk/2004/11/22/falk_bofra_statement/

By Falk eSolutions
22nd November 2004

Site notice

On Saturday, The Register suspended service by third party ad serving supplier, Falk, following security issues detailed here [1]. Here is Falk's account of what went wrong:

Summary

Incident at delivery level - Between 6:10 AM and 12:30 AM (GMT) on Saturday, 20th November 2004 Falk eSolutions clients using AdSolution Global experienced problems with banner delivery. This started on Saturday morning with a hacker attack on one of our load balancers. This attack made use of a weak point on this specific type of load balancer. The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated. The results are outlined in this document.

Description of the problem

The use of a weak point in one of our load balancers, type FLB02/CP, led to user requests not being passed to the ad servers. Instead the user requests were answered with a 302 redirect to the URL 'search.comedycentral.com' (199.107.184.146). This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from 'search.comedycentral.com'. This file tries to execute the IE-Exploit function on the users' computer. We don't know yet whether the publishers of 'search.comedycentral.com' are aware of the exploit or whether their server has been attacked by a hacker, too.

Problem analysis

The weak point occurred due to a memory leak on the load balancer concerned. After the load balancer was taken out of service on Saturday at 11:30 AM (GMT) this was no longer possible. Because of this it was difficult at the beginning to find an error on our side. The servers that deliver the banners were not affected at all. Only afterwards were we able to find the error on the load balancer by analysing its log files.

Results of investigation

By attacking a single load balancer, type FLB02/CP, it was possible for users to be redirected to 'search.comedycentral.com', which tried to install the exploit type 'Bofra/IFrame-Exploit'. With approximately every 30th request for banner media this redirect occurred.

Further measures

The load balancer concerned has been taken out of service indefinitely and has been replaced with a newer model. Additional monitoring has been instated that supervises the load balancing process and whether this has been interrupted or manipulated. Further, a policing tool that supervises redirects to unknown, erroneous or infected files has been deployed.

[1] http://www.theregister.co.uk/2004/11/21/register_adserver_attack/

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
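One way to implement the kind of redirect policing Falk's "Further measures" paragraph describes, as an added example that is not Falk's own tooling: it scans load balancer log lines for 3xx responses whose Location host is not on an allowlist and reports how often they occur. The log line format, the allowlist hostnames and the sample lines are all constructed assumptions.

```python
# Added example, not Falk's tooling: flag redirects from a load balancer log
# whose Location host is not an approved ad-serving host, and measure how often
# they occur (the statement reports roughly one request in thirty).
import re
from urllib.parse import urlparse

# Assumed (constructed) log format: "<client> <method> <path> <status> <location-or-dash>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\S+)$')

# Hosts the ad servers are allowed to redirect to (constructed allowlist).
APPROVED_REDIRECT_HOSTS = {"ads.example-adserver.test", "cdn.example-adserver.test"}

def unapproved_redirects(lines, approved=APPROVED_REDIRECT_HOSTS):
    """Return (total_requests, [(client, path, location), ...]) for 3xx
    responses whose Location host is missing from the allowlist."""
    total = 0
    suspicious = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        client, _method, path, status, location = m.groups()
        total += 1
        if not status.startswith("3") or location == "-":
            continue  # not a redirect
        host = urlparse(location).hostname or ""
        if host.lower() not in approved:
            suspicious.append((client, path, location))
    return total, suspicious

def redirect_ratio(lines, approved=APPROVED_REDIRECT_HOSTS):
    """Fraction of parsed requests answered with an unapproved redirect."""
    total, suspicious = unapproved_redirects(lines, approved)
    return len(suspicious) / total if total else 0.0

# Constructed sample: 29 normal banner requests and one hijacked redirect.
SAMPLE_LOG = ["10.0.0.%d GET /banner.gif 200 -" % i for i in range(1, 30)] + [
    "10.0.0.30 GET /banner.gif 302 http://redirect.unknown.invalid/x.htm",
]

if __name__ == "__main__":
    total, bad = unapproved_redirects(SAMPLE_LOG)
    print(f"{len(bad)} unapproved redirect(s) in {total} requests")
    for client, path, location in bad:
        print(f"  {client} {path} -> {location}")
```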
This archive was generated by hypermail 2.1.3 : Mon Nov 22 2004 - 07:38:11 PST