Mailing List Archive: Full Disclosure: Full-Disclosure

University of Washington Infected with GetMama 3000 files!

washington_u_getmama at hushmail

May 5, 2012, 12:33 PM

Post #1 of 3
University of Washington Infected with GetMama 3000 files!

Dearest FD, the University of Washington server has been feeding
malware for about a month. I grepped and found the total number of
infected files to be about 3000. It is the GetMama malware. I saved the
list of infected files on pastebin (http://pastebin.com/P4A4JN6F) and on
students03.u.washington.edu
(/nfs/aesop03/hw32/d93/blogs/wp-content/plugins/si-contact-form/captcha/temp/infected.txt).
If they can not keep the servers safe from the public, then what are
they getting paid to do? They have been hacked many times before and
refuse to inform their students, their staff, and the public! I also
posted on all their blogs to alert the students and staff:
http://blogs.uw.edu/nikky/2012/05/11/hacked-serving-getmama-malware/


Valdis.Kletnieks at vt

May 6, 2012, 11:53 AM

Post #2 of 3
Re: University of Washington Infected with GetMama 3000 files! [In reply to]

On Sat, 05 May 2012 19:33:52 -0000, washington_u_getmama [at] hushmail said:
> dearest FD the university of washington server has been feeding

*the* server, or *a* server? precision in writing is often useful - I have
literally several thousand servers across the hall here.

> if they can not keep the servers safe from the public then what are
> they getting paid to do?

So in a bored moment, I took a look at the list, and noticed the following:

1) There's only a very limited number of upper-level pathnames:

/nfs/aesop02/hw22/d23/sauf/hubproject/ (493 files)
/nfs/aesop01/hw11/d04/geog/wordpress/ (605 files)
/nfs/aesop01/hw11/d08/rjsanyal/ (326 files)
/nfs/aesop01/hw11/d29/drobnygp/wordpress/ (658 files)
/nfs/aesop01/hw12/d56/dwsamplr/ (2 files)
/nfs/giovanni11/dw21/d98/uwfarm (1 file)
/nfs/aesop03/hw31/d24/cerid/ (1 file)
/nfs/giovanni13/dw23/d68/uwkc/phpBB3/cache/ (129 files)
/nfs/giovanni13/dw23/d95/rgeorgi/ (2 files)
/nfs/giovanni13/dw23/d15/ckwalsh/post_versions/ (50 files)
/nfs/giovanni13/dw23/d72/ukc/wordpress/ (308 files)
/nfs/aesop01/hw11/d04/geog/wordpress/ (1 file)

2) The pathnames certainly look like they have components that are probably
userids or department names - and there's only 12 of them.

3) UW is like 30K students. If out of 30K students, only 12 have gotten hit
with this thing, that's an incredibly *good* track record.

So this raises the question - what *exactly* does the UW AUP say? This becomes
important, because we need to know that to resolve several questions:

1) If a user uploads infected files, or creates a publicly writable directory
that then gets used to upload the files, is it the user's responsibility or
UW's to clean up the user's mess?

2) Does UW even have the *right* to take down a user file without lots of due
process just because it's infected with something?

At least in the US, an ISP has a "safe harbor" exemption under 17 USC 512 that
the ISP has no liability for copyright-infringing material uploaded by a user
as long as they respond to takedown notices. And that's for files whose very
existence is *illegal*. I don't think anybody on this list (with the possible
exception of n3td3v if he's still lurking) wants the ISP to have the right (or
worse, the responsibility) to auto-nuke files that are merely "likely
dangerous" - simply because "likely dangerous" is a very slippery slope indeed.
And since UW is a university, the whole "academic freedom" thing means it's
usually even tougher to take a user's stuff down without lots of due process.

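The reply above collapses a list of roughly 3000 infected file paths into a dozen per-account directories by eyeballing the upper-level pathnames. The script below is an added example of doing that step mechanically; it is not code from either poster, and the sample paths are constructed here rather than taken from the pastebin dump. It assumes (which the page does not state) that under the /nfs/<volume>/<hwNN>/<dNN>/<account>/ layout the fifth path component is the user or department id, so that is the key it groups on.

```shell
#!/bin/sh
# Added example: reduce a list of infected file paths to the accounts that own
# them, mirroring the by-hand tally in the reply above.
# Assumption (not from the page): in /nfs/<volume>/<hwNN>/<dNN>/<account>/...
# the fifth component is the user or department directory.

# Constructed sample list standing in for the pastebin dump (not real data).
SAMPLE_PATHS='/nfs/aesop01/hw11/d04/geog/wordpress/wp-content/uploads/a.php
/nfs/aesop01/hw11/d04/geog/wordpress/wp-includes/b.php
/nfs/aesop01/hw11/d04/geog/wordpress/index.php
/nfs/aesop01/hw11/d08/rjsanyal/c.php
/nfs/aesop01/hw11/d08/rjsanyal/sub/d.php
/nfs/giovanni13/dw23/d68/uwkc/phpBB3/cache/e.php
not/an/nfs/path'

# account_of PATH: print the account prefix (/nfs/vol/hw/d/account), or
# nothing if the path does not follow the assumed /nfs layout.
account_of() {
    printf '%s\n' "$1" \
    | awk -F/ '$2=="nfs" && NF>=6 { print "/"$2"/"$3"/"$4"/"$5"/"$6 }'
}

# count_by_account: read paths on stdin, print "COUNT PREFIX" lines with the
# most-hit account first. Lines outside the /nfs layout are dropped.
count_by_account() {
    awk -F/ '$2=="nfs" && NF>=6 { print "/"$2"/"$3"/"$4"/"$5"/"$6 }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# distinct_accounts: read paths on stdin, print how many accounts are hit.
distinct_accounts() {
    count_by_account | wc -l | tr -d ' '
}

# Run with --demo to see the tally for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PATHS" | count_by_account
    printf '%s accounts hit\n' "$(printf '%s\n' "$SAMPLE_PATHS" | distinct_accounts)"
fi
```

On the real dump you would feed the pastebin list on stdin instead of SAMPLE_PATHS; the count of distinct prefixes is the number of accounts actually involved, which is the figure the reply argues matters more than the raw file count.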

washington_u_getmama at hushmail

May 12, 2012, 5:14 AM

Post #3 of 3
Re: University of Washington Infected with GetMama 3000 files! [In reply to]

original pastebin down, here are some more
http://pastebin.mozilla.org/1633564
http://paste2.org/p/2019542
http://paste.ubuntu.com/983362/

