A Stanford University website was reportedly compromised for four months without detection, allowing hackers to abuse it to host malicious web shells, phishing kits and defacement images.
According to a blog post published on Wednesday by UK-based Internet security company Netcraft, the website for the Paul F. Glenn Center for the Biology of Aging at Stanford University – part of the School of Medicine – was hacked on January 31, 2017. In the following months, multiple bad actors – many likely working individually – began uploading various malicious scripts onto the site, glennlaboratories.stanford.edu.
Stanford administrators promptly removed all of the malicious scripts found on the WordPress-based website after Netcraft disclosed the intrusion, the blog post reported. It is unclear how the site was compromised in the first place.
During the initial compromise, an adversary hid a simple PHP-based web shell in the top-level directory of the website. Then on May 14, someone uploaded a second web shell, a WSO (Web Shell by Orb) that "displays directory listings and offers several other hacking tools that can be used to crack passwords and gain access to databases," Netcraft reported.
Netcraft also discovered multiple scripts and files designed to perpetrate spam mailer and phishing campaigns. Among them was an archive file installed in the top-level directory that deploys a Chinese phishing site targeting users of the Taiwanese Chunghwa Telecom Internet service.
Another pair of archives uploaded to the site were designed to create phishing sites that steal the usernames and passwords of LinkedIn and Office 365 users. Yet another archive contained a generic phishing kit that presents victims with a phony login error message, tricking them into trying various combinations of email addresses and passwords.
As late as May 29, a bad actor introduced still another phishing kit that presents victims with a fake login form for SunTrust Bank.
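The pattern described above (a stray PHP shell in the top-level directory of a WordPress install, plus archive files dropped into the web root to unpack phishing kits) is something a site owner can sweep for. The following is an added example, not code from Netcraft, Stanford or the article; it walks a constructed WordPress-like tree and flags those three conditions. The core file list and the fixture paths are assumptions for illustration.

```python
"""Integrity sweep for a WordPress document root (added example)."""
import os
import tempfile

# PHP files WordPress itself ships at the top level (assumed list for a
# 4.x-era install); any other .php file there deserves a look.
WP_CORE_TOP_LEVEL = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".rar")


def sweep(docroot):
    """Return sorted (reason, relative_path) findings for a WordPress docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        in_uploads = rel_dir.split(os.sep)[:2] == ["wp-content", "uploads"]
        for name in files:
            rel = name if rel_dir == "." else os.path.join(rel_dir, name)
            lower = name.lower()
            # Condition 1: a PHP file at the top level that WordPress does not ship.
            if rel_dir == "." and lower.endswith(".php") and name not in WP_CORE_TOP_LEVEL:
                findings.append(("unexpected top-level PHP", rel))
            # Condition 2: an archive anywhere under the web root (kits arrive zipped).
            if lower.endswith(ARCHIVE_SUFFIXES):
                findings.append(("archive in web root", rel))
            # Condition 3: executable PHP under wp-content/uploads, which should hold media only.
            if in_uploads and lower.endswith((".php", ".phtml")):
                findings.append(("PHP in uploads", rel))
    return sorted(findings)


def build_fixture():
    """Construct a small WordPress-like tree for demonstration (test data, not the real site)."""
    root = tempfile.mkdtemp()
    layout = [
        "index.php", "wp-login.php", "wp-config.php",            # legitimate core files
        "wp-content/themes/demo/functions.php",                  # legitimate theme code
        "wp-content/uploads/2017/05/photo.jpg",                  # legitimate upload
        "upload.php",                                            # constructed: stray top-level PHP
        "kit.zip",                                               # constructed: archive in web root
        "wp-content/uploads/2017/05/shell.php",                  # constructed: PHP in uploads
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    for reason, path in sweep(build_fixture()):
        print(f"{reason}: {path}")
```

Run against a real install, the same function works with `sweep("/var/www/html")`; a clean site should return an empty list.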
Netcraft also found two instances of hackers using HTML-based defacement pages to leave their mark on the compromised Stanford site. The first left the message "Hacked By Alarg53" while the second presented an image of a giggling face (with a resemblance to Anonymous' Guy Fawkes mask) and the message "Hacked By # T.F.S #".
"We were notified of the issue by Netcraft in late May and immediately contacted the School of Medicine's IT Department. They spent a day fixing the problem, which is now fully resolved. As far as we can determine, none of our data has been compromised," said a Stanford University spokesperson in response to an SC Media query.