More advice for local website operators
17th March 2005 (The Star)

PETALING JAYA: The Malaysian Communications and Multimedia Information Sharing Forum (ISF) has issued an advisory urging local web administrators to protect their websites from hacker attack.

The advisory comes on the back of a mass attack on local websites that raged over the past week. Between "50 and 80" websites were compromised by foreign hackers, ISF said.

Last week, the Malaysian Computer Emergency Response Team (MyCERT) also urged administrators to secure their websites.

An ISF analysis of the affected websites showed that hackers go through via three main routes: SQL (Structured Query Language) injection vulnerabilities, and multiple vulnerabilities in Awstats (v 5.7 to 6.2) and phpBB (versions earlier than v 2.0.13) implementations.

Awstats is a popular web server analysis tool used by web administrators, while phpBB is a bulletin board application.

Some websites running old versions of the PHP scripting language (versions earlier than v 4.3.10, and v 5.0.3) were also compromised via vulnerabilities contained in them, ISF said.

In the advisory, the forum also provided detailed guidelines on rectifying the faults. It can be downloaded from the Malaysian Communications and Multimedia Commission (MCMC) website at www.mcmc.gov.my.

Formed in June last year to combat rising incidences of Internet abuse, ISF comprises regulators, security agencies and service providers in the local communications and multimedia sector.

The MCMC heads the forum, and members include the ICT Security Division of the Malaysian Administrative Modernisation and Management Planning Unit (Mampu), National ICT Security Emergency Response Centre (Niser) and Malaysian Technical Standards Forum.

Service providers TIMENet, NTT MSC, Jaring, TM Net, Celcom, Maxis Communications and DiGi Telecommunications are also members.

The forum is currently working on a "whitelist" of spam - and virus-free local IP (Internet Protocol) addresses, and a blacklist of spammers.

It also plans to introduce a standardised Acceptable Internet Use Policy and Internet Peering Policy for Internet service providers to adopt.