Virginia Department of Health Professions Website Compromised
https://www.pmp.dhp.virginia.gov/pmpwebcenter/login.aspx is currently (2:07PM) down.
Wikileaks report is here - http://wikileaks.org/wiki/Over_8M_Virginian_patient_records_held_to_rans...
SecurityFocus report is here - http://www.securityfocus.com/brief/957
Virginia Department of Health Professions main site is here - http://www.dhp.virginia.gov/
That site was running on Windows 2003 with Microsoft-IIS/6.0 until this morning, when it was downgraded to Windows 2000 with Microsoft-IIS/5.0.
The main Virginia site http://virginia.gov used to run on Solaris (Sun). The current webserver is Apache/1.3.41 Unix JRun/4.0 mod_perl/1.30 mod_ssl/2.8.31 OpenSSL/0.9.7m mod_gzip/1.3.26.1a. For comparison, LSNet's web server returns Apache/2.2.3 Ubuntu PHP/5.2.1 mod_ssl/2.2.3 OpenSSL/0.9.8c.
I have no knowledge of the particular vulnerability in this case - IIS6.0 or the content management system (CMS) - but one of the reasons for recent upgrades at LSNet was the "HTTP Request Smuggling" vulnerability affecting both Microsoft and *nix web servers. http://www.securiteam.com/securityreviews/5GP0220G0U.html We spent the entire day yesterday on security updates for our chosen CMS - Drupal.
The PMP software system was developed by the private contractor Optimum Technology - http://www.otech.com/. The data sheet for the software can be found here - http://www.otech.com/downloads/index.asp. Otech's web server runs on the same system as PMP.
tarvid@hans:~$ HEAD http://www.otech.com
200 OK
Cache-Control: private
Connection: Close
Date: Wed, 06 May 2009 12:19:42 GMT
Server: Microsoft-IIS/6.0
Content-Length: 7852
Content-Type: text/html
Client-Date: Wed, 06 May 2009 12:23:51 GMT
Client-Peer: 64.132.213.39:80
Client-Response-Num: 1
Set-Cookie: ASPSESSIONIDAQDCCCBC=ANJLFLLAPNHMEIGMEHOPGAJH; path=/
X-Powered-By: ASP.NET
I suspect there are a lot of nervous admins at http://www.vita.virginia.gov/. If you find anyone else running aged web servers you might report the suspicious activity to - http://www.vsp.state.va.us/FusionCenter/Report_Suspicious_Activity.shtm
On the other hand, that's the same webserver running virginia.gov.
root@hans:/etc/X11# HEAD http://www.vsp.state.va.us/FusionCenter/Report_Suspicious_Activity.shtm/...
200 OK
Connection: Close
Date: Tue, 05 May 2009 19:12:03 GMT
Server: Apache/1.3.41 (Unix) JRun/4.0 mod_perl/1.30 mod_ssl/2.8.31 OpenSSL/0.9.7m mod_gzip/1.3.26.1a
Content-Type: text/html
Client-Date: Tue, 05 May 2009 19:12:04 GMT
Client-Peer: 206.113.150.68:80
Client-Response-Num: 1
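The banner comparison made above can be done mechanically when auditing your own servers. This is an added example, not part of the original post: it parses the `HEAD` output shown above, splits the `Server` banner into components, and lists the components whose version sorts lower than in the LSNet banner quoted earlier. The function names are assumptions chosen for this sketch, and a `Server` banner is self-reported, so treat it as a hint to verify rather than proof of what is installed.

```python
import re

# Excerpt of the HEAD output captured in the post, and the LSNet banner it quotes.
SAMPLE_HEAD = """200 OK
Connection: Close
Date: Tue, 05 May 2009 19:12:03 GMT
Server: Apache/1.3.41 (Unix) JRun/4.0 mod_perl/1.30 mod_ssl/2.8.31 OpenSSL/0.9.7m mod_gzip/1.3.26.1a
Client-Peer: 206.113.150.68:80
"""
LSNET = "Apache/2.2.3 Ubuntu PHP/5.2.1 mod_ssl/2.2.3 OpenSSL/0.9.8c"

def parse_head(text):
    """Parse HEAD output: a status line followed by 'Name: value' lines."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_banner(banner):
    """Split a Server banner into {product: version}; comments like (Unix) are dropped."""
    out = {}
    for token in re.sub(r"\([^)]*\)", " ", banner).split():
        product, _, version = token.partition("/")
        out[product.lower()] = version  # '' when no version is advertised
    return out

def version_key(version):
    """Sort key for versions such as 0.9.7m or 1.3.26.1a: numeric field, then letter suffix."""
    key = []
    for part in version.split("."):
        m = re.match(r"(\d*)(.*)", part)
        key.append((int(m.group(1) or 0), m.group(2)))
    return key

def older_components(observed, baseline):
    """Components in both banners whose observed version sorts lower than the baseline's."""
    obs, base = parse_banner(observed), parse_banner(baseline)
    return sorted(p for p in obs.keys() & base.keys()
                  if obs[p] and base[p] and version_key(obs[p]) < version_key(base[p]))

if __name__ == "__main__":
    status, headers = parse_head(SAMPLE_HEAD)
    print(status, older_components(headers["server"], LSNET))
```

mod_ssl does not appear in the result because 2.8.31 sorts above 2.2.3, but the two numbers come from different version lines (the separate mod_ssl add-on for Apache 1.3 versus the module bundled with Apache 2.2), so that component has to be judged by hand.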