Update on March 24 at 7:03 California time:The Cisco blog post has been updated to change a key finding Ars reported in the following post. Contrary to Cisco's earlier reporting, the update says not all the servers compromised in the attack were running Linux version 2.6. "We have not identified the initial exploit vector for the stage zero URIs," the update stated. "It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the below strike through annotations reflect that. We also want to thank the community for the timely feedback."
Earlier this week, Ars reported on attacks exploiting an extremely critical vulnerability in the PHP scripting language almost two years after the bug came to light. By going 22 months without installing crucial patches, the responsible administrators were menacing the entire Internet, in much the same way as the owner of a blighted building might contribute to increased urban decay or neighborhood crime.
Now comes word of a new mass compromise that preys on even more neglected Web severs, some running versions of the Linux operating system kernel first released in 2007. According to a blog post published late Thursday by researchers from Cisco, the people behind the attack appear to have identified a vulnerability that has since been patched in later Linux releases that allows them to dish malicious content to unsuspecting people who visit the site. The quick-spreading compromise took over 400 hosts per day on Monday and Tuesday, and so far, Cisco has counted more than 2,700 distinct URLs that are under the control of the attackers.