Hi malware fighters,
I opened up an old link from inside an old forum post to: hxtp://bypass.xssing.com/testing.php?
http://jsunpack.jeek.org/dec/go?report=572082cb079b3e130c8bb2c88c1f3fc4444c098e
and landed at a site that had this in the code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<!-- turing_cluster_prod -->
<html>
<head> <title> xssing.com </title>
<meta http-equiv="Keywords" content="">
<meta http-equiv="Description" content="">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<link rel="shortcut icon" href="http://spi.domainsponsor.com/favicon/mi_favicon.ico" type="image/x-icon">
<script type="text/javascript">
iFrame found:
http://safeweb.norton.com/report/show?url=domdex.com
What happened here, and why was it hijacked and redirected to this Oversee.net site, while the original link came from: http://www.xssed.com/article/15/Paper_Cross_Site_Scripting_-_Attack_and_Defense_Guide/ (hosted at OVH in the Netherlands)? How come the link was hijacked over time, what is this hack, and is malware involved…
Should users block spi.domainsponsor.com? (re: http://foohack.com/2008/06/hacking-the-google-favicon/ )
See WOT qualification…
Host list where it is blocked: http://www.possessionstudios.com/hosts.txt
polonus
There are several sites being hacked at the moment. Geeks to Go has gone offline whilst they investigate.
Hi essexboy,
And what is this query=botsearch09?
htxp://bypass.xssing.com/?epl=02830012VGsLXARcBwBRAUQHVwgHWg9aB1oGCE8SElxbXxZXXggTUw1XZhdWUgRCBxEFQxJAXAVUAFoCBFZUAwAeVltFOldYDVtSAFcJR1UMF0oKFkpcBEgCVQwAU0dBUEtMa1gBCAJTCx8KQ0BcXwxFSAoWRg9QA0VeWlEHR0ZQWUpXWTpFWxEFWwpHEgVVEQpfCzlaBQlTB1ITVAAVUFJXSk0MAlBaB0pQBhVHDVkBBmcMAg5QEhVSAkdUCT5BTEhdCV0MW19EWVUJXEM_Vw0MXwkDbAtHWwc&query=botsearch09
There is something phishy going on here… that is certain.
Similar iFrame here detected: http://www.google.com/safebrowsing/diagnostic?site=www.ech0.net
see: http://sucuri.net/index.php?page=scan&scan=www.ech0.net
pol
system, July 21, 2010, 7:23pm
See
geekstogo.com has been re-compromised, so I’ve added it with the EXP classification until it’s cleaned and secured.
http://forum.hosts-file.net/viewtopic.php?p=14293#p14293
http://hosts-file.net/?s=spi.domainsponsor.com&x=32&y=6 <== • EMD - sites engaged in malware distribution
This classification is assigned to websites engaged in the distribution of malware (e.g. adware, spyware, trojans, viruses, etc.).
Hi YoKenny,
These are gonna be busy days for you blockers; the World Wide Web is being allowed to be attacked grand style…
They are doing maintenance on the LiteSpeed server at geeks2go, but the site is not back up yet…
For the hidden iFrame, see the jsunpack links at the bottom: http://www.unmaskparasites.com/web-page-options/?url=http%3A//domdex.com/f%3Fc%3D107
pol
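The posts above keep coming back to hidden iFrames that scanners like jsunpack and Unmask Parasites pull out of compromised pages. As an added example that is not part of this thread and not code from any of the tools linked here, the script below flags iframes that are sized to 0 or 1 pixel, styled display:none or visibility:hidden, or pushed far off-screen with negative left/top offsets, which are the usual ways an injected frame is kept out of the visitor's sight. The sample HTML and the injected.example domains in it are constructed for illustration only.

```python
"""Flag hidden or off-screen <iframe> elements in an HTML page.

Added example for this thread; it is not code from jsunpack, Unmask
Parasites, Sucuri or hpHosts. SAMPLE_HTML and the injected.example
hosts below are constructed placeholders, not real injections.
"""
import re
from html.parser import HTMLParser

# Inline-style fragments that keep a frame invisible: display:none,
# visibility:hidden, a 0/1px box, or a left/top offset of -100px or more.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01]px"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects every <iframe> start tag with a hidden/visible verdict."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-or-one-pixel size attribute")
        if HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("hidden or off-screen inline style")
        self.frames.append(
            {"src": a.get("src", ""), "hidden": bool(reasons), "reasons": reasons}
        )


def find_hidden_iframes(html):
    """Return the iframe records that look deliberately hidden."""
    parser = IframeCollector()
    parser.feed(html)
    return [f for f in parser.frames if f["hidden"]]


# Constructed sample: one legitimate embed and two injected-style frames.
SAMPLE_HTML = """
<html><body>
<p>Normal page content</p>
<iframe src="https://example.com/video" width="560" height="315"></iframe>
<iframe src="http://injected.example/f?c=107" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="http://injected.example/x.php"
        style="position:absolute;left:-9999px;top:0;width:10px;height:10px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for frame in find_hidden_iframes(SAMPLE_HTML):
        print(frame["src"], "->", "; ".join(frame["reasons"]))
```

Run it on a saved copy of the page (for instance the HTML that Unmask Parasites shows in its "web page options" view) rather than on the live site, so the analysis box never makes the request itself. A visible frame of normal size is left alone; only the two constructed injected frames are reported.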
Hi essexboy,
More info on the geeks2go hack through malware script: http://hphosts.blogspot.com/2010/07/alert-geekstogocom-serving-exploit.html
The attack with the effects.js?ver=1.8.3 exploit comes from the criminal-friendly Dutch unoosearch*com site (http://www.urlvoid.com/scan/unoosearch.com),
engaged in such exploits. Here the page analyzer analyzes their web page performance by emulating how a web browser would load your page and all resources referenced in it, compromised…
Suspicious code here: http://4.bp.blogspot.com/_gtpf1L0KR7E/TEZDNW4yl8I/AAAAAAAAAxM/BVGybUi_-Bw/s1600/imggeekstogo.com_-_exploit.png (an image of it, naturally ;D)
polonus