Thread: Thousands of sites infected - archive

  1. #51
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Mass JavaScript injection - China business...

    FYI...

    China Business Network Rail Site Infected with Mass Script Injection
    - http://securitylabs.websense.com/con...erts/3207.aspx
    10.14.2008 - "Websense... discovered today that the China Business Network Rail Web site has been infected with the mass attack JavaScript injection to deliver a malicious payload. The reporting page on the site contains partially obfuscated malicious JavaScript code that, through numerous redirects, loads numerous exploit code. Applications targeted include a GLWorld ActiveX Control, Real Player, a UUSE P2P streaming application, and Xulnei Thunder DapPlayer... Websense ThreatSeeker has been tracking how such attacks prevail over reputed Business-to-Business (B2B) and Business-to-Clients (B2C) Web sites to target their peers and other visitors..."

    (Screenshots available at the URL above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #52
    Adviser Team AplusWebMaster's Avatar

    Adobe site - SQL injected...

    FYI...

    Adobe site - SQL injected...
    - http://www.sophos.com/security/blog/2008/10/1863.html
    16 October 2008 - "At the end of last week SophosLabs discovered that Adobe’s website was linking to a site infected with Mal/Badsrc-C. The infection had been encountered by a business partner of ours... Digging deeper, we discovered that the infected site was actually now part of the Adobe empire following an acquisition in October 2006. Some of the infected webpages have subsequently been rebranded but the underlying databases serving the site are still riddled with infections... The threat from web-based malware is increasing by the day and the fact that it can happen to companies as large as Adobe should make all web admins sit up and take notice.
    NOTE/update: Last night Adobe contacted us and indicated that the issue had been resolved. I can confirm that the issue has been resolved."
    - http://www.theregister.co.uk/2008/10...ed_abobe_page/

    (Screenshot available at both URLs above.)


  3. #53
    Adviser Team AplusWebMaster's Avatar

    ECPAT NZ INC Courtesy Site: Mass Injection

    FYI...

    ECPAT NZ INC Courtesy Site: Mass Injection
    - http://securitylabs.websense.com/con...erts/3227.aspx
    11.04.2008 - "Websense... has discovered that an ECPAT NZ INC courtesy site is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been mass injected attempting to deliver malicious payloads from 20 different hosts. ECPAT is a global network of organizations and individuals working together for the elimination of child prostitution, child pornography, and the trafficking of children for sexual purposes. ECPAT NZ plays a key role in liaising and bringing about cooperation between key government and sector groups involved in the areas of commercial sexual exploitation of children (CSEC). In an effort to protect their visitors, Websense Security Labs is working closely with ECPAT NZ INC to advise on the threats on their Web site. The ThreatSeeker Network has been tracking how such attacks prevail over reputed and significant Web sites, targeting their peers and other visitors..."

    (Screenshots available at the URL above.)


  4. #54
    Adviser Team AplusWebMaster's Avatar

    FYI...

    - http://www.viruslist.com/en/weblog?weblogid=208187604
    November 07, 2008 | 16:31 GMT - "...onset of the latest mass hack attack – websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days alone, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this... We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine... The attackers add a tag, <script src=http://******/h.js>, to the html of hacked sites. The link leads to Java Script located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the blacklist in our antivirus:
    * armsart.com
    * acglgoa.com
    * idea21.org
    * yrwap.cn
    * s4d.in
    * dbios.org
    If you’re an admin, you should block access to these sites..."

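The tag described in post #54 is written with an unquoted `src`, which simple quoted-attribute pattern matching misses. The sketch below is an added example, not part of the original post or of any vendor's tooling: it parses a page, flags `<script>`/`<iframe>` loads from the six gateway domains listed in that post, and separately lists other off-site hosts for review. It generalizes slightly by covering iframes as well as scripts; the function names, `example.org`, and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Gateway domains named in the weblog entry quoted in post #54.
GATEWAY_DOMAINS = {"armsart.com", "acglgoa.com", "idea21.org",
                   "yrwap.cn", "s4d.in", "dbios.org"}

class RemoteLoadFinder(HTMLParser):
    """Collect (tag, host, url) for every <script>/<iframe> with a remote src."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.loads = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")   # the parser also accepts unquoted values
        if not src:
            return
        host = urlsplit(src.strip()).hostname  # lower-cased; None if relative
        if host:
            self.loads.append((tag, host.rstrip("."), src.strip()))

def is_blocked(host, blocklist=GATEWAY_DOMAINS):
    """True for a listed domain or any subdomain of it (not mere suffixes)."""
    return any(host == d or host.endswith("." + d) for d in blocklist)

def scan_page(html, site_host):
    """Return (blocklisted loads, other off-site loads worth reviewing)."""
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    hits = [l for l in finder.loads if is_blocked(l[1])]
    offsite = [l for l in finder.loads
               if not is_blocked(l[1]) and l[1] != site_host
               and not l[1].endswith("." + site_host)]
    return hits, offsite

# Constructed sample page (hypothetical, not captured from any real site).
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<td>Widget<script src=http://WWW.Yrwap.cn/h.js></script></td>
<script src="//cdn.example.net/lib.js"></script>
<iframe src="http://shop.example.org/banner.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    hits, offsite = scan_page(SAMPLE, "example.org")
    for tag, host, url in hits:
        print("BLOCKLISTED", tag, url)
    for tag, host, url in offsite:
        print("review", tag, url)
```

Because the injected markup is served from the database, run the same check over rendered pages rather than only over template files on disk.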

  5. #55
    Adviser Team AplusWebMaster's Avatar

    Shadowserver - Full list of Injected Sites updated

    FYI...

    "Warning: We strongly suggest that readers NOT visit websites on this list. They all have a history of covert hacks, redirecting the browser to drive-by-malware installations, and should be considered dangerous and capable of infecting and causing damage to your system with exploits, spyware, trojans, viruses, and the like."

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/upl...l-inj-list.txt
    Last Updated: 11/24/08 13:44:37 -0400

    Significant additions:
    Domain (442 domains)     Count     Date Found
    ---------------------------------------------------------------
    go .nnd .hk              92,400    11/04/08
    www .wakasa .or .jp      87,700    11/12/08


  6. #56
    Adviser Team AplusWebMaster's Avatar

    CBS website iFrame hack

    FYI...

    - http://www.infoworld.com/article/08/...me_hack_1.html
    December 01, 2008 - "TV network CBS has become the latest big name to have its website used to host malware, a security company has reported. It appears that Russian malware distributors were able to launch another iFrame attack on a sub-domain of the cbs.com site so that it was serving remote malware to any visitors. A user's vulnerability to the malware attack launched by the site hack would depend on a number of factors, including the type of security used on a PC, the operating system, and possibly the browser version... Finjan had informed CBS of the issue, but that the Russian exploit server had in any case been taken offline, neutering the attack for the time being..."


  7. #57
    Adviser Team AplusWebMaster's Avatar

    FYI...

    Mass Injection on John Sands Greeting Card Company site
    - http://securitylabs.websense.com/con...erts/3268.aspx
    12.23.2008 - "Websense... has discovered that the Web site of John Sands Greeting Card Company is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been found to contain the said malicious code... Acquired by American Greetings in 1996, the company was founded in 1837 by John Sands, the son of an English engraver. The company is Australia's second oldest registered company. In an effort to protect their visitors, Websense Security Labs has contacted John Sands Greeting Card Company and advised them on this incident..."

    (Screenshot available at the Websense URL above.)


  8. #58
    Adviser Team AplusWebMaster's Avatar

    Multiple Chinese sites compromised...

    FYI...

    Multiple Chinese sites compromised...
    - http://securitylabs.websense.com/content/alerts.aspx
    12.31.2008 - Chinese Government Affairs Information Site Compromised...
    12.29.2008 - Download Site of China.com Compromised - Malicious Web Site / Malicious Code
    12.26.2008 - Sohu Web Site in China Compromised - Malicious Web Site / Malicious Code...


  9. #59
    Adviser Team AplusWebMaster's Avatar

    Paris Hilton website infected with malware

    FYI...

    Paris Hilton website infected with malware
    - http://www.informationweek.com/share...leID=212800229
    January 12, 2009 - "Once again, hackers have targeted technology associated with Paris Hilton. This time it's her Web site, ParisHilton .com. Security researchers at ScanSafe report that anyone visiting Hilton's site risks infection with malware. "Hilton's popular website, ParisHilton .com, has been outfitted with malware prompting site visitors to 'update' their system in order to continue navigating the site," ScanSafe said in an e-mail. "When the bogus pop-up box appears, users have the option to click 'Cancel' or 'OK.' Regardless of which option they choose, destructive malware will be downloaded to the user's computer"... ScanSafe says the malware has been detected on some 15,000 other Web sites. The company says it found a similar threat, a malicious ad, on Major League Baseball's MLB.com last week. "Paris Hilton's site is currently compromised," said Mary Landesman, senior security researcher at ScanSafe, in a phone interview. "We first encountered it on [Jan. 9]. We don't know when it happened." According to Landesman, there's an iFrame that has been embedded in the ParisHilton .com Web site. The iFrame calls out to a site hosting the malware, you69tube .com. It downloads a malicious PDF and attempts to force users into clicking and launching the PDF, which attempts to activate an exploit. Because the malware tries to download additional files whether one clicks "Cancel" or "OK," Landesman says that only a hard quit - CTRL+ALT+Delete - of one's browser provides a way out..."

    - http://www.f-secure.com/weblog/archives/00001581.html
    January 15, 2009 - "... The offending IFrame appears to have been removed at this time... The infection of "Paris Hilton" highlights a popular trend among online attackers..."

    Last edited by AplusWebMaster; 2009-01-15 at 16:27.

  10. #60
    Adviser Team AplusWebMaster's Avatar

    Full list of Injected Sites - Shadowserver

    FYI...

    "Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system... list of domains used in the mass SQL injections that insert malicious javascript into websites..."

    Full list of Injected Sites
    - http://www.shadowserver.org/wiki/upl...l-inj-list.txt
    Last Updated: 01/23/09 09:12:21 -0700


