More code injection sites 8.js
FYI...
-
http://isc.sans.org/diary.html?storyid=2178
Last Updated: 2007-02-06 22:55:53 UTC
"We have discovered more defacements / code-injection similar to the superbowl site defacement. If you google for script 8.js you will find that 1.js and 3.js were not the only JavaScripts used in this fashion. This version appears to have been targeted a bit at gaming sites although there are a few medical sites including an “anonymous expert HIV/AIDS counseling” site with this defacement... The concept of a website having additional content or having portions of the content replaced was usually looked at as embarrassing but not a major threat. In my opinion with the recent trend to perform “silent defacements” with malicious code injection, world writable content areas should be treated as a threat. The only malicious version of 8.js I have seen so far is hosted on 001yl.com ... The stuff I pulled from 001y.com is very similar to the 3.js defacement we discussed in the dolphinstadium site write-ups.
8.js uses a hidden iframe to hide its reference to qq.htm... qq.htm uses several hidden iframes to call happy1.htm, happy2.htm, happy3.htm from 001yl.com, h.js from zj5173.com and a counter at s102 .cnzz .com. Each happy1.htm (and 2 and 3) had pointers to zj5173.com/2.exe.
- h.js injects zj5173.com/3.js into a cookie.
- 3.js uses another hidden iframe to call zj5173.com/1.htm.
- 1.htm uses a VML overflow from hackwm.com to run some shell code.
2.exe is not currently well detected by the virus scanning engines at virus total..."
(More detail at the ISC URL above.)
----------------------------------------------
-
http://isc.sans.org/diary.html?storyid=2166
Last Updated: 2007-02-07 18:52:55 UTC ...(Version: 3)
[See the updates (dtd. 2/7/2007)]
~ and:
...
Possible Vector for ...Malicious JavaScript Insertion
-
http://isc.sans.org/diary.html?storyid=2187
Last Updated: 2007-02-07 21:41:45 UTC ~ "We've received information that the likely common vector for how the web sites were compromised appears to be through the use of Dreamweaver. There is not a flaw in Dreamweaver that was exploited. It was a case of lazy programming on the parts of site developers who did not do a good job of "input validation" so attackers were able to do "sql injection" attacks."
==================================
-
http://isc.sans.org/diary.html?storyid=2151
Last Updated: 2007-02-08 16:58:49 UTC ~ "...UPDATE4: Updating our earlier update, the 3.js off the Natmags site downloads an ad.htm file which is clearly an exploit, as can be shown with a little PERL-fu to make it readable:
cat ad.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
The corresponding www .exe is no longer available on the server though (or doesn't download)."
:fear: :spider: :fear:
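As an added example (mine, not code from the ISC diaries or the poster above), a small Python scanner for the two artefacts the quotes describe: hidden iframes and off-site script includes of the 8.js / qq.htm kind, plus the high-bit obfuscation that the UPDATE4 perl one-liner strips with `&127`. The sample page and the attacker.example domain are constructed placeholders, not the indicators from the diaries.

```python
from html.parser import HTMLParser
import re

# Inline style values that make a frame invisible to the visitor.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_hidden(attrs):
    """True if an iframe is sized to nothing, styled invisible, or marked hidden."""
    a = {k.lower(): (v or "").strip() for k, v in attrs}
    zero_size = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
    return zero_size or bool(HIDDEN_CSS.search(a.get("style", ""))) or "hidden" in a

class InjectionScanner(HTMLParser):
    """Collect hidden iframes and off-site script includes from a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if not src:
            return
        if tag == "iframe" and _is_hidden(attrs):
            self.findings.append(("hidden-iframe", src))
        elif tag == "script" and src.startswith(("http://", "https://", "//")):
            self.findings.append(("external-script", src))

def scan(html: str):
    """Return [(kind, src), ...] for every suspicious include in the page."""
    parser = InjectionScanner()
    parser.feed(html)
    return parser.findings

def strip_high_bit(data: bytes) -> str:
    """Same transform as the diary's perl one-liner: clear bit 7 of every byte."""
    return bytes(b & 0x7F for b in data).decode("ascii", errors="replace")

# Constructed sample page; attacker.example is a placeholder, not a diary indicator.
SAMPLE = """<html><body><h1>Welcome</h1>
<script src="http://attacker.example/8.js"></script>
<iframe src="http://attacker.example/qq.htm" width="0" height="0"></iframe>
<iframe src="/ad-slot.html" width="300" height="250"></iframe>
<iframe src="http://attacker.example/1.htm" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan(SAMPLE):
        print(kind, src)
    obfuscated = bytes(c | 0x80 for c in b"<script>...</script>")  # constructed input
    print(strip_high_bit(obfuscated))
```

Run it against saved copies of a site's own pages: anything the scan reports that the site owner did not put there is a candidate silent defacement worth pulling and unmasking.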