Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FYI: Super Bowl Infection - More Sites




http://isc.sans.org/diary.html?storyid=2166

Published: 2007-02-04,
Last Updated: 2007-02-04 21:17:53 UTC
by Marcus Sachs (Version: 1)
On Friday we reported that the Dolphins Stadium (home of the 2007 Super
Bowl) was infected with a scripted pointer to malware that exploited two
patchable Microsoft Windows vulnerabilities.  While doing research on
that issue we uncovered many more sites that contain similar references.
Here is a list of some of the ones we found; many have already been
cleaned up but many have not.  System administrators might want to check
their network flow logs for any traffic to these sites, and for any
traffic to the five sites that hosted the hostile JavaScript.

It looks like the "1.js" intrusions happened around the first of January
while the "3.js" intrusions occurred near the end of January.  We cannot
find any evidence of a "2.js" or "4.js" script.  In the references
below, I changed the word "script" to "skript" in order to prevent any
accidental mis-fires.


<skript src="http://w1c.cn/3.js";></skript>
www.nlgaming.com
www.arcchart.com


<skript src="http://dv521.com/3.js";></skript>
[multiple_sub_domains].squizzle.com
www.offshore247.com
mhmonline.com
www.citruscollege.edu
www.stariq.com
www2a.cdc.gov
www.surfersvillage.com
www.citrus.cc.ca.us
207.178.138.47


<skript src="http://www.natmags.co.uk/3.js";></skript>
www.zeenews.com


<skript src="http://bc0.cn/3.js";></skript>
https://www.massgeneral.org


<skript src="http://bc0.cn/1.js";></skript>


<skript src="http://137wg.com/1.js";></skript>
wanniski.com
www.wilson.edu


A common theme seems to be an attack on hospital or medical care sites,
although that is not completely the case.  We checked to see if this was
a mass attack on one service provider but other than a lot of
*.squizzle.com sites it does not appear to be this type of attack.
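
The log and page check suggested in the diary entry can be scripted. The following is an added example, not part of the original post: it flags proxy-log requests to the five script hosts named above and finds script references to them in a site's own pages. The log line format, the sample data and the function names are assumptions, and the samples keep the defanged "skript" spelling used in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The five script hosts named in the diary entry above.
SCRIPT_HOSTS = {"w1c.cn", "dv521.com", "www.natmags.co.uk", "bc0.cn", "137wg.com"}

def is_flagged(url):
    """True if the URL's host is one of the listed script hosts."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    return host in SCRIPT_HOSTS

class ScriptSrcCollector(HTMLParser):
    """Collects src of every <script> tag (and the defanged <skript>)."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "skript"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def scan_html(html):
    """Return script URLs in a page that point at a listed host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [s for s in collector.sources if is_flagged(s)]

def scan_proxy_log(lines):
    """Return (client, url) for each request to a listed host.
    Assumed format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and is_flagged(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits

# Constructed samples (not real traffic); client IPs are documentation addresses.
SAMPLE_HTML = ('<html><body><skript src="http://w1c.cn/3.js"></skript>'
               '<skript src="/js/site.js"></skript></body></html>')
SAMPLE_LOG = [
    "2007-02-02T14:01:07Z 192.0.2.10 GET http://bc0.cn/1.js 200",
    "2007-02-02T14:01:09Z 192.0.2.11 GET http://example.org/1.js 200",
    "2007-02-02T14:02:30Z 192.0.2.12 GET http://DV521.com/3.js 200",
]

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(scan_proxy_log(SAMPLE_LOG))
```
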


