Friday, April 13, 2007

An orphan no longer

Hi folks,

One of the more interesting ideas that we monitor is that of an Orphaned Lure. That's where you have some site that has been hacked and made into an Innocent Lure, but then the exploit server goes offline. The Lure is now an orphan, but in a macabre parody of a B-grade horror movie the exploit server can come back to life and start serving exploits again.

This has happened tonight.

One of the common hacks that we see is an injection of some code wrapped in unescape() that starts like this ...

< s c ript language="j a vascript"> document.write( unescape( '%3C%69%66%72%61%6D etc

When you decode this, it resolves to something like this ...

< iframe src=hxxp:// 81.95.nnn.nn/index.html

where nnn.nn is a substitute to save people from accidentally hurting themselves.

This IP has been offline for at least a month, maybe two, but tonight it is live again, and serving stuff.

The moral of the story is that you cannot trust a hacked site. The lure in this case is a hairdressing salon.
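A site owner can check their own pages for this kind of lure. The sketch below is an added example, not code from this post or from any scanner mentioned here: it finds `document.write(unescape('...'))` calls, decodes the payload the way the browser would, and reports any iframe, frame or script source that points at a host you do not own. The function names, the sample page and the address 203.0.113.7 are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# document.write(unescape('<payload>')) with a single- or double-quoted argument
UNESCAPE_CALL = re.compile(
    r"""document\.write\s*\(\s*unescape\s*\(\s*(['"])(?P<payload>.*?)\1\s*\)\s*\)""",
    re.IGNORECASE | re.DOTALL)

def js_unescape(text):
    """Decode like JavaScript unescape(): %uXXXX first, then %XX as Latin-1."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")

class FrameCollector(HTMLParser):
    """Collect src attributes of tags that pull in remote content."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "frame", "script") and src:
            self.sources.append((tag, src))

def find_lures(html, own_hosts=()):
    """Return one finding per decoded remote src whose host is not in own_hosts."""
    findings = []
    for match in UNESCAPE_CALL.finditer(html):
        collector = FrameCollector()
        collector.feed(js_unescape(match.group("payload")))
        collector.close()
        for tag, src in collector.sources:
            host = urlparse(src).hostname  # None for relative URLs, which are skipped
            if host and host not in own_hosts:
                findings.append({"offset": match.start(), "tag": tag,
                                 "src": src, "host": host})
    return findings

def escape_all(text):
    """Percent-encode every character, matching the '%3C%69%66...' style above."""
    return "".join("%%%02X" % ord(c) for c in text)

# Constructed sample page; 203.0.113.7 is a documentation address, not from the post.
SAMPLE_PAGE = (
    "<html><body><h1>Salon</h1>\n"
    "<script language=\"javascript\">document.write(unescape('"
    + escape_all("<iframe src=http://203.0.113.7/index.html width=0 height=0></iframe>")
    + "'));</script>\n</body></html>")

if __name__ == "__main__":
    for finding in find_lures(SAMPLE_PAGE, own_hosts={"salon.example"}):
        print(finding)
```

A finding means the page needs cleaning even if the remote host is currently unreachable, since an orphaned lure becomes live again the moment that host returns.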

Cheers

Roger

3 Comments:

At 4:02 PM, Blogger Linda said...

Good Day...well it was a bad day til I found you folks. A non profit group website had their IT guy leave suddenly and badly! I stepped in to revamp site and look after it ...then Google showed the site as being a badware site. Put it through your checker-after I found you-and here is an orphan lure situation. I will now try and find the iframe file...although maybe I should take the site down, change servers, design a quickie new html site on another server and then take the few weeks to design a new data base driven site for them...they need to do their own updates. I didn't put the url here so nobody would go there and maybe get hurt but I sure could use some help here. Anyway thanks for being in existence!

 
At 4:08 PM, Blogger Linda said...

Hi
Also can I figure out who or what the origin of this iframe script was ...where or who it came from and also how to identify the remote sleeping server? I am really upset by this. It is a database driven website and I don't know where to start hunting for it but I will do my best.
Thanks

 
At 6:29 PM, Blogger tcsl said...

Hi,

I've replied off-list with the lines that need to be removed, so remove them and monitor it every few days. You can scan it with our online scanner for free, if you want... http://linkscanner.com/linkscanner

If it happens again, you probably need to smack your ISP.

Good luck.

Cheers

Roger

 
