Wednesday, February 06, 2008

UK .gov site hacked

Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
http://www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/

Sorry John! :-)

Hi folks,

Sometime between the 1st Feb 2008, and the 3rd of Feb 2008, the official website for the Forth Estuary Transport Authority was hacked an obfuscated iframe, using Neosploit encoding, was injected.



This decoded to an iframe that called to 88.255.90.130 (careful about going there, folks)...



This, in turn, loaded one of the current Neosploit exploit package (we have a full write-up on Neo a little further down this blog). If you're patched, or running LinkScanner, you're ok, but if not, you probably got a rootkit, so if you visited that website in the last couple of days, you might like to run an anti-root and an anti virus over your system. AVG has a free one here ... http://free.grisoft.com .

One of the most interesting aspects of this is that inside the full Neosploit download was an attempt to load bbc.com.uk , presuamably after the infection, presumably to hide what had happened a little bit. That's no big deal in itself, but a hacked uk gov website, pointing to the bbc afterwards makes us think it was not a random hack, but something more deliberate. Interesting times, folks.

Looks like they cleaned the site this morning, although the google cache is still infective, so be careful.

Cheers

Roger

Labels:

7 Comments:

At 12:59 PM, Anonymous Anonymous said...

Thanks Roger for the acknowledgement and big thank you for your parallel investigation.

I'd also like to acknowledge the part played by the fabulous security tool called, "LinkScanner Pro". This is the true star here! It made our job so much easier to identify there was a specific problem. The follow-up investigation was made all the easier for it alerting us to the problem. Go get a copy folks!

If anyone is in Scotland next week, you can hear about this incident at a security talk myself and another security consultants are doing for the Institution of Engineering and Technology. More details here:

http://www.theiet.org/local/uk/scotland/southeast/computer-security.cfm

Although it is a real shame the FETA website was compromised, I really couldn't have asked for the timing to be any better. ;-)


Regards

John
Roundtrip Solutions

 
At 1:13 PM, Blogger tcsl said...

You're more than welcome! :-)

It's an interesting time we're coming into, eh?

 
At 1:40 PM, Anonymous Anonymous said...

Scary times lie ahead! Time for people to wake up to the real threats that they will encounter on a daily basis!

Did you manage to make a video of the investigation? I'd like to see that one!


Regards

John
Roundtrip Solutions

 
At 3:02 PM, Blogger tcsl said...

I've got enough material to make a vid ... we'll see if we can make one over the next week or so.

Cheers

Roger

 
At 2:18 PM, Anonymous Anonymous said...

Is jsdecrypt (in the screen shots) a custom tool? Google doesn't seem to know of it.

 
At 9:46 AM, Anonymous Anonymous said...

What is the JSDecrypt tool in the screen shot?

 
At 7:30 PM, Blogger tcsl said...

anonymous asked about JSDecrypt... yes, it's a tool we developed for internal use, but we have to admit, it's really handy. Sorry we can't share it.

 

Post a Comment

<< Home