UK .gov site hacked
Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
Sorry John! :-)
Sometime between the 1st of Feb 2008 and the 3rd of Feb 2008, the official website for the Forth Estuary Transport Authority was hacked and an obfuscated iframe, using Neosploit encoding, was injected.
This decoded to an iframe that called to 18.104.22.168 (careful about going there, folks)...
This, in turn, loaded one of the current Neosploit exploit packages (we have a full write-up on Neo a little further down this blog). If you're patched, or running LinkScanner, you're OK, but if not, you probably got a rootkit, so if you visited that website in the last couple of days, you might like to run an anti-rootkit and an anti-virus over your system. AVG has a free one here ... http://free.grisoft.com .
One of the most interesting aspects of this is that inside the full Neosploit download was an attempt to load bbc.com.uk, presumably after the infection, presumably to hide what had happened a little bit. That's no big deal in itself, but a hacked UK gov website pointing to the BBC afterwards makes us think it was not a random hack, but something more deliberate. Interesting times, folks.
Looks like they cleaned the site this morning, although the Google cache is still infected, so be careful.