Sponsored by..

Tuesday 24 July 2007

Empireonline.com compromised


The popular movie site Empireonline.com was compromised this morning, with a rogue IFRAME - this was around 9am UK time this morning. The site now appears to be fixed.

The IFRAME connects to a page called g.htm on g.ignfile.cn which appears to be a malware server hosted on 61.151.239.13 in China. For obvious reasons, I'm not including a clickable link but see the screenshot of the source below:



g.htm loads a couple of IFRAMES and has a web counter.



014.htm has some nasty obfuscated javascript:



The other IFRAME is called imags1.htm, this leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked, and the site owners are unaware of the problem.



Both appear to be using variants of the MS07-017 vulnerability from April 2007, although the nature of the payload is uncertain.

In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.

No comments: