Tuesday, 24 July 2007
The popular movie site Empireonline.com was compromised this morning, with a rogue IFRAME - this was around 9am UK time this morning. The site now appears to be fixed.
The IFRAME connects to a page called g.htm on g.ignfile.cn which appears to be a malware server hosted on 22.214.171.124 in China. For obvious reasons, I'm not including a clickable link but see the screenshot of the source below:
g.htm loads a couple of IFRAMES and has a web counter.
The other IFRAME is called imags1.htm, this leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked, and the site owners are unaware of the problem.
Both appear to be using variants of the MS07-017 vulnerability from April 2007, although the nature of the payload is uncertain.
In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.