Tuesday, 24 July 2007
Empireonline.com compromised
The popular movie site Empireonline.com was compromised with a rogue IFRAME at around 9am UK time this morning. The site now appears to be fixed.
The IFRAME connects to a page called g.htm on g.ignfile.cn, which appears to be a malware server hosted on 61.151.239.13 in China. For obvious reasons, I'm not including a clickable link, but see the screenshot of the source below:
g.htm loads a couple of IFRAMEs and has a web counter.
014.htm has some nasty obfuscated JavaScript:
The other IFRAME is called imags1.htm, which leads to a compromised file on a server called sexbb888.com. It is likely that the server has been hijacked and that the site owners are unaware of the problem.
Both appear to be using variants of the MS07-017 vulnerability from April 2007, although the nature of the payload is uncertain.
In any case, the problem appears to be fixed and anyone with a fully patched system should have been protected. Still, it's a good example of how trusted sites can fall prey to malware pushers.
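For site owners who want to catch this kind of injection in their own pages, here is an added example (not part of the original post) that lists every IFRAME whose host falls outside an allowlist. The sample markup, the `player.example` host and the allowlist are constructed assumptions, and the zero-size check is an extra heuristic, since the post does not say how the rogue IFRAME was styled.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: illustrative markup, not the site's real source.
PAGE_URL = "http://www.empireonline.com/"
SAMPLE_HTML = """<html><body>
<iframe src="/features/trailer.html" width="468" height="60"></iframe>
<iframe src="//player.example/embed/1" width="640" height="360"></iframe>
<IFRAME SRC="http://g.ignfile.cn/g.htm" width=0 height=0></IFRAME>
</body></html>"""
ALLOWED_HOSTS = {"empireonline.com", "player.example"}  # assumed allowlist

class FrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> and <frame> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so IFRAME/SRC match.
        if tag in ("iframe", "frame"):
            self.frames.append(dict(attrs))

def host_allowed(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)

def is_tiny(attrs):
    """True if width or height is 0 or 1 pixel (heuristic for a hidden frame)."""
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        if value.isdigit() and int(value) <= 1:
            return True
    return False

def find_offsite_frames(html, page_url, allowed):
    """Return one finding per frame whose resolved host is not allowlisted."""
    parser = FrameCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = urljoin(page_url, attrs.get("src") or "")  # resolves relative src
        host = urlsplit(src).hostname or ""
        if not host_allowed(host, allowed):
            findings.append({"host": host, "src": src, "tiny": is_tiny(attrs)})
    return findings
```

Run against rendered pages or templates on a schedule, a new off-site host in the output is the signal to investigate.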