malicious website hacking into my router or just bad coding?

When I go to this site I get prompted by my router to enter the credentials. (With NoScript I just get an ABE warning). The problem it seems are image files embedded on the site which are missing on the server.
Could someone check what's causing that behaviour?
hxxp://rmccurdy.com/scripts/downloaded/www.offensive-security.com/_013_msfgui.html

Thank you.

 

Some online analysis:
http://anubis.iseclab.org/?action=result&task_id=15905303b5f04f364f507756d05ef40f3
http://wepawet.iseclab.org/view.php?hash=b796446a453e778ad7d32bb34f3cac54&t=1295104337&type=js

 

This is what causing that behaviour:

 

Thank you.
Any idea why it might be doing that?

 

Not sure, a hacking attempt maybe?
http://hackademix.net/2010/07/28/abe-patrols-the-routes-to-your-routers/

 

That was my first thought too but where is the malicious payload? No obfuscated javascript, online scanner come out clean...

 

Not written in disk? In RAM, perhaps, in the same manner as didier steven's loading of dll from memory? This topic reminds me of these threads...

https://www.wilderssecurity.com/showthread.php?t=245575

and

https://www.wilderssecurity.com/showthread.php?t=245234

 

What's got written to disk got to do with anything? This is not about malware being downloaded and executed.

About http response splitting and smuggling
I assume you like almost everybody else who posted in these threads didn't read the whitepapers
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html

I'll make it brief: Checking html source and http headers would reveal response splitting, it doesn't magically hide the payload. This weakness in html is primarely relevant if you are behind a caching proxy and to a lesser extent if you follow "untrusted links" ("funny looking strings") to a trusted site (i.e. alway enter bankofamerica, paypal what ever manually into the address bar, basic anti-phishing knowledge really).

This has nothing to do with DNS rebinding. If you think XSS and CSRF there's a slight connection but still totally irrelevant for this case.

------

My conclusion, if there is no malicious script this is not a malicious hacking attempt. It's an error and I'd like to know how this works on the server side. How comes some resources on this site redirect always to your public IP?

 

Don't know if you can make some use of it but here are all the scripts that can be found on this very page. I know about nothing on this stuff so I'll let you have a check on and try to decipher :

Hope it could help.

 

Yes, it's not a hacking attempt, it redirects to your IP when a resource doesn't exist, instead of showing a 404 page. The .htaccess file probably contains something like this:

 

I said this thread just reminded me of those threads and I didn't exactly say http splitting did that to your router. Ok, so those threads were irrelevant to the topic at hand. If you say so. You're the expert here.

Thanks for the clarifications and for those links. Like almost everybody else on those threads including the threadstarter there fully admitted that we don't fully understand the mechanics of these things and not as knowledgeable like you. You're the man, idol. :u LOL -embarassed