Compromised Web Sites Infect Web Surfers

Discussion in 'other security issues & news' started by Uguel707, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    This morning I read that there are all sorts of javascript expoits being distributed by hacked legitimate websites. They haven't found what the source of the vulnerability is.This is almost certainly just an unknown IE vulnerability so it is probably safe to run javascript in Opera and Firefox if you need it but I disabled it on all, just in case!

    source:

    http://isc.incidents.org/
     
  2. Justhelping

    Justhelping Guest

    A minor correction

    I believe it's the IIS webservers which are being exploited by some unknown exploit. Once infected those websites will attempt to infect IE users, but in this case using known exploits. One of these exploits is still unpatched.
     
  3. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    some days ago an expert with Kaspersky commented that spammers will join hands with coders. at that time many people thought its just too exteme and now look what we've got. that expert joined Kaspersky after leaving RAV for greener pasture. hmm... he was right about it. i tried to connect to those websites but looks like they are all down :(
     
  4. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Is there a way to tell if your PC has been compromised?


    Edit: Found an answer to my own question from the link above. Using a app like PE you can...

    "If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80.
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Suggestion. I went into my firewall (ZA PRO) and added a block to that IP address. Sounds like a good backup plan.
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is a little more info
     

    Attached Files:

  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Apparently NOD32 hasn't updated for this (SCOB) yet.

    Correction: Another name is apparently PADODOR, which was added in today's NOD32's signatures. Thanks Ronjor! :D
     
    Last edited: Jun 25, 2004
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Look at this thread from this morning D&C. Link
     
  10. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego

    Right! But you may have not notice this: "...This morning I read that there are all sorts of javascript expoits being distributed by hacked legitimate websites...". So I understood that the website itself is not the "offender" but rather the "offended" that spreads the infection unintentionnally to the visitors. Also, some pages I read on that matter said that it explores an unknown (unpatched) exploit like you said. And others, reccomended this:

    "Home users are being told to update their browser and avoid the
    threat by turning off Javascript. However, this could mean that some
    webpages do not display as expected. Microsoft has also given advice about how people can check if they are infected. So far the server/browser combination has not been given a single name. In its warning about the problem Microsoft calls it download.ject but others, such as F-Secure, are calling it Scob."

    From: http://news.bbc.co.uk/1/hi/technology/3840101.stm

    Furthermore:

    ",,,you visited an affected page, and your BROWSER is compromised: * You may see a warning about a javascript error. But it depends on how the attack code interfers with other javascript on the respective page, and many users disable these javascript warnings.
    * Disconnect the system from the network as soon as possible.
    * run a thorough virus check with up to date virus definitions. Many AV
    vendors released new definitions as recently as last night.
    * If you are able to monitor traffic to the infected host, you may see
    attempts to contact 217.107.218.147 on port 80.
    (right Dazed_and_ Confused!!! :) )

    We do not have any evidence of any other target IPs being involved at this point. However, as this ip is no longer reachable, attackers may plant scripts that point to other IPs in the future* AV software will detect the javascript as 'JS.Scob.Trojan'...."

    from:http://isc.incidents.org/

    Surfing carefully and being aware is the key!
     
  11. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Apart from an up to date AV and 'safe surfing' is the rule to block 217.107.218.147 on port 80 extra security for this flaw we have now? I have added 2 in Sygate Pro one for TCP and one for UDP for this address and port 80 but just need to know if this is the correct thing to do o_O Thanks
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    This is going on for quite some time now, actually.

    regards.

    paul
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Robyn! I have added a rule block everthing to this address (TCP & UDP), all ports. I think it a great backup plan - just in case.... :D
     
  14. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks D&C I will keep my safety net on both TCP and UDP in my firewall ;) There is a lot of confusing information out about this one with one report saying it is Ok while others are still warning about the danger o_O
     
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    As has been posted, if you have a decent AV, you should be safe. I do, but I always double-lock my doors too. :rolleyes: As a safety net, it's probably sufficient to simply block TCP connections to port 80 of the aforementioned IP address. But I see no reason not to block all traffic to the site.

    P.S. Really like your avatar! :D
     
  16. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks again - I have edited my rule to cover all!

    Pleased you like my little lonely fairy (I adore any of them) ;) ever read 'Little, Big' enchanting :) much nicer than the armed guards we now need to be online!
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Web site virus attack blunted.

    Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

    Info
     
  18. dog

    dog Guest

    Hi Ronjor, ;)

    Thanks for the Good News! ;)

    dog - *puppy*
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    it's yet another CWS hijack that we have been fighting for the past couple of years

    The main AV vendoors have just woken up to it

    this also helps to prevent it affecting you

    to see if we can prevent the cws hijackers reinfecting you try this:
    install a good firewall, lists here http://www.wilders.org/firewalls.htm if you haven't already got one and block these ranges of ports, both incoming and outgoing

    209.66.114.0 - 209.66.115.255
    81.211.105.0 - 81.211.105.255
    213.159.96.0 - 213.159.127.255
    217.107.218.0 - 217.107.218.255
    that stops the known cws servers responding or any hidden files on your computer updating. This works sometimes but not always as spme hijacks come from a different IP number but it's a help. The problem with this approach is that some good sites might also be blocked (not many as all the IP numbers are in Russia and very few Russian sites have much relevance to most people and as far as I know all the IP numbers listed are known to be CWS sites)
     
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wow. More great information dvk01. Your a wealth of knowledge today! :D
     
  21. dog

    dog Guest

    Yes, Thanks much Derek. ;) :D

    I'm Blocked and Protected!

    I hope you make this info a sticky in the Hijack Info Forum.

    Thanks

    dog - *puppy*
     
  22. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks dvk01 I am going to add these rules right now and share them with others who have concerns about this, hopefully that is OK as your knowledge and advice cannot be disputed ;)
     
Loading...
Thread Status:
Not open for further replies.