[See the update below]
On Friday we reported that the Dolphins Stadium (home of the 2007 Super Bowl) was infected with a scripted pointer to malware that exploited two patchable Microsoft Windows vulnerabilities. While doing research on that issue we uncovered many more sites that contain similar references. Here is a list of some of the ones we found; many have already been cleaned up, but many have not. System administrators might want to check their network flow logs for any traffic to these sites, and for any traffic to the five sites that hosted the hostile JavaScript. It looks like the "1.js" intrusions happened around the first of January, while the "3.js" intrusions occurred near the end of January. We cannot find any evidence of a "2.js" or "4.js" script. In the references below, I changed the word "script" to "skript" in order to prevent any accidental mis-fires.

A common theme seems to be an attack on hospital or medical care sites, although that is not completely the case. We checked to see if this was a mass attack on one service provider, but other than a lot of *.squizzle.com sites it does not appear to be this type of attack.

[UPDATE 5 Feb 07 1754Z] A reader sent us this:

I think the 1.js problem goes back a bit further in time. I found these logs:

Fri Dec 1 10:08:44 2006: x.x.x.x -> 220.162.244.78: 54995 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Wed Dec 6 11:42:05 2006: x.x.x.x -> 220.162.244.78: 55089 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Mon Dec 11 14:17:04 2006: x.x.x.x -> 220.162.244.78: 51732 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Dec 21 12:17:55 2006: x.x.x.x -> 220.162.244.78: 48628 -> 80 GET /1.js HTTP/1.0 (bc0.cn)

...which makes us curious as to when this incident started. If you could check your logs and let us know about detections prior to December 1st 2006, we would greatly appreciate it. We'll post an update here later today or tonight.

Marcus H. Sachs
Director, SANS Internet Storm Center
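The check the diary recommends, as an added example that is not part of the original post: a Python script that flags requests for 1.js or 3.js to a watchlisted host in flow logs of the format the reader quoted, and that finds external script tags pointing at those hosts in saved page HTML. The watchlist host bc0.cn comes from the diary; attacker.example, the IP addresses, and the sample log and HTML are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that served the hostile script files. bc0.cn is from the diary;
# attacker.example is a constructed placeholder for the other hosts listed.
WATCHLIST_HOSTS = {"bc0.cn", "attacker.example"}
SCRIPT_NAMES = {"1.js", "3.js"}   # the file names seen in the injections

# Matches the reader-submitted flow log format quoted in the update:
# "<date>: <src> -> <dst>: <sport> -> <dport> GET /1.js HTTP/1.0 (host)"
FLOW_RE = re.compile(
    r"^(?P<ts>.+?): (?P<src>\S+) -> (?P<dst>\S+): \d+ -> \d+ "
    r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ \((?P<host>[^)]+)\)$"
)

def suspicious_flows(log_text):
    """Return (timestamp, source, host, path) for each request that fetched a
    watched script name from a watchlisted host; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        host, path = m.group("host").lower(), m.group("path")
        if host in WATCHLIST_HOSTS and path.rsplit("/", 1)[-1] in SCRIPT_NAMES:
            hits.append((m.group("ts"), m.group("src"), host, path))
    return hits

class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def injected_script_tags(html):
    """Return external <script src> URLs whose host is on the watchlist,
    i.e. the injected-pointer pattern the diary describes."""
    p = _ScriptSrcCollector()
    p.feed(html)
    return [s for s in p.srcs
            if (urlsplit(s).hostname or "").lower() in WATCHLIST_HOSTS]

# Constructed sample input (documentation IP ranges, not real observations).
SAMPLE_LOG = """\
Fri Dec 1 10:08:44 2006: 192.0.2.10 -> 198.51.100.7: 54995 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Fri Dec 1 10:09:01 2006: 192.0.2.11 -> 198.51.100.8: 54996 -> 80 GET /index.html HTTP/1.0 (www.example.com)
Sat Dec 2 08:00:00 2006: 192.0.2.12 -> 198.51.100.9: 40001 -> 80 GET /3.js HTTP/1.0 (attacker.example)
"""
SAMPLE_HTML = '<html><head><script src="http://bc0.cn/1.js"></script><script src="/local.js"></script></head></html>'
```

Run it against a real proxy or flow export by feeding each line to `suspicious_flows`, and against saved copies of your own pages with `injected_script_tags`.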
Marcus, ISC Handler, Feb 5th 2007