[OWASP-Bangalore] iframes injected into premier educational institute's site

praveen_recker . praveen_recker at sify.com
Tue Oct 6 14:21:14 EDT 2009


Hi OWASP,

I am writing this so that the concerned authorities can be informed.
I tried to find a mail id of the respective institute to inform them but
couldn't find any.

Details are as follows:
Visit any page on *http://www.nagarjunauniversity.ac.in*
and right-click to "View Source"; we'll find the following site embedded in
an iframe: *http://bale.ws/show.php*
When we open the above site it gets redirected to
*http://superpupermegacasino.com/* which hosts *SmartDownload.exe*

Details of the EXE at VirusTotal are shown as *Win32/CasOnline!Adware*
http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534


The page has eval() and base64_decode() methods. When we decode the base64
content, the site *esli.tw* is embedded.

There is one more site embedded: *http://b.nt002.cn/E/J.JS*

When we visit a few pages on this site, and if any AV is installed on your
machine (McAfee AntiVirus is installed in my case and triggers a PDF-Exploit
alert), it should trigger some alert.

Interested folks can analyze further. Please inform the concerned guys from
Nagarjuna University.

Best Regards,
Praveen Darshanam,
Security Researcher
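
The check described in the message above (looking in page source for foreign iframes and eval(base64_decode(...)) blobs), as an added example that is not part of the original post. The domains, the SAMPLE page and the function names are constructed for illustration; the payload is only decoded as text, never executed or fetched.

```python
import base64, binascii, re
from urllib.parse import urlparse

IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']', re.I)
URL = re.compile(r'https?://[^\s"\'<>)]+', re.I)

def is_external(url, site_host):
    """True when the URL names a host outside site_host and its subdomains."""
    h = (urlparse(url).hostname or "").lower()
    return bool(h) and h != site_host and not h.endswith("." + site_host)

def scan(source, site_host):
    """Return (kind, detail) findings for one page or file, in source order."""
    findings = []
    for src in IFRAME_SRC.findall(source):
        if is_external(src, site_host):
            findings.append(("external-iframe", src))
    for blob in EVAL_B64.findall(source):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append(("eval-base64-undecodable", blob[:40]))
            continue
        decoded = raw.decode("utf-8", "replace")
        findings.append(("eval-base64", decoded))
        # The decoded text usually hides a second iframe or script URL.
        for url in URL.findall(decoded):
            if is_external(url, site_host):
                findings.append(("hidden-url", url))
    return findings

# Constructed sample: one legitimate local frame, one injected zero-size
# frame, and one base64-wrapped frame (all hosts are placeholders).
_HIDDEN = '<iframe src="http://hidden.example.net/in.php" width=1 height=1></iframe>'
SAMPLE = (
    '<html><body><h1>Admissions</h1>\n'
    '<iframe src="/notices/today.html"></iframe>\n'
    '<iframe src="http://injected.example.org/show.php" width="0" height="0"></iframe>\n'
    '<?php eval(base64_decode("' + base64.b64encode(_HIDDEN.encode()).decode() + '")); ?>\n'
    '</body></html>'
)

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE, "university.example"):
        print(f"{kind}: {detail}")
```

Run over a web root's files or over saved copies of served pages, any finding that names a host the site owner does not recognise is a lead for cleanup and for checking how the files were modified.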