[OWASP-Bangalore] OWASP-Bangalore Digest, Vol 23, Issue 2

Sajin Jose sajinkokkad at gmail.com
Wed Oct 7 12:14:13 EDT 2009


Unbelievable!! Just wondering why no one there at the university noticed
this and rectified it..
Also, I would really appreciate it if someone could explain how the malicious
site did this on a seemingly reputed university's site.. Any inputs?

Rgds,
Sajin.

On Wed, Oct 7, 2009 at 9:30 PM, <owasp-bangalore-request at lists.owasp.org> wrote:

> Today's Topics:
>
>   1. iframes injected into premiere educational institutes site
>      (praveen_recker .)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 6 Oct 2009 23:51:14 +0530
> From: "praveen_recker ." <praveen_recker at sify.com>
> Subject: [OWASP-Bangalore] iframes injected into premiere educational
>        institutes site
> To: owasp-bangalore at lists.owasp.org, owasp-delhi at lists.owasp.org
> Message-ID:
>        <3542efac0910061121p71a17debx4f530e8523dc1022 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi OWASP,
>
> I am writing this such that it can be informed to concerned authorities.
> I tried to find mail id of the respective institute to inform them but
> couldn't find any.
>
> Details are as follows....
> Visit any page on *http://www.nagarjunauniversity.ac.in*
> and right click to "View Source", we'll find the following site embedded in
> iframe *http://bale.ws/show.php*
> When we open above site it gets redirected to
> *http://superpupermegacasino.com/* which hosts *SmartDownload.exe*
>
> Details of the EXE at virustotal is shown as *Win32/CasOnline!Adware*
>
> http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534
>
>
> the page has eval() and base64_decode() methods. When we decode the base64
> content site *esli.tw* is embedded.
>
> There is one more site embedded *http://b.nt002.cn/E/J.JS*
>
> When we visit a few pages on this site and if any AV is installed on your
> machine (McAfee AntiVirus is installed in my case and triggers PDF-Exploit
> alert) it should trigger some alert.
>
> Interested folks can further analyze. Please inform concerned guys from
> Nagarjuna University.
>
> Best Regards,
> Praveen Darshanam,
> Security Researcher
>
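
The check described in the quoted report (iframes pointing at another host, plus an eval()/base64_decode() wrapper that hides a further embedded site) can be automated over a site's source files. The following is an added example, not part of the original thread: the hosts, the sample page and the PHP-style placement of the wrapper are constructed assumptions, and `scan` and `foreign_sources` are hypothetical helper names.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder hosts): one visible injected iframe, one hidden in base64.
_HIDDEN = '<iframe src="http://hidden.example.net/x" width=1 height=1></iframe>'
SAMPLE_PAGE = (
    '<html><body><h1>Admissions</h1>\n'
    '<iframe src="/campus-map.html"></iframe>\n'
    '<iframe src="http://injected.example.org/show.php" width="0" height="0"></iframe>\n'
    "<?php eval(base64_decode('" + base64.b64encode(_HIDDEN.encode()).decode() + "')); ?>\n"
    '</body></html>'
)

B64_WRAPPER = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)

class FrameCollector(HTMLParser):
    """Collect the src attribute of every iframe and script tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def foreign_sources(markup, site_host):
    """Return iframe/script hosts that are neither site_host nor a subdomain of it."""
    collector = FrameCollector()
    collector.feed(markup)
    collector.close()
    hosts = []
    for src in collector.sources:
        host = (urlparse(src).hostname or "").lower()  # relative URLs have no host
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.append(host)
    return hosts

def scan(markup, site_host):
    """Check the raw source, then each decoded base64 payload (parsed only, never executed)."""
    findings = [("plain", h) for h in foreign_sources(markup, site_host)]
    for match in B64_WRAPPER.finditer(markup):
        try:
            decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
            findings.append(("undecodable", match.group(1)[:16]))
            continue
        findings.extend(("base64", h) for h in foreign_sources(decoded, site_host))
    return findings
```

Run over every served file, with `site_host` set to the site's own hostname, any non-empty result is a file to restore from a known-good copy and a reason to review how it was modified.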