Comments on: The website hack you’d never find

By: Ben LaGrone

Ben LaGrone — Mon, 28 Apr 2008 17:23:57 +0000

John,

BTW I’ve found Fiddler very useful, but have hit a brick wall.

By: Ben LaGrone

Ben LaGrone — Mon, 28 Apr 2008 17:22:21 +0000

Hi John,

I’m trying to solve a similar mystery. Can I PM you the URL and see if you have any ideas. I’m trying to trace a cloaked redirect…

By: Tristan

Tristan — Sat, 01 Mar 2008 04:01:44 +0000

Great project!! You should be on google payrole!

John: “That could be a security issue in Firefox” :- given this would you recommend staying with Internet Explorer / Other for security reasons? I was considering Firefox due to repeated “IE not responding”.

Do you think the antivirus advert (hidden hack redirect) was a joke or a moneyspinner or both?

BTW FYI I found this page after visiting http://groups.google.com/group/Google_Webmaster_Help-Requests/browse_thread/thread/3238914c52ff7b18/3f4de587650273fc

After an AVG activex thing popped up in ie7 while visiting a christianity page. I clicked no. Did that mean the page was triggering AVG or a virus pretending to? I ran AVG afterwards and it found a “virus identified exploit.ANI” in my temp. Did I prevent the virus spreading out of temp by clicking NO on the ActiveX request or prevent AVG catching it? What use is the thing in temp anyway?

Just curious (re:spam protection on this page).. Sum of 7 + 4.. can see how me typing in 11 would partially suggest I was a human; but as 11 is allready show in the field does this mean SHOWING question is redundant? My guess is prob’ no, but I’m so curious

Brilliant work btw.. Tris.

By: mrg

mrg — Tue, 04 Sep 2007 17:51:21 +0000

Adding a little… You don’t need to use a proxy if you are on windows. Back when we looked at the other hacked site with this same exploit all I had to do was to repair the connection to get a new IP address. And every time after that, when checking LiveHTTPHeaders it triggered the 302.

By: » Show heute fällt leider aus | seoFM - der erste deutsche PodCast für SEOs und Online-Marketer

Tue, 28 Aug 2007 14:32:37 +0000

[…] Der wohl sneaky-ste Website Hack bislang […]

By: Richard Hearne

Richard Hearne — Sun, 26 Aug 2007 10:33:58 +0000

Indeed rather scary stuff. Possibly one of the nastier exploits I’ve heard of recently.

I think tracking down the aff codes might help - removing some of the financial gain would be a start. I’m sure the installed payload is also just as nasty given the lengths the hackers have gone to…

By: John Mueller

John Mueller — Fri, 24 Aug 2007 11:01:48 +0000

Good, then it’s not that bad *big sigh of relief*

By: Patrick Altoft

Patrick Altoft — Fri, 24 Aug 2007 11:00:04 +0000

I do use FF. It does just show the persons name at the top of the page.

By: John Mueller

John Mueller — Fri, 24 Aug 2007 10:57:42 +0000

I tried Netvibes - you don’t get redirected, but you see a part of the content here on their page (at least that’s what I see). I see the name of the person from the original posting on the netvibes page and then this blog entry opens up in a separate window. Maybe I was a bit too sneaky for my own good, I hid that name from indexing by using javascript to display it (so that this page doesn’t rank for his name). Apparently that javascript snippet is executed on the old page, before the redirect to the new window takes place. That could be a security issue in Firefox… (did you use Firefox as well?)

By: John Mueller

John Mueller — Fri, 24 Aug 2007 10:36:58 +0000

@Patrick: that doesn’t sound too good, but since the exploit only triggers when a user comes from Google, it shouldn’t matter. Is Netvibes interpreting some of the markup? Did it really redirect or did it link to the site?

By: Patrick Altoft

Patrick Altoft — Fri, 24 Aug 2007 08:55:47 +0000

When I looked at this in your RSS feed in netvibes it redirected me to the infected site………..

By: JLH

JLH — Fri, 24 Aug 2007 04:19:50 +0000

I’m glad you are one of the good guys…you’ve got some scary skills in figuring things out.