Thursday, March 12, 2009

Oh goody! City of Streator has a Yahoo counter!

The page looks quite normal, except that LinkScanner knows better and has told us that it contains a fake Yahoo! counter, and if you look at the source, sure enough you see this block of code ...



As readers of this blog will know, one of the more commonly-encountered web tricks is a Yahoo-counter-that-is-not-a-counter. Instead of counting visitors, it reaches out to an exploit site and ... counts victims.


This gang's specialty is to hack into an innocent website, and turn it into a unwitting lure... all the website's visitors are probed by the villains, and if they're vulnerable... wham! the visitor is a victim of a drive-by download.

Here's a sample from today's hack list. (*** AGAIN.... DON"T GO TO THE PAGE ... IT MIGHT BE STILL INFECTIVE ***)

This page, hxxp://www.ci.streator.il.us/cms/index.php?page=fire-department-faq-s, looks like this ...





If you look closely at the code you see not one, but _two_ yahoo counters! How exciting! This means they've been whacked not once, but twice. :-)

And sure, enough, if we look at the critical files list, we see the start of an infection cycle...



I find that outing a site on this blog is actually the best way to get it cleaned up. It's much more effective than me trying to explain to confused support staff, so c'mon City of Streator guys.... please clean your site, and fix the hole that allowed the Bad Guys in in the first place. You're probably running a vulnerable php tool or version.

Readers, please remember that City of Streator is an innocent victim too... they didn't mean for this to happen, but they do need to fix it.

Look both ways when crossing the web, folks.... it's dangerous out there.

Roger

Ps to be notified of updates to this blog, please follow me on Twitter

No comments: