Monday, May 11, 2009

Here's a whoopsie to start the week.

*** don't go to any of these websites... they seem safe today, but you can't be certain, and it's better to avoid them ***

It's just a simple (and common) script injection, but the victim is kind of interesting. Seems like none other than the City of London website has poor security. :-)


As usual, the page itself renders just fine, and looks like this ...




but if you have a look at the source, you see something like this ...



If you look closely, you see references to URLs like 4log-in.ru, and in fact there are eight different ones...

www.ojns.ru/js.js
www.ujnc.ru/js.js
www.64do.com/script.js
www.mnicbre.ru/script.js
www.4log-in.ru/script.js
www.berjke.ru/script.js
www.wmpd.ru/style.js
www.lijg.ru/script.js

(again, don't go to these places unless you know what you're doing, because you might get nailed)

What this means is that the City of London website has been nailed, not once, but _eight_ times.

Fortunately, the site is seemingly not infective, so the injections have only partly worked, but then again, it might depend on what you click on the page, and there might well be other hacked pages that we've not discovered yet.

What needs to happen is that the injections need to be removed, and the City of London webmeisters need to find the form that is allowing the injections, and fix it.
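
One way a site owner could check pages for this kind of injection, shown as an added example (not code from the original post): a Python scan that reports every script tag loaded from a host outside an allowlist. The sample page is constructed, and www.example.org and the allowlist are assumptions standing in for the site's own hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real source): one local script plus
# injected tags written with unquoted src attributes.
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
</head><body>
<h1>Welcome</h1>
<p>News item<script src=http://www.4log-in.ru/script.js></script></p>
<p>Another item<script src=http://www.ojns.ru/js.js></script>
<script src=http://www.4log-in.ru/script.js></script></p>
<script src="https://www.example.org/site.js"></script>
</body></html>"""

# Assumption: hosts the site owner legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.org"}


class ScriptSrcCollector(HTMLParser):
    """Collect (line, src) for every <script src=...> in a document."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.found.append((self.getpos()[0], src.strip()))


def offsite_scripts(html, allowed_hosts):
    """Return {host: [line numbers]} for script sources outside the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = {}
    for line, src in collector.found:
        # Relative URLs have no host and are served by the site itself.
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed_hosts:
            hits.setdefault(host, []).append(line)
    return hits

if __name__ == "__main__":
    for host, lines in sorted(offsite_scripts(SAMPLE_HTML, ALLOWED_HOSTS).items()):
        print(f"{host}: {len(lines)} tag(s) at line(s) {lines}")
```

The same host turning up on several lines, or several unknown hosts on one page, is the repeated-injection pattern described above; the line numbers show where in the stored content the cleanup has to happen.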

It's a dangerous Internet, folks. Keep safe.

Cheers

Roger