Ok I might be jumping the gun here but there appears to be a new compromised, someone that has me on their IM list got pwnd or some list is being generated somewhere.
I returned to my computer this evening to find an IM from someone that I did not know and the following message:
——————————————————
mmmmmm88@hotmail.fr [h:mm PM]:
OMG u gotta see this! Go here: _hxxp://xxxx.obama-offers.com
——————————————————
Obviously I modified it slightly to avoid accidental clicks and to keep somewhat anonymous, but you get the picture.
So lets see what we can learn about obama-offers.com and the sender.
- The usual checks for other reports using uSearchIt.com. I prefer using this site because I can easily compare results across search engines as well as other sites like Twitter.
- Results – Couple reports on Twitter but nothing in the search engines so I went to Google directly. Found a page but the translator didnt work and there is no cached page. Using obama + offers as a domain was a pretty smart way to hide.
- Checking Dataopedia for any clues as to the origin of the site.
- Results – Private registration but appears to have been set up today. Not surprisingly there isnt enough traffic to get any hits in Alexa, Compete.com, or Quantcast.
- Next stop BuiltWith.com to see what we can learn about the technical side of the site before visiting it directly.
- Results – Running on a server with Linux CentOS and Apache. They are using PHP with frames, surprise surprise… NOT.
- Lets not forget domainwhitepages to see if there is anything interesting about the route of traffic or maybe, if we are lucky, better information about the registrar.
- Results – IP 208.116.34.163. WhoIs information FortressITX 100 Delawanna Ave Clifton NJ 07014. Looks like they are using an email forwarder. OH BOY my old friends ThePlanet and Level3. From what I have investigated over the years these guys shouldnt even be on the web.
- Another great resource is YouGetSignal. This site offers a number of useful tools for reverse lookups.
- Results – Mostly results aligned with those on other sites but i found that there are 3546 other domains hosted on the same server. A quick scan of the domain names makes me wonder if looking too far into this could be a can of worms that turns into a needle in a haystack.
- Time for a virtual machine with Fiddler running.
- Results – I used the name jonsmith figuring the page would not perform as intended without a subdomain. I got a generic parking page but lots loaded in the background. See details below:
Here is the page source and enough information if someone were to take legal action to know who to subpoena records for from the various companies:
———————————————————————————
<html><head><title></title></head><frameset rows=’100%, *’ frameborder=no framespacing=0 border=0><frame src="http://64.34.154.95/ads" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame></frameset><noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br><center>Click <a href="http://64.34.154.95/ads" >here</a> to enter the site.</center></noframes></html>
———————————————————————————
Source of hxxp://64.34.154.95/ads
———————————————————————————
<html>
<head>
<title>Great Offers For You</title>
</head>
<frameset rows="*,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="body.php" name= frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>
———————————————————————————
indexx.php calls a redirect:
———————————————————————————
Location: hxxp://www.herbalaffiliateprogram.com/herbalalternatives/aff_manager/newaff/redirect.cfm/i/2009015138
———————————————————————————
body.php looks like it isnt working correctly
———————————————————————————
HTTP/1.1 200 OK
Transfer-Encoding: chunked
X-Powered-By: PHP/4.4.8
Content-type: text/html
Date: Mon, 02 Feb 2009 15:17:58 GMT
Server: lighttpd/1.4.19
71
<br />
<b>Parse error</b>: syntax error, unexpected ‘<’ in <b>/home/www/ads/body.php</b> on line <b>3</b><br />
0
———————————————————————————
indexx.php redirector call is responded to drop a cookie
———————————————————————————
HTTP/1.1 200 OK
Connection: close
Date: Mon, 02 Feb 2009 06:12:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-type: text/html
P3P: CP="ALL DSP COR NID CURo OUR STP PUR OTPo COM NAV"
Page-Completion-Status: Normal
Page-Completion-Status: Normal
Set-Cookie: AFFILIATEID=2009015138; expires=Tue, 03-Feb-2009 00:12:29 GMT; path=/;
Set-Cookie: CAMPAIGNID=0; expires=Tue, 03-Feb-2009 00:12:29 GMT; path=/;
Set-Cookie: CFGLOBALS=HITCOUNT%3D1%23LASTVISIT%3D%7Bts+%272009%2D02%2D02+00%3A12%3A29%27%7D%23TIMECREATED%3D%7Bts+%272009%2D02%2D02+00%3A12%3A29%27%7D%23; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: CFID=10309480; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: CFTOKEN=44372689; expires=Sun, 27-Sep-2037 00:00:00 GMT; path=/;
Set-Cookie: LINKID=0; expires=Tue, 03-Feb-2009 00:12:29 GMT; path=/;
———————————————————————————
indexx.php redirector next loads the page www.diet-pills-natural-fast-weight-loss-supplements-fat-product.com, notice that it captured the visiting IP
———————————————————————————
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title>
natural supplement vitamin colloidal silver at diet-pills-natural-fast-weight-loss-supplements-fat-product.com
</title>
<meta name="keywords" content="natural,supplement,vitamin,colloidal,silver,vitacost.com,antioxidant,eniva,solgar,liquid" />
<meta name="description" content="primal defense hair vitamin nature way sea silver the greatest" />
<SCRIPT LANGUAGE=’Javascript’ SRC=’/diet-pills-natural-fast-weight-loss-supplements-fat-product.com.js’></SCRIPT>
<link javascript’ type=’Text/Javascript’>
function GetIPPI(g) {
var xmlHttp = createXMLHttpRequest();
if (xmlHttp != null) {
xmlHttp.open(‘GET’, ‘/’+g+’.ippi?g=’+g, true);
xmlHttp.send(null);
}
}
function createXMLHttpRequest() {
try { return new ActiveXObject(‘Msxml2.XMLHTTP’); } catch(e) {}
try { return new ActiveXObject(‘Microsoft.XMLHTTP’); } catch(e) {}
try { return new XMLHttpRequest(); } catch(e) {}
return null;
}
GetIPPI(‘e4f67e00-123e-49f0-88a0-d9a6c847a437′);
</script>
</body>
</html>
———————————————————————————
next comes the .js GET /diet-pills-natural-fast-weight-loss-supplements-fat-product.com.js
———————————————————————————
var mydate=new Date()
var year=mydate.getYear()
if (year < 1000)
year+=1900
var day=mydate.getDay()
var month=mydate.getMonth()
var daym=mydate.getDate()
if (daym<10)
daym=’0′+daym
var dayarray=new Array(‘Sunday’,'Monday’,'Tuesday’,'Wednesday’,'Thursday’,'Friday’,'Saturday’)
var montharray=new Array(‘January’,'February’,'March’,'April’,'May’,'June’,'July’,'August’,'September’,'October’,'November’,'December’)
var d=(dayarray[day]+’, ‘+montharray[month]+’ ‘+daym+’, ‘+year)
function getPage()
{
var c = ‘rd302.a’;
var y = ‘p’;
var a = ‘fo’;
var x = ’s’;
var z = ‘x’;
var b = ‘rwa’;
return a + b + c + x + y + z;
}
function pcNav(url)
{
var x = ‘/’ + getPage() + url;
//alert(x);
window.parent.location.href = x;
}
function slNav(url)
{
window.parent.location.href = url;
}
function createCookie(name,value,days) {
if (days) {
var date = new Date();
date.setTime(date.getTime()+(days*24*60*60*1000));
var expires = ‘; expires=’+date.toGMTString();
}
else var expires = ”;
document.cookie = name+’='+value+expires+’; path=/’;
}
function readCookie(name) {
var nameEQ = name + ‘=’;
var ca = document.cookie.split(‘;’);
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==’ ‘) c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}
function eraseCookie(name) {
createCookie(name,”,-1);
}
———————————————————————————
then the .css request GET /css/dbstore.css?def=Akamai%3aHostingURL%3dhttp%3a%2f%2fi.nuseek.com%7cBdyStyl%3aPageBackgroundColor%3d%23fff%7cBdyStyl%3aFont%3darial%7cBdyStyl%3aFontSize%3d12%7cBdyStyl%3aFontColor%3d%230e5fd8%7cBdyStyl%3aPrimaryColor%3d%231b5709%7cBdyStyl%3aPrimaryColorComplement%3d%23fff%7cBdyStyl%3aSecondaryColor%3d%23c44242%7cBdyStyl%3aSecondaryColorComplement%3d%23edc6c6%7cBdyStyl%3aTertiaryColor%3d%23f3f3f3%7cBdyStyl%3aTertiaryColorComplement%3d%23476ec7%7cPgHdr%3aFontSize%3d18%7cPgHdr%3aFont%3dVerdana%7cRelLink%3aFont%3darial%7cRelLink%3aFontSize%3d14%7cRelLink%3aFontColor%3d%23476ec7%7cRelLink%3aHoverFontColor%3d%23c03625%7cRelLink%3aBackgroundColor%3d%23fafad9%7cRelLink%3aDividerColor%3d%23e2dfb8%7cRelLink%3aHoverBackgroundColor%3d%23fbfbf5%7cRelLink%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbullets%2f0006.gif%7cRelLink%3aImageWidth%3d10%7cRelLink%3aImageHeight%3d10%7cBottomNav%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbullets_9×9%2f0006.gif%7cResult%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbullets%2f0006.gif%7cResult%3aHeaderFont%3darial%7cResult%3aHeaderFontSize%3d12%7cResult%3aHeaderFontColor%3d%23000%7cResult%3aTitleFont%3darial%7cResult%3aTitleFontSize%3d16%7cResult%3aTitleFontColor%3d%2300c%7cResult%3aAbstractFont%3darial%7cResult%3aAbstractFontSize%3d12%7cResult%3aAbstractFontColor%3d%23000%7cResult%3aURLFont%3darial%7cResult%3aURLFontSize%3d12%7cResult%3aURLFontColor%3d%23008000%7cResult%3aSidebarBorderColor%3d%23ccc%7cSrchBox%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbuttons%2f0006.gif%7cSrchBox%3aImageWidth%3d60%7cSrchBox%3aImageHeight%3d22%7cSrchBox%3aAlign%3dright%7cSearchLinkGroup%3aHoverLinkColor%3d%23ff9%7cUsrCust%3aFontType%3dverdana%7cUsrCust%3aFontSize%3d11%7cUsrCust%3aFontColor%3d%23666%7cUsrCust%3aLinkColor%3d%230e5fd8%7cSrchBox%3aTextboxWidth%3d0&cssid=101 HTTP/1.1
———————————————————————————
/*———————————————————————–
Template101_Billboard
———————————————————————–*/
* {padding:0;margin:0}
body {background:#fff;font:12px arial,sans-serif;color:#0e5fd8;text-align:center}
h1,h2,h3,h4,h5,h6 {font-size:100%}
.clear {clear:both}
/* GRID */
#container {width:754px;text-align:left;margin:40px auto 20px}
.col1,.col3 {display:none}
#twoColLayout {width:100%;background:#f6f6f6 url(‘http://i.nuseek.com/Images/Shared/relLinkBkg.gif’) repeat-x bottom;border:1px solid #fff}
.twoColL {background:#e2dfb8;vertical-align:top}
.twoColR {background:#fff;vertical-align:top}
.pg1 .twoColL {width:100%}
/* HEADER */
.hdr {width:100%;background:#1b5709;color:#fff;padding:0}
.pg2 .hdr {border-bottom:26px solid #c44242}
.hdrL {width:100%;border-bottom:1px solid #fff}
.header h1 {font:400 18px Verdana,sans-serif;margin:5px 10px}
.pg2 .header h1 a {color:#fff;text-decoration:none}
/* Google Label Slot */
/* Default */
.leftNavHdrOff {height:26px;background:#c44242;position:relative}
.leftNavHdrOff span {display:none}
/* If Google */
.leftNavHdrOn {height:26px;background:#c44242;position:relative}
.leftNavHdrOn span {width:90%;color:#edc6c6;font-size:100%;position:absolute;left:25px;top:5px;font-weight:700}
/* TWO_COL pg1 */
.ldrRelLinks ul {list-style-type:none;border-top:1px solid white /*fix for IE6/7 gap */}
.ldrRelLinks a:link,.ldrRelLinks a:visited {display:block;width:100%;background:#fafad9 url(‘http://i.nuseek.com/images/Themes/T101/bullets/0006.gif’) no-repeat 25px center;font:700 14px arial,sans-serif;color:#476ec7;text-decoration:none;padding:5px 5px 4px 50px;border-top:1px solid #fff;border-bottom:1px solid #fff;margin-bottom:1px}
.ldrRelLinks a.first:link,.ldrRelLinks a.first:visited {margin-top:1px}
.ldrRelLinks a.last:link,.ldrRelLinks a.last:visited {border-bottom:none}
.ldrRelLinks a:hover {background:#fbfbf5 url(‘http://i.nuseek.com/images/Themes/T101/bullets/0006.gif’) no-repeat 30px center;color:#c03625}
/* JS DISPLAY */
.ldrRelLinks li span.outer {display:block;width:100%;background:#fafad9 url(‘http://i.nuseek.com/images/Themes/T101/bullets/0006.gif’) no-repeat 25px center;font:700 14px arial,sans-serif;color:#476ec7;text-decoration:none;padding:5px 5px 4px 50px;border-top:1px solid #fff;border-bottom:1px solid #fff;margin-bottom:1px;cursor:pointer}
.ldrRelLinks li span.outer:hover {background:#fbfbf5 url(‘http://i.nuseek.com/images/Themes/T101/bullets/0006.gif’) no-repeat 30px center;color:#c03625}
/* IMAGE DISPLAY */
.mainImg {width:360px;height:308px;overflow:hidden;border-left:1px solid #fff;float:right}
/* TWO_COL pg2 */
.resMain {width:500px;padding:10px;margin:0;background:#fff}
.resMain h2 {color:#000;font:400 12px arial,sans-serif;margin:0;/* UPDATE SKINS => color:#000 */}
.resMain ul {list-style-type:none}
.resMain li {background:transparent url(‘http://i.nuseek.com/images/Themes/T101/bullets/0006.gif’) no-repeat 0 3px;padding:0 0 0 25px;margin:15px 0}
.resMain li span {cursor:pointer}
.resMain .title {font:700 16px arial,sans-serif;color:#00c;display:inline-block}
.resMain .titleJS {font:700 16px arial,sans-serif;color:#00c;display:inline-block;border-bottom:1px solid #00c} /* JS version */
.resMain .abstract {font:400 12px arial,sans-serif;color:#000;text-decoration:none}
.resMain .abstractNoClick {font:400 12px arial,sans-serif;color:#000;text-decoration:none;cursor:default}
.resMain .url {font:400 12px arial,sans-serif;color:#008000;text-decoration:none}
.prev {display:block;float:left;padding-left:15px;background:transparent url(‘http://i.nuseek.com/Images/Shared/prev.gif’) no-repeat 0 50%;text-transform:capitalize}
.next {display:block;text-align:right;margin-bottom:10px;padding-right:15px;/* */background:transparent url(‘http://i.nuseek.com/Images/Shared/next.gif’) no-repeat right 50%;text-transform:capitalize}
.prevDisable {float:left;padding-left:15px;background:transparent url(‘http://i.nuseek.com/Images/Shared/prev.gif’) no-repeat 0 50%;color:#ccc;text-transform:capitalize}
.nextDisable {float:right;padding-right:15px;color:#ccc;text-transform:capitalize}
.pg2 .twoColL {background:#fff}
.resRelLinks {padding-top:20px}
.resRelLinks,.demandGadget {/*width:215px*/}
.resRelLinks_Hdr,.demandGadget_Header {background:#1b5709;color:#fff;font-weight:700;padding:5px 10px;margin-right:10px}
.resRelLinks ul,.demandGadget ul {padding:5px 10px;margin:0 10px 10px 0;background:#fafad9;list-style:none}
.resRelLinks li,.demandGadget li {margin:5px 0}
.resRelLinks a:link,.resRelLinks a:visited,.demandGadget a:link,.demandGadget a:visited {color:#476ec7;text-decoration:none;font-weight:400}
.resRelLinks a:hover,.demandGadget a:hover {text-decoration:underline;font-weight:400}
/* JS DISPLAY */
.resRelLinks span.outer {cursor:pointer}
.resRelLinks span.outer:hover {text-decoration:underline;color:#476ec7}
.resRelLinks li span.inner {color:#476ec7}
/* SEARCH */
.searchBox {width:100%;height:28px;background:#c44242;padding-top:3px;border-bottom:1px solid #fff}
.searchBox table {float:right;margin:0 10px 0 25px;display:inline}
.searchBox .SearchBoxText {font-size:16px;width:250px;border:1px inset #999}
.searchBox .sb_btn {width:60px;height:22px;margin-left:1px;background:transparent url(‘http://i.nuseek.com/images/Themes/T101/buttons/0006.gif’) no-repeat}
/* BOT NAV */
.searchLinkGroup {background:#1b5709;padding:5px 10px;font:400 11px verdana,sans-serif}
.searchLinkGroup h4 {color:#fff;font:700 100% Tahoma;text-transform:uppercase;display:inline}
.searchLinkGroup_Hdr {text-transform:uppercase;color:#fff;float:left;padding-right:5px;font-weight:700}
.searchLinkGroup ul {list-style-type:none;display:inline}
.searchLinkGroup li {display:inline;border-left:1px solid #fff}
.searchLinkGroup li.first {border-left:none}
.searchLinkGroup a:link,.searchLinkGroup a:visited {color:#fff;text-decoration:none;text-transform:uppercase;padding:0 7px/* */;background:#1b5709}
.searchLinkGroup a.first:link,.searchLinkGroup a.first:visited {padding:0 7px 0 0}
.searchLinkGroup a:hover {text-decoration:underline;color:#ff9}
/* JS DISPLAY */
.searchLinkGroup li span.outer {color:#fff;text-decoration:none;text-transform:uppercase;padding:0 7px/* */;background:#1b5709;cursor:pointer}
.searchLinkGroup li span.outer:hover {text-decoration:underline;color:#ff9}
/* FOOTER */
.ftr {text-align:center;margin-top:10px}
.ftr a:link,.ftr a:visited {color:#0e5fd8}
.userCustom,.userCustom2 {color:#666;font:400 11px verdana,sans-serif}
.userCustom2 {text-align:center;padding-bottom:10px}
.forSale {color:blue;font-size:16px;font-weight:700}
/* AD 300×250 */
.banner {margin:10px 10px 10px 0}
/* BRIDGE */
#bridge {background:#fff;font:12px arial;color:#0e5fd8;margin-top:20px;text-align:center}
#bridge div.hdr {width:100%;background:#1b5709;border-bottom:none}
#bridge div.hdr h1 {color:#fff;font:bold 18px Verdana;text-transform:uppercase;padding:5px 0 5px 15px;border:1px solid #fff}
#bridge h4.explicit {color:#1b5709;font-size:14px}
#bridge p.strong {font-weight:600}
#bridge p,#bridge h4,#bridge ul,#bridge ol,#bridge li {margin:15px 0}
#bridge li {margin-left:40px}
#bridge #container {width:653px;text-align:left;margin:20px auto}
#bridge #cntwrap1 {background:#f3f3f3;border:4px solid #f3f3f3;margin:5px 0}
#bridge #cntwrap2 {border:1px solid #1b5709;padding-bottom:5px}
#bridge #cntwrap4 {color:#333 /* default */;padding:0 10px 10px}
#bridge div.call-to-action {text-align:center;margin:10px auto}
#bridge .ftr {height:15px;background:#1b5709;margin:5px 0;padding:5px 10px;text-align:left;border:1px solid #fff}
#bridge .ftr a.popuplink {color:#fff;font-size:10px;text-decoration:underline;cursor:pointer}
#bridge button.btn-enter {height:30px;background:#1b5709;color:#fff;padding:3px 15px;border:2px solid #333;border-top:2px solid #eee;border-left:2px solid #eee;cursor:pointer;font:bold 14px "Lucida Grande",Tahoma;text-transform:uppercase;letter-spacing:.05em}
#bridge button.btn-exit {margin-left:5px;height:30px;background:#1b5709;color:#fff;padding:3px 15px;border:2px solid #333;border-top:2px solid #eee;border-left:2px solid #eee;cursor:pointer;cursor:hand /* for IE 5.x */;font:bold 14px "Lucida Grande",Tahoma;text-transform:uppercase;letter-spacing:.05em}
———————————————————————————
another .js GET /gateway/gw.js?csid=F08747 HTTP/1.1 from Host: js.revsci.net
———————————————————————————
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 02 Feb 2009 06:14:00 GMT
Cache-Control: max-age=86400, public
Expires: Tue, 03 Feb 2009 06:14:00 GMT
Content-Type: text/javascript;charset=ISO-8859-1
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Mon, 02 Feb 2009 06:14:00 GMT
Connection: close
———————————————————————————
Tags:
){kind=link}
){kind=link}
){kind=link}
){kind=link}
){kind=link}