No DNS poisoning at Google (in case of trouble, blame the DNS)

Ryan Rawdon ryan at u13.net
Wed Jun 27 14:30:47 UTC 2012


On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:

> 
> 
> On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
> 
>> 
>> What would be nice is the to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
> 
> 
> I cleaned up compromises similar to this in a customer site fairly recently.  In our case it was the same exact behavior, but was PHP injected into their application instead of .htaccess.  I do not recall what the original compromise vector was; it was something in the customer's custom application which they resolved.
> 
> It looked like the malware did a find and replace for <?php and replaced it with:
> 
> 


<snipped>

http://r.u13.net/permatemp/forefront.png

My message may have gotten caught as spam/malicious by filters.  Not sure if it caught the base64 or plaintext so I snipped both.  You can view my original message in the archives at http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html



> 
> 
> 
> (where brugge.osa.pl was the destination for the redirects in the compromise of this customer site)
> 
> 
> 
>> 
>> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>>> 
>>>> <snip>
>>> 
>> 
>> -- 
>> 
>> - (2^(N-1))
>> 
> 
> 





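A defender-side scanner in the spirit of the cleanup described in this thread, added here as an example; it is not code from the thread or from any of the posters. It assumes the injection pattern described above (the file's `<?php` opener replaced by a one-line payload, in either an `eval(base64_decode())` form or a plaintext redirect), uses constructed sample files built in a temporary directory, and takes the brugge.osa.pl destination named in the thread plus the eval/base64 construct as its indicators. The pattern list, the 200-byte length threshold and the file names are assumptions for the example.

```python
"""Scan a PHP tree for an injected prologue after '<?php' (constructed example)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Indicators of the injected prologue discussed in the thread: an eval of a
# base64 blob, or a redirect to the domain named in the thread (brugge.osa.pl).
# This pattern list is an assumption for the example, not the original payload.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\("
    rb"|brugge\.osa\.pl"
    rb"|header\s*\(\s*[\x22\x27]Location:",   # header("Location: or header('Location:
    re.IGNORECASE,
)
OPENER = re.compile(rb"<\?php", re.IGNORECASE)
PROLOGUE_LIMIT = 512   # bytes after the opener that we inspect
LONG_LINE = 200        # assumed threshold for "too much code on the opener line"


def prologue(source: bytes) -> bytes:
    """Code that immediately follows the first '<?php' opener, cut at the first
    newline or at PROLOGUE_LIMIT bytes, whichever comes first."""
    m = OPENER.search(source)
    if m is None:
        return b""
    chunk = source[m.end():m.end() + PROLOGUE_LIMIT]
    return chunk.split(b"\n", 1)[0].strip()


def scan_file(path: str):
    """Return a finding dict for a suspicious file, or None for a clean one."""
    with open(path, "rb") as fh:
        source = fh.read()
    pro = prologue(source)
    reasons = []
    if SUSPICIOUS.search(pro):
        reasons.append("suspicious construct in prologue")
    # A legitimate file rarely packs a long statement onto the opener line;
    # a long one-liner there is worth a look even without a pattern hit.
    if len(pro) > LONG_LINE:
        reasons.append("unusually long opener line")
    if not reasons:
        return None
    return {"path": path, "prologue": pro, "reasons": reasons,
            "digest": hashlib.sha256(pro).hexdigest()[:12]}


def scan_tree(root: str) -> list:
    """Walk the tree and collect findings for every .php file."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".php"):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return findings


def shared_prologues(findings: list) -> dict:
    """Group findings by prologue digest. A digest seen in two or more files is
    the fingerprint of a mass find-and-replace rather than a one-off edit."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["digest"]].append(f["path"])
    return {d: paths for d, paths in groups.items() if len(paths) >= 2}


# Constructed sample tree (not real customer files): two files hit by the
# base64 variant, one by the plaintext redirect variant, one clean file.
# "ZWNobyAxOw==" decodes to the harmless statement: echo 1;
SAMPLES = {
    "index.php":       b'<?php eval(base64_decode("ZWNobyAxOw=="));\necho "home";\n',
    "inc/db.php":      b'<?php eval(base64_decode("ZWNobyAxOw=="));\n$dsn = "mysql:host=localhost";\n',
    "admin/login.php": b'<?php header("Location: http://brugge.osa.pl/"); exit;\necho "login";\n',
    "lib/util.php":    b'<?php\nfunction add($a, $b) { return $a + $b; }\n',
}


def build_sample_tree() -> str:
    """Write SAMPLES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="phpscan-")
    for rel, body in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    hits = scan_tree(sample_root)
    for h in hits:
        print(os.path.relpath(h["path"], sample_root), h["reasons"])
    for digest, paths in shared_prologues(hits).items():
        print(f"prologue {digest} shared by {len(paths)} files (mass replacement)")
```

Run against a real document root you would point `scan_tree` at the site instead of the sample tree; the shared-prologue grouping is the useful part during a cleanup, because a find-and-replace of `<?php` leaves the identical payload at the top of every touched file, so one digest with many paths gives you the full list of files to restore from a known-good copy.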