No DNS poisoning at Google (in case of trouble, blame the DNS)
Ryan Rawdon
ryan at u13.net
Wed Jun 27 14:30:47 UTC 2012
On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:
>
>
> On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
>
>>
>> What would be nice is the to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
>
>
> I cleaned up compromises similar to this in a customer site fairly recently. In our case it was the same exact behavior, but it was PHP injected into their application instead of .htaccess. I do not recall what the original compromise vector was; it was something in the customer's custom application, which they resolved.
>
> It looked like the malware did a find and replace for <?php and replaced it with:
>
>
<snipped>
http://r.u13.net/permatemp/forefront.png
My message may have gotten caught as spam/malicious by filters. Not sure if it caught the base64 or the plaintext, so I snipped both. You can view my original message in the archives at http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html
>
>
>
> (where brugge.osa.pl was the destination for the redirects in the compromise of this customer site)
>
>
>
>>
>> On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>>>
>>>> <snip>
>>>
>>
>> --
>>
>> - (2^(N-1))
>>
>
>
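The injection pattern described above (every `<?php` tag replaced with the tag plus one identical payload) has a useful side effect for defenders: the same text follows every opening tag in an infected file. The script below is an added example, not code from this thread, and the sample page, payload and function names are constructed for illustration.

```python
# Added example, not from the thread: a heuristic detector for the
# "find-and-replace every <?php" injection described above. Because the
# malware prepends the same payload after every opening tag, a file whose
# <?php tags all share a long identical continuation is suspect.
import re
from pathlib import Path

PHP_TAG = "<?php"

def common_prefix_len(a, b):
    """Length of the longest common prefix of two strings."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def find_replicated_injection(source, min_len=30):
    """Return the text that follows every <?php tag identically (trimmed
    to the last ';' so we stop at a statement boundary), or None."""
    starts = [m.end() for m in re.finditer(re.escape(PHP_TAG), source)]
    if len(starts) < 2:
        return None  # a single tag gives nothing to compare against
    prefix = source[starts[0]:]
    for i in starts[1:]:
        prefix = prefix[:common_prefix_len(prefix, source[i:])]
        if len(prefix) < min_len:
            return None  # tags diverge quickly: ordinary code
    end = prefix.rfind(";")
    if end + 1 < min_len:
        return None
    return prefix[:end + 1]

def strip_injection(source, payload):
    """Undo the replacement: drop the payload after each tag, keep the tag."""
    return source.replace(PHP_TAG + payload, PHP_TAG)

def scan_tree(root):
    """Yield (path, payload) for each *.php file under root that looks injected."""
    for path in Path(root).rglob("*.php"):
        payload = find_replicated_injection(path.read_text(errors="replace"))
        if payload:
            yield path, payload

# Constructed sample: a tiny clean page and the same page after the
# find-and-replace; the base64 blob is a harmless placeholder ("hello world").
PAYLOAD = ' eval(base64_decode("aGVsbG8gd29ybGQ="));'
CLEAN = ('<?php\n$title = "Shop";\n?>\n<html><body>\n'
         '<?php echo $title; ?>\n<?php include "footer.php"; ?>\n</body></html>\n')
INFECTED = CLEAN.replace(PHP_TAG, PHP_TAG + PAYLOAD)
```

Run `scan_tree("/path/to/docroot")` over a webroot to list candidate files; review each reported payload before stripping it, since the heuristic keys on repetition rather than on any particular payload.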