nanog mailing list archives

Re: No DNS poisoning at Google (in case of trouble, blame the DNS)


From: Ryan Rawdon <ryan () u13 net>
Date: Wed, 27 Jun 2012 10:30:47 -0400


On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:



On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:


What would be nice is to see the contents of the htaccess file (obviously with sensitive information excluded)


I cleaned up compromises similar to this in a customer site fairly recently. In our case it was the same exact behavior but was PHP injected into their application, instead of .htaccess. I do not recall what the original compromise vector was; it was something in the customer's custom application which they resolved.

It looked like the malware did a find and replace for <?php and replaced it with:




<snipped>

http://r.u13.net/permatemp/forefront.png

My message may have gotten caught as spam/malicious by filters. Not sure if it caught the base64 or plaintext, so I snipped both. You can view my original message in the archives at http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html






(where brugge.osa.pl was the destination for the redirects in the compromise of this customer site)




On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:

<snip>


-- 

- (2^(N-1))
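A scanner for the two shapes of compromise described in the message above: an injected prologue in place of each file's opening <?php tag, and a referer-gated .htaccess redirect to an external host (brugge.osa.pl in this case). This is an example added to the archive page, not the poster's tooling, and the snipped payload is not reconstructed; the sample web root it builds is constructed for the demo, and the own_hosts parameter and the match patterns are assumptions about what a practitioner would whitelist and look for.

```python
"""Scan a web root for (a) PHP files whose opening tag is immediately followed
by an eval/decode chain and (b) .htaccess redirects to off-site hosts.

Added example; not code from the original post. Heuristics only: the injected
stub in the thread was snipped, so this matches the common shape rather than
any specific payload. Sample files below are constructed."""
import os
import re
import tempfile

# Opening tag, optional block comment, then a decode/eval call. Legitimate code
# almost never starts a file this way; injected prologues almost always do.
INJECT_RE = re.compile(
    rb"<\?php\s*(?:/\*.*?\*/\s*)?"
    rb"(?:@?eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\()",
    re.S,
)

# RewriteRule / Redirect / RedirectMatch whose target is an absolute URL.
REWRITE_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match)?)\s+(?:\d{3}\s+|permanent\s+|temp\s+)?"
    r"\S+\s+(https?://[^\s/]+)",
    re.I | re.M,
)
# Rules gated on referer or user-agent: the classic "only search-engine
# visitors get redirected" trick that keeps the site owner from noticing.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I | re.M)


def scan_php_file(path, head_bytes=4096):
    """True if the first few KB contain an opening tag followed by eval/decode."""
    with open(path, "rb") as f:
        head = f.read(head_bytes)
    return INJECT_RE.search(head) is not None


def scan_htaccess(path, own_hosts):
    """Return (directive, target_host, referer_or_ua_conditioned) for each
    redirect whose target host is not in own_hosts (an assumed whitelist)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    conditioned = COND_RE.search(text) is not None
    findings = []
    for m in REWRITE_RE.finditer(text):
        host = m.group(2).split("://", 1)[1].lower()
        if host not in own_hosts:
            findings.append((m.group(1), host, conditioned))
    return findings


def scan_webroot(root, own_hosts=frozenset()):
    """Walk the tree and collect both kinds of hit, keyed by relative path."""
    hits = {"php": [], "htaccess": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root)
            if name == ".htaccess":
                for directive, host, cond in scan_htaccess(p, own_hosts):
                    hits["htaccess"].append((rel, directive, host, cond))
            elif name.lower().endswith((".php", ".phtml", ".inc")):
                if scan_php_file(p):
                    hits["php"].append(rel)
    return hits


# Constructed sample tree: one clean file, one with an injected prologue in
# front of the original code, one referer-gated redirect, one benign redirect.
SAMPLES = {
    "index.php": b"<?php\n// clean file\nrequire 'app.php';\n",
    "lib/app.php": (b"<?php /* injected */ @eval(base64_decode('aWYoMSl7fQ=='));\n"
                    b"// original application code follows\nfunction hello() {}\n"),
    ".htaccess": ("RewriteEngine On\n"
                  "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
                  "RewriteRule ^(.*)$ http://brugge.osa.pl/ [R=302,L]\n"),
    "static/.htaccess": "Redirect /old http://www.example.com/new\n",
}


def build_sample_root():
    """Write the constructed samples into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, data in SAMPLES.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb" if isinstance(data, bytes) else "w") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    # own_hosts is an assumed whitelist of the site's own names
    for kind, found in scan_webroot(root, own_hosts={"www.example.com"}).items():
        print(kind, found)
```

Run it against a real document root with the site's own hostnames in own_hosts; a hit on the PHP side means the file's prologue should be diffed against a known-good copy, and a conditioned redirect to an unfamiliar host is worth treating as hostile until proven otherwise.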