Educause Security Discussion mailing list archives
Re: Industry Site delivering malware targeting students
From: Morrow Long <morrow.long () YALE EDU>
Date: Tue, 11 Aug 2009 21:00:52 -0400
Bob and Barbara --

The top level page on the site isn't necessarily malicious (unless you click on the link which will take you away to a different site). The top page just sends out one line of non-conforming HTML with a link linked to the text "Carter". See below (the URLs have been defanged).

I don't know about any of the other pages on the site though as Google appears to have marked the entire site as potentially harmful (if you 'google' "link:going2college.org" all of the pages on the site are marked by Google as "This site may harm your computer.").

Morrow

$ curl going2college.org
Hello, welcome to <a href="hxxp://www3.mapping-your-future.org">Carter</a>!
$
$ telnet going2college.org 80
Trying 66.179.80.168...
Connected to going2college.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: going2college.org

HTTP/1.1 200 OK
Connection: close
Date: Wed, 12 Aug 2009 00:49:45 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

Hello, welcome to <a href="hxxp://www3.mapping-your-future.org">Carter</a>!
Connection closed by foreign host.
$
$ telnet going2college.org 80
Trying 66.179.80.168...
Connected to going2college.org.
Escape character is '^]'.
GET / HTTP/1.1
Host: going2college.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2a) Gecko/20020910
Referer: http://www.google.com/

HTTP/1.1 200 OK
Connection: close
Date: Wed, 12 Aug 2009 00:54:10 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

Hello, welcome to <a href="hxxp://www3.mapping-your-future.org">Carter</a>!
Connection closed by foreign host.
$

On Aug 11, 2009, at 7:12 PM, Bob Bayn wrote:
I hope this security list is well read. A google search for "going2college.org site:.edu" has lots of hits of higher ed pages recommending this service.

Bob Bayn (435)797-2396
Security Team coordinator
Power off your desktop after hours to thwart network probes.
Office of Information Technology at Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McCrary, Barbara [bmccrary () OGSLP ORG]
Sent: Tuesday, August 11, 2009 4:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Industry Site delivering malware targeting students

FYI,

The site going2college.org IS AN ACTIVE ATTACK SITE. DO NOT GO HERE.

Users have been trying to go to going2college.com but using .org instead. (.com vs. .org)

The .com site is OK; the .org site IS AN ACTIVE ATTACK SITE, DO NOT GO THERE.

Barbara McCrary
Chief Information Security Officer
MCSE, MCSE:Security, +Messaging, CompTia:Security+
bmccrary () ogslp org<mailto:bmccrary () ogslp org>
Oklahoma State Regents for Higher Education
421 NW 13th, Ste 250
Oklahoma City, OK 73103
405 234.4316 office
405 234.4321 cell
405 234.4588 fax

Note: This communication and attachments, if any, are intended solely for the use of the addressee hereof. In addition, this information and attachments, if any, may contain information that is confidential, privileged and exempt from disclosure under applicable law, including, but not limited to, the Privacy Act of 1974. If you are not the intended recipient of this information, you are prohibited from reading, disclosing, reproducing, distributing, disseminating, or otherwise using this information. If you have received this message in error, please promptly notify the sender and immediately delete this communication from your system.
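Added example, not part of the original thread: the session above fetches the same page with and without a browser User-Agent and a search-engine Referer and compares what comes back. The sketch below runs that comparison over saved raw responses and lists off-site link targets in defanged form. The function names, the profile labels and the .example hostnames are assumptions made for illustration, and the captures are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit

def parse_response(raw):
    """Split a raw HTTP/1.x response (Connection: close, not chunked) into parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def offsite_links(body, site_host):
    """Return defanged href targets whose host is outside the site being checked."""
    found = []
    for href in re.findall(rb'href\s*=\s*["\']([^"\']+)', body, re.I):
        url = href.decode("utf-8", "replace")
        host = urlsplit(url).hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            found.append(re.sub(r"^http", "hxxp", url))
    return found

def compare_profiles(captures, site_host):
    """Group request profiles by body hash; several groups means the content
    depends on the request headers (for example User-Agent or Referer)."""
    groups = {}
    for profile, raw in captures.items():
        status, _headers, body = parse_response(raw)
        digest = hashlib.sha256(body.strip()).hexdigest()
        entry = groups.setdefault(digest, {"status": status, "profiles": [],
                                           "links": offsite_links(body, site_host)})
        entry["profiles"].append(profile)
    return {"varies": len(groups) > 1, "groups": list(groups.values())}

# Constructed captures shaped like the session above; only the Date header differs.
HEAD = b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n"
BODY = b'Hello, welcome to <a href="http://www.other.example/">Carter</a>!'
SAMPLE = {
    "bare": HEAD + b"Date: Wed, 12 Aug 2009 00:49:45 GMT\r\n\r\n" + BODY,
    "browser-ua+search-referer": HEAD + b"Date: Wed, 12 Aug 2009 00:54:10 GMT\r\n\r\n" + BODY,
}

if __name__ == "__main__":
    print(compare_profiles(SAMPLE, "site.example"))
```

Bodies are hashed rather than whole responses because headers such as Date change on every request.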