Re: [squid-users] Automatic redirection on igoogle.fr

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 17 Sep 2010 02:23:52 +1200

On 16/09/10 20:00, Babelo Gmvsdm wrote:
>
> Hi,
> for a few days now, when my users go to igoogle.fr, the widget normally used for Google Maps seems to be hacked and redirects users to: newwave.orge.pl or p3p0.com/...
> If I bypass the squid, the problem does not appear!
> So it seems to be a Squid hack.
> I purged all the caches (I guess) by doing this:
> sudo /etc/init.d/squid3 stop
> sudo rm -Rf /var/spool/squid3/*
> sudo squid -z
> sudo /etc/init.d/squid3 start
> but the problem is still here.

Some forensics are required.

That site has security alerts out on it:
"
     the last time suspicious content was found on this site was on
2010-09-16.

     Malicious software includes 1 scripting exploit(s).

     This site was hosted on 2 network(s) including AS51274, AS28753
(NETDIRECT).

Has this site acted as an intermediary resulting in further distribution
of malware?

     Over the past 90 days, newwave.orge.pl appeared to function as an
intermediary for the infection of 1 site(s) including smoloskyp.org.ua/.

Has this site hosted malware?

     Yes, this site has hosted malicious software over the past 90 days.
It infected 170 domain(s), including travelprophotoplus.com/,
bankokyangschool.ac.th/, marchex.com/.

"

Can you provide the HTTP requests/replies involved from before
fetching/running the widget to after being redirected to those sites?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
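The forensic question raised above (was the redirect handed out from Squid's cache, or did it come from the origin every time?) can be narrowed down from Squid's native access.log before any requests/replies are captured. The script below is an added example, not part of this thread and not Squid's own code; its log lines are constructed (TEST-NET addresses, invented timestamps), and the only page-derived values are the two hostnames named in the report. For each request to one of those hosts it reports the request from the same client that came just before it and whether that earlier object was served as a cache HIT (a poisoned cached object) or a MISS (content fetched fresh from the origin).

```python
"""Triage Squid native access.log lines for a suspicious redirect chain.

Added example for the squid-users thread above; the log lines are
constructed, not captured from a real proxy.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log layout:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# The two hosts named in the original report.
SUSPECT_DOMAINS = ("newwave.orge.pl", "p3p0.com")

# Constructed sample log (not real traffic): one client loads the iGoogle
# page, gets the maps gadget from cache, then is sent to a suspect host.
SAMPLE_LOG = """\
1284600000.100    210 10.0.0.5 TCP_MISS/200 5120 GET http://www.google.fr/ig - DIRECT/203.0.113.5 text/html
1284600000.400     12 10.0.0.5 TCP_HIT/200 2048 GET http://www.google.fr/ig/modules/maps.xml - NONE/- text/xml
1284600000.900    300 10.0.0.5 TCP_MISS/200 980 GET http://newwave.orge.pl/in.cgi?3 - DIRECT/198.51.100.10 text/html
1284600050.000    150 10.0.0.7 TCP_MISS/200 4100 GET http://www.example.com/ - DIRECT/192.0.2.1 text/html
"""


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def is_suspect(host):
    """True for a suspect domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


def triage(lines, window=5.0):
    """Return one finding per request to a suspect host.

    Each finding names the client's most recent non-suspect request within
    `window` seconds and whether Squid served that object from cache.
    Heuristic: any TCP_*HIT* result code counts as served from cache.
    """
    recent = defaultdict(list)  # client address -> records seen so far
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_suspect(rec["host"]):
            prior = [r for r in recent[rec["client"]]
                     if rec["ts"] - r["ts"] <= window and not is_suspect(r["host"])]
            ref = prior[-1] if prior else None
            findings.append({
                "client": rec["client"],
                "suspect_url": rec["url"],
                "referrer_url": ref["url"] if ref else None,
                "referrer_served_from_cache": bool(ref and "HIT" in ref["code"]),
            })
        recent[rec["client"]].append(rec)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        origin = "cache" if f["referrer_served_from_cache"] else "origin"
        print(f"{f['client']} -> {f['suspect_url']} "
              f"(preceded by {f['referrer_url']}, served from {origin})")
```

On a real log, replace `SAMPLE_LOG.splitlines()` with the file's lines; a predecessor that keeps showing up as a HIT even after the cache directory is rebuilt with `squid -z` points away from a poisoned cache object and toward the origin content or something between the proxy and the origin, which is exactly what the full request/reply capture asked for above would settle.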
Received on Thu Sep 16 2010 - 14:24:01 MDT
