Author Topic: HTML:Script-inf  (Read 4640 times)


rwillen

  • Guest
HTML:Script-inf
« on: August 13, 2009, 04:36:33 PM »
Hi,

My wife got this warning last night at the following webpage:

hxxp://www.sultan.k12.wa.us/ssd/ssd.cfm?id=166

I'd like to know what set the alert off so I can let the school district know if there may be an issue.

Thanks!
« Last Edit: August 14, 2009, 06:40:07 PM by rwillen »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: HTML:Script-inf
« Reply #1 on: August 13, 2009, 05:22:36 PM »
There is a script tag after the closing HTML tag (a standards no-no) on that page; it points to hXXp://wXw.afkartech.com/images/logo.swf. This domain is in Riyadh, Saudi Arabia, so I don't know why it would be on your school site.

Whilst this says it is a Shock Wave Flash (.swf) file, purporting to be a logo, it could actually be anything.

This also seems to be the case for the favicon.ico file as that seems to have been modified as it is the same as the ssd.cfm page of the original alert.

It could be that the CFM content management software could be being exploited and this script tag inserted when the page is compiled.

Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
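
The check described in the reply above (a script tag trailing the closing HTML tag and pointing at an unrelated host), as an added example that is not part of the original thread. The class and function names, the `.example` hosts and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptAudit(HTMLParser):
    """Records every <script> tag and whether it follows </html>."""
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.html_closed = False
        self.scripts = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, src)).hostname if src else None
        self.scripts.append({"src": src, "host": host, "line": self.getpos()[0],
                             "after_html_close": self.html_closed})


def find_suspect_scripts(served_html, page_url, allowed_hosts=()):
    """Return scripts that trail </html> or load from a host not on the allowlist."""
    trusted = {urlsplit(page_url).hostname, *allowed_hosts}
    audit = ScriptAudit(page_url)
    audit.feed(served_html)
    audit.close()
    findings = []
    for s in audit.scripts:
        reasons = []
        if s["after_html_close"]:
            reasons.append("after </html>")
        if s["host"] and s["host"] not in trusted:
            reasons.append("third-party host")
        if reasons:
            findings.append({**s, "reasons": reasons})
    return findings


# Constructed sample of a served page (hypothetical hosts, not the real site's markup).
SAMPLE = """<html><head><script src="/js/menu.js"></script></head>
<body><p>District news</p></body></html>
<script src="http://unrelated-host.example/images/logo.swf"></script>
"""
```

Feed it the HTML as the web server delivers it, not the template file on disk, since an injected tag may only exist in the served output.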

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: HTML:Script-inf
« Reply #2 on: August 13, 2009, 05:44:57 PM »
Hi rwillen,

Of 273 pages that were tested during the previous 90 days on the mentioned site, 28 pages have been downloading and installing malicious software without the user's consent. The last time malware was found there was 2009-07-14.
Malicious software includes 53 scripting exploits, 53 trojans, 50 exploits.

Malicious software has been hosted on 4 domains, e.g. afkartech.com/, hi2i.cn/, kan31ni.cn/.

1 domain seemed to function as a redirecting site in spreading malware to visitors of the site, e.g. afkartech.com/.

This site was hosted on 1 network(s) including AS10430 (WA).

Now what about afkartech.com, a suspicious site:
The last time suspicious content has been found up there was on 2009-08-13.
Malicious software includes 1736 trojans, 551 scripting exploits.

Malicious software has been hosted on 1 domain, e.g. yrwap.cn/.

This site was hosted on 3 network(s) including AS26496 (PAH), AS13867 (CNET), AS15657 (SPEEDBONE).

It seems afkartech.com has been functioning as a malware spreading site to infect 26 sites, e.g. itspawsible.com/, rodeodrive.travel/, northforkluxury.com/.

This site has been hosting malware and infected 210 domains, e.g. nade-nade.net/, allspaces.com/, thomasjmccarthy.com/.

How this happened has been explained by DavidR, by adding malcode to real sites, making that we issue above warnings,

polonus
« Last Edit: August 13, 2009, 05:46:54 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

rwillen

  • Guest
Re: HTML:Script-inf
« Reply #3 on: August 14, 2009, 06:47:37 PM »
Thank you both. I've modified my post; sorry about that, I wasn't thinking, I guess.

Would you mind showing me how you found that tag? I looked at the page source and didn't see it.

Thanks again.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: HTML:Script-inf
« Reply #4 on: August 14, 2009, 07:21:36 PM »
You may not find it in the page source, as it is likely that when the actual page is compiled the tag is inserted into the page; as I said, this is exploitation of vulnerabilities in content management software.

We were looking at the source as it is seen on-line; if you aren't viewing that but the physical source before the page is compiled, you are unlikely to see anything.

So it is the CFM software that you need to check is fully up to date, closing any security vulnerabilities.

This is supposition as if you don't see the tag on source pages, but it exists on the physical page displayed something has to be injecting the code into the page and this is usually content management software being exploited.

Presumably this domain hXXp://wXw.afkartech.com/images/logo.swf is unknown to the school, e.g. no affiliation, etc., so there would be no legitimate reason for it to be there?

rwillen

  • Guest
Re: HTML:Script-inf
« Reply #5 on: August 14, 2009, 11:03:50 PM »
Thank you David. I'll talk to the admin of the school district.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: HTML:Script-inf
« Reply #6 on: August 14, 2009, 11:08:44 PM »
You're welcome, good luck.