Karthik are you going for full disclosure here without including cert India... it's a govt site dude ; )

Regards,
Plash Chowdhary
Security Consultant, Global Consulting Practice - IRM
Tata Consultancy Services
Ph:- +91-120-4398828
Buzz:- 4120286
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

Karthik Muthukrishnan <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/23/2008 11:36 PM
To [email protected]
cc
Subject [Owasp-delhi] XSS in IRCTC.

IRCTC seems to have been exploited by an XSS vuln. After booking the ticket, when you click on the print this page link, an alert ("hi") appears. This is the status today morning. I didn't have time to analyze as I had to rush to office. Will see if I can spend some time from office.

"Pukhraj Singh" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/22/2008 08:29 PM
To "Tarun Dua" <[EMAIL PROTECTED]>
cc [email protected]
Subject Re: [Owasp-delhi] NDTV.com classified by google search as a possible attack site serving malware

Tarun,

You are correct on that one; I missed mentioning that as the exploit seemed too trivial for my attention. When I went through the blog entry, my focus immediately jumped to the subsequent iframes which were being launched (the ones mentioned after the line: "launches several iframes that launch several other attacks. very nice. I'll let you pull down that code.") and the subsequent malware it was trying to load. I was really keen to pull them down and see if they got something juicy.

Loosely speaking, a shotgun attack is not bound to a definition, unlike say buffer overflows, as you may better understand; it was just a term created by my team at Symantec to make the life and explanations easier. This one would still come under the shotgun category (duhh - too hard on fancy definitions) as there were multiple exploits loaded in a sequence of nested iframes.

Best,
Pukhraj

On Sat, Nov 22, 2008 at 12:48 PM, Tarun Dua <[EMAIL PROTECTED]> wrote:

Hi Pukhraj,

Thanks for your explanation. As I understand that a shotgun attack is the one where the attacking malware site attempts to exploit multiple vulnerabilities ranging from javascript to shockwave objects?

The url you referred lists out the type of malicious SQL injection request that will compromise an MS-SQL server (or can it compromise any other database servers) by updating the open table_cursors, thereby injecting javascript into resultsets which are being fetched by the web-pages which thus get written out into the webpages being served and execute a shotgun attack on end users' computers. Is my understanding correct?

Thanks
-Tarun

On Sat, Nov 22, 2008 at 2:48 AM, Pukhraj Singh <[EMAIL PROTECTED]> wrote:
> This is the second time I have heard of NDTV being compromised. The first
> time it was compromised with the MPack exploitation toolkit.
>
> The infection via d0uhunqn-dot-cn is pretty old. It seems that website
> remained compromised for a long time. Sad! It's a typical shotgun attack,
> although the malicious links seem to be offline now. Couple of projects have
> crawled through those malicious websites which have been mentioned in the
> Google diagnostics page (CastleCops, Shadowserver, Symantec SafeWeb, et al).
> Some of the exploits being served are old (from the Storm Worm days):
>
> http://carnal0wnage.blogspot.com/2008/08/cute.html
>
> Best,
> Pukhraj
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tarun Dua
> Sent: Friday, November 21, 2008 10:33 PM
> To: [email protected]
> Subject: [Owasp-delhi] NDTV.com classified by google search as a possible
> attack site serving malware
>
> See advisory here
> http://www.google.com/safebrowsing/diagnostic?site=http://www.ndtv.com/convergence/ndtv/videos.aspx&hl=en
>
> I couldn't see the malware sites mentioned on the advisory serving out
> from ndtv.com anymore on my firebug console so I figure that these
> vulnerabilities might have been gone from their site now. Does someone
> have more information as to what happened here, was it their windows
> servers that got compromised or XSS issues from the advertising or
> user generated content served by them.
>
> Cheers!!
> -Tarun
> http://tarundua.net/google/ndtv/advisory
> _______________________________________________
> Owasp-delhi mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-delhi

Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments.
Thank you
