Feb 24
9:52 am (UTC-7)   |   by Juan Castro (Threats Analyst)

On Sunday, an Italian blog reported several compromised sites. After some investigation, we found that all of the reported sites have one thing in common: they were created using Plone, an open source content management system.

Upon further research, we found that a blackhat Search Engine Optimization (SEO) technique called “Doorway Pages” was used, not only to promote some adult pages, but also to send users, by way of redirectors, to pages that download malware or fake anti-malware programs. The two main redirectors used in this attack are hxxp://jslib2.info/in and hxxp://69.1.74.16/in. An example is one Italian hotel Web site that was developed using Plone. Below their home page, you’d see something like this:

Inside this hotel Web site is the page http://www.{BLOCKED}of.it/portal_memberdata/portraits/fchan, which uses the URL http://jslib2.info.in as its redirector. You can find actual evidence by searching Google for “inurl:portal_memberdata sex” and replacing “sex” with any other related word (such as lesbian, gay, etc.).

In November 2007, the Australian Computer Emergency Response Team (AusCERT) discovered a vulnerability in Plone. In my opinion, somebody has discovered this vulnerability and is exploiting it to use as a redirector to malicious Web sites.
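
For site owners who want to check their own Plone instance for the pattern described above, here is an added example (not code from the original post or from Plone): it audits objects stored under `portal_memberdata/portraits` and flags any that are not images, contain markup, or reference the two redirector hosts named in the post. It assumes member portraits should be JPEG, PNG or GIF files; the function names are hypothetical and the sample objects are constructed.

```python
import re

# Redirector hosts named in the post.
REDIRECTOR_HOSTS = ("jslib2.info", "69.1.74.16")

# Assumption: a legitimate member portrait starts with one of these image signatures.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

PORTRAIT_PATH = re.compile(r"/portal_memberdata/portraits/[^/?#]+$")
MARKUP = re.compile(rb"<\s*(html|script|meta|iframe)\b", re.I)


def audit_portrait(path, body):
    """Return a list of findings for one object; empty if clean or out of scope."""
    findings = []
    if not PORTRAIT_PATH.search(path):
        return findings  # only the portraits folder is audited
    if not body.startswith(IMAGE_MAGIC):
        findings.append("not-an-image")
    if MARKUP.search(body):
        findings.append("contains-markup")
    lowered = body.lower()
    for host in REDIRECTOR_HOSTS:
        if host.encode() in lowered:
            findings.append("redirector:" + host)
    return findings


def audit_site(objects):
    """objects: iterable of (path, body bytes). Returns {path: findings} for hits."""
    report = {}
    for path, body in objects:
        findings = audit_portrait(path, body)
        if findings:
            report[path] = findings
    return report


# Constructed sample objects, not taken from any real site.
SAMPLE = [
    ("/portal_memberdata/portraits/alice", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("/portal_memberdata/portraits/doorway1",
     b"<html><script src='hxxp://jslib2.info/in'></script>keywords</html>"),
    ("/portal_memberdata/portraits/doorway2",
     b"<meta http-equiv='refresh' content='0;url=hxxp://69.1.74.16/in'>"),
    ("/front-page", b"<html>hotel home page</html>"),
]

if __name__ == "__main__":
    for path, findings in audit_site(SAMPLE).items():
        print(path, findings)
```

How the objects are retrieved (a ZODB export, a crawl of your own site, a backup) is left to the caller; the audit only needs each path and its raw bytes.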







© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice