    Feb 24
    9:52 am (UTC-7)   |    by

    On Sunday, an Italian blog reported several compromised sites. After some investigation, we found that all of the reported sites have one thing in common: they were created using Plone, an open source content management system.

    Upon further research, we found that a blackhat Search Engine Optimization (SEO) technique called “Doorway Pages” was used, not only to promote some adult pages, but also to send users through redirectors to pages that download malware or fake anti-malware programs. The two main redirectors used in this attack are hxxp://jslib2.info/in and hxxp://69.1.74.16/in. An example is one Italian hotel Web site that was developed using Plone. Below their home page, you’d see something like this:

    Inside this hotel Web site is the page http://www.{BLOCKED}of.it/portal_memberdata/portraits/fchan, which uses the URL hxxp://jslib2.info/in as a redirector. You can find actual evidence by searching Google for “inurl:portal_memberdata sex” and replacing “sex” with any other related word (such as lesbian, gay, etc.).

    In November 2007, the Australian Computer Emergency Response Team (AusCERT) discovered a vulnerability in Plone. In my opinion, somebody has discovered this vulnerability and is exploiting it to use as a redirector to malicious Web sites.
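For site owners, the doorway pages described above can be checked for directly. The following is an added example, not code from the original post or from Plone: it audits objects stored under `/portal_memberdata/portraits/` and flags any that are not images or that reference the two redirectors named in the post. The function names, the assumption that legitimate portraits are JPEG, PNG or GIF files, and the sample data are all constructed for illustration.

```python
import re

# Redirector hosts named in the post (written there in defanged hxxp:// form).
REDIRECTOR_HOSTS = ("jslib2.info", "69.1.74.16")
PORTRAIT_PREFIX = "/portal_memberdata/portraits/"

# Assumption: a legitimate portrait starts with JPEG, PNG or GIF magic bytes.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Markup that makes a stored object behave as a page rather than a picture.
ACTIVE_MARKUP = re.compile(rb"<\s*(?:script|iframe|meta\s)", re.I)


def audit_portrait(path, body):
    """Return the reasons why the object at `path` looks like a doorway page."""
    if not path.startswith(PORTRAIT_PREFIX):
        return []  # only the portraits folder is in scope for this check
    reasons = []
    if not body.startswith(IMAGE_MAGIC):
        reasons.append("not an image")
    if ACTIVE_MARKUP.search(body):
        reasons.append("active markup")
    lowered = body.lower()
    for host in REDIRECTOR_HOSTS:
        if host.encode() in lowered:
            reasons.append("references redirector " + host)
    return reasons


def audit_site(objects):
    """Map each suspicious path to its findings; `objects` yields (path, body)."""
    findings = {}
    for path, body in objects:
        reasons = audit_portrait(path, body)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample data: three objects as a crawl of one's own site might yield them.
SAMPLE = [
    ("/portal_memberdata/portraits/alice", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("/portal_memberdata/portraits/fchan",
     b"<html><script src='http://jslib2.info/in'></script>keyword text</html>"),
    ("/front-page", b"<html><script src='/site.js'></script></html>"),
]

if __name__ == "__main__":
    for path, reasons in audit_site(SAMPLE).items():
        print(path, "->", ", ".join(reasons))
```
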











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice