    Feb 24
    9:52 am (UTC-7)   |    by

    On Sunday, an Italian blog reported several compromised sites. After some investigation, we found that all of the reported sites have one thing in common: they were created using Plone, an open source content management system.

    Upon further research, we found that a blackhat Search Engine Optimization (SEO) technique called “Doorway Pages” was used, not only to promote some adult pages but also to send users, by way of redirectors, to pages that download malware or fake anti-malware programs. The two main redirectors used in this attack are hxxp://jslib2.info/in and hxxp://69.1.74.16/in. An example is one Italian hotel Web site that was developed using Plone. Below their home page, you’d see something like this:

    Inside this hotel Web site is the page http://www.{BLOCKED}of.it/portal_memberdata/portraits/fchan, which uses the URL http://jslib2.info.in as a redirector. You can find actual evidence by searching Google for “inurl:portal_memberdata sex” and replacing “sex” with any other related word (such as lesbian, gay, etc.).

    In November 2007, the Australian Computer Emergency Response Team (AusCERT) discovered a vulnerability in Plone. In my opinion, somebody has discovered this vulnerability and is exploiting it to use as a redirector to malicious Web sites.
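
A defender's triage check for the pattern described above, as an added example that is not part of the original post: it flags crawled pages that reference either redirector named in the post, and any non-image content served from the portraits folder. The crawl-result format, the function names, the sample data and the assumption that this folder should hold only member portrait images are illustrative.

```python
import re
from urllib.parse import urlsplit

# Redirector indicators exactly as quoted (defanged) in the post.
REDIRECTORS = ("hxxp://jslib2.info/in", "hxxp://69.1.74.16/in")
# Folder in which the post found the doorway page on the Plone site.
DOORWAY_PREFIX = "/portal_memberdata/portraits/"
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url):
    """Hostname of a URL, accepting the defanged hxxp:// spelling."""
    try:
        return urlsplit(re.sub(r"(?i)^hxxp", "http", url)).hostname
    except ValueError:  # malformed URL text, e.g. an unbalanced '['
        return None

REDIRECTOR_HOSTS = {host_of(u) for u in REDIRECTORS}

def redirector_hits(body):
    """Sorted redirector hosts referenced by any URL found in body."""
    return sorted({h for h in map(host_of, URL_RE.findall(body))
                   if h in REDIRECTOR_HOSTS})

def triage(pages):
    """Map each suspicious path in {path: (content_type, body)} to a verdict."""
    verdicts = {}
    for path, (ctype, body) in pages.items():
        hits = redirector_hits(body)
        in_folder = path.startswith(DOORWAY_PREFIX)
        if hits and in_folder:
            verdicts[path] = "doorway: " + ", ".join(hits)
        elif hits:
            verdicts[path] = "redirector link: " + ", ".join(hits)
        elif in_folder and not ctype.startswith("image/"):
            # Assumption: this folder should hold only member portrait images.
            verdicts[path] = "review: non-image in portraits folder"
    return verdicts

# Constructed crawl results (path -> content type, body); not real site data.
SAMPLE_PAGES = {
    "/portal_memberdata/portraits/fchan":
        ("text/html", '<script src="http://jslib2.info/in"></script>'),
    "/portal_memberdata/portraits/jdoe": ("image/jpeg", ""),
    "/portal_memberdata/portraits/promo": ("text/html", "<html>keywords</html>"),
    "/news/index_html": ("text/html", '<a href="hxxp://69.1.74.16/in">x</a>'),
    "/contact": ("text/html", '<a href="http://example.org/">ok</a>'),
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_PAGES).items():
        print(path, "->", verdict)
```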











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice