Since we started this blog, a lot of automated requests from spam bots have been detected and blocked by our ZION SECURED WAMAF.
To give you some statistics: during the last month we stopped 1150 attempts to inject spam into this blog. The XSS attack is in fact comment spam.

An example of such a request:
POST /blog/2010/3/2/update-about-the-rijksregisternumber.aspx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; Maxthon)
Host: www.zionsecurity.com
Accept: */*
Referer: http://ufsix.ir/index.php/more-about-joomla/25-the-project/5-joomla-license-guidelines.html, http://www.zionsecurity.com/blog/2010/3/2/update-about-the-rijksregisternumber.aspx
X-FORWARDED-FOR: 213.206.5.224, 158.43.240.12, 198.165.92.91, 158.43.240.10, 66.119.34.38, 202.45.127.18
FORWARDED-FOR: 213.206.5.224, 158.43.240.12, 198.165.92.91, 158.43.240.10, 66.119.34.38, 202.45.127.18
X-COMING-FROM: 213.206.5.224, 158.43.240.12, 158.43.240.10, 66.119.34.38
VIA: 1.1 sfcache1 (NetCache NetApp/5.5R6), 1.1 sfcache1 (NetCache NetApp/5.5R6)
Content-Length: 2621
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
Some strange things here: two Referer values instead of one, a cascade of anonymous proxies in the forwarding headers, and a User-Agent that looks like that of a normal browser.
My guess is that this is an infected machine that is querying Google for keywords like blog, comment, ... and then attempts to inject the spam. The spam itself is removed from this post for obvious reasons :)
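To turn those observations into a repeatable check, here is an added Python example (not code from the post or from ZION SECURED WAMAF) that parses the request headers shown above and flags each of the anomalies; the benign comparison request and the hop threshold of 3 are constructed assumptions.

```python
from collections import defaultdict

# Headers of the blocked request quoted in the post (body omitted), used as sample input.
SPAM_REQUEST = """POST /blog/2010/3/2/update-about-the-rijksregisternumber.aspx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MyIE2; Maxthon)
Host: www.zionsecurity.com
Accept: */*
Referer: http://ufsix.ir/index.php/more-about-joomla/25-the-project/5-joomla-license-guidelines.html, http://www.zionsecurity.com/blog/2010/3/2/update-about-the-rijksregisternumber.aspx
X-FORWARDED-FOR: 213.206.5.224, 158.43.240.12, 198.165.92.91, 158.43.240.10, 66.119.34.38, 202.45.127.18
FORWARDED-FOR: 213.206.5.224, 158.43.240.12, 198.165.92.91, 158.43.240.10, 66.119.34.38, 202.45.127.18
X-COMING-FROM: 213.206.5.224, 158.43.240.12, 158.43.240.10, 66.119.34.38
VIA: 1.1 sfcache1 (NetCache NetApp/5.5R6), 1.1 sfcache1 (NetCache NetApp/5.5R6)
Content-Length: 2621
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue
"""
# Constructed benign comment POST for comparison (not from the post).
NORMAL_REQUEST = """POST /blog/2010/3/2/update-about-the-rijksregisternumber.aspx HTTP/1.1
Host: www.zionsecurity.com
Referer: http://www.zionsecurity.com/blog/2010/3/2/update-about-the-rijksregisternumber.aspx
Content-Type: application/x-www-form-urlencoded
"""
# Headers whose value is a comma-separated list (Referer included so duplicates get counted).
LIST_HEADERS = {"referer", "x-forwarded-for", "forwarded-for", "x-coming-from", "via"}

def parse_headers(raw):
    """Return (request_line, {lower-cased name: [values]}), merging repeated headers."""
    lines = raw.strip().splitlines()
    headers = defaultdict(list)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        parts = value.split(",") if name in LIST_HEADERS else [value]
        headers[name].extend(p.strip() for p in parts if p.strip())
    return lines[0], headers

def score_request(raw, max_hops=3):
    """Return the anomalies the post calls out, as a list of strings (empty = looks normal)."""
    _, h = parse_headers(raw)
    findings = []
    if len(h["referer"]) > 1:  # a browser never sends more than one Referer
        findings.append("multiple Referer values (%d)" % len(h["referer"]))
    if len(h["x-forwarded-for"]) > max_hops:  # cascade of anonymous proxies
        findings.append("long proxy chain (%d hops)" % len(h["x-forwarded-for"]))
    for name in ("forwarded-for", "x-coming-from"):  # not standard proxy headers
        if h[name]:
            findings.append("non-standard forwarding header " + name)
    if len(h["via"]) != len(set(h["via"])):  # the same cache listed twice
        findings.append("duplicate hop in Via")
    return findings
```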
Country of origin:

Clicking on one of the links in the spam redirects to a spammed forum (phpBB), where the visitor is trapped into visiting a porn site, because clicking either the "Yes, I am 18+" or the "No, I am not 18+" image gives the same result.
With NoScript enabled, nothing happened. Disabling NoScript and intercepting the traffic in Burp gave some interesting results:
Kaspersky Anti-Virus 6.0 for Windows Workstations
Access denied
The requested URL could not be retrieved
While trying to retrieve the URL: http://pagecsearch.org/cgi-bin/030
The following error was encountered: The requested object is INFECTED with the following viruses: Packed.JS.Agent.cl
Please contact your service provider if you consider it incorrect.
Generated: 14/04/2010 16:28:02 Kaspersky Anti-Virus 6.0 for Windows Workstations
I wonder what the legal impact is for a Belgian site being infected with this kind of spam, with users getting redirected to a porn site that tries to infect them.