Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

American Football Championship Shenanigans

Published: 2007-02-02
Last Updated: 2007-02-08 16:58:49 UTC
by Kevin Liston (Version: 7)
0 comment(s)
Websense Labs has reported that "the official website of Dolphin Stadium has been compromised with malicious code."  As of now (~1820 GMT 02-FEB-2007) the site still has the injected redirect, but the site hosting the malicious code is not responding.  The malicious script is reported to exploit vulnerabilities described in Microsoft Security Bulletins MS06-014 and MS07-004. has a signature available:

The first reported site has been repaired (for now?)
Other sites have been identified using some googledorking and are in the process of being informed.

McAfee has released updated signatures to detect Backdoor-DKT:
Other AV vendors should have specific signatures by now as well.


A similar (identical?) exploit is served by the following domains. At this point, the best defense (after patching) is to block these domains and monitor DNS requests for them. Infected machines will try to call home to them.,,,, was the domain used in the defacement. Thanks to the cooperation from Xin-Net, the domain is no longer resolving. But there is always a chance that it will come back.

If your website is defaced by this group: Please contact us and preserve logs.

We had '' listed here earlier. According to information from the system administrator for the site, the javascript file on that site is not malicious and just happens to have the same filename.

Updating our earlier update :-), the 3.js off the Natmags site downloads an ad.htm file which is clearly an exploit, as can be shown with a little PERL-fu to make it readable: cat ad.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
The corresponding www.exe is no longer available on the server though (or doesn't download).
0 comment(s)
Diary Archives