google.com.bd is attacked using DNS poisoning

Posted on January 8, 2011 by Monirul

Just a few hours back, one of my old colleagues made a phone call to let me know that google has been hacked by a Bangladeshi guy. I was astonished to hear that thus couldn’t stop myselft to investigate further. First, when I tried http://www.google.com.bd it was ok. Then tried http://google.com.bd and yes, it has been hacked! The hacker has defaced the home page. Without being late I made a remote desktop connection to a PC which is located in australia. When I hit google.com.bd from there, it was redirecting me to www.google.com.bd one. This primary test make sure that it’s not a world wide problem. Then I asked few of my friends (who is under different network) to check whether this is particular to BD or not. One of them reported he found it ok. So, this is BD specific and some ISP specific. Finally running tracert command for both ensured that it’s a dns poising attack.

So, hackers have changed the ip address in the DNS servers (which translates a requested domain name into it’s corresponding ip address) for google.com.bd. However here is the tracert result:

Tracing route to www.google.com [74.125.230.81]over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 3 ms 2 ms 3 ms 114.130.35.65
3 5 ms 5 ms 2 ms 114.130.8.113
4 4 ms 4 ms 6 ms 169.dhk-peer.mango.com.bd [114.130.3.169]
5 6 ms 7 ms 4 ms gi1-3.gsr-7609.dhk-gsr-01.mango.com.bd [114.130.1.13]
6 152 ms 150 ms 151 ms pos12-1-0.palermo7.pal.seabone.net [195.22.198.157]

7 199 ms 197 ms 196 ms 72.14.198.233
8 197 ms 195 ms 195 ms 72.14.198.233
9 177 ms 178 ms 178 ms 216.239.47.128
10 190 ms 186 ms 187 ms 209.85.249.234
11 192 ms 193 ms 194 ms 72.14.233.104
12 194 ms 195 ms 195 ms 64.233.175.115
13 198 ms 194 ms 198 ms 74.125.230.81
Trace complete

Tracing route to google.com.bd [173.233.68.2]over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 2 ms 3 ms 2 ms 114.130.35.65
3 3 ms 3 ms 2 ms 114.130.8.113
4 3 ms 3 ms 4 ms 169.dhk-peer.mango.com.bd [114.130.3.169]
5 6 ms 5 ms 4 ms gi1-2.gsr-7609.dhk-gsr-01.mango.com.bd [114.130.1.9]
6 151 ms 150 ms 151 ms pos12-1-0.palermo7.pal.seabone.net [195.22.198.157]

7 189 ms 215 ms 189 ms xe-5-0-0.franco31.fra.seabone.net [195.22.211.221]
8 326 ms 324 ms 325 ms global-crossing.franco31.fra.seabone.net [89.221.34.110]
9 369 ms 371 ms 365 ms turnkey-internet.so-5-1-2.ar4.jfk1.gblx.net [64.215.182.250]
10 330 ms 331 ms 331 ms jm20-ny1-ge-1-3-0.turnkeyinternet.net [64.128.116.2] .
11 331 ms 333 ms 332 ms c6509-ny1-i12ge50.turnkeyinternet.net [208.85.1.14]
12 390 ms 369 ms 401 ms webserver24.turnkeywebspace.com [173.233.68.2]
Trace complete.

Prothom-alo source code revealed

Posted on January 4, 2011 by Monirul

One of my colleagues who sits just behind me was reading the most popular Bangladeshi online newspaper prothom-alo just like other day but the attention was on a strange behavior of the site for few moments. When he clicked on a link from the bottom of the home page, he was taken to that page but as well as his browser was asking him to download a php file. He downloaded it, read it and found that it was a live page from prothom-alojobs.com site. Here is the source code of that page:

<?php require_once(‘../config.php’); require_once(‘../lib/class.Db.php’); $db = new Db(hostname, username, password, databasename); function fill_spots($job_post_name, $lines) { $num_chars= strlen($job_post_name); //find number of characters; if($num_chars<=40) { $lines++; } elseif($num_chars>40 && $num_chars<=80) { $lines=$lines+2; } elseif($num_chars>80 && $num_chars<=120) { $lines=$lines+3; } elseif($num_chars>120 && $num_chars<=160) { $lines=$lines+4; } else { $lines=$lines+5; } return $lines; } ?> <!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”> <html xmlns=”http://www.w3.org/1999/xhtml”> <head> <meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ /> <title>Spotlight Jobs of the week</title> <link type=”text/css” rel=”stylesheet” href=”style1.css” mce_href=”style1.css” media=”screen”/> </head> <body> <div style=”width: 220px;”> <div><img src=”images/header1.JPG” mce_src=”images/header1.JPG” width=”220″ /></div> <div id=”content”> <marquee behavior=”scroll” direction=”up” style=”padding-top:20px;” mce_style=”padding-top: 20px;” height=”170″ onmouseover=”stop()” onmouseout=”start()” scrolldelay=”1″ scrollamount=”3″> <div> <?php $query_for_total=”SELECT * FROM `spotlight_jobs` WHERE expiry_date >= CURDATE() AND status=’1′ AND `jobs_of_week` = ’1′ ORDER BY `spotlight_job_id` DESC”; $result_for_total=mysql_query($query_for_total); $total_row=@mysql_num_rows($result_for_total); $i = 0; while($row=@mysql_fetch_array($result_for_total)) { $company_name=$row['title']; $logo_url=$row['logo_url']; $job_list=explode(“,”,$row["job_id"]); $logo_url_tracker=explode(“?”,$logo_url); $i++; if(stristr($logo_url_tracker[1],”jobID”)) $link_src=”http://www.prothom-alojobs.com/static_pages/spotlight_jobs/”.$row["spotlight_job_id"].”/”.$row["logo_url"]; else $link_src=$logo_url; ?> <div class=”spotlight_start”> <div class=”logo”><a target=”_blank” href=”<? echo $link_src; ?>”><img src=”http://www.prothom-alojobs.com/Admin/company_logo_upload/<? echo $row['spotlight_job_id'];?>-<? echo $row['employer_id'];?>/<? echo $row['logo'];?>”></a></div> <div class=”spotlight_job_details”> <h1><?=$company_name;?></h1> <ul> <?php $lines=0; $total_lines=2; $more_jobs=0;//more? yes….1 //more? no…..0 //inner while begins while(key($job_list) !==null) { $curn_id=current($job_list); $q3=”select job_title,no_of_vacancies from jobs where job_id=’”.$curn_id.”‘”; $res3=mysql_query($q3); $row3=mysql_fetch_array($res3); $curn_post=$row3["job_title"]; //echo “post”.$post.” ”; $num=$row3["no_of_vacancies"]; //echo “vacancies”.$num.” ”; $link_src_title=”http://www.prothom-alojobs.com/static_pages/spotlight_jobs/”.$row["spotlight_job_id"].”/”.$row["title_url"]; $present_line=fill_spots($curn_post,$lines); ////////////// if($present_line>$total_lines ) { $more_jobs=1; break; } elseif($present_line==$total_lines) { $nxt_id=next($job_list); $len=strlen($nxt_id); if( $len>=1 ) { $more_jobs=1; break; } else { echo ” <li><a target=\”_blank\” href=”\” mce_href=”\”"”.$link_src_title.”\” >”.$curn_post.”</a></li> ”; break; } } else { echo ” <li><a target=\”_blank\” href=”\” mce_href=”\”"”.$link_src_title.”\” >”.$curn_post.”</a></li> ”; $lines=$present_line; } next($job_list); }// inner while ends ?> </ul> <?php if ($more_jobs==1) // echo “<a target=\”_blank\” href=”\” mce_href=”\”"”.$link_src_title.”\” class=\”\” >+ more jobs</a>”; ?> </div> </div> <?php } ?> </div> </marquee> </div> <!— End Content –> <!— End Content –> <div><img src=”images/fotter1.JPG” mce_src=”images/fotter1.JPG” width=”220″ /></div> </div> </body> </html>

The peculiarity of this problem is, it was only happening in the chrome browser of his PC. Certainly this is not a browser specific issue but still I checked mine and his chrome version. The version mismatched. He was using version 7.0.517.44 but mine was over 8. Then I checked in different PCs (all was unfortunately version over 8 ) where chrome was installed, nowhere it was happening except his PC. At that moment my belief was like this might be a chrome version 7.0.517.44 specific issue. Then while we were planning to update his browser, we noticed that that is already updated automatically to version 8 and was waiting to be restarted. After restarting the browser, that problem was not happening anymore. So my belief became stronger although at the same time I believe it cannot be a browser specific issue.

Finally I downloaded the chrome version 7.0.517.44 and tried to regenerate it without any luck.

Bangladeshi newspaper sites are vulnerable to XSS

Posted on November 26, 2010 by Monirul

Believe it or not, almost every online version of Bangladeshi newspapers are vulnerable to Cross Site Scripting (XSS) attack. Since my last post regarding Prothom-Alo I was believing may be many newspaper sites from Bangladesh are suffering the same problem. And yes, the guess was right because I just tested 11 more sites and surprisingly 10 of them are vulnerable to the same type of attack.The only site, Amar Desh seems to me ok in quick testing.

During the testing session, I noticed some of them have more serious problems like directory browsing enabled, malicious script can be uploaded, sql injection can be done etc. but in this post I will only concentrate on XSS attack. XSS can cause a variety of problems from cookie theft, session stealing to complete account hijack. It can even change the contents of the target site. Some types of XSS attack can disclose user files, install trojan horse programs, redirect user to some other places. Sometimes it allows to add or modify content like news, company information which can really be a problem for the companies.

Now let’s see the insecure sites. To get a proof of concept you will have to click the following links:

Monirul Islam

Stay alert to threats, take steps to protect.

Category Archives: Security

google.com.bd is attacked using DNS poisoning

Prothom-alo source code revealed

Bangladeshi newspaper sites are vulnerable to XSS