Mass File Injection Attack

May 11, 2008 – 4:06 PM

We received a report from Mike this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob.  If you do a google search for these two URLs, you get about 400,000 sites that have a call to this Javascript file included in them now.  The major portion of the sites seem to be running phpBB forum software.

If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites.  Internal clients that have connected may need some cleanup work.  Another preventive step would be to blacklist these two URLs.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js

Source: SANS

You must be logged in to post a comment.