Possible google hack

From: Johnson, April (apjohnsonat_private)
Date: Tue Jan 07 2003 - 11:13:30 PST

Next message: Lisa Casey: "Re: Root password changed"

Previous message: Sverre H. Huseby: "Re: /sumthin Revisited"
Next in thread: rsavageat_private: "Re: Possible google hack"
Reply: rsavageat_private: "Re: Possible google hack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I've run into something most unusual in my proxy cache from last night: This
was what appeared if I used my proxy to view www.google.com. It *could* be
that my proxy cache was hacked, or some kind of dns spoofing/corruption
occured between here and there.  But has anyone else heard/seen this?

Ping for www.google.com resolves to 216.239.33.101 - from the proxy console.

The google site with a black background and the text

Touch by cassablanca 
 

Gratz To

s2c botaks [M2C] Junkist DewaLangit SpaceGhostz Ghostz bagan Escuver
frozenghost Gir4ff3 AxAL

#IndoHackerLInkat_private  #AntiHackerLinkat_private #RealCyberat_private


I've included the source as follows... It doesn't look all that clean.


-April Johnson (CISSP, MCSE, CCNP)
Network Operations - Security
Seattle Public Schools
apjohnsonat_private
206.252.0353

"Give a kid a fish, and he eats for a day; teach a kid to fish, and he eats
for a lifetime."

----------------------------------------------------------------------------
-





<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Touch By cassablanca</TITLE> <META
http-equiv=Content-Type content="text/html; charset=windows-1252">
<"CHECK_FOR_VIRUSES"_STYLE .F1 {
	FILTER: glow(Color=#FF8000,Strength=10); WIDTH: 250px; HEIGHT: 200px
} .F2 {
	FILTER: glow(Color=#00FF00,Strength=10); WIDTH: 250px; HEIGHT: 200px
} .F3 {
	FILTER: glow(Color=#0080FF,Strength=10); WIDTH: 250px; HEIGHT: 200px
} ></"CHECK_FOR_VIRUSES"_STYLE>

<"CHECK_FOR_VIRUSES"_SCRIPT language=JavaScript>
<!-- Original:  CodeLifter.com (supportat_private) -->
<!-- Web Site:  http://www.codelifter.com -->

<!-- This script and many more are available free online at -->
<!-- The JavaScript Source!! http://javascript.internet.com -->

<!-- Begin
var rate = 1000
// do not edit below this line
var i = 0;
var F = 'F1';
function doThing() {
if (document.getElementById&&document.all) {
ok = true;
i++;
if (i==1) F = 'F1';
if (i==2) F = 'F2';
if (i==3) F = 'F3';
YammaYamma.className = F;
if (i > 2) i = 0;
timer = setTimeout('doThing()', rate);
   }         
}
//  End -->
</"CHECK_FOR_VIRUSES"_SCRIPT>
<META content="Microsoft FrontPage 5.0" name=GENERATOR></HEAD> <BODY
text="#ffffff" bgColor="#000000" "CHECK_FOR_VIRUSES"_onload="doThing()"><!-- STEP THREE: Copy this
code into the BODY of your HTML document  --> <CENTER> <TABLE cellSpacing=0
cellPadding=10 width=401 height="69">
  <TBODY>
  <TR>
    <TD width="401" height="69">
      <CENTER><FONT face="Monotype Corsiva" color=#ffffff>
      <P id=YammaYamma><B><font size="7">Touch by </font> </B></FONT><B>
      <font size="7" face="Monotype Corsiva"
color="#ffffff">cassablanca</font></B><FONT face=Courier color=#ffffff
size=10>
      </P></FONT></CENTER></TD></TR></TBODY></TABLE></CENTER>
<P align="center"><B><FONT face=Terminal color=#00ff00 size=5>Gratz
To</FONT></B></P> <P align="center"><FONT face="Comic Sans MS" color=#ff0000
size=4>s2c botaks 
[M2C] Junkist DewaLangit SpaceGhostz Ghostz bagan Escuver frozenghost
Gir4ff3 
AxAL</FONT></P>
<P align="center"><FONT face="Monotype Corsiva" color=#ff0000 size=5><FONT 
color=#ffffff></a></a></FONT>
</font><FONT face="Monotype Corsiva"
size=5>#IndoHackerLInkat_private</font></a></a> </FONT> </font> <font
face="Monotype Corsiva" size="5">&nbsp;#AntiHackerLinkat_private
#RealCyberat_private</A></font><font face="Monotype Corsiva" color="#ff0000"
size="5"></HTML><font face="Monotype Corsiva"
size="5"></a></font></font></P><!-- text below generated by server. PLEASE
REMOVE
--></"CHECK_FOR_VIRUSES"_object></"CHECK_FOR_VIRUSES"_layer></div></span></"CHECK_FOR_VIRUSES"_style></noscript></table></"CHECK_FOR_VIRUSES"_script></apple
t><"CHECK_FOR_VIRUSES"_script language="JavaScript"
src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></"CHECK_FOR_VIRUSES"_script><"CHECK_FOR_VIRUSES"_script
language="JavaScript"
src="http://domainpending.com/js_source/geov2.js"></"CHECK_FOR_VIRUSES"_script><"CHECK_FOR_VIRUSES"_script
language="javascript">geovisit();</"CHECK_FOR_VIRUSES"_script><noscript><img
src="http://visit.webhosting.yahoo.com/visit.gif?us1040932987" border=0
width=1 height=1></noscript> <IMG
SRC="http://geo.yahoo.com/serv?s=76001085&t=1040932987" ALT=1 WIDTH=1
HEIGHT=1>


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Lisa Casey: "Re: Root password changed"
Previous message: Sverre H. Huseby: "Re: /sumthin Revisited"
Next in thread: rsavageat_private: "Re: Possible google hack"
Reply: rsavageat_private: "Re: Possible google hack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 14:18:03 PST