Possible google hack

From: Johnson, April (apjohnson@seattleschools.org)
Date: 01/07/03

Next message: Lisa Casey: "Re: Root password changed"

Previous message: Sverre H. Huseby: "Re: /sumthin Revisited"
Next in thread: rsavage@nandomedia.com: "Re: Possible google hack"
Reply: rsavage@nandomedia.com: "Re: Possible google hack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Johnson, April" <apjohnson@seattleschools.org>
To: incidents@securityfocus.com
Date: Tue, 7 Jan 2003 11:13:30 -0800

I've run into something most unusual in my proxy cache from last night: This
was what appeared if I used my proxy to view www.google.com. It *could* be
that my proxy cache was hacked, or some kind of dns spoofing/corruption
occured between here and there. But has anyone else heard/seen this?

Ping for www.google.com resolves to 216.239.33.101 - from the proxy console.

The google site with a black background and the text

Touch by cassablanca

Gratz To

s2c botaks [M2C] Junkist DewaLangit SpaceGhostz Ghostz bagan Escuver
frozenghost Gir4ff3 AxAL

#IndoHackerLInk@DAL.Net #AntiHackerLink@DAL.Net #RealCyber@DAL.net

I've included the source as follows... It doesn't look all that clean.

-April Johnson (CISSP, MCSE, CCNP)
Network Operations - Security
Seattle Public Schools
apjohnson@seattleschools.org
206.252.0353

"Give a kid a fish, and he eats for a day; teach a kid to fish, and he eats
for a lifetime."

----------------------------------------------------------------------------
-

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Touch By cassablanca</TITLE> <META
http-equiv=Content-Type content="text/html; charset=windows-1252">
<"CHECK_FOR_VIRUSES"_STYLE .F1 {
 FILTER: glow(Color=#FF8000,Strength=10); WIDTH: 250px; HEIGHT: 200px
} .F2 {
 FILTER: glow(Color=#00FF00,Strength=10); WIDTH: 250px; HEIGHT: 200px
} .F3 {
 FILTER: glow(Color=#0080FF,Strength=10); WIDTH: 250px; HEIGHT: 200px
} ></"CHECK_FOR_VIRUSES"_STYLE>

<"CHECK_FOR_VIRUSES"_SCRIPT language=JavaScript>

</"CHECK_FOR_VIRUSES"_SCRIPT>
<META content="Microsoft FrontPage 5.0" name=GENERATOR></HEAD> <BODY
text="#ffffff" bgColor="#000000" "CHECK_FOR_VIRUSES"_onload="doThing()"> <CENTER> <TABLE cellSpacing=0
cellPadding=10 width=401 height="69">
 <TBODY>
 <TR>
 <TD width="401" height="69">
 <CENTER>
 Touch by 
 cassablanca
 </CENTER></TD></TR></TBODY></TABLE></CENTER>
Gratz
To s2c botaks
[M2C] Junkist DewaLangit SpaceGhostz Ghostz bagan Escuver frozenghost
Gir4ff3
AxAL
</a></a>
#IndoHackerLInk@DAL.Net</a></a>  #AntiHackerLink@DAL.Net
#RealCyber@DAL.net</A></HTML></a></"CHECK_FOR_VIRUSES"_object></"CHECK_FOR_VIRUSES"_layer></div></"CHECK_FOR_VIRUSES"_style></noscript></table></"CHECK_FOR_VIRUSES"_script></apple
t><"CHECK_FOR_VIRUSES"_script language="JavaScript"
src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></"CHECK_FOR_VIRUSES"_script><"CHECK_FOR_VIRUSES"_script
language="JavaScript"
src="http://domainpending.com/js_source/geov2.js"></"CHECK_FOR_VIRUSES"_script><"CHECK_FOR_VIRUSES"_script
language="javascript">geovisit();</"CHECK_FOR_VIRUSES"_script><noscript><img
src="http://visit.webhosting.yahoo.com/visit.gif?us1040932987" border=0
width=1 height=1></noscript> <IMG
SRC="http://geo.yahoo.com/serv?s=76001085&t=1040932987T=1 WIDTH=1
HEIGHT=1>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Next message: Lisa Casey: "Re: Root password changed"
Previous message: Sverre H. Huseby: "Re: /sumthin Revisited"
Next in thread: rsavage@nandomedia.com: "Re: Possible google hack"
Reply: rsavage@nandomedia.com: "Re: Possible google hack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]