
Fixed false reference to screenshot

Josh Habdas, 4 years ago
commit 54bdbbc68a
1 changed file with 9 additions and 9 deletions:

source/_posts/2009-10-18-google-302-redirect-hijack.md (+9, -9)

@@ -4,9 +4,9 @@ layout: post
4 4
 title: Anatomy of a Google 302 Redirect Hijack
5 5
 permalink: "/google-302-redirect-hijack/"
6 6
 comments: true
7
-categories: 
7
+categories:
8 8
   - reference
9
-tags: 
9
+tags:
10 10
   - scareware
11 11
   - http
12 12
   - hacking
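Review bot: the two changed lines in this hunk only strip trailing whitespace after `categories:` and `tags:` in the YAML front matter, which has nothing to do with the screenshot reference named in the commit message; either mention the whitespace cleanup in the message or split it into its own commit so the history stays readable. The change itself is safe: a trailing space after a YAML key whose value is a block sequence does not affect parsing.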
@@ -18,7 +18,7 @@ tags:
18 18
 published: true
19 19
 ---
20 20
 
21
-Recently while Googling `Olla de Carne` (Costa Rican beef stew) my browser was [hijacked][1] after taking a search results link. Rather than receiving a list of ingredients, the link redirected the browser to a bogus antivirus site that mimicked Windows and faked an integrated Explorer virus scan (see screenshot below or <a class="youtube" href="http://www.youtube.com/v/gnZSOMdp9oI">watch the video</a>).  
21
+Recently while Googling `Olla de Carne` (Costa Rican beef stew) my browser was [hijacked][1] after taking a search results link. Rather than receiving a list of ingredients, the link redirected the browser to a bogus antivirus site that mimicked Windows and faked an integrated Explorer virus scan. Let's examine how it happened.
22 22
 
23 23
 <!--more-->
24 24
 
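Review bot: the removed line drops more than the screenshot reference: the `<a class="youtube" href="http://www.youtube.com/v/gnZSOMdp9oI">watch the video</a>` link goes with it, while the commit message only mentions the screenshot. If the video still exists, keep it in the replacement sentence, e.g. `... faked an integrated Explorer virus scan (<a class="youtube" href="http://www.youtube.com/v/gnZSOMdp9oI">watch the video</a>). Let's examine how it happened.`; if dropping it was intentional, say so in the commit message. The old line also ended in two trailing spaces (a Markdown hard line break) and the new one does not, which is harmless here because a blank line follows.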
@@ -72,7 +72,7 @@ The PHP file was stowed away on [woodstockfolkmusic.com][5] (which appears to be
72 72
 
73 73
 Curious as to why the PHP files (with no PHP script or META tags, mind you) would redirect links coming from Google, but not when loaded directly, I again pulled up a client-side proxy for closer investigation. Below are the results of several slightly modified HTTP requests for the file initially requested by Google. Each request contains a modified Referer [request-header field][9].
74 74
 
75
-**First request**  
75
+**First request**
76 76
 Hacked the Referer field to point to the Google domain.
77 77
 
78 78
     GET http://woodstockfolkmusic.com/bftwe/tiijy/carne.php HTTP/1.1
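Review bot: removing the two trailing spaces after `**First request**` changes the rendered output, not just the source: in Markdown, two spaces at the end of a line are a hard line break, so the old source rendered the bold label on its own line above `Hacked the Referer field to point to the Google domain.`, whereas the new source joins the label and the description into a single paragraph on one line. If the label is meant to stand alone, keep the two spaces, end the line with a backslash, or put a blank line between the label and the description. The same applies to the `**First response**`, `**Second request**`, `**Second response**` and `**Additional testing**` labels in the hunks that follow.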
@@ -85,7 +85,7 @@ Hacked the Referer field to point to the Google domain.
85 85
     Accept-Language: en-US,en;q=0.8
86 86
     Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
87 87
 
88
-**First response**  
88
+**First response**
89 89
 Hijack successful; browser redirected to bogus antivirus page.
90 90
 
91 91
     HTTP/1.1 200 OK
@@ -95,7 +95,7 @@ Hijack successful; browser redirected to bogus antivirus page.
95 95
     Connection: close
96 96
     Content-Type: text/html
97 97
 
98
-**Second request**  
98
+**Second request**
99 99
 Hacked the Referer field to a domain other than Google.
100 100
 
101 101
     GET http://woodstockfolkmusic.com/bftwe/tiijy/carne.php HTTP/1.1
@@ -108,7 +108,7 @@ Hacked the Referer field to a domain other than Google.
108 108
     Accept-Language: en-US,en;q=0.8
109 109
     Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
110 110
 
111
-**Second response**  
111
+**Second response**
112 112
 No hijack; browser sent directly to indexed page.
113 113
 
114 114
     HTTP/1.1 200 OK
@@ -117,7 +117,7 @@ No hijack; browser sent directly to indexed page.
117 117
     X-Powered-By: PHP/5.2.6
118 118
     Content-Type: text/html
119 119
 
120
-**Additional testing**  
120
+**Additional testing**
121 121
 Additional testing revealed page redirection would occur only when the Referer field was included in the HTTP request header, and only when the field value contained certain phrases. Two phrases found to trigger the hijack include `google` and `yahoo` (case insensitive) while other likely phrases such as `bing`, `msn`, `aol` and `ask` did not.
122 122
 
123 123
 **Note:** I am I not currently aware if Yahoo is susceptible this particular brand of page hijacking. If you've seen it on Yahoo or know of any examples, please comment and let us know.
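Review bot: the context line `**Note:** I am I not currently aware if Yahoo is susceptible this particular brand of page hijacking.` has a duplicated `I` and is missing `to` before `this particular brand`; since this commit already edits the paragraph directly above it, fixing it here to `**Note:** I am not currently aware if Yahoo is susceptible to this particular brand of page hijacking.` would be cheap.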
@@ -153,4 +153,4 @@ The Chrome button issues are happening on and off. Some of the changes in behavi
153 153
  [7]: http://en.wikipedia.org/wiki/Spamdexing
154 154
  [8]: http://en.wikipedia.org/wiki/Cloaking
155 155
  [9]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
156
- [10]: http://blog.javacoolsoftware.com/2008/12/anti-virus-2009-search-engine-redirect-hacks/
156
+ [10]: http://blog.javacoolsoftware.com/2008/12/anti-virus-2009-search-engine-redirect-hacks/
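Review bot: the `-`/`+` pair for `[10]: http://blog.javacoolsoftware.com/2008/12/anti-virus-2009-search-engine-redirect-hacks/` is identical as rendered, so the change is invisible whitespace, most likely a trailing space or a missing newline at end of file. That is harmless, but the commit message does not mention it; a short note such as `also normalize trailing whitespace` would save the next reader from diffing the two lines by eye.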
