[AusNOG] Web Injection
Matt Palmer
mpalmer at hezmatt.org
Tue Jul 8 12:59:40 EST 2014
On Tue, Jul 08, 2014 at 12:02:53PM +1000, Cameron Murray wrote:
> Thought I'd post here to see if anyone else is seeing the injection at the
> very bottom of this site.
>
> www.jamboree.com.au
I'm not seeing anything obviously dodgy, testing from two sites.
Test 1 is 150.101.203.91, using Chromium 34 (UA might be important), path
is:
2 lns20.syd6.on.ii.net (150.101.199.159) 23.755 ms 24.866 ms 26.047 ms
3 xe-0-0-1.cr1.syd4.on.ii.net (150.101.195.138) 27.938 ms 30.415 ms 30.830 ms
4 ae5.br1.syd4.on.ii.net (150.101.33.48) 54.254 ms 54.644 ms 55.303 ms
5 ae0.br1.syd7.on.ii.net (150.101.33.15) 41.392 ms 36.709 ms 38.568 ms
6 as9280.sydney.pipenetworks.com (218.100.2.85) 40.131 ms 22.295 ms 21.886 ms
7 ge-1-0-3-0.bdr2.syd1.bucan.com.au (203.17.36.238) 22.281 ms 27.534 ms 27.919 ms
8 ae12.cor1.syd1.bucan.com.au (203.17.36.198) 28.588 ms 29.410 ms 29.858 ms
9 * * *
10 * * *
[all stars from here]
Test 2 is from 70.85.129.92, using wget, path is:
1 router1-dal.linode.com (67.18.7.161) 0.489 ms 0.637 ms 0.967 ms
2 ae2.car01.dllstx2.networklayer.com (67.18.7.89) 0.324 ms 0.303 ms 0.281 ms
3 po101.dsr02.dllstx2.networklayer.com (70.87.254.77) 0.842 ms 0.833 ms 0.810 ms
4 po22.dsr02.dllstx3.networklayer.com (70.87.255.69) 0.780 ms 0.908 ms 1.008 ms
5 ae17.bbr01.eq01.dal03.networklayer.com (173.192.18.226) 0.672 ms 0.645 ms ae17.bbr02.eq01.dal03.networklayer.com (173.192.18.230) 0.621 ms
6 ae1.bbr01.tl01.atl01.networklayer.com (173.192.18.135) 20.146 ms 20.128 ms ae7.bbr02.eq01.dal03.networklayer.com (173.192.18.209) 0.658 ms
7 ae1.bbr01.tl01.atl01.networklayer.com (173.192.18.135) 20.097 ms 10gigabitethernet1-3.core1.atl1.he.net (198.32.132.75) 20.253 ms 25.443 ms
8 10ge10-4.core1.chi1.he.net (184.105.223.225) 29.751 ms 10gigabitethernet1-3.core1.atl1.he.net (198.32.132.75) 25.327 ms 10ge10-4.core1.chi1.he.net (184.105.223.225) 29.722 ms
9 10ge11-4.core1.pao1.he.net (184.105.222.173) 67.793 ms 10ge10-4.core1.chi1.he.net (184.105.223.225) 29.801 ms 10ge11-4.core1.pao1.he.net (184.105.222.173) 66.616 ms
10 10ge3-4.core1.sjc1.he.net (72.52.92.114) 63.981 ms 10ge11-4.core1.pao1.he.net (184.105.222.173) 66.957 ms 66.608 ms
11 tpg-internet-pty-ltd.10gigabitethernet3-1.core1.sjc1.he.net (72.52.66.22) 215.012 ms 215.007 ms tpg-internet-pty-ltd.10gigabitethernet1-3.core1.sjc1.he.net (72.52.93.38) 214.218 ms
12 203-219-35-79.static.tpgi.com.au (203.219.35.79) 210.606 ms 210.597 ms tpg-internet-pty-ltd.10gigabitethernet1-3.core1.sjc1.he.net (72.52.93.38) 214.112 ms
13 203-219-35-79.static.tpgi.com.au (203.219.35.79) 210.570 ms 203-219-106-166.tpgi.com.au (203.219.106.166) 229.827 ms 229.849 ms
14 * 203-219-106-166.tpgi.com.au (203.219.106.166) 229.806 ms *
15 * * 203-174-191-50.syd.static-ipl.aapt.com.au (203.174.191.50) 225.693 ms
16 203-174-191-50.syd.static-ipl.aapt.com.au (203.174.191.50) 226.629 ms ae12.cor1.syd1.bucan.com.au (203.17.36.198) 227.098 ms 226.747 ms
17 ae12.cor1.syd1.bucan.com.au (203.17.36.198) 226.571 ms * *
18 * * *
19 * * *
[all stars from here]
Tracking down web injection is something I used to do for a part of my
living; ping me off-list if you'd like more pointers, or if you'd like a
free second pair of eyes. As others have said, I'd say it's unlikely to be
network-path-based; it's far more likely to either trigger based on UA,
cookies, referer, or some other L7 criteria (possibly a complicated
combination of factors). .htaccess files are where a lot of this stuff
likes to hide, as well as PHP pre-include files.
(As an aside, I've never seen FIPS-compliant OpenSSL "in the wild" before)
- Matt
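A worked example of the two checks Matt describes, written for this thread and not part of the original post or anything Matt published: fetch the same URL under a matrix of User-Agent / Referer / Cookie combinations and flag the combinations whose response tail differs from the majority (an L7-keyed injector only fires for some of them), and scan a .htaccess file for the directives such injections usually ride on (auto_prepend_file / auto_append_file and RewriteCond rules keyed on request headers). The header matrix, the stand-in fetcher and the sample .htaccess are constructed for illustration; nothing here was taken from jamboree.com.au.

```python
"""Probe a page for L7-conditional injection and inspect a .htaccess file.

Added example for the AusNOG thread, not the original poster's code. The
fetcher is injected so the logic runs offline against constructed responses;
urllib_fetcher is the real-network equivalent.
"""
import hashlib
import itertools
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed variation matrix: same URL, different L7 conditions. An injector
# keyed on UA/referer/cookie yields bodies that differ only for some combos.
USER_AGENTS = {
    "chromium": "Mozilla/5.0 (X11; Linux x86_64) Chrome/34.0.1847.116 Safari/537.36",
    "wget": "Wget/1.15 (linux-gnu)",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
REFERERS = {"none": None, "google": "https://www.google.com/"}
COOKIES = {"none": None, "returning": "visited=1"}

Fetcher = Callable[[str, Dict[str, str]], bytes]


def urllib_fetcher(url: str, headers: Dict[str, str]) -> bytes:
    """Real fetcher (needs network); swap in a fake for offline runs."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def tail_fingerprint(body: bytes, n: int = 2048) -> str:
    """Hash only the last n bytes: appended injections sit at the end of the body."""
    return hashlib.sha256(body[-n:]).hexdigest()[:16]


def probe(url: str, fetch: Fetcher) -> Dict[Tuple[str, str, str], str]:
    """Fetch under every UA/referer/cookie combination; fingerprint each response tail."""
    results = {}
    for (ua_name, ua), (ref_name, ref), (ck_name, ck) in itertools.product(
            USER_AGENTS.items(), REFERERS.items(), COOKIES.items()):
        headers = {"User-Agent": ua}
        if ref:
            headers["Referer"] = ref
        if ck:
            headers["Cookie"] = ck
        results[(ua_name, ref_name, ck_name)] = tail_fingerprint(fetch(url, headers))
    return results


def diverging_combos(results: Dict[Tuple[str, str, str], str]) -> List[Tuple[str, str, str]]:
    """Combinations whose response tail differs from the most common fingerprint."""
    counts: Dict[str, int] = {}
    for fp in results.values():
        counts[fp] = counts.get(fp, 0) + 1
    baseline = max(counts, key=counts.get)
    return sorted(combo for combo, fp in results.items() if fp != baseline)


# Directives that typically carry injection in .htaccess: PHP pre/append files
# and conditional rewrites keyed on L7 request attributes.
HTACCESS_PATTERNS = [
    re.compile(r"^\s*php_(?:value|admin_value)\s+auto_(?:prepend|append)_file\b", re.I),
    re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER|COOKIE)\}", re.I),
    re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I),
]


def suspicious_htaccess_lines(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line matching a suspicious directive."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if any(p.match(line) for p in HTACCESS_PATTERNS):
            hits.append((no, line.strip()))
    return hits


# --- Constructed stand-ins so the example runs offline -------------------------
CLEAN_BODY = b"<html><body><p>constructed page</p></body></html>\n"
INJECTED_TAIL = b'<div style="display:none"><a href="http://injected.example.invalid/">x</a></div>\n'


def fake_fetcher(url: str, headers: Dict[str, str]) -> bytes:
    """Constructed site: appends a hidden block only for Chrome arriving via Google."""
    if "Chrome" in headers.get("User-Agent", "") and "google" in headers.get("Referer", ""):
        return CLEAN_BODY + INJECTED_TAIL
    return CLEAN_BODY


SAMPLE_HTACCESS = """\
# constructed sample .htaccess, not from any real site
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Chrome|Firefox) [NC]
RewriteCond %{HTTP_REFERER} google\\. [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
php_value auto_prepend_file /tmp/.cache/x.php
DirectoryIndex index.php
"""

if __name__ == "__main__":
    for combo in diverging_combos(probe("http://www.example.invalid/", fake_fetcher)):
        print("response differs for UA/referer/cookie =", combo)
    for no, line in suspicious_htaccess_lines(SAMPLE_HTACCESS):
        print(f".htaccess line {no}: {line}")
```

Run it against a real site by passing urllib_fetcher instead of fake_fetcher; extend the three dictionaries with whatever UA, referer and cookie values the affected visitors actually sent, since a production injector may key on a combination none of the defaults hit. Comparing only the body tail keeps normal per-request noise (CSRF tokens, timestamps in the head) from masking the appended block the original report describes.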