After yesterday's incident where a Microsoft France website was hacked and defaced by a Turkish cracker going by the handle of TIThack, Zone-H investigated a bit and contacted the cracker and asked to detail the intrusion methodology [the cracker originally reported  a generic "web server intrusion"].

So, are we looking at a new win2k3 / IIS 6.0 0day exploit here?

Today security company Websense is reporting conformation that a site hosting Googlepages contains malicious code.

According to the article the malware contains a banking information stealing component that captures user banking credentals and keylogger components. Accordingly it appears that this was caught before any infections could begin.

At the current time we are unaware if the hacker is using a browser vulnerability  to trigger the attack, or was a prelude to phishing attacks using Google's trusted domain to lure users into clicking and downloading the Trojan file.

Microsoft France was defaced today by Turkish crackers, going by the handle TiTHacK

Zone-h received notification at 2006/06/18 19:19 (GMT+2) that the experts site was defaced "just for fun".

The defacement reads:

Hi Master (: Your System 0wned By Turkish Hackers!

redLine ownz y0u!

Special Thanx And Gretz RudeBoy |SacRedSeer|

The_Bekir And All Turkish HacKers

next target: microsoft.com

date: 18/06/2006 @ 19:06

The attackers notified Zone-H that this was by "WEB SERVER INTRUSION", which could mean a possibility of either a vulnerability in IIS6 or a web-application running on the site...

A mirror of the defacement may be viewed here...

At Zone-h we are privy to a first look at a large number of defaced sites before the fact of the defacement has been made public via our mirrors. As one who verifies sites to the mirror, the author often visits the site before looking at and verifying the mirror, which our site captures immediately when the defacer submits his site, and more than often, later, at the time of the mirror verification the site appears to be normal. By normal we mean that there is no defacement anymore and everything looks as it should. In our estimate 99.9% of the sites have no mention of any intrusion period... and this troubles us.

A defacement may be just that, a defacement, or it is possible that the defacer has also captured valuable data. The most valuable data, apart from identity and credit card data, is information of your users...

In a statement issued, The New York State Consumer Protection Board [CBP] is warning parents that Google is providing easy access to material containing "videos with sexual themes and off-color material". In particular they are targeting Google Video because in it's present form it does not allow for safe searching options that should restrict content to exclude inappropriate content.

Since Google has become a de facto standard as well as it's globalization and privatization, it now has separate and distinct geographical search engine Points Of Presence (hint: China), Google has become, as far as I can see, a body that can be regulated and governed under each of its global server entities and that nations rules and laws.

Despite Yahoo fixing a serious bug in its webmail within 30 minutes of public notification on the Full Disclosure  mailing list, it was once again vulnerable today. Creative hackers had found ways to modify the scripting that causes the flaw and it was once again vulnerable to attack.

At least one security researcher even has a page that lets you test the flaw. Also on the page they give a timeline of the problem, the fixes and the modified vulnerability status...