NEWS FROM THE LAB - Monday, August 17, 2009

IntegrIT Web Server Compromised, Redirects to Porn Site? Posted by WebSecurity @ 10:29 GMT

We received a report that the popular IntegrIT website was suspected to be compromised and performing a redirect-link to a pornography website. The case occurred when the user searched for "integrit" (without quotes) in a search engine.


We inspected the www.integrit.ru contents and found no suspicious code, hence we suspect that the www.integrit.ru Web server configuration files (htaccess, etc.) redirecting the client browsers were compromised.


This was the page we were redirected to when the HTTP Header containing the "referer" parameter (above) was detected:


This is what you would get without the "referer":


A few search engines were tested and only two search engines (Yahoo! and Google) were redirecting users to the pornography website; the other search engines (Bing, Altavista, Ask, and Lycos) were not affected.

Users who type the web address "www.integrit.ru" directly into their browsers won't see this redirection.

The website owner was informed and our users are protected.

Web Security team post by — Chu Kian


Updated to add: Currently the .ru domain is not resolving, though the redirect is still occurring.