Here’s something ugly: the whois response for the pirate book site readanybooks.net. Below is an extract of the interesting parts, which both MacOS and Debian’s whois display.

$ whois readanybooks.net

   Domain Name: READANYBOOKS.NET
   Registrar: XIN NET TECHNOLOGY CORPORATION
   Whois Server: whois.paycenter.com.cn
   Name Server: RICK.NS.CLOUDFLARE.COM

Billing Contact:
  Name           : li xiaoing
  Email          : jr361005@126.com
<script src=
  "http://img2.xinnet.com/d/js/acmsd/thea178.js">
  </script>&nbsp;

Huh? What’s an HTML tag doing in this whois response? And under what circumstances might that script tag be executed? I can imagine a naïve Web interface just injecting that script wholesale into my browser. Every way I load the referenced script it seems benign (right now), but that’s an attack vector waiting to happen.
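
The naive Web interface imagined above, shown next to a version that escapes the whois response before display, plus a check that flags markup in a record. This is an added example, not code from the original post; the function names and the sample record (modeled on the excerpt above) are constructed for illustration.

```python
import html
import re

# Constructed sample modeled on the excerpt above. A whois response is
# untrusted input: the registrant or registrar controls its contents.
SAMPLE_WHOIS = """\
   Domain Name: READANYBOOKS.NET
   Registrar: XIN NET TECHNOLOGY CORPORATION
Billing Contact:
  Name           : li xiaoing
<script src=
  "http://img2.xinnet.com/d/js/acmsd/thea178.js">
  </script>&nbsp;
"""

# Tag-like or entity-like sequences. Whois records are plain text, so any
# match is worth logging. [^>] also matches newlines, so a tag split
# across lines (as in the sample) is still caught.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-zA-Z][^>]*>|&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);"
)


def render_naive(raw):
    """The naive front end: raw whois text pasted straight into the page."""
    return "<pre>" + raw + "</pre>"


def render_escaped(raw):
    """Hardened: the whole response is emitted as text, never as markup."""
    return "<pre>" + html.escape(raw, quote=True) + "</pre>"


def find_markup(raw):
    """Return tag/entity fragments found in a response, whitespace collapsed."""
    return [re.sub(r"\s+", " ", m.group(0)) for m in MARKUP_RE.finditer(raw)]


if __name__ == "__main__":
    print(render_escaped(SAMPLE_WHOIS))
    for fragment in find_markup(SAMPLE_WHOIS):
        print("markup in whois response:", fragment)
```

Escaping at output time is the fix; the markup check is only a signal for logging, since the record should be displayed safely whether or not it matches.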

techbad
  2013-11-15 16:44 Z