Sunbeltblog comments

I think you're giving RBNet a bit too much credit here. There are many different Russian hacker gangs operating in RBN space, and I know of no evidence to suggest RBN themselves orchestrated the attack.

Certainly the iframe-exploit-hub sites receiving the traffic are operated by known gangs with their own identity. Of course it's /possible/ that RBN could have a more direct finger in the pie (their organisational boundaries and affiliations being somewhat of a grey area).

That is not to absolve them of responsibility: they are amongst the very worst ISPs in the world for tolerance of abuse, happily hosting huge netblocks of nothing but hackers, spammers, exploits and illegal porn, and I can't understand how their upstreams can justify continuing to connect them.

It's got to the point where I'd condone regular ISPs simply blackholing the likes of rbnet, uaonline, esthost.


Agreed on all points. But the signatures were very clearly RBN-associated. Perhaps that's the best way to put it.


I'd like to know what vulnerability allowed the site to be hacked.

"[...]until they found that each time they changed the index page for the site, it was immediately replaced by the hackers."

That happened most likely because the vulnerability had not been patched. Unless the hole that allowed the hack in the first place is fixed, there isn't much point in just changing the page. I've seen the same scenario too many times, with sites being repeatedly hacked. Evidently some webmasters and admins don't understand why they got hacked in the first place.


Is it now safe?

When I tried to open the site today I was redirected to
www1.bankofindia.com/home/startpage.asp and in the status bar I could see an animated "bankofindia.com" instead of "Done".

