Re: [Full-Disclosure] drive by shooting - got hit by mysearch toolbar
From: Qber_GuidoZ?= (uberguidoz_at_gmail.com)
Date: 09/13/04
- Previous message: dreamer_at_darkness.gr: "Re: [Full-Disclosure] Please *stop* with the GMAIL invites"
- In reply to: Andrei Galca-Vasiliu: "Re: [Full-Disclosure] drive by shooting - got hit by mysearch toolbar"
- Next in thread: Iadnah: "Re: [Full-Disclosure] drive by shooting - got hit by mysearch toolbar"
To: andrei.galca@rdsnet.ro
Date: Mon, 13 Sep 2004 00:27:27 -0400
I peeked at the site too. The "common.js" is nothing to worry about.
It just pops the page out of a frame if it opens in one (like from a
Hotmail link, for example). You can see it being called with the Body
OnLoad tag (<body onload="framebreaker()">). Here's the full code in
it:
--------------
// common.js
// Copyright 2001-2003 by Christopher Heng. All rights reserved.
// $Id: common.js 2.3 2003/04/29 11:49:36 chris Exp $
function framebreaker()
{
    // see http://www.thesitewizard.com/archive/framebreak.shtml
    // for an explanation of this script and how to use it on your own site
    if (top.location != location) {
        top.location.href = document.location.href;
    }
}
--------------
For the record, nothing ever popped up for me. Plus, I looked at the
source as well - there aren't any calls to ActiveX, popups, etc. In
fact, besides the CSS, the only thing that IS called is the javascript
above. I would say this page is innocent.
Check the server for something else. It's obvious you have
spyware/adware on it if you are seeing the MySearch bar. Definitely
get rid of that, then run a Spybot or AdAware scan to be sure it's
completely clean.
--
Peace. ~G

On Sun, 12 Sep 2004 10:35:57 +0300, Andrei Galca-Vasiliu <andrei.galca@rdsnet.ro> wrote:
> How long was that machine connected until you patched it?
> Try installing some anti virus program first thing, then connect, update virus
> definitions, and then update windows.
> You'll have a big surprise :) I got 7 alerts while updating, 3 spybots and 4
> viruses.
>
> In a mail dated Sunday 12 September 2004 02:58,
> fulldisclosure@wateraxe.demon.nl wrote:
> > All patches installed on w2k server ie6
> > except :
> >
> > journal viewer
> > .net framework
> > directx9.0b
> > media player 9
> >
> > googled for 'how to configure htaccess on apache', first hit was this
> > page :
> >
> > www.thesitewizard.com/apache/index.shtml
> >
> > i went there and found nothing ... like a page with links to stuff i
> > didnt really want ..
> > so i open a new window in IE .. bang ... 'MySearch toolbar' sitting
> > there in my IE window.
> > i know i shouldnt be browsing on a server, but i just wanted to look
> > something up so i could configure the server
> > now im sure i didnt click on OK anywhere, nothing even popped up when
> > i went there.
> > i checked back at the site and now something DID popup .. i was using
> > a remote terminal server connection,
> > so maybe i hit spacebar on accident before seeing the window ? i dont
> > think so , the connection here is quite fast,
> > i probably would have seen that ... anyway the second visit i did get
> > a popup asking for an install of something.
> > i checked the source and i did see a reference to
> > ../include/common.jsp somewhere at the top,
> > but its late here so im gonna leave it at that and maybe check on it
> > tomorrow.
> >
> > just thought i'd give some ppl who might be interested a heads up
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> - --
> Andrei Galca-Vasiliu
> Technical Support
> Brasov Branch
> Romania Data Systems
> T: +402 68 474133 F: +402 68 474133
> www.rdsnet.ro
> - --
> Privileged/Confidential Information may be contained in this message.
> If you are not the addressee indicated in this message (or responsible
> for delivery of the message to such person), you may not copy or
> deliver this message to anyone. In such a case, you should destroy
> this message and kindly notify the sender by reply e-mail.
> - --
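
The manual source review described in the message above (which scripts a page loads, and whether it references ActiveX objects or popups) can be scripted against saved page source. This is an added example, not part of the original post; both HTML samples, the paths inside them and the function names are constructed for illustration.

```javascript
// Constructed sample resembling the reviewed page: CSS, one script, one onload handler.
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="../include/style.css">
<script src="../include/common.js"></script>
</head>
<body onload="framebreaker()"><p>Apache tutorials</p></body></html>`;

// Constructed counter-sample: what an install prompt would leave behind in the source.
const SUSPECT_HTML = `<html><body onload="window.open('ad.html')">
<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="toolbar.cab"></object>
<iframe src="http://ads.example/x.html" width="0" height="0"></iframe>
</body></html>`;

// Return the value of one attribute from a raw opening tag, or null if absent.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*("([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Inventory everything in the page that can run or load code, for a human to review.
function triagePageSource(html) {
  const report = { scripts: [], handlers: [], objects: [], iframes: [], popups: 0 };
  for (const [tag] of html.matchAll(/<[a-z][^>]*>/gi)) {
    const name = /^<([a-z0-9]+)/i.exec(tag)[1].toLowerCase();
    if (name === 'script' && attr(tag, 'src')) report.scripts.push(attr(tag, 'src'));
    if (name === 'object' || name === 'embed') {
      report.objects.push(attr(tag, 'classid') || attr(tag, 'src') || tag);
    }
    if (name === 'iframe') report.iframes.push(attr(tag, 'src'));
    // Inline event handlers such as <body onload="framebreaker()">.
    for (const [, ev, , dq, sq] of tag.matchAll(/\s(on[a-z]+)\s*=\s*("([^"]*)"|'([^']*)')/gi)) {
      report.handlers.push(`${name}.${ev.toLowerCase()}=${dq ?? sq}`);
    }
  }
  report.popups = (html.match(/window\.open\s*\(/g) || []).length;
  // Embedded objects, frames and popups are the items the message looked for and did not find.
  report.needsReview = report.objects.length + report.iframes.length + report.popups > 0;
  return report;
}

console.log(triagePageSource(SAMPLE_HTML));
console.log(triagePageSource(SUSPECT_HTML));
```

Each external script listed in `scripts` still has to be fetched and read by hand, as was done with common.js here; the report only tells you what to look at.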