Re: [Full-Disclosure] New Santy-Worm attacks *all* PHP-skripts

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 01/06/05

    To: "Juergen Schmidt" <ju@heisec.de>, <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Thu, 6 Jan 2005 01:23:01 -0800
    
    

    > The relevant code:
    > ---------
    > $procura = 'inurl:*.php?*=' . $numr;
    >
    > for($n=0;$n<900;$n += 10){
    > $sock = IO::Socket::INET->new(PeerAddr => "www.google.com.br", PeerPort =>
    > 80, Proto => "tcp") or next;
    > print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
    nothing new here...
    unless... we try the L337 G00GLE HAX0R S34RCH STR!NGZ
    http://www.google.com/search?q=inurl:*.php%3F*%3D&hl=en&lr=&newwindow=1&start=90&sa=N

    BUT !!! LIES !!! LIES I SAY !!!!
    GOOGLE IS TELLING ME I AM INFECTED ( lmfao )

    ------------------- / SNIP /------------------
    "and it appears that your computer or network has been infected"
    -------------------/ SNIP /------------------

    WRONG ANSWER WRONG EXPLANATION WRONG JUST WRONG

    We're sorry...
    .. but we can't process your request right now. A computer virus or spyware
    application is sending us automated requests, and it appears that your
    computer or network has been infected.
    We'll restore your access as quickly as possible, so try again soon. In the
    meantime, you might want to run a virus checker or spyware remover to make
    sure that your computer is free of viruses and other spurious software.
    We apologize for the inconvenience, and hope we'll see you again on Google.

    bleh, now i need to find a new best friend... GOOGLE LIED :(
    m.w
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
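The quoted loop requests the same `inurl:*.php?*=` search at `start=0, 10, 20, ...`, which is the kind of paging an egress proxy log can surface. The sketch below is an added example, not part of the original post or of the worm; the log format (`<client> <method> <url>`), the client addresses, the appended number `1234` and the three-page threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log; the "<client> <method> <url>" layout is an assumption.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.google.com.br/search?q=inurl:*.php?*=1234&start=0
10.0.0.5 GET http://www.google.com.br/search?q=inurl:*.php?*=1234&start=10
10.0.0.5 GET http://www.google.com.br/search?q=inurl:*.php?*=1234&start=20
10.0.0.9 GET http://www.google.com/search?q=inurl:*.php%3F*%3D&hl=en&start=90&sa=N
10.0.0.7 GET http://www.google.com/search?q=php+manual&start=10
10.0.0.7 GET http://example.org/index.php?id=3
"""

# The search string from the quoted code, matched after URL decoding.
DORK = re.compile(r"^inurl:\*\.php\?\*=")

def dork_offsets(log_text):
    """Map client IP -> sorted result offsets of matching searches it sent."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _method, url = parts
        u = urlsplit(url)
        if not (u.hostname or "").startswith("www.google.") or u.path != "/search":
            continue
        qs = parse_qs(u.query)  # decodes %3F / %3D, so both raw and encoded forms match
        if DORK.match(qs.get("q", [""])[0]):
            start = qs.get("start", ["0"])[0]
            hits[client].add(int(start) if start.isdigit() else 0)
    return {client: sorted(offs) for client, offs in hits.items()}

def automated_clients(log_text, min_pages=3):
    """Clients that paged through >= min_pages result pages in steps of 10."""
    return sorted(
        client for client, offs in dork_offsets(log_text).items()
        if len(offs) >= min_pages and all(o % 10 == 0 for o in offs)
    )

if __name__ == "__main__":
    print(dork_offsets(SAMPLE_LOG))
    print(automated_clients(SAMPLE_LOG))
```

A single hit, like the hand-typed search in the message above, shows up in `dork_offsets` but stays below the paging threshold in `automated_clients`.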

