lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: jftucker at gmail.com (James Tucker)
Subject: drive by shooting - got hit by mysearch toolbar

The site quoted, did not contain any malicious code when I just checked it.
The common.js file quoted contains only the framebreak code:
---------BEGIN---------
// common.js
// Copyright 2001-2003 by Christopher Heng. All rights reserved.
// $Id: common.js 2.3 2003/04/29 11:49:36 chris Exp $

function framebreaker()
{	// see http://www.thesitewizard.com/archive/framebreak.shtml
	// for an explanation of this script and how to use it on your own site
	if (top.location != location) {
		top.location.href = document.location.href ;
	}
}
---------END---------

Unless there is some kind of image based exploit on the site I don't
see mysearchbar having come from there.

I checked the CSS for :before and :after properties too.

On Sun, 12 Sep 2004 01:58:18 +0200, fulldisclosure@...eraxe.demon.nl
<fulldisclosure@...eraxe.demon.nl> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> All patches installed on w2k server ie6
> except :
> 
> journal viewer
> .net framework
> directx9.0b
> media player 9
> 
> googled for 'how to configure htaccess on apache', firts hit was this
> page :
> 
> www.thesitewizard.com/apache/index.shtml
> 
> i went there and found nothing ... like a page with links to stuff i
> didnt really want ..
> so i open a new window in IE .. bang ... 'MySearch toolbar' sitting
> there in my IE window.
> i know i shouldnt be browsing on a server, but i just wanted to look
> something up so i could configure the server
> now im sure i didnt click on OK anywhere, nothing even popped up when
> i went there.
> i checked back at the site and now something DID popup .. i was using
> a remote terminal server connection,
> so maybe i hit spacebar on accident before seeing the window ? i dont
> think so , the connection here is quite fast,
> i probably would have seen that ... anyway the second visit i did get
> a popup asking for an install of something.
> i checked the source and i did see a reference to
> ../include/common.jsp somewhere at the top,
> but its late here so im gonna leave it at that and maybe check on it
> tomorrow.
> 
> just thought i'd give some ppl who might be interested a heads up
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> 
> iQA/AwUBQUORGpNqa4mRthN9EQI3EQCgi0vP/7xW4vJMKyA+2vL0AM1JHCkAn0HB
> J7gy3LFF6FvE+1FYv8FQ3A92
> =ImDN
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists