 
Message-ID: <5.2.0.9.2.20050519123651.03060780@mail.icorp.net>
Date: Thu, 19 May 2005 12:38:21 -0500
From: "M. Perri" <icc-mysql@...rp.net>
To: bugtraq@...urityfocus.com
Subject: worm "postcard" e-mail issue



Be advised there is a new worm spreading.  It says you have received a 
postcard with a link to click to see the postcard; however, the URL first 
goes to some DSL customer in Canada who has been compromised, and some sort of 
javascript is run on the local machine... not sure what it does....

Can anyone confirm what systems may be vulnerable to this attack?

Initial suspicious code which performs a redirect:

#telnet 68.146.201.132 8180

Trying 68.146.201.132...
Connected to S010600c09f51432d.cg.shawcable.net.
Escape character is '^]'.
GET /090/

HTTP/1.0 200

<-------html><head><s----cript language="javascript">
// Client-side sorter for an HTTP directory listing (the "Small HTTP server"
// banner further down the captured page is consistent with that -- verify
// against the serving software).  Each listed entry is three consecutive
// links in document.links (name, size, date); u leading links are skipped
// before the triples start: u=9 on the page as served, u=6 in the page that
// O() rewrites (see the script text assigned to o inside O).
// k = column being sorted, r = +1 ascending / -1 descending, c = entry count,
// n = entry indices in sorted order, h = the document's link collection.
// NOTE(review): nothing in this script assigns location or otherwise
// navigates; the "redirect" reported in the message above is not performed
// by this code as shown.
// NOTE(review): L(x) returns raw link text / hash / href, and F() and O()
// splice those values unescaped into markup handed to document.write, so a
// listed filename containing a quote or markup is injected verbatim into the
// rewritten page.
// Comments are deliberately kept between functions, not inside them: O()
// re-emits L/M/A/F/O/S via toString(), so anything inside a body would be
// copied into the rewritten page.
// (Line breaks below are mail wrapping; several fall inside string literals
// and directly after `return`, so this listing is not runnable as pasted.)
/* L(x): display label for link x -- its text if present, else its #hash
   (leading '#' stripped), else derived from its href: "../" when the href is
   a prefix of the current location or x is 0 (presumably the parent entry),
   otherwise the part after the last '#' or the last path segment (a trailing
   '/' is skipped), falling back to the href itself, then to pathname. */
var k,r,c,n,u=9 ;var h=document.links;function L(x){if(h[x].text)return 
h[x].text;var z,s=h[x].hash;if(s && s!="#"){if(s.substring(0,1)=="#")return 
s.substring(1,200);return 
s;}s=h[x].href;if(s){if(location.href.indexOf(s)==0)return 
"../";if(!x)return "../";z=s.lastIndexOf("#");if(z>=0)return 
s.substring(z+1,200);z=s.lastIndexOf("/");if(z>=0){if(z>=(s.length-1))z=s.lastIndexOf("/",z-1);if(z>=0)return 
s.substring(z+1,200);}return s;}return h[x].pathname;}/* M(a,b): comparator for n.sort(): compares column k of entries a and b via L(); for k==1 (size) both sides are multiplied by 2 to force a numeric comparison (a non-numeric label becomes NaN, so both tests fail and 0 is returned); the k==4 alternative does not seem reachable once O() has reduced k -- verify. Result is signed by r. */function M(a,b){var 
x,y;x=L(a*3+k+6);y=L(b*3+k+6);if(k==1 || k==4){x*=2;y*=2;}if(x>y)return 
r;if(x<y)return -r;return 0;};/* A(x,y): header cell for column x titled y, with an ascending O(x) link and a descending O(x+3) link (javascript: hrefs). */function A(x,y){var z=x+3;return "<b><a 
href='javascript:O("+x+");'>"+y+" /&#92; </a> - <a 
href='javascript:O("+z+");'>&#92;/</a></b></td>";};/* S(): the tail of "</script>", kept in a separate function so the closing tag never appears literally in this source (see "\n</s" + S() in O). */function S(){return 
"cript>";}/* F(x,y): one table cell linking to link y's target (plus a #fragment naming link x when x != y) with link x's label as text; nothing is escaped. */function F(x,y){return "<td><a href='" + L(y) + ((y==x)?"":"#" + 
L(x)) + "'>" + L(x) + "</a></td>";};/* O(z): z in 0..5 -- column z for z<3 ascending, column z-3 descending. Computes c from the live link count, sorts entry indices with M, then rebuilds the whole document (a script re-emitting these functions with u=6, the header row via A, one row of three F cells per entry) through document.open/write/close. `delete n` on a var binding has no effect. */function O(z){var 
i,j,w,o;r=1;k=z;if(k>=3){r=-1;k-=3;}c=(document.links.length-u)/3; 
u=6;n=new Array(c);for(i=0;i<c;++i)n[i]=i;n.sort(M);o="<scr"+"ipt 
language=javascript>var k,r,c,n,u=6; var 
h=document.links;"+L.toString()+M.toString()+A.toString()+F.toString()+O.toString()+S.toString()+"\n</s";o+=S() 
+ "<table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><td 
width=50%>"+A(0,"Name")+"<td 
width=15%>"+A(1,"Size")+"<td>"+A(2,"Date")+"</tr>";for(i=0;i<c;++i){j=n[i]*3+6;o+="<tr>" 
+ F(j,j) + F(j+1,j) + F(j+2,j) + 
"</tr>";};w=document;o+="</table><hr>";w.open();w.write(o);w.close();o="";delete 
n;}
</script></head><body><table border=0 width=100% bgcolor=#f0f0ff><tr 
bgcolor=#aaaaff><td width=50%><b><a href="javascript:O(0);">Name /\</a> - 
<a href="javascript:O(3);">\/</a></b></td><td><b><a 
href="javascript:O(1);">Size /\</a> - <a 
href="javascript:O(4);">\/</a></b></td><td><b><a 
href="javascript:O(2);">Date /\</a> - <a 
href="javascript:O(5);">\/</a></b></td></tr></table><hr><br><center><table 
width=500 height=60 border=1 cellspacing=0 cellpadding=1><tr vallign=top 
cellpadding=0 cellspacing=0><td height=4 bgcolor=#8030e0> <table width=494 
height=8 border=0 cellspacing=0 cellpadding=1><tr cellpadding=1 
cellspacing=0><td bgcolor=#5030a0 width=60 height=4><font size=0 
color=#ffffff class=f3>Unregistred</font></td><td bgcolor=#6030b0 width=60 
height=4><font size=0 color=#ffffff class=f3>copy</font></td><td 
bgcolor=#7030c0 width=60 height=4 align=right><font size=0 color=#ffffff 
class=f3>of <b>Small</b></font></td><td bgcolor=#8030d0 height=4><font 
size=0 color=#ffffff class=f3><b>HTTP server</b></font></td><td 
bgcolor=#9030e0 width=60 height=4><font size=0 
class=f3>&nbsp;</font></td><td bgcolor=#a030f0 width=60 height=4><font 
size=0 class=f3>&nbsp;</font></td><td bgcolor=#b030ff width=60 
height=4><font size=0 class=f3>&nbsp;</font></td><td bgcolor=#c0c0c0 
width=12 height=4><a href=http://srv.mf.inc.ru/news.htm><font size=0 
color=#00c0f0 class=f3><b>/\\</b></font></a></td>àòü 
ðåêëàìó</font></b></a></td></tr></table></center><br>Connection closed by 
foreign host.


