| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040215224005.645CE97B52@cpo.tn.tudelft.nl> From: emvs.fd.3FB4D11C at cpo.tn.tudelft.nl (Erik van Straten) Subject: http://federalpolice.com:article872@...5686747 Hi Nicola, It's not a zip file, not an applet, but a plain EXE file. Seems compressed somehow, no time to figure it out now. Dunno why Mozilla runs this (I don't like it). If something showed up in your status bar, you should definitely assume your box was compromised. Take care out there, Erik On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote: > hi jedi > > On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote: > > This is equivalent to http://64.29.173.91/ > > ok, and the html of the index page is as following: > > <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff> > <h2>SERVER ERROR 550</h2> > <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></applet></body></html> > > now, the "SERVER ERROR 550" is clearly a fake - the java applet below > just starts fine. strangely, the 'javautil.zip' is not a valid zip-file, > yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :) > happily start the applet without any hickups or exceptions and mozilla > states 'Applet BlackBox started' in the status bar. > > is there anybody knowledgable interested in un-zipping, de-compiling and > analysing this surely malicious applet? I would like to know what > mozilla just executed on my behalf there... :( > > FYI, the file 'javautil.zip' attached is directly taken from the site > mentioned above. > > regards > nicola >
Powered by blists - more mailing lists