lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <41412E2B.8080309@austarnet.com.au>
From: spamtrap2 at austarnet.com.au (James Woodcock)
Subject: Any idea about that?

I sent a mesage to abuse@...ages as soon as I found out. Kudos to 
www.PCPages.com for removing it so quickly!


 > document write
 > ("<A 
HREF='http://banner2.inet-traffic.com/oasisc.php?s=3&w=300&h=60&cb=" + 
spreeaddatestr + "'>")
 > document write ("<IMG 
SRC='http://banner2.inet-traffic.com/oasisi.php?s=3&w=300&h=60&cb=" + 
spreeaddatestr + "?' WIDTH=468 HEIGHT=60 BORDER=0 ALT='Click Here'></A>")

Actually, on further investigation, I think it's just advertising stuff 
added by pcpages. The webpage that www.pcpages.com/imbonga displays is 
very basic and extremely sparse. no links to it on google or alltheweb, 
so maybe imbonga doesn't know that his page has been compromised.

[later]
I didn't know if imbonga knew if his page had been compromised or not, 
but there was an interesting thing happening when you attempt to go to a 
non-existant page in his directory.

http://www.pcpages.com/imbonga/nonesuch.html

got

 > Warning: stat failed for /usr/local/www/pcpages/imbonga/noschpg.html
 > (errno=13 - Permission denied) in /drive2/pcpages/redo-html.php on
 > line 19

 > Warning: Cannot add header information - headers already sent by
 > (output started at /drive2/pcpages/redo-html.php:19) in
 > /drive2/pcpages/redo-html.php on line 21

Well, it doesn't anymore, as the whole page is gone now. As are the 
other pages they were hosting that google said had the same reference to 
/drive2/pcpages/redo-html.php.

It definitely wasn't the regular 404 for pcpages, so does it look like 
something was up with that?

According to google again, there are another 58 websites that are having 
something done to them by redo-html.php, all giving errors that 
reference an absolute path on the server.

http://www.google.com/search?hl=en&ie=UTF-8&q=%22redo-html.php%22&btnG=Search&meta=

Errr?

http://www.phphub.com/gtk_manual/index.php?p=scn.gtkscintilla.method.redo.html

James

--
And I'll tell you something else - I didn't spend two million years
climbing up the food chain just to become a vegetarian!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DangerLiveTrojan.zip
Type: application/x-zip-compressed
Size: 127587 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040910/8722ff7d/DangerLiveTrojan.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ