[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e92364c304091117592fb6e6b5@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: drive by shooting - got hit by mysearch toolbar
The site quoted, did not contain any malicious code when I just checked it.
The common.js file quoted contains only the framebreak code:
---------BEGIN---------
// common.js
// Copyright 2001-2003 by Christopher Heng. All rights reserved.
// $Id: common.js 2.3 2003/04/29 11:49:36 chris Exp $
function framebreaker()
{ // see http://www.thesitewizard.com/archive/framebreak.shtml
// for an explanation of this script and how to use it on your own site
if (top.location != location) {
top.location.href = document.location.href ;
}
}
---------END---------
Unless there is some kind of image based exploit on the site I don't
see mysearchbar having come from there.
I checked the CSS for :before and :after properties too.
On Sun, 12 Sep 2004 01:58:18 +0200, fulldisclosure@...eraxe.demon.nl
<fulldisclosure@...eraxe.demon.nl> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All patches installed on w2k server ie6
> except :
>
> journal viewer
> .net framework
> directx9.0b
> media player 9
>
> googled for 'how to configure htaccess on apache', firts hit was this
> page :
>
> www.thesitewizard.com/apache/index.shtml
>
> i went there and found nothing ... like a page with links to stuff i
> didnt really want ..
> so i open a new window in IE .. bang ... 'MySearch toolbar' sitting
> there in my IE window.
> i know i shouldnt be browsing on a server, but i just wanted to look
> something up so i could configure the server
> now im sure i didnt click on OK anywhere, nothing even popped up when
> i went there.
> i checked back at the site and now something DID popup .. i was using
> a remote terminal server connection,
> so maybe i hit spacebar on accident before seeing the window ? i dont
> think so , the connection here is quite fast,
> i probably would have seen that ... anyway the second visit i did get
> a popup asking for an install of something.
> i checked the source and i did see a reference to
> ../include/common.jsp somewhere at the top,
> but its late here so im gonna leave it at that and maybe check on it
> tomorrow.
>
> just thought i'd give some ppl who might be interested a heads up
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
>
> iQA/AwUBQUORGpNqa4mRthN9EQI3EQCgi0vP/7xW4vJMKyA+2vL0AM1JHCkAn0HB
> J7gy3LFF6FvE+1FYv8FQ3A92
> =ImDN
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists