Open Source and information security mailing list archives
 
Message-ID: <b7bc1b1f040912212745e361be@mail.gmail.com>
From: uberguidoz at gmail.com (Über GuidoZ)
Subject: drive by shooting - got hit by mysearch toolbar

I peeked at the site too. The "common.js" is nothing to worry about.
It just pops the page out of a frame if it opens in one (like from a
Hotmail link, for example). You can see it being called with the Body
OnLoad tag (<body onload="framebreaker()">). Here's the full code in
it:
--------------
// common.js
// Copyright 2001-2003 by Christopher Heng. All rights reserved.
// $Id: common.js 2.3 2003/04/29 11:49:36 chris Exp $

function framebreaker()
{	// see http://www.thesitewizard.com/archive/framebreak.shtml
	// for an explanation of this script and how to use it on your own site
	if (top.location != location) {
		top.location.href = document.location.href ;
	}
}
--------------

For the record, nothing ever popped up for me. Plus, I looked at the
source as well - there aren't any calls to ActiveX, popups, etc. In
fact, besides the CSS, the only thing that IS called is the javascript
above. I would say this page is innocent.

Check the server for something else. It's obvious you have
spyware/adware on it if you are seeing the MySearch bar. Definitely
get rid of that, then run a Spybot or AdAware scan to be sure it's
completely clean.

-- 
Peace. ~G


On Sun, 12 Sep 2004 10:35:57 +0300, Andrei Galca-Vasiliu
<andrei.galca@...net.ro> wrote:
> How long was that machine connected until you patched it?
> Try installing some anti virus program first thing, then connect, update virus
> definitions, and then update windows.
> You'll have a big surprise :) I got 7 alerts while updating, 3 spybots and 4
> viruses.
> 
> In a mail dated Sunday 12 September 2004 02:58,
> fulldisclosure@...eraxe.demon.nl wrote:
> > All patches installed on w2k server ie6
> > except :
> >
> > journal viewer
> > .net framework
> > directx9.0b
> > media player 9
> >
> > googled for 'how to configure htaccess on apache', first hit was this
> > page :
> >
> > www.thesitewizard.com/apache/index.shtml
> >
> > i went there and found nothing ... like a page with links to stuff i
> > didnt really want ..
> > so i open a new window in IE .. bang ... 'MySearch toolbar' sitting
> > there in my IE window.
> > i know i shouldnt be browsing on a server, but i just wanted to look
> > something up so i could configure the server
> > now im sure i didnt click on OK anywhere, nothing even popped up when
> > i went there.
> > i checked back at the site and now something DID popup .. i was using
> > a remote terminal server connection,
> > so maybe i hit spacebar on accident before seeing the window ? i dont
> > think so , the connection here is quite fast,
> > i probably would have seen that ... anyway the second visit i did get
> > a popup asking for an install of something.
> > i checked the source and i did see a reference to
> > ../include/common.jsp somewhere at the top,
> > but its late here so im gonna leave it at that and maybe check on it
> > tomorrow.
> >
> > just thought i'd give some ppl who might be interested a heads up
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> - --
> Andrei Galca-Vasiliu
> Technical Support
> Brasov Branch
> Romania Data Systems
> T: +402 68 474133  F: +402 68 474133
> www.rdsnet.ro
> - --
> Privileged/Confidential Information may be contained in this message.
> If you are not the addressee indicated in this message (or responsible
> for delivery of the message to such person), you may not copy or
> deliver this message to anyone. In such a case, you should destroy
> this message and kindly notify the sender by reply e-mail.
> - --

