lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 14 Jan 2008 15:59:25 +0000
From: "Robert McArdle" <robertmcardle@...il.com>
To: "crazy frog crazy frog" <i.m.crazy.frog@...il.com>
Cc: Untitled <full-disclosure@...ts.grok.org.uk>,
	PenTest <pen-test@...urityfocus.com>, bugtraq@...urityfocus.com
Subject: Re: what is this?

Apologies I should clarify.

In this attack legitimate pages on a site are first populated with
html tags embedding Javascript like so

<script language='JavaScript' type='text/javascript' src='{random
name}.js'></script>

these all point to the page you sent on. All the Mp3, quicktime, etc
stuff are expoits that are launched against the browser of the victim
who browses to the site.

The full descriptions of the various exploits are linked off
http://blog.trendmicro.com/e-commerce-sites-invaded/

Robert McArdle
-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

On Jan 13, 2008 5:33 PM, crazy frog crazy frog <i.m.crazy.frog@...il.com> wrote:
> more,its not a java script,looks like a html page[notice the <html>
> and <body> tag n the file] there is also a random function,which
> generate the random string which is used to store teh files on c drive
> and may be for the random url.its trying to play mp3 and other
> files.all looks like messed up.may be there is another script which is
> getting embeded in pages which infect calling this script?
>
>
> On Jan 13, 2008 9:31 PM, crazy frog crazy frog <i.m.crazy.frog@...il.com> wrote:
> > Hi,
> >
> > Recently on opening one of my site,my antivirus pops up saying that it
> > has found on malicious script.the url is random and i have managed to
> > get tht script.it is using some flaw in apple quick time.
> > u can get the zip file for java script here:
> > http://secgeeks.com/what.zip
> > password is 12345
> > can somebody guide/help me what is this and how can i remove it?
> >
> > --
> > advertise on secgeeks?
> > http://secgeeks.com/Advertising_on_Secgeeks.com
> > http://newskicks.com
> >
>
>
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>



-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ