[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.62.0801151121400.25038@linuxbox.org>
Date: Tue, 15 Jan 2008 11:22:03 -0600 (CST)
From: Gadi Evron <ge@...uxbox.org>
To: crazy frog crazy frog <i.m.crazy.frog@...il.com>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: what is this?
On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> nick,
> ur not getting my point,the url is techicorner.com/{random string
> here},i have already mentioned it in previous posts.
> i have read the link sent by denis,and i would have to conclude that:
> 1)The problem does not occurs always,instead it occurs randomly based
> on IP or something like tht.
In recent kits, it is more likely it is user-agent based.
> 2)if u look at the pages on techicorner.com u will not find any
> malicious code,so its possible that the server is compromised and its
> an LKM
> please refer to these links:
> http://www.webhostingtalk.com/showthread.php?t=651748 [thanks denis]
>
> Thanks again everyone for your valuable suggestion,i posted here to
> share this stuff with everyone and may be u can learn from it.
>
> regards,
> _CF
>
> On Jan 15, 2008 12:15 PM, Nick FitzGerald <nick@...us-l.demon.co.uk> wrote:
>> crazy frog crazy frog wrote:
>>
>>> well,
>>> i received many response but no one is perfact.i checked the files and
>>> didn't find anything embeded in my scripts or pages.still i have to
>>> figure out why my antivirus randomly popsup?i mean most of the times
>>> it doesnt detect any infection but then suddenly this thing happnes
>>> and then everything seems ok.
>>> i dont think its a problem with my script otherwise i could have find
>>> the code or it should be repeating consistly.has any one still facing
>>> this issue in the techicorner.com or on tubeley.com or on
>>> secgeeks.com?
>>>
>>> let me know i m trying hard to digg this issue.
>>
>> If you would tell us the _actual_ URL where this behaviour is being
>> seen we would have a reasonable chance of actually diagnosing it. As
>> it is, we're having to guess based on matching your half-arsed
>> descriptions of what you think is happening with our knowledge of what
>> has been seen going on out there.
>>
>> This may surprise you, but many thousands and thousands of sites are
>> compromised each day to display "similar" activity to what you've asked
>> to us to diagnose (aka "guess").
>>
>> If we could look at the actual site and see what is really happening
>> should have a better (if not perfect) chance of success.
>>
>>
>> Regards,
>>
>> Nick FitzGerald
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists