lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 Dec 2008 16:41:23 +1030
From: Malformation Guy <malformation@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: "Index Of" redirection malware attack?


Hello fellow FD,

I recently came across an interesting website redirecting and delivering malware and I'd like to ask a few questions

An "Index of" that checks your referrer to see if you've found the site through a Google search. The index.php script is made to look just like a real 'Index of', except...it is a PHP script. If you are, it redirects you to http://us-euro.biz/in.cgi?4&parameter=htac and that site serves you pop-ups and other spyware. Use refspoof and TamperData and check http://vtes.vega.id.au/%3Fp=67/wp-login.php/wp-includes/?p=67/wp-login.php/wp-includes

They're looking for any Google referrer like this: http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=something&btnG=Search&meta=

Not only that, but http://site.com/? would use index.php and http://site.com would give index.html
Am I correct?

They're really crafty I reckon, and it's the first time I've seen where they've used a fake index of AND checked your referrer.
Can someone confirm my thoughts and theories here?

-Malformation

_________________________________________________________________
Time for change? Find your ideal job with SEEK.
http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fninemsn%2Eseek%2Ecom%2Eau%2F%3Ftracking%3Dsk%3Atl%3Ask%3Anine%3A0%3Ahottag%3Achange&_t=757263783&_r=SEEK_tagline&_m=EXT
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ