Open Source and information security mailing list archives
 
Date: Tue, 16 Dec 2008 17:23:52 +1030
From: Malformation Guy <malformation@...mail.com>
To: Malformation Guy <malformation@...mail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: "Index Of" redirection malware attack?


Oops, sorry for the horrible English.

I just re-read it.

-Malformation

From: malformation@...mail.com
To: full-disclosure@...ts.grok.org.uk
Date: Tue, 16 Dec 2008 16:41:23 +1030
Subject: [Full-disclosure] "Index Of" redirection malware attack?








Hello fellow FD,

I recently came across an interesting website redirecting and delivering malware and I'd like to ask a few questions.

An "Index of" that checks your referrer to see if you've found the site through a Google search. The index.php script is made to look just like a real 'Index of', except...it is a PHP script. If you are, it redirects you to http://us-euro.biz/in.cgi?4&parameter=htac and that site serves you pop-ups and other spyware. Use refspoof and TamperData and check http://vtes.vega.id.au/%3Fp=67/wp-login.php/wp-includes/?p=67/wp-login.php/wp-includes

They're looking for any Google referrer like this: http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=something&btnG=Search&meta=

Not only that, but http://site.com/? would use index.php and http://site.com would give index.html
Am I correct?

They're really crafty I reckon, and it's the first time I've seen where they've used a fake index of AND checked your referrer.
Can someone confirm my thoughts and theories here?

-Malformation


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
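
A defender-side way to confirm the referrer check described in this thread, as an added example that is not part of the original posts: it requests a URL once with no Referer and once with a Google search Referer, does not follow redirects, and reports what differs. The function names, the `.example` hosts and the constructed stand-in site are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Same shape as the Google search referrer quoted in the post (shortened).
SEARCH_REFERER = "http://www.google.com/search?hl=en&q=something&btnG=Search"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def http_fetch(url, referer=None):
    """Return (status, Location header, body) without following redirects."""
    headers = {"Referer": referer} if referer else {}
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location"), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read()

def check_referrer_cloaking(url, fetch=http_fetch):
    """Compare a direct request with one carrying a search-engine Referer."""
    d_status, d_loc, d_body = fetch(url)
    s_status, s_loc, s_body = fetch(url, SEARCH_REFERER)
    findings = []
    if d_status != s_status:
        findings.append(f"status {d_status} direct vs {s_status} with search referrer")
    if s_loc and s_loc != d_loc:
        target = urlsplit(s_loc).hostname
        if target and target != urlsplit(url).hostname:
            findings.append(f"off-site redirect to {target} only with search referrer")
    # Body diffs can also come from dynamic content, so treat this one as a hint.
    if d_status == s_status == 200 and d_body != s_body:
        findings.append("response body differs with search referrer")
    return findings

def constructed_site(url, referer=None):
    """Constructed stand-in for the behaviour described in the post."""
    if referer and "google." in referer:
        return 302, "http://redirect.example/in.cgi", b""
    return 200, None, b"<title>Index of /</title>"

if __name__ == "__main__":
    for finding in check_referrer_cloaking("http://site.example/", fetch=constructed_site):
        print(finding)
```

This only sees HTTP-level redirects; a meta-refresh or script-based redirect would show up, at most, as the body-difference hint.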
