Full Disclosure mailing list archives

RE: Is there a 0day vuln in this phisher's site?

From: <lists-security () nettracers com>
Date: Sat, 29 Jan 2005 22:49:39 -0800

Paul Kurczaba said :
"When I went to the page, McAfee VirusScan notified me of an script it
blocked on the page. The blocked script, a virus, was called
"JS/Stealus.gen". After some research, I found the script "exploit(s) an
Internet Explorer vulnerability resulting in Internet Explorer displaying
one location in the Address bar, but actually loading the content from a
different site." -http://vil.nai.com/vil/content/v_126246.htm "


I can see the attempted exploit from the site in my IE browser...but is
shows up in the wrong place on the screen so does not cover the URL bar.

Also my Fortinet firewall does NOT detect that JS/Stealus.gen ....but it did
give me this once when going to this site:

 tcp_decoder: tcp_bad_checksum, len: 0x14, checksum: 0x631d, should be
0xee26,[Reference: http://www.fortinet.com/ids/ID108658693]

...and allows this attempt to get through.


- Bryan K. Watson
- bwatson () nettracers com
 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Is there a 0day vuln in this phisher's site? lists-security (Jan 29)
- RE: Is there a 0day vuln in this phisher's site? Paul Kurczaba (Jan 29)
  - RE: Is there a 0day vuln in this phisher's site? lists-security (Jan 29)
    - Re: Is there a 0day vuln in this phisher's site? morning_wood (Jan 30)
  - Re: Is there a 0day vuln in this phisher's site? Andrew Clover (Jan 30)
    - RE: Is there a 0day vuln in this phisher's site? Larry Seltzer (Jan 30)
    - Re: Is there a 0day vuln in this phisher's site? Thierry Zoller (Jan 30)
    - Re: Is there a 0day vuln in this phisher's site? Andrew Clover (Jan 30)