Full Disclosure mailing list archives
Re: any idea what is going on here?
From: ascii <ascii () katamail com>
Date: Fri, 05 Jan 2007 07:47:13 +0100
Andrew Farmer wrote:
All files are available on request, if anyone's interested in doing some further analysis of their own. That was fun :)
hi andrew, the main page try to load three different expoits: - a variant of Java/ClassLoader (the applet) - Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) - MoBB #18: WebViewFolderIcon setSlice all these are http 1.1 download exec shellcodes pointed to some exe files on nownames.org and the0count.com http://www.now[REMOVEME]names.org/welded/get_exe.php http://www.the[REMOVEME]0count.com/serv.exe http://www.now[REMOVEME]names.org/images/funny.php so nothing new, just a botnet gang read the attachment for extended notes regards, Francesco 'ascii' Ongaro http://www.ush.it
Attachment:
findings.txt.bz2
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- any idea what is going on here? Ian Shaw (Jan 04)
- Re: any idea what is going on here? Andrew Farmer (Jan 04)
- Re: any idea what is going on here? ascii (Jan 04)
- Re: any idea what is going on here? Andrew Farmer (Jan 04)