ok people, here is something i found out... this is new to me as of today (since
2 hours ago).


i'm on a website (it doesn't work on every site; sometimes it does, sometimes
it doesn't).

when i press reload with the mouse in my browser (IE5.5; all current patches)
it reloads the page as it should.

when i press CTRL-R it comes up with the same dialog you get when you try to
reload a POSTed page.

then the strange thing happens (i had to sniff my own traffic to see what happens):

1. my browser asks the dns server for the host ie.search.msn.com
2. my dns passes back 207.68.185.58 / 207.68.176.190 / 207.68.176.250
3. my browser makes a POST with the following data:


-------------------- SNIP 1 ------------
POST /de-ch/srchasst/srchasst.htm HTTP/1.1
Referer: http://ie.search.msn.com/de-ch/srchasst/srchasst.htm
Content-Type: application/x-www-form-urlencoded
Host: ie.search.msn.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: smc_cid=id=be26e06f8186b14ab4674961a2997e46&dob=20031024;
smc_bid=0c7f30e6f9fc4836a0eabe4e0a75b8b6

searchOptions=0&Web_default_SearchText=dd%3Aw&searchType=Web_default&searchProviders=msn
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:42 GMT
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"

and then gets back:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:42 GMT
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 4637

with some iframe results, javascript, mouse-overs, etc... strange..

then my browser makes a second and third GET:

GET /static/srchcommon.enc HTTP/1.1
Accept: */*
Referer: http://ie.search.msn.com/de-ch/srchasst/srchasst.htm
Accept-Language: de-ch
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 25 Sep 2003 10:31:08 GMT
If-None-Match: "1258db215083c31:857"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: ie.search.msn.com
Connection: Keep-Alive
Cookie: smc_cid=id=be26e06f8186b14ab4674961a2997e46&dob=20031024;
smc_bid=0c7f30e6f9fc4836a0eabe4e0a75b8b6

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:43 GMT
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Cache-Control: max-age=604800
Expires: Fri, 31 Oct 2003 14:40:43 GMT
ETag: "1258db215083c31:8af"
Content-Length: 0

GET /static/srchasst.enc HTTP/1.1
Accept: */*
Referer: http://ie.search.msn.com/de-ch/srchasst/srchasst.htm
Accept-Language: de-ch
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 25 Sep 2003 10:31:08 GMT
If-None-Match: "962ff3215083c31:857"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: ie.search.msn.com
Connection: Keep-Alive
Cookie: smc_cid=id=be26e06f8186b14ab4674961a2997e46&dob=20031024;
smc_bid=0c7f30e6f9fc4836a0eabe4e0a75b8b6

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:43 GMT
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Cache-Control: max-age=604800
Expires: Fri, 31 Oct 2003 14:40:43 GMT
ETag: "962ff3215083c31:8af"
Content-Length: 0


-------------------- /SNIP 1 ------------

4. the browser connects to g.msn.ch:


------------------- SNIP 2 --------
GET /0SEDECH/SAWS01?!dd%3aw&FORM=IE5 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
Referer: http://ie.search.msn.com/de-ch/srchasst/srchasst.htm
Accept-Language: de-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: g.msn.ch
Connection: Keep-Alive
Cookie: MSNADS=UM=

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:43 GMT
Location: http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5

<HTML>
<HEAD><TITLE>Document moved</TITLE></HEAD>
<BODY><H1>Object Moved</H1>This document may be found <A
HREF="http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5";>here</A>
</BODY>
</HTML>


------------------- /SNIP 2 --------

5. another GET, to sc.msn.com:

GET /global/scr/lg/hdr35.js HTTP/1.1
Accept: */*
Referer: http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5
Accept-Language: de-ch
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 09 Sep 2003 20:42:11 GMT
If-None-Match: "b28456d81277c31:88b"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: sc.msn.com
Connection: Keep-Alive

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:45 GMT
Cache-Control: max-age=1209600
Expires: Fri, 07 Nov 2003 14:40:45 GMT
ETag: "b28456d81277c31:88b"
Content-Length: 0
6. further GETs follow:


GET /static/helppane26.js HTTP/1.1
Accept: */*
Referer: http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5
Accept-Language: de-ch
Accept-Encoding: gzip, deflate
If-Modified-Since: Fri, 19 Sep 2003 09:01:19 GMT
If-None-Match: "321312978c7ec31:8b2"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: search.msn.ch
Connection: Keep-Alive
Cookie: MSNADS=UM=;
smc_cid=id=f4f67a1bf3b6cd4f906f30998cbaba80&dob=20031024;
smc_g=v=1&pvs=classic&ssp=1&df=1; smc_classic=df=1&af=1&rc=15&nw=0&sc=&rs=1;
smc_bid=38fbb76aa0e342a6920c8c987d720147

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:43 GMT
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Cache-Control: max-age=604800
Expires: Fri, 31 Oct 2003 14:40:43 GMT
ETag: "321312978c7ec31:878"
Content-Length: 0

GET /cfgs/cfg/loc/de-ch/images/msnlogo_pane.gif HTTP/1.1
Accept: */*
Referer: http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5
Accept-Language: de-ch
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 09 Sep 2003 09:01:31 GMT
If-None-Match: "ea4713f6b076c31:8b2"
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: search.msn.ch
Connection: Keep-Alive
Cookie: MSNADS=UM=;
smc_cid=id=f4f67a1bf3b6cd4f906f30998cbaba80&dob=20031024;
smc_g=v=1&pvs=classic&ssp=1&df=1; smc_classic=df=1&af=1&rc=15&nw=0&sc=&rs=1;
smc_bid=38fbb76aa0e342a6920c8c987d720147

HTTP/1.1 304 Not Modified
Server: Microsoft-IIS/5.0
Date: Fri, 24 Oct 2003 14:40:44 GMT
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
ETag: "ea4713f6b076c31:878"
Content-Length: 0
so, a question to all microsoft gurus:
WHAT IS THIS SHIT??????

i checked my system for trojans, for viruses, for hidden running processes,
etc.
i found nothing.

new kind of spyware?


-steven
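A small parser for captures like the one in this mail, added here as an example (it is not part of steven's post): it walks the sniffed messages and reports which cookies each host received, which 3xx responses redirected to a different host, and which requests carried a Referer from another host, so the chain ie.search.msn.com -> g.msn.ch -> search.msn.ch is visible at a glance. The sample capture is a constructed, shortened copy of headers from the mail, which is the kind of check an admin would run over a proxy or sniffer log to see where a browser is sending identifiers.

```python
import re

# Constructed sample capture: three messages from the mail, keeping only the
# headers this analysis reads (Host, Referer, Cookie, Location).
CAPTURE = """\
POST /de-ch/srchasst/srchasst.htm HTTP/1.1
Referer: http://ie.search.msn.com/de-ch/srchasst/srchasst.htm
Host: ie.search.msn.com
Cookie: smc_cid=id=be26e06f8186b14ab4674961a2997e46&dob=20031024; smc_bid=0c7f30e6f9fc4836a0eabe4e0a75b8b6

GET /0SEDECH/SAWS01?!dd%3aw&FORM=IE5 HTTP/1.1
Referer: http://ie.search.msn.com/de-ch/srchasst/srchasst.htm
Host: g.msn.ch
Cookie: MSNADS=UM=

HTTP/1.1 302 Object moved
Location: http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5

GET /static/helppane26.js HTTP/1.1
Referer: http://search.msn.ch/spresults.aspx?q=dd%3aw&FORM=IE5
Host: search.msn.ch
Cookie: MSNADS=UM=; smc_cid=id=f4f67a1bf3b6cd4f906f30998cbaba80&dob=20031024
"""

REQUEST = re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$")
RESPONSE = re.compile(r"^HTTP/1\.[01] (\d{3})")

def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None

def analyze(capture):
    """Return ({host: sorted cookie names sent there}, [(from, to)] for 3xx
    redirects, [(referer_host, host)] for requests crossing a host boundary)."""
    cookies, redirects, hops, last_host = {}, [], [], None
    for block in re.split(r"\n\s*\n", capture.strip()):  # one message per block
        start, *rest = block.splitlines()
        hd = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in rest)}
        resp = RESPONSE.match(start)
        if REQUEST.match(start):
            host = last_host = hd.get("host", "").lower()
            names = [p.split("=", 1)[0].strip() for p in hd.get("cookie", "").split(";") if p.strip()]
            cookies.setdefault(host, set()).update(names)
            ref = host_of(hd.get("referer", ""))
            if ref and ref != host:
                hops.append((ref, host))
        elif resp and 300 <= int(resp.group(1)) < 400 and "location" in hd:
            redirects.append((last_host, host_of(hd["location"])))
    return {h: sorted(c) for h, c in cookies.items()}, redirects, hops
```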

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/