Re: [Full-Disclosure] drive by shooting - got hit by mysearch toolbar



The site quoted did not contain any malicious code when I just checked it.
The common.js file quoted contains only the framebreak code:
---------BEGIN---------
// common.js
// Copyright 2001-2003 by Christopher Heng. All rights reserved.
// $Id: common.js 2.3 2003/04/29 11:49:36 chris Exp $

function framebreaker()
{       // see http://www.thesitewizard.com/archive/framebreak.shtml
        // for an explanation of this script and how to use it on your own site
        if (top.location != location) {
                top.location.href = document.location.href ;
        }
}
---------END---------

Unless there is some kind of image based exploit on the site I don't
see mysearchbar having come from there.

I checked the CSS for :before and :after properties too.

On Sun, 12 Sep 2004 01:58:18 +0200, fulldisclosure@xxxxxxxxxxxxxxxxx
<fulldisclosure@xxxxxxxxxxxxxxxxx> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> All patches installed on w2k server ie6
> except :
> 
> journal viewer
> .net framework
> directx9.0b
> media player 9
> 
> googled for 'how to configure htaccess on apache', first hit was this
> page :
> 
> www.thesitewizard.com/apache/index.shtml
> 
> i went there and found nothing ... like a page with links to stuff i
> didnt really want ..
> so i open a new window in IE .. bang ... 'MySearch toolbar' sitting
> there in my IE window.
> i know i shouldnt be browsing on a server, but i just wanted to look
> something up so i could configure the server
> now im sure i didnt click on OK anywhere, nothing even popped up when
> i went there.
> i checked back at the site and now something DID popup .. i was using
> a remote terminal server connection,
> so maybe i hit spacebar on accident before seeing the window ? i dont
> think so , the connection here is quite fast,
> i probably would have seen that ... anyway the second visit i did get
> a popup asking for an install of something.
> i checked the source and i did see a reference to
> ../include/common.jsp somewhere at the top,
> but its late here so im gonna leave it at that and maybe check on it
> tomorrow.
> 
> just thought i'd give some ppl who might be interested a heads up
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> 
> iQA/AwUBQUORGpNqa4mRthN9EQI3EQCgi0vP/7xW4vJMKyA+2vL0AM1JHCkAn0HB
> J7gy3LFF6FvE+1FYv8FQ3A92
> =ImDN
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
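
The checks described in the reply above (reading the included script and looking through the CSS for :before and :after rules), written as a static pass over a saved copy of a page. This is an added example, not part of the original messages; `triagePage`, its report fields and the sample HTML/CSS are constructed for illustration.

```javascript
// Added example: static triage of a saved page. All sample input below is constructed.
// Pull one attribute value out of a tag's raw text (quoted or unquoted).
function attr(tag, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function triagePage(html, css) {
  const report = { scripts: [], inlineScripts: 0, activeTags: [], pseudoRules: [] };
  // Every <script>: external ones listed by src, inline ones counted for manual reading.
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = attr(m[0], 'src');
    if (src) report.scripts.push(src); else report.inlineScripts++;
  }
  // Tags that load plug-ins, controls or nested documents.
  for (const m of html.matchAll(/<(object|embed|applet|iframe)\b[^>]*>/gi)) {
    report.activeTags.push({
      tag: m[1].toLowerCase(),
      source: attr(m[0], 'src') || attr(m[0], 'data') || attr(m[0], 'codebase') || attr(m[0], 'classid'),
    });
  }
  // CSS rules whose selector uses :before/:after, from the stylesheet and inline <style> blocks.
  const inline = [...html.matchAll(/<style\b[^>]*>([\s\S]*?)<\/style>/gi)].map(m => m[1]);
  const styles = [css, ...inline].join('\n').replace(/\/\*[\s\S]*?\*\//g, '');
  for (const m of styles.matchAll(/([^{}]+)\{([^}]*)\}/g)) {
    if (!/::?(before|after)\b/i.test(m[1])) continue;
    const content = /(?:^|;)\s*content\s*:\s*([^;]+)/i.exec(m[2]);
    report.pseudoRules.push({
      selector: m[1].trim(),
      content: content ? content[1].trim() : null,
      loadsUrl: /url\(/i.test(m[2]), // generated content that fetches a remote resource
    });
  }
  return report;
}

// Constructed sample input (not taken from the site discussed in the thread).
const SAMPLE_HTML = `<html><head>
<script src="../include/example.js"></script>
<script>framebreaker();</script>
<style>p.note:after { content: " (note)"; }</style>
</head><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="http://cdn.example.test/ctl.cab"></object>
<iframe src="http://ads.example.test/frame.html" width=0 height=0></iframe>
</body></html>`;
const SAMPLE_CSS = `/* constructed */ a.ext:before { content: url(http://img.example.test/i.gif); } h1 { color: navy; }`;

console.log(JSON.stringify(triagePage(SAMPLE_HTML, SAMPLE_CSS), null, 2));
```

The pass is regex-based and only sees what is in the saved files, so anything a script writes into the page at run time still has to be read by hand.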