Neohapsis / Archives / Daily posts / Message Index / Message #0004
RE: [Fwd: Re: AIM Password theft]
From: S G Masood (sgmasoodyahoo.com)
Date: Tue Sep 23 2003 - 17:50:23 CDT
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
--------------------------------------------------------------------------------
Hi Mark,
www.Haxr.org uses the "XML Page Object Type Validation
Vulnerability" [1] to infect IE users automatically.
Here is the code from the site:
]]>
This is almost an exact copy of the PoC exploit posted
for this vuln.
tracker.php points to the exec.vbs script that you
posted. This finally gets executed on the victim
machine and does its stuff.
>If this is new, its going to spread like wildfire.
It will infect many machines but IMO, it wouldn't
exactly spread like "wildfire" 'coz it has a "single
point of failure". Have you considered complaining to
the hosting service of www.haxr.org?
--
Regards,
S.G.Masood
Hyderabad,
India
--
Re: AIM Password theft
From: Brent Meshier (brentmeshier.com)
Date: Tue Sep 23 2003 - 14:13:04 CDT
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
--------------------------------------------------------------------------------
Mark,
The code you just sent looks familiar to a SPAM I received
attempting to hijack users' e-gold accounts. Out of curiosity I
followed that link which loaded start.html (attached). What worries me
is that I'm running IE 6.0.2800.1106 with all the latest patches from
Microsoft and this page (start.html) rewrote wmplayer.exe on my local
drive without notice. After closing the page, I found two .exe files on
my desktop (which loaded from http://doz.linux162.onway.net/eg/1.exe).
Is this a new unknown vulnerability?
Brent Meshier
Global Transport Logistics, Inc.
http://www.gtlogistics.com/
"Innovative Fulfillment Solutions"
-----Original Message-----
From: Mark Coleman [mailto:markc@uniontown.com]
Sent: Tuesday, September 23, 2003 11:43 AM
To: bugtraq@securityfocus.org
Subject: [Fwd: Re: AIM Password theft]
Hi, can anyone shed some light on this for me? If this is new, its
going to spread like wildfire. AOL or incidents lists have yet to
reply.... it appears to be a legitimate threat as I have at least one
user "infected" already.. Thank you..
-Mark Coleman