Full Disclosure mailing list archives

Re: drive by shooting - got hit by mysearch toolbar


From: Über GuidoZ <uberguidoz () gmail com>
Date: Mon, 13 Sep 2004 00:27:27 -0400

I peeked at the site too. The "common.js" is nothing to worry about.
It just pops the page out of a frame if it opens in one (like from a
Hotmail link, for example). You can see it being called with the Body
OnLoad tag (<body onload="framebreaker()">). Here's the full code in
it:
--------------
// common.js
// Copyright 2001-2003 by Christopher Heng. All rights reserved.
// $Id: common.js 2.3 2003/04/29 11:49:36 chris Exp $

function framebreaker()
{       // see http://www.thesitewizard.com/archive/framebreak.shtml
        // for an explanation of this script and how to use it on your own site
        if (top.location != location) {
                top.location.href = document.location.href ;
        }
}
--------------

For the record, nothing ever popped up for me. Plus, I looked at the
source as well - there aren't any calls to ActiveX, popups, etc. In
fact, besides the CSS, the only thing that IS called is the JavaScript
above. I would say this page is innocent.

Check the server for something else. It's obvious you have
spyware/adware on it if you are seeing the MySearch bar. Definitely
get rid of that, then run a Spybot or AdAware scan to be sure it's
completely clean.

-- 
Peace. ~G
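
An added example, not part of the original post: a small JavaScript triage helper that lists what a page's HTML source loads or runs, the same check the reply above describes doing by eye. The function name, the patterns and both sample pages are constructed for illustration.

```javascript
// Triage heuristic, not an HTML parser: regexes list what the markup asks the
// browser to load or run, so a reviewer knows which pieces to read next.
const CHECKS = {
  // External scripts, such as the common.js discussed in the thread.
  externalScripts: { re: /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi,
                     pick: m => m[1] },
  // Plugin/ActiveX containers and embedded frames.
  embeddedObjects: { re: /<(?:object|embed|applet|iframe)\b[^>]*>/gi,
                     pick: m => m[0] },
  // Inline event handlers, e.g. <body onload="framebreaker()">.
  // Limitation: reports only the first handler found in each tag.
  inlineHandlers: { re: /<[a-z][^>]*?\s(on[a-z]+)\s*=\s*(["'])(.*?)\2/gi,
                    pick: m => `${m[1].toLowerCase()}=${m[3]}` },
  // Script that opens new windows or instantiates ActiveX controls.
  popupOrActiveXCalls: { re: /\b(window\.open|new\s+ActiveXObject|showModalDialog)\s*\(/gi,
                         pick: m => m[1] },
};

function inventoryActiveContent(html) {
  const report = {};
  for (const [name, { re, pick }] of Object.entries(CHECKS)) {
    report[name] = Array.from(html.matchAll(re), pick);
  }
  return report;
}

// Constructed sample modelled on what the reply describes:
// a stylesheet, one external script and one onload handler.
const SAMPLE_BENIGN = `<html><head>
<link rel="stylesheet" href="../include/style.css">
<script src="../include/common.js"></script>
</head><body onload="framebreaker()"><p>Links</p></body></html>`;

// Constructed sample of the markup the reviewer looked for and did not find.
const SAMPLE_ACTIVE = `<body onLoad="window.open('ad.html')">
<object classid="clsid:PLACEHOLDER"></object>
<script>var w = window.open("offer.html");</script></body>`;

console.log(inventoryActiveContent(SAMPLE_BENIGN));
console.log(inventoryActiveContent(SAMPLE_ACTIVE));
```

An empty `embeddedObjects` and `popupOrActiveXCalls` list only says the static markup is quiet; every script named under `externalScripts` still has to be read, as was done with common.js above.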


On Sun, 12 Sep 2004 10:35:57 +0300, Andrei Galca-Vasiliu
<andrei.galca () rdsnet ro> wrote:

How long was that machine connected until you patched it?
Try installing some anti virus program first thing, then connect, update virus
definitions, and then update windows.
You'll have a big surprise :) I got 7 alerts while updating, 3 spybots and 4
viruses.

In a mail dated Sunday 12 September 2004 02:58,
fulldisclosure () wateraxe demon nl wrote:
All patches installed on w2k server ie6
except :

journal viewer
.net framework
directx9.0b
media player 9

googled for 'how to configure htaccess on apache', first hit was this
page :

www.thesitewizard.com/apache/index.shtml

I went there and found nothing ... like a page with links to stuff I
didn't really want ..
so I open a new window in IE .. bang ... 'MySearch toolbar' sitting
there in my IE window.
I know I shouldn't be browsing on a server, but I just wanted to look
something up so I could configure the server
now I'm sure I didn't click on OK anywhere, nothing even popped up when
I went there.
I checked back at the site and now something DID popup .. I was using
a remote terminal server connection,
so maybe I hit spacebar on accident before seeing the window ? I don't
think so , the connection here is quite fast,
I probably would have seen that ... anyway the second visit I did get
a popup asking for an install of something.
I checked the source and I did see a reference to
../include/common.jsp somewhere at the top,
but it's late here so I'm gonna leave it at that and maybe check on it
tomorrow.

just thought I'd give some ppl who might be interested a heads up



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

- --
Andrei Galca-Vasiliu
Technical Support
Brasov Branch
Romania Data Systems
T: +402 68 474133  F: +402 68 474133
www.rdsnet.ro
- --
Privileged/Confidential Information may be contained in this message.
If you are not the addressee indicated in this message (or responsible
for delivery of the message to such person), you may not copy or
deliver this message to anyone. In such a case, you should destroy
this message and kindly notify the sender by reply e-mail.
- --


