Re: what is this?

To: "crazy frog crazy frog" <i.m.crazy.frog@xxxxxxxxx>
Subject: Re: what is this?
From: "Robert McArdle" <robertmcardle@xxxxxxxxx>
Date: Mon, 14 Jan 2008 15:44:08 +0000
Cc: Untitled <full-disclosure@xxxxxxxxxxxxxxxxx>, PenTest <pen-test@xxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=UrGsLeaQHPpbsgI5kErQkiuE2mOSnocygIzIl2NJy2E=; b=s4BN3pwx6NwyYFm6+gzKiPi9JUB/2dhXSifTvBiGJimLxXUHqVkKXzbNhYi+JqVx0irP05adcgnKhAefvXKao2hBYzKU5v8xdeZw38JCFg/YV87b+xH0f+B64HDEZ24yfdaQBAreP1unfxQMdONgifaM3wn3mlPZ89YtyTYSOuE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ceBNopH7aPHY+uuqNLqCPE43wjYi9bRB7ccGNWJ1Ztewhq+831DL3Sq0COkGKQMXvq5lN6/7OYZtcKATCIaBos+M2sGfuyZXKL3j46/upuMBn10+/9wKrPxSS3hC4cBmyCptIB3wWf8ZtCuaX8cTX+jwWjO7eZS0PF43bcg3GW0=
In-reply-to: <51a898650801140741s1ec61adcnf38424fadc85a632@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <41011d980801130801x67eb0243r6ed73ac8a16d0d2a@xxxxxxxxxxxxxx> <51a898650801140741s1ec61adcnf38424fadc85a632@xxxxxxxxxxxxxx>

Looks like your site was compromised along with several hundred others
in the last day or so.

A full account is up on
http://blog.trendmicro.com/e-commerce-sites-invaded/ but the JS you
posted is the exact same as the one used in those attacks. I'm
guessing you have Javascripts embedded in your pages that pointed to a
randomly named js in the same directory, right?

Robert McArdle
-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

On Jan 13, 2008 4:01 PM, crazy frog crazy frog <
i.m.crazy.frog@xxxxxxxxx> wrote:
> Hi,
>
> Recently on opening one of my site,my antivirus pops up saying that it
> has found on malicious script.the url is random and i have managed to
> get tht script.it is using some flaw in apple quick time.
> u can get the zip file for java script here:
> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>

References:
- what is this?
  - From: crazy frog crazy frog

Prev by Date: Re: what is this?
Next by Date: [SECURITY] [DSA 1459-1] New gforge packages fix SQL injection
Previous by thread: Re[2]: [Full-disclosure] what is this?
Next by thread: Re: what is this?
Index(es):
- Date
- Thread