Re: [Full-disclosure] what is this?

To: crazy frog crazy frog <i.m.crazy.frog@xxxxxxxxx>
Subject: Re: [Full-disclosure] what is this?
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Tue, 15 Jan 2008 11:22:03 -0600 (CST)
Cc: nick@xxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <41011d980801150026n58044b29gef2aeb3bfeb90bea@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <41011d980801130801x67eb0243r6ed73ac8a16d0d2a@xxxxxxxxxxxxxx> <20080115160930.897C.SP23@xxxxxxxxxxxxxxxx> <41011d980801142212l7fdb2b33n632dfacdeedba631@xxxxxxxxxxxxxx> <478D0D51.11716.A08283B1@xxxxxxxxxxxxxxxxxxxxxxxx> <41011d980801150026n58044b29gef2aeb3bfeb90bea@xxxxxxxxxxxxxx>

On Tue, 15 Jan 2008, crazy frog crazy frog wrote:

nick,
ur not getting my point,the url is techicorner.com/{random string
here},i have already mentioned it in previous posts.
i have read the link sent by denis,and i would have to conclude that:
1)The problem does not occurs always,instead it occurs randomly based
on IP or something like tht.


In recent kits, it is more likely it is user-agent based.

2)if u look at the pages on techicorner.com u will not find any
malicious code,so its possible that the server is compromised and its
an LKM
please refer to these links:
http://www.webhostingtalk.com/showthread.php?t=651748 [thanks denis]

Thanks again everyone for your valuable suggestion,i posted here to
share this stuff with everyone and may be u can learn from it.

regards,
_CF

On Jan 15, 2008 12:15 PM, Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx> wrote:

crazy frog crazy frog wrote:

well,
i received many response but no one is perfact.i checked the files and
didn't find anything embeded in my scripts or pages.still i have to
figure out why my antivirus randomly popsup?i mean most of the times
it doesnt detect any infection but then suddenly this thing happnes
and then everything seems ok.
i dont think its a problem with my script otherwise i could have find
the code or it should be repeating consistly.has any one still facing
this issue in the techicorner.com or on tubeley.com or on
secgeeks.com?

let me know i m trying hard to digg this issue.


If you would tell us the _actual_ URL where this behaviour is being
seen we would have a reasonable chance of actually diagnosing it.  As
it is, we're having to guess based on matching your half-arsed
descriptions of what you think is happening with our knowledge of what
has been seen going on out there.

This may surprise you, but many thousands and thousands of sites are
compromised each day to display "similar" activity to what you've asked
to us to diagnose (aka "guess").

If we could look at the actual site and see what is really happening
should have a better (if not perfect) chance of success.


Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com

Follow-Ups:
- Re: [Full-disclosure] what is this?
  - From: crazy frog crazy frog

References:
- what is this?
  - From: crazy frog crazy frog
- Re: what is this?
  - From: Denis
- Re: what is this?
  - From: crazy frog crazy frog
- Re: [Full-disclosure] what is this?
  - From: Nick FitzGerald
- Re: [Full-disclosure] what is this?
  - From: crazy frog crazy frog

Prev by Date: RE: what is this?
Next by Date: Re: [Full-disclosure] what is this?
Previous by thread: Re: [Full-disclosure] what is this?
Next by thread: Re: [Full-disclosure] what is this?
Index(es):
- Date
- Thread