[Dshield] Site suspect

John Hardin johnh at aproposretail.com
Thu Oct 23 22:04:12 GMT 2003

On Thu, 2003-10-23 at 11:55, john beck wrote:
> I have been alerted to a website that someone was going to book a room at 
> Hyatt Regency and they went to www.hyattregency.com and there it, will give 
> a popup that says you have the rpc virus and it wants you to click ok to 
> scan your machine, I am now blocking the site and have not begun to check 
> out what it is doing or planting but wanted to let everyone know, if anyone 
> checks this or has info on it, please post or send to me off list.

Javascript popup. It looks like somebody (zendmedia? vipfares?) cracked
their webserver or hijacked their DNS, as the web page definitely does
not look professional... (assuming the Big Name Hotel Chain does indeed
own this domain :)

< html>< head>
< title>Cheap airline tickets Discount Hotels and Car Rental Travel<
< /head>
< BODY onload="confirmGoto()">
 var exit=true;
 function confirmGoto() {
 if (exit) {
 if (confirm("W32 RPC Virus Warning !!!\n\n Your PC may be Infected     
\n\n        CLICK on OK\n    to Scan and Clean !")) {
} else {
