[Dshield] Site suspect

Johannes Ullrich jullrich at euclidian.com
Fri Oct 24 13:35:08 GMT 2003


As said earlier, the page is just a cyber squatter page. Someone who got
lucky and reserved the domain before Hyatt got it (I guess Hyatt could
get it if they have a trademark for 'Hyatt Regency').

The javascript is a harmless popup ad. I guess it's a bit broken as
it is likely supposed to advertise a virus scanner / firewall if you
click 'yes'.

I modified the javascript so it is not triggering any virus scanners
and will not execute on any client. (Replaced 'O' with '0' and 'I' with
'1')

<B0DY 0nl0ad="c0nfirmG0t0()">
<SCR1PT>
var exit=true;
function confirmG0t0() {
  if (ex1t) {
    if (c0nf1rm("W32 RPC V1rus Warn1ng !!!\n\n Your PC may be 1nfected     \n\n     CLICK on 0K\n    to Scan and Clean !")) {
      w1ndow.0pen('http://ad1.zendmedia.com/ad-rpc.php?id=adru606');
      l0cation="http://www1.vipfares.com/c/205/50"
    } else {
      l0cation="http://www1.vipfares.com/c/205/50"
    }
  }
}
</SCR1PT>

The remainder is just junk to feed search engines.





On Fri, 2003-10-24 at 01:21, Kenneth Coney wrote:
> Tried it.  Nothing happened.  No pop up.  Probably clicking ok would have 
> started to download a virus.  Can't really tell without seeing it.
> Walrus
> 
> 
> Subject: [Dshield] Site suspect
> From: "john beck" <jbeck80 at hotmail.com>
> Date: Thu, 23 Oct 2003 13:55:57 -0500
> To: list at dshield.org
> 
> I have been alerted to a website: someone was going to book a room at 
> Hyatt Regency and went to www.hyattregency.com, and there it will give 
> a popup that says you have the RPC virus and wants you to click OK to 
> scan your machine. I am now blocking the site and have not begun to check 
> out what it is doing or planting, but wanted to let everyone know. If anyone 
> checks this or has info on it, please post or send to me off list.
> 
> Thank You
> John
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
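The 'O' to '0' / 'I' to '1' substitution above is a one-way defanging: it also hits legitimate digits, so a global reverse mapping would corrupt the URLs (ad1, www1, /205/50, adru606). The following is an added example, not code from the post or from DShield, that refangs only the code tokens of such a sample (string literals are copied verbatim), checks with new Function() that the defanged copy cannot even be parsed while the refanged one can, and then pulls the confirm() text, window.open() target and location= redirects out of the source statically, without executing anything. The DEFANGED constant is a constructed copy of the script body quoted in the message, with the wrapped confirm() string joined onto one line; the function names and the letters-only heuristic are my assumptions.

```javascript
// Added example (not from the original post): analyse a homoglyph-defanged
// script sample without executing it.

// Constructed copy of the defanged script body from the post (HTML tags
// dropped, the wrapped confirm() string joined onto one line).
const DEFANGED = `var exit=true;
function confirmG0t0() {
  if (ex1t) {
    if (c0nf1rm("W32 RPC V1rus Warn1ng !!!\\n\\n Your PC may be 1nfected \\n\\n CLICK on 0K\\n to Scan and Clean !")) {
      w1ndow.0pen('http://ad1.zendmedia.com/ad-rpc.php?id=adru606');
      l0cation="http://www1.vipfares.com/c/205/50"
    } else {
      l0cation="http://www1.vipfares.com/c/205/50"
    }
  }
}`;

// Can the source be compiled? new Function() parses the body without
// running it, so this is safe to call on a hostile sample.
function parses(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    return false;
  }
}

// Reverse the 0->o / 1->i substitution only in code: string literals are
// copied through unchanged (they carry the URLs, whose digits are real), and
// a word is only rewritten if it contains at least one letter, so plain
// numeric literals such as 205 survive. Assumption: identifiers like sha1
// would be mangled by this heuristic; it is good enough for a sample like
// the one in the post.
function refangCode(src) {
  const WORD = /[A-Za-z0-9_$]/;
  let out = '';
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      // copy the whole string literal verbatim, honouring backslash escapes
      let j = i + 1;
      while (j < src.length && src[j] !== ch) {
        if (src[j] === '\\') j++;
        j++;
      }
      out += src.slice(i, j + 1);
      i = j + 1;
    } else if (WORD.test(ch)) {
      let j = i;
      while (j < src.length && WORD.test(src[j])) j++;
      const word = src.slice(i, j);
      out += /[A-Za-z]/.test(word) ? word.replace(/0/g, 'o').replace(/1/g, 'i') : word;
      i = j;
    } else {
      out += ch;
      i++;
    }
  }
  return out;
}

// Static summary of what the script would do if it ran: the prompt text,
// the window.open() targets and the (deduplicated) location= redirects.
function summarize(src) {
  const code = refangCode(src);
  const STR = /(['"])((?:[^'"\\]|\\.)*?)\1/;
  const prompt = code.match(new RegExp('confirm\\(\\s*' + STR.source));
  const opened = [...code.matchAll(new RegExp('window\\.open\\(\\s*' + STR.source, 'g'))].map(m => m[2]);
  const redirects = [...code.matchAll(new RegExp('location\\s*=\\s*' + STR.source, 'g'))].map(m => m[2]);
  return {
    prompt: prompt ? prompt[2] : null,
    opened,
    redirects: [...new Set(redirects)],
  };
}

// Stand-alone run: print the verdict and the extracted behaviour.
console.log('defanged parses:', parses(DEFANGED));
console.log('refanged parses:', parses(refangCode(DEFANGED)));
console.log(summarize(DEFANGED));
```

The defanged copy fails to compile because `.0pen` reads as a numeric literal followed by an identifier, which is exactly why the sample is inert on any client; the refanged copy compiles, and the summary shows the two URLs the message describes, so the behaviour can be confirmed from the source alone.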