[Dshield] need help decoding.
shaun at shaunc.com
Wed Sep 19 02:24:40 GMT 2007
On Tue, 18 Sep 2007 17:18:07 -0700 (PDT)
Dan Jackson <kybowhunter515 at yahoo.com> wrote:
> Recently several of my sites got hijacked and below is the code that
> was inserted, what I'm trying to do is to decode it to figure out what
> its intent was and to see if it opened up any other holes in the
> server that I need to know about.
That code inserts an IFRAME into the current document. The target of the
IFRAME (munged to prevent accidental clickage) is
ht tp:/ / marcobernardoni . com/x/index.php
Loading that URI with a user-agent which mimics Windows Firefox, I get
The end result attempts to exploit a Windows Media Player vulnerability
(MS06-006). I didn't invoke the malicious .wmv file to see what the
final payload is, as I don't have a proper sandbox right now.
your server. That's not to say that the attacker hasn't installed other
malicious code in whatever manner he managed to deploy this little devil.