Jim McCoy on Mon, 22 May 2000 15:18:27 -0400 (EDT)



[PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?


What is known about this morning's attack..

----- Original Message -----
From: Mark Bixby <mbixby@power.net>
To: Jim McCoy <JIM@JIMMCCOY.COM>
Cc: <HP3000-L@RAVEN.UTC.EDU>
Sent: Monday, May 22, 2000 3:11 PM
Subject: Re: OT: Suspected hacker attack - Can anyone advise?


> You can safely view the message as I received it at:
>
> http://www.bixby.org/mark/howareyou.txt
>
> The first thing to notice is the javascript code beginning with "<script>".
> This creates a new window of 1 pixel in size that executes the specified
> CGI. There should be no reason to do a 1 pixel window unless you have
> something to hide.  Because I unfortunately had Javascript enabled for my
> Netscape Communicator 4.73 e-mail, this did open a new window for me, but
> it was bigger than one pixel.  I didn't see any content in that window, so
> I immediately closed it.  I have just disabled Javascript for e-mail.
>
> When I view that javascript CGI URL directly from a browser, it does a
> redirect to some music-oriented web page.  If I view source on it, I don't
> see anything blatantly evil.
>
> If I manually view the other URLs in the bottom of the message, they all
> do similar redirects to pages in Chinese.  Again, by doing View Source on
> them, I don't see anything blatantly evil.
>
> Now it's quite possible that these redirecting CGIs can detect if you're
> running Outlook and then do something evil.  So I'm not willing to forward
> this message over to my Outlook mailbox.  ;-)
>
> If I try to view any of these URLs with MSIE5, it goes into an auto-update
> mode trying to download additional browser components.  At this point, I do
> Ctrl-Alt-Del and then "End task" to prevent any further action.  It's
> possible this is to deal with Chinese character sets, but I'm not willing
> to find out.
>
> - Mark B.


______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug