Re: [PLUG] Fw: OT: Suspected hacker attack

Mike Wilson on Mon, 22 May 2000 15:54:44 -0400 (EDT)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?

From: "Mike Wilson" <mwilson@wiltech.com>

To: <plug@lists.nothinbut.net>

Subject: Re: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?

Date: Mon, 22 May 2000 15:47:58 -0400

Reply-to: plug@lists.nothinbut.net

Sender: plug-admin@lists.nothinbut.net

It was chinese char sets. I got this once before a few weeks ago. took the same action. no consequences yet. ----- Original Message ----- From: "Jim McCoy" <JIM@JIMMCCOY.COM> To: "plug" <plug@lists.nothinbut.net> Sent: Monday, May 22, 2000 3:18 PM Subject: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise? > What is known about this mornings attack.. > > ----- Original Message ----- > From: Mark Bixby <mbixby@power.net> > To: Jim McCoy <JIM@JIMMCCOY.COM> > Cc: <HP3000-L@RAVEN.UTC.EDU> > Sent: Monday, May 22, 2000 3:11 PM > Subject: Re: OT: Suspected hacker attack - Can anyone advise? > > > > You can safely view the message as I received it at: > > > > http://www.bixby.org/mark/howareyou.txt > > > > The first thing to notice is the javascript code beginning with > "<script>". > > This creates a new window of 1 pixel in size that executes the specified > CGI. > > There should be no reason to do a 1 pixel window unless you have something > to > > hide. Because I unfortunately had Javascript enabled for my Netscape > > Communicator 4.73 e-mail, this did open a new window for me, but it was > bigger > > than one pixel. I didn't see any content in that window, so I immediately > > closed it. I have just disabled Javascript for e-mail. > > > > When I view that javascript CGI URL directly from a browser, it does a > redirect > > to some music-oriented web page. If I view source on it, I don't see > anything > > blatantly evil. > > > > If I manually view the other URLs in the bottom of the message, they all > do > > similar redirects to pages in Chinese. Again, by doing View Source on > them, I > > don't see anything blatantly evil. > > > > Now it's quite possible that these redirecting CGIs can detect if you're > > running Outlook and then do something evil. So I'm not willing to forward > this > > message over to my Outlook mailbox. ;-) > > > > If I try to view any of these URLs with MSIE5, it goes into an auto-update > mode > > trying to download additional browser components. At this point, I do > > Ctrl-Alt-Del and then "End task" to prevent any further action. It's > possible > > this is to deal with Chinese character sets, but I'm not willing to find > out. > > > > - Mark B. > > > ______________________________________________________________________ > Philadelphia Linux Users Group - http://plug.nothinbut.net > Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce > General Discussion - http://lists.nothinbut.net/mail/listinfo/plug > > ______________________________________________________________________ Philadelphia Linux Users Group - http://plug.nothinbut.net Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce General Discussion - http://lists.nothinbut.net/mail/listinfo/plug

Follow-Ups:

RE: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?
From: "Michael Leone" <turgon@pil.net>

References:

[PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?
From: "Jim McCoy" <JIM@JIMMCCOY.COM>

Prev by Date: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?

Next by Date: Re: [PLUG] lilo

Previous by thread: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?

Next by thread: RE: [PLUG] Fw: OT: Suspected hacker attack - Can anyone advise?

Index(es):

Date

Thread