http://metatalk.metafilter.com/tags/exploit Posts tagged with 'exploit' at MetaTalk. Tue, 02 Dec 2008 11:38:12 -0800 Tue, 02 Dec 2008 11:38:12 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://metatalk.metafilter.com/17082/Getting%2Dit%2Dfrom%2Dthe%2Dhorses%2Dmouth <a href="http://www.metafilter.com/77017/Oh-shit-I-just-broke-the-Internet#2360115">This</a> is why I still read MetaFilter. tag:metatalk.metafilter.com,2008:site.17082 Tue, 02 Dec 2008 11:38:12 -0800 attack dns exploit hack internet kaminsky wiredmagazine timeistight http://metatalk.metafilter.com/16580/the%2Dbad%2Dbad%2Dinternets so, about this post --> http://www.metafilter.com/73909/History-of-the-DC-Universe ... please read all of more inside first before looking at the post. it looks like pixie already figured it out, but, for the benefit of all the other Mefi Jr. Detectives out there, let's break this thing down piece by piece. <li> The second link in the post is http://dcu.smartmemes.com/ and it's infected by something. But, what? Let's look at the source. On the last line of the page is a script: <blockquote><small><small>eval(unescape("%77%69%6e% .... %3e%27%29"));</small></small></blockquote><li>if you expand out the unescape portion, you get the following:<blockquote>[clever shit making people's browsers go gaga elided]</blockquote><li>How did we get from that gobbleygook of % signs and hexadecimal to actual that? Easiest way to figure it is out is to cut out the eval() part (which actually causes the code to run) and change it to a alert(), which causes it to open a prompt in your browser <a href="http://farm4.static.flickr.com/3131/2740540925_2d4260e0a3_o.png">like so</a>. You can even run it from your browser via a javascript: handler like shown in the pic <li><b>Now, what you should never ever do is change the eval() to a document.write()</b> Why? Because in the case of this code for example, the iframe html tag will actually get written to the page and you won't even know it! Which is what probably happened to <a href="http://www.metafilter.com/73909/History-of-the-DC-Universe#2211205">Leon</a>, I'm guessing. (Yeah, this whole metatalk post is really just a callout about that.) <li>Anyway, now that we can actually see what the code is, and as pixie points out, it loads an iframe opening a webpage: hxxp://58.xxx.xxx.33/gpack/index.php (please don't actually visit that site). That site has more iframes which load something called the <a href="http://www.secgeeks.com/gpack.html">gpack exploit</a>. <li>Anyway, the gpack exploit itself is beyond the scope of this post, but, the important thing to remember is to keep ALL of your software up to date with security patches, because you'll never know when a site could be infected with something. (Or, if you're super paranoid like me, but, also an idiot who runs IE, add all of china to your IE restricted sites list. I had http://58-61.* in there, among other things. saved my ass it did!) Oh. Since I'm here anyway, can we get a "this site infected with badware/malware" pony, er, flag?</li></li></li></li></li></li> tag:metatalk.metafilter.com,2008:site.16580 Thu, 07 Aug 2008 04:51:55 -0800 badlinkdeletion exploit gpack javascript mefi security yeoz