Troy, To answer your questions: 1) It is rather trivial to add someone to a remote users buddy list (or add a group). I don't remember the exact syntax and I don't remember where I stashed the sample code I had. You might want to try searching on securityfocus or doing a google search. 2)Don't know why you had a problem viewing the source of the page. Other than the fact it was all on one line, nothing unusual about it. In any event, here it is.... <html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser Plugin Required:</h1><br>You may need to restart your browser for changes to take affect.<br>Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run" to install.</body></html> -----Original Message----- From: Troy Ablan [mailto:bugtraqat_private] Sent: Thursday, September 26, 2002 3:52 PM To: incidentsat_private Subject: AIM-based worm? A coworker of mine (Tim) recently found a buddy on his buddy list who he didn't know (JDogg786). When Tim sent a message to him/her, he got a response back "Hmmmm.. http://24.74.206.239:8180/" When he clicked on the link, it took him to a page which redirected to a download of a file ending in .com, which he promptly alerted me to and did not run it. I tried to go to this link, it tried to download the file. I hit cancel, then I tried to view the source of the page. From the View menu, or right clicking on the page, and clicking View Source, nothing happened. I eventually got the source using wget, which is shown below. Question 1: Is there a way a web page can add a buddy to your AIM list without your knowledge? Question 2: How was I prevented from viewing the source of the HTML page in IE? I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well for anyone who wants to look at it, just in case the above link does not work any more. -- BEGIN SOURCE -- <html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser Plugin Required:</h1><br>You may need to restart your browser for changes to take affect.<br>Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run" to install.</body></html> -- END SOURCE -- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 15:44:24 PDT