-----------------
I just created a poll
hxxp://ms9.by . ru/hot.html
-----------------
(I put spaces in the above url because ms9-dot-by-dot-ru is a
black-listed domain at uribl.com, and the news server I use filters
posts that contain blacklisted domains in the message body)
I got a blank page when I tried it.
However, I got a complete directory listing when I removed the html
file:
-----------------
hxxp://ms9.by . ru/
-----------------
And I was able to manually download "hot.html". Kaspersky IDs it as
JS.Shadraem.a, and only 5 other AV packages ID it as malware (but they
give a generic ID).
Here's the complete directory listing. All these files and directories
appear to be fully browseable:
[Folder] again/ 01-Mar-2009 09:31 -
[Folder] country/ 19-May-2009 17:20 -
[Folder] cqi/ 05-Feb-2009 07:59 -
[Folder] glqcm/ 20-Nov-2009 13:45 -
[Folder] mf/ 18-Apr-2007 13:26 -
[Folder] pfv/ 20-Nov-2009 13:45 -
[Folder] thinking/ 07-May-2009 06:34 -
[Folder] took/ 30-Mar-2009 00:54 -
[Folder] trying/ 28-May-2009 20:54 -
[Folder] xbtqx/ 20-Nov-2009 13:46 -
[HTML Document] hot.html 19-Nov-2009 12:08 7.6K
[GIF Image] ode.gif 27-Aug-2009 18:35 30K
[GIF Image] proshedshee.g 19-Aug-2009 14:50 31K
[JPEG Image] all.jpg 26-Sep-2009 20:10 27K
[JPEG Image] edvaou.jpg 19-Aug-2009 01:07 86K
[JPEG Image] KINO-o.jpg 17-Aug-2009 15:44 23K
[JPEG Image] rasp.jpg 28-Sep-2009 13:53 21K
[JPEG Image] setup.jpg 20-Sep-2009 16:05 27K
[JPEG Image] stradal.jpg 20-Aug-2009 00:07 23K
[JPEG Image] vabit.jpg 18-Aug-2009 00:19 23K
[JPEG Image] zatmenii.jpg 18-Aug-2009 16:18 27K
[ ] class.phpmailer.php 06-Nov-2009 12:56 56K
[ ] class.smtp.php 06-Nov-2009 12:56 32K
[ ] htaccess.php 06-Nov-2009 12:56 79K
[ ] in.php 06-Nov-2009 12:56 9.8K
[ ] PE5BF5B95BE125.php 20-Nov-2009 13:45 6.8K
[ ] searchsg.php 06-Nov-2009 12:56 15K
[ ] test.php 20-Nov-2009 13:45 7.1K
My Avira AV must have given me about eight warnings before I was able to
view the "Crypted" HTML - which contains the URL
hxxp://amazingmedicalmy.com.cn
in plain text.
Looks familiar.
> > I got a blank page when I tried it.
>
> Opera crashes and offers an error report screen with JavaScript
> enabled, but without it enabled I get a blank page, whereas in OB1
> I get the full display of viagra advertisements
------------------
The Full Header Sent by Your Browser is:
HTTP_CONNECTION:keep-alive
HTTP_KEEP_ALIVE:300
HTTP_ACCEPT:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
HTTP_ACCEPT_CHARSET:ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING:gzip,deflate
HTTP_ACCEPT_LANGUAGE:en-us,en;q=0.5
HTTP_HOST:whatsmyuseragent.com
HTTP_REFERER:http://www.google.com/(etc)
HTTP_USER_AGENT:
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.20) Gecko/20081217
Firefox/2.0.0.20
-------------------
I guess most rogue web servers are not interested in my user agent...
I wonder if it's the "Firefox 2.0.0.20" or the "Win98" part.
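The thread's observation (blank page in one browser, full page in another, and a hunch that the server keys on the User-Agent) is the classic sign of User-Agent cloaking. The following is an added example, not code from anyone in this thread: it stands up a small local HTTP server that deliberately mimics that behaviour (a constructed stand-in, not the real host), then fetches the same path with several User-Agent strings and compares SHA-256 hashes of the bodies. The user-agent list, the `/hot.html` path and the cloaking rule in the handler are all assumptions for the demo; an analyst would point `probe()` at a sandboxed copy of a suspect page instead.

```python
"""Detect User-Agent-dependent content ("cloaking") by comparing body hashes.

Added example for this thread, not the poster's code. The HTTPServer below
is a constructed stand-in for the rogue host: it returns an empty body
unless the User-Agent looks like Firefox on Windows. The probe side is the
reusable part: fetch once per User-Agent and compare digests rather than
eyeballing rendered pages.
"""
import hashlib
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# User-Agent strings to try. The first is the one from the header dump in
# the thread; the others are assumed values a sandbox might send.
USER_AGENTS = {
    "firefox2_win98": "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.20) "
                      "Gecko/20081217 Firefox/2.0.0.20",
    "curl": "curl/7.19.7",
    "python": "Python-urllib/3.x",
    "bot": "Mozilla/5.0 (compatible; Googlebot/2.1)",
}

# Constructed stand-in for the content the cloaking server shows browsers.
FULL_PAGE = b"<html><body>constructed advert page</body></html>"


class CloakingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: serves FULL_PAGE only to Windows + Firefox agents."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = FULL_PAGE if ("Windows" in ua and "Firefox" in ua) else b""
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the stand-in server on an ephemeral loopback port in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_hash(url, user_agent):
    """Fetch url with the given User-Agent; return (body length, sha256 hex)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=5) as resp:
        body = resp.read()
    return len(body), hashlib.sha256(body).hexdigest()


def probe(url, agents=USER_AGENTS):
    """Return {label: (length, sha256)} for one fetch per User-Agent."""
    return {label: fetch_hash(url, ua) for label, ua in agents.items()}


def is_cloaking(results):
    """True when the server returned more than one distinct body across agents."""
    return len({digest for _, digest in results.values()}) > 1


def run_demo():
    """Start the stand-in server, probe it, shut it down, return the results."""
    srv = start_server()
    url = "http://127.0.0.1:%d/hot.html" % srv.server_address[1]
    try:
        return probe(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    results = run_demo()
    for label, (length, digest) in results.items():
        print("%-15s %6d bytes  %s" % (label, length, digest[:16]))
    print("cloaking:", is_cloaking(results))
```

The point of hashing rather than diffing is that a cloaking host may also randomise the page per request; if every User-Agent yields a different digest the test is inconclusive, whereas the pattern here (one agent gets content, the rest share the digest of an empty body) is the signature the thread describes.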