HP3000-L Archives

May 2000, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jim McCoy <[log in to unmask]>
Reply To: Jim McCoy <[log in to unmask]>
Date: Mon, 22 May 2000 15:38:34 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (73 lines)

Thanks Mark,

I hope I didn't unnecessarily waste your time today.  I was curious about the
message and did some poking around to see what it did to my system.  When I
looked in to what types of files were accessed and saw they were all related to
mail and internet access I thought it best to alert people quickly.  Especially
when I saw that it went through my HP-3000L folder.

I'm not as rattled as I was when the first alert went out.

I don't want to get emails from hundreds of people asking if their IP Address
was involved.  But if anyone knows how to look up the owner of an IP Address
(like a whois on a URL) I will do that and contact those individuals just in
case.

I am reasonably sure that there was no actual transfer of data though.

Jim Mc Coy

----- Original Message -----
From: Mark Bixby <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, May 22, 2000 3:11 PM
Subject: Re: OT: Suspected hacker attack - Can anyone advise?


> You can safely view the message as I received it at:
>
> http://www.bixby.org/mark/howareyou.txt
>
> The first thing to notice is the javascript code beginning with "<script>".
> This creates a new window of 1 pixel in size that executes the specified CGI.
> There should be no reason to do a 1 pixel window unless you have something to
> hide.  Because I unfortunately had Javascript enabled for my Netscape
> Communicator 4.73 e-mail, this did open a new window for me, but it was bigger
> than one pixel.  I didn't see any content in that window, so I immediately
> closed it.  I have just disabled Javascript for e-mail.
>
> When I view that javascript CGI URL directly from a browser, it does a redirect
> to some music-oriented web page.  If I view source on it, I don't see anything
> blatantly evil.
>
> If I manually view the other URLs in the bottom of the message, they all do
> similar redirects to pages in Chinese.  Again, by doing View Source on them, I
> don't see anything blatantly evil.
>
> Now it's quite possible that these redirecting CGIs can detect if you're
> running Outlook and then do something evil.  So I'm not willing to forward this
> message over to my Outlook mailbox.  ;-)
>
> If I try to view any of these URLs with MSIE5, it goes into an auto-update mode
> trying to download additional browser components.  At this point, I do
> Ctrl-Alt-Del and then "End task" to prevent any further action.  It's possible
> this is to deal with Chinese character sets, but I'm not willing to find out.
>
> - Mark B.
>
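The tell Mark points at above, a script in an HTML mail that opens a 1-pixel window on a CGI, can be turned into a gateway-side check. The following is an added example, not code from the thread: it parses a raw mail, counts script blocks in its text/html parts, lists every URL, and flags window.open calls sized at two pixels or less. The sample message and its host names are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (not the real "how are you" message): an HTML mail whose
# script opens a 1x1 window on a CGI, as described above; host names are made up.
SAMPLE_MAIL = """\
From: someone@example.invalid
Subject: how are you
Content-Type: text/html

<html><body><p>How are you?</p>
<script>
window.open("http://cgi.example.invalid/cgi-bin/hello.cgi", "w",
            "width=1,height=1");
</script>
<a href="http://music.example.invalid/">music</a>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
OPEN_RE = re.compile(r"window\.open\s*\((.*?)\)", re.I | re.S)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
DIM_RE = re.compile(r"\b(width|height)\s*=\s*(\d+)", re.I)


def html_parts(msg):
    """Yield the decoded text of every text/html part of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_payload(decode=True).decode("utf-8", "replace")


def audit_mail(raw):
    """Count script blocks, collect URLs, and flag window.open calls whose
    requested width and height are both two pixels or less."""
    msg = message_from_string(raw)
    findings = {"script_blocks": 0, "tiny_windows": [], "urls": set()}
    for html in html_parts(msg):
        findings["urls"].update(URL_RE.findall(html))
        for block in SCRIPT_RE.findall(html):
            findings["script_blocks"] += 1
            for args in OPEN_RE.findall(block):
                dims = {k.lower(): int(v) for k, v in DIM_RE.findall(args)}
                urls = URL_RE.findall(args)
                if dims and max(dims.values()) <= 2:
                    findings["tiny_windows"].append(
                        (urls[0] if urls else "?", dims))
    findings["urls"] = sorted(findings["urls"])
    return findings
```

A plain-text mail yields zero script blocks and no URLs, so the check is cheap to run on every message before a client with scripting enabled ever renders it.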
