Date: Mon, 22 May 2000 15:38:34 -0400
Thanks Mark,
I hope I didn't unnecessarily waste your time today.
I was curious about the message and did some poking around to see what it did
to my system. When I looked into what types of files were accessed and saw they
were all related to mail and internet access I thought it best to alert
people quickly.
Especially when I saw that it went through my HP-3000L folder.
I'm not as rattled as I was when the first alert went out.
I don't want to get emails from hundreds of people asking if their IP
Address was involved. But if anyone knows how to look up the owner of an IP
Address (like a whois on a URL) I will do that and contact those individuals
just in case.
I am reasonably sure that there was no actual transfer of data though.
Jim Mc Coy
----- Original Message -----
From: Mark Bixby <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, May 22, 2000 3:11 PM
Subject: Re: OT: Suspected hacker attack - Can anyone advise?
> You can safely view the message as I received it at:
>
> http://www.bixby.org/mark/howareyou.txt
>
> The first thing to notice is the javascript code beginning with "<script>".
> This creates a new window of 1 pixel in size that executes the specified CGI.
> There should be no reason to do a 1 pixel window unless you have something to
> hide. Because I unfortunately had Javascript enabled for my Netscape
> Communicator 4.73 e-mail, this did open a new window for me, but it was bigger
> than one pixel. I didn't see any content in that window, so I immediately
> closed it. I have just disabled Javascript for e-mail.
>
> When I view that javascript CGI URL directly from a browser, it does a redirect
> to some music-oriented web page. If I view source on it, I don't see anything
> blatantly evil.
>
> If I manually view the other URLs in the bottom of the message, they all do
> similar redirects to pages in Chinese. Again, by doing View Source on them, I
> don't see anything blatantly evil.
>
> Now it's quite possible that these redirecting CGIs can detect if you're
> running Outlook and then do something evil. So I'm not willing to forward this
> message over to my Outlook mailbox. ;-)
>
> If I try to view any of these URLs with MSIE5, it goes into an auto-update mode
> trying to download additional browser components. At this point, I do
> Ctrl-Alt-Del and then "End task" to prevent any further action. It's possible
> this is to deal with Chinese character sets, but I'm not willing to find out.
>
> - Mark B.
>