Guest pantagruel
Posted January 9, 2009

Hi,

I've been getting attacked today. Basically what is happening is as follows:

1. I have a running instance of the Apache webservice on my Windows box where I'm developing a website under localhost.
2. The HTML page that I'm working on is constructed by a number of XSLT and XML files running in the client, in fact most of the page is constructed on the client. Much of the page is constructed via transformation of RSS and Atom.
3. There are a number of complicated JavaScripts. Not all of the scripts are owned locally, but the non-local ones are owned by Google. The non-local ones are jQuery as hosted by Google, http://www.google.com/jsapi , and the Google feeds API.
4. I have an input box that I can write commands to open new URLs - 2 Google URLs, a Yahoo URL, and a Wikipedia one. This is done by typing in the word Search.
5. I open a number of URLs dynamically from a function in the script - this works fine.
6. If I go to open the same input box and try to type in Search, by the time I get to finish the word the attack is underway with a number of popups popping. Basically the attack tries to scan localhost by opening multiple windows to find something - Firefox shuts it down after 20 or so windows with a message that it was attempted to open 90+. It tries to open very simple URLs that are a variation of the location from which the search is launched.
7. The attack from what I can see is only prompted if I type in Viagra or Search in the search box.

If I close down the browser and go back to the application the problem is gone, until of course I do the command to open new URLs, in which case I can start the whole thing over again.

So the first question is: What attack does this sound like?

Second, what is it trying to do?

And third, what is the likely source of the attack in the scenario I have outlined?

Thanks,

Guest 1PW
Posted January 9, 2009

On 01/08/2009 10:32 PM, pantagruel sent:

> Hi,
>
> I've been getting attacked today. Basically what is happening is as
> follows:
>
> 1. I have a running instance of the Apache webservice on my Windows
> Box where I'm developing a website under localhost.
> 2. The HTML page that I'm working on is constructed by a number of
> XSLT and XML files running in the client, in fact most of the page is
> constructed on the client. Much of the page is constructed via
> transformation of RSS and Atom.
> 3. There are a number of complicated Javascripts. Not all of the
> scripts are owned locally, but the non local ones are owned by google.
> the nonlocal ones are jQuery as hosted by google, http://www.google.com/jsapi
> , and the google feeds api.
> 4. I have an input box that I can write commands to open new urls - 2
> google urls, a yahoo url, and a Wikipedia one. This is done by typing
> in the word Search
> 5. I open a number of URLs dynamically from a function in the script -
> this works fine.
> 6. If I go to open the same inputbox and try to type in Search by the
> time I get to finish the word the attack is underway with a number of
> popups popping. Basically the attack tries to scan localhost by
> opening multiple windows to find something - firefox shuts it down
> after 20 or so windows with a message that it was attempted to open
> 90+. It tries to open very simple urls that are a variation of the
> location from which the search is launched.
> 7. The attack from what I can see is only prompted if I type in Viagra
> or Search in the search box.
>
> If I close down the browser and go back to the application the problem
> is gone, until of course I do the command to open new urls. in which
> case I can start the whole thing over again.
>
> So the first question is: What attack does this sound like?
>
> Second what is it trying to do.
>
> And third what is the likely source of the attack in the scenario I
> have outlined.
>
> Thanks,

Hello pantagruel:

1) Various antimalware vendor applications will call the same malware by different names. One vendor might call it "X", another "Y" and yet another "Z".

2) Overwhelm the target system.

3) The possible source vectors are legion.

I'm mildly surprised you aren't trying to protect yourself from the attack but merely wish to study its "entomology". Or, seek possible eradication steps. How very curious...

Best wishes to you.

Pete

--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Guest Leythos
Posted January 9, 2009

In article <6b82eab1-45fd-43d7-9467-1299e0daf7dd@s14g2000vbp.googlegroups.com>, rasmussen.bryan@gmail.com says...

> Hi,
>
> I've been getting attacked today. Basically what is happening is as
> follows:
>
> 1. I have a running instance of the Apache webservice on my Windows
> Box where I'm developing a website under localhost.

[snip]

> 6. If I go to open the same inputbox and try to type in Search by the
> time I get to finish the word the attack is underway with a number of
> popups popping. Basically the attack tries to scan localhost by
> opening multiple windows to find something - firefox shuts it down
> after 20 or so windows with a message that it was attempted to open
> 90+. It tries to open very simple urls that are a variation of the
> location from which the search is launched.
> 7. The attack from what I can see is only prompted if I type in Viagra
> or Search in the search box.

Two things - either you've exposed your box to the internet and/or you're compromised by malware.

When developing apps for the web on a Windows box, never expose the development box to the public internet.

Always scan/test your box for malware - try downloading MBAM and running a full scan.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
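
The advice above about not exposing a development box can be checked against the Apache configuration itself. The following is an added example, not part of any post in this thread: it reads the `Listen` directives from an httpd configuration and flags any that bind beyond loopback. The function name and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Apache syntax: Listen [IP-address:]portnumber [protocol]
# The \s+ keeps ListenBacklog from matching; commented lines never match.
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
#Listen 12.34.56.78:80
Listen 80
Listen 127.0.0.1:8080
Listen [::1]:8080
Listen 0.0.0.0:8443 https
ListenBacklog 511
"""


def listen_exposure(conf_text):
    """Return (lineno, spec, verdict) for each active Listen directive.

    'loopback' means only clients on the same machine can connect;
    'exposed' means other hosts can reach the port unless a firewall
    blocks them.
    """
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        # Split off the port; IPv6 literals are written in brackets.
        host, sep, _port = spec.rpartition(":")
        host = host.strip("[]")
        verdict = "exposed"  # a bare port binds every interface
        if sep and host:
            try:
                if ipaddress.ip_address(host).is_loopback:
                    verdict = "loopback"
            except ValueError:
                pass  # not an IP literal: leave it flagged
        findings.append((lineno, spec, verdict))
    return findings


if __name__ == "__main__":
    for lineno, spec, verdict in listen_exposure(SAMPLE_CONF):
        print(f"line {lineno}: Listen {spec} -> {verdict}")
```

For a development server that should answer only local requests, every active `Listen` line should come back as `loopback`.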