Javascript Redirect Hidden Frame

If a Javascript Redirect Hidden Frame is being installed where is it residing?
In the browser? Is it being installed for each session upon connecting?
It seems to be looking for search terms.

Code:

<script language="JavaScript">
.
function resizeFix().

{.
if(document.layers).

{.
if(window.innerWidth!=origWidth||window.innerHeight!=origHeight).

{.
window.view_frame.location.reload();.
}
.
}
.
}
.
var showWacp=-1
.
var theSearch=document.location.search;
.
var theTag="?wacp=true";
.
showWacp=theSearch.indexOf(theTag);.

</SCRIPT>.

<FRAMESET ROWS="*,0" border=0 onResize="resizeFix();">.

<FRAME SRC="index.asp" name="view_frame">.

<FRAME SRC="indexHidden.asp" name="hidden_frame" scrolling="no" noresize>.

</FRAMESET>

 

Javascript isn't installed anywhere. Period.
When you "close" it, it's gone. An exploit might install a malicious payload, however that's for another topic.

 

Well, the HTML portion is providing a 302 redirect for search terms, Google I assume.
First, in the packets, comes the Javascript above then the HTML frame 302 redirect diverting to another address, then finally another HTML frame.

It occurs in the log infrequently, so how would it persist in the browser? Is it persisting in the browser?
It always appears after the Add-ons call out for what they need, then infrequently there after.

I saved the pcap as text in Linux, when I migrated to Windows the format was lost in the file. Like trying to pickup melted butter with a knife.

As soon as I can I'll post the other 2 items related to it.

 

If an addon is running the script that would indeed be pretty persistent, it can be stored locally or fetched from remote.
As you probably know Javascript is usually isolated, so one script in one tab can't access data of another tab/domain. (Firefox) Addons however have chrome (don't confuse ) privileges, they have effectively the same rights as the user. Chrome Extensions are a bit different in this regard but if they are malicious they can still do lot of damage.

about Linux>Windows textfiles: Use notepad++ or something similar that understands UNIX EOLs and so forth.

 

That JavaScript code doesn't do anything important by itself, it searches for "?wacp=true" in the url and sets variable "showWacp" accordingly for use by "index.asp" or "indexHidden.asp".

location.search

 

After formatting the text I realized the data was from a different capture, missing the downloads from other than Godaddy for Godaddy certs.
This should provide the gist of what is occuring.
I don't understand what is causing the 302 redirect to stick around for my later searches, unless I'm misconstruing two separate instances.

Code:

Calls out from the computer to DNS rquesting informaction (Noscript).
Router calls computer, protocol NBNS, NBSTAT *<00><00><00>etc.
Computer returns ICMP, destination unreachable.
DNS standard query response returns.
Noscript begins https comunication.
After ssl client hello, router calls computer, protocol NBNS, NBSTAT ...
Computer returns ICMP destination unreachable
The previous Noscript conversation is retransmitted.
Godaddy certs are downloaded from Godaddy.
Next, Noscript TLSv1 conversation.

Now,

HTTP/1.1
    Host: xx.xxx.xxx.xx\r\n
    User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)\r\n
    Pragma: no-cache\r\n
    Cache-Control: no-cache\r\n
    \r\n

HTTP/1.0 302 Redirect\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 302 Redirect\r\n]
            [Message: HTTP/1.0 302 Redirect\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.0
        Response Code: 302
    Server: GoAhead-Webs\r\n
    Date: Mon Jan 31 13:28:19 2011\r\n
    Pragma: no-cache\r\n
    Cache-Control: no-cache\r\n
    Content-Type: text/html\r\n
    Location: http://xx.xxx.xxx.xx/htmlV/welcomeMain.htm\r\n
    \r\n
Line-based text data: text/html
    <html><head></head><body>\r\n
    \t\tThis document has moved to a new <a href="http://xx.xxx.xxx.xx/htmlV/welcomeMain.htm">location</a>.\r\n
    \t\tPlease update your documents to reflect the new location.\r\n
    \t\t</body></html>\r\n
    \r\n

GET /htmlV/welcomeMain.htm HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /htmlV/welcomeMain.htm HTTP/1.1\r\n]
            [Message: GET /htmlV/welcomeMain.htm HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /htmlV/welcomeMain.htm
        Request Version: HTTP/1.1
    Host: xx.xxx.xxx.xx\r\n
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15\r\n
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
    Accept-Language: en-us,en;q=0.5\r\n
    Accept-Encoding: gzip,deflate\r\n
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
    Keep-Alive: 300\r\n
    Connection: keep-alive\r\n
    Pragma: no-cache\r\n
    Cache-Control: no-cache\r\n
    \r\n

Hypertext Transfer Protocol
    HTTP/1.0 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 200 OK\r\n]
            [Message: HTTP/1.0 200 OK\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.0
        Response Code: 200
    Date: Mon Jan 31 13:28:19 2011\r\n
    Server: GoAhead-Webs\r\n
    Last-modified: Fri Oct 24 16:24:45 2008\r\n
    Content-length: 650\r\n
        [Content length: 650]
    Content-type: text/html\r\n
    \r\n
Line-based text data: text/html
    <HTML>\n
    <HEAD>\n
    <TITLE>Vendor name was here</TITLE>\n
    <META http-equiv="PRAGMA" content="NO-CACHE"></META>\n
    </HEAD>\n
    <script language="JavaScript">\n
    function resizeFix()\n
    {\n
    if(document.layers)\n
    {\n
    if(window.innerWidth!=origWidth||window.innerHeight!=origHeight)\n
    {\n
    window.view_frame.location.reload();\n
    }\n
    }\n
    }\n
    var showWacp=-1\n
    var theSearch=document.location.search;\n
    var theTag="?wacp=true";\n
    showWacp=theSearch.indexOf(theTag);\n
    </SCRIPT>\n
    <FRAMESET ROWS="*,0" border=0 onResize="resizeFix();">\n
    <FRAME SRC="index.asp" name="view_frame">\n
    <FRAME SRC="indexHidden.asp" name="hidden_frame" scrolling="no" noresize>\n
    </FRAMESET>\n
    <!-- Copyright (c)1999 - 2002 Router Device, Inc. -->\n
    </HTML>\n

 

If you turn off "WAN IP" in NoScript > Advanced > ABE I bet it will go away
I'm not sure what you are trying to prove anyway, do you suspect NoScript is doing something behind your back?

http://forums.informaction.com/viewtopic.php?f=7&t=4743

Edit: First I wasn't sure but the javascript must be part of your router's webui

 

This part I know, but it provides protection from a router attack.

I'm trying to determine what is causing the 302 redirects in Google search results.
(Do you suspect Noscript...)It was a thought but more information is required.

Or it's the MITM address, redirecting to another system to get the router password.

http://forums.informaction.com/viewtopic.php?f=7&t=4743
I disabled informaction.com in NoScript.
Thanks for the link.

[sidebar]Once attacker has access to the network, what attacks can be run to gain access to the router? telnet, ssh, .cgi
Can these be protected even if someone gains unauthorized access and attempts internal attacks?

 

http://forums.informaction.com/view...sid=5c6a5e261c3cd07ee5752ecf938a319a&start=15
So retrieving certs from Joe's Data Center is bad.

Code:

No.                                         
   364 
Time
   493.482326 
Source
   208.67.222.222
Destination
   my.int.i.p
Protocol
   DNS
Info
   Standard query response
   A 69.195.141.179
   A 82.103.140.42
   A 82.103.139.52
   A 82.103.140.40
   A 69.195.141.178

 

Which Google redirects? Above you where only speculating it could be google, but from what you posted so far this there is no evidence google searches have anything to do with this.

There are two entries into the router: a vulnerability and the password. The first one is obvious the second can be broken by sniffing/keylogging, brute-forcing or MITM.
But an attacker on the network doesn't have to break into the router at all, he can already arp spoof and MITM without having access.

Best protection is TLS just like on any untrusted network. Or don't let him get access to your network in the first place.

Did you notice this post:
http://forums.informaction.com/viewtopic.php?f=7&t=4743#p20261
it's the same script as yours and refers to a Verizon router it seems.

 

What's DNS got to do with certificates?

 

Yes I did. Part of the fingerprint process. So I can rule that out as an issue of mischief in my situation.

That leaves the 302 redirect and the certs not coming from Giorgio Maone or GoDaddy.

Because the certs are being downloaded from Joe's Data Center instead of the ones Mr. Maone set up.
That would explain why some of my search results are Missouri, St. Louis, Houston, PDA, Lofiversion, mobile, and not my location.

 

Can you show me the capture of certs NOT being downloaded from godaddy? All I see is a DNS lookup involving an IP from this joesdatacenter.
That response you posted is the response to the secure.informaction.com query and not to ocsp.godaddy.com or is it not?

Where does Google come into play, is there a google IP in your pcap? I don't see one.

The javascript does not appear to be part of the fingerprinting (well it is, it's what your router looks like and that is fingerprinted or that's how I understand it). In my testing it doesn't show up at all. Instead I see an attempt to access my routers webui which results in a 401 like I'd expect from a decent router.

What happens if you enter your external IP into the adress bar? Do you get a handshake with a GoAhead-Webs server? How does the source look like, does it contain the javascript code?

 

I made a post in the thread at Informaction, it has parts of the packets.
Giorgio Maone confirmed the addresses @ Joe's Data center as his.

That leaves the 302 redirect.

 

Once the MITM is successful inside the network, does the attacker become invisible to the target during scans, like with nmap, or is that only possible with MITM's outside the network (router out)?

 

"Do these, 69.195.141.179,69.195.141.178, belong to you?"

You could have checked yourself (though DNS could of course be compromised):
dig secure.informaction.com
gives 5 A records

The capture you sent looks OK from the certificate perspective. Everything as expected. However there are some funny malformed packages from "WestellT".

Ubuntu 8.10 and FF 3.0.15? I hope that's spoofed otherwise you are running unsupported software with lots of known exploits.

What about the other things, Google, the javascript...?

If it's ARP spoofing: http://en.wikipedia.org/wiki/ARP_spoofing#Defenses
I guess the nmap output will also look different.

ethernet sniffing through hardware (a hub for example) is completely transparent.

 

If I had used the command I could have saved ten posts hitting the HDD.
I hope I don't get blamed for filling the partition and crashing the server.

I'm learning, here a little, there a little. WIP, Packet structure, valid and different, seeing when something is not right. WIP, Application data, figuring out what the data is if not plain text strings.

Any suggestions for a Live CD similar to BackTrack 4 RC1?

Using Google, 302 redirects still occur. I've been using ssl searches other than Google for now.
The javascript redirect issue was based on a faulty premise which you helped me to uncover. Thank you.

So malformed data is coming from the router, Arp Spoofing is occurring, a MITM pretty much.
I've been trying to play with ArpOn. I can get it installed but I'm having trouble getting it running. I'll have to reread the documentation.
Do you know of any safe place to get NetCut?
I've got IPTables on the todo.

 

Google redirects with a 302 from google.com to google.ccTLD if your IP is detected as not coming from the US. If it's not that I need more details.

Please do tell me, is the javascript a webinterface of a router or something else? Pretty consistence there on the noscript forum.

Instead of the dubious netcut you might be interested in:
https://bitbucket.org/a_atalla/tuxcut/src

Ubuntu 8.10: I see, Live CD isn't that problematic. But BT R2 is out for some time

 

OMG look what I found:
http://www.increa.com/computers/verizon-dsl-hacked-my-network/index.html

 

Nothing yet, I've been trying my normal Google News searches that were problems.
Something has changed, yesterday I was getting the redirects.
I've respun the discs a few times, disabled ipv6 in the distro.
I'll have to see what Windows says when I get back to it.

Since I've been middled, I haven't been trying distros as much. Is BT R2 available in a magazine?

 

RC2 comes with the same outdated Firefox. But for a pentest and live environment it doesn't really matter.

Oh, and in case you use BT for real cracking I hope you get rooted by a counter attack

Disabling IPv6 greatly reduces the complexity of the network and improves the security significantly. If anything I'm worried about the IPv6 transition, it's security. Today it's a nightmare and there isn't much time to change that.