malicious website hacking into my router or just bad coding?

Discussion in 'other security issues & news' started by katio, Jan 15, 2011.

Thread Status:
Not open for further replies.
  1. katio

    katio Guest

    When I go to this site I get prompted by my router to enter the credentials. (With NoScript I just get an ABE warning). The problem it seems are image files embedded on the site which are missing on the server.
    Could someone check what's causing that behaviour?
    hxxp://rmccurdy.com/scripts/downloaded/www.offensive-security.com/_013_msfgui.html

    Thank you.
     
  2. katio

    katio Guest

  3. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    This is what's causing that behaviour:

    [attachment: iframe.PNG]

    [attachment: redirect.png]
     
  4. katio

    katio Guest

    Thank you.
    Any idea why it might be doing that?
     
  5. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  6. katio

    katio Guest

    That was my first thought too, but where is the malicious payload? No obfuscated JavaScript, online scanners come out clean...
     
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  8. katio

    katio Guest

    What does what gets written to disk have to do with anything? This is not about malware being downloaded and executed.

    About HTTP response splitting and smuggling
    I assume you, like almost everybody else who posted in these threads, didn't read the whitepapers
    http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
    http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html

    I'll make it brief: Checking HTML source and HTTP headers would reveal response splitting; it doesn't magically hide the payload. This weakness in HTML is primarily relevant if you are behind a caching proxy and, to a lesser extent, if you follow "untrusted links" ("funny looking strings") to a trusted site (i.e. always enter bankofamerica, paypal or whatever manually into the address bar; basic anti-phishing knowledge, really).

    This has nothing to do with DNS rebinding. If you think of XSS and CSRF, there's a slight connection, but it's still totally irrelevant for this case.

    ------

    My conclusion: if there is no malicious script, this is not a malicious hacking attempt. It's an error, and I'd like to know how this works on the server side. How come some resources on this site always redirect to your public IP?
     
  9. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    Don't know if you can make some use of it, but here are all the scripts that can be found on this very page. I know next to nothing about this stuff, so I'll let you have a look and try to decipher ;) :
    Hope it helps.
     
  10. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Yes, it's not a hacking attempt, it redirects to your IP when a resource doesn't exist, instead of showing a 404 page. :rolleyes: The .htaccess file probably contains something like this:

     
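    As an added illustration of the check this thread ends up doing by hand (not code from anyone in the thread): fetch a page's embedded resources without following redirects and flag any 3xx whose Location points at the visitor's own public IP, a private address, or a different host. The page, HTML and responses below are constructed sample data; in real use the response tuples would come from HEAD/GET requests made with redirects disabled.

```python
"""Flag sub-resource redirects that send the browser back at the visitor."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class SubresourceCollector(HTMLParser):
    """Collect absolute src URLs of img/iframe/script tags on a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(urljoin(self.base_url, value))


def classify_redirect(page_url, status, location, client_ip):
    """Classify one response to a sub-resource request (redirects not followed)."""
    if not (300 <= status < 400) or not location:
        return "ok"                       # not a redirect: nothing to flag here
    page_host = urlparse(page_url).hostname
    target_host = urlparse(urljoin(page_url, location)).hostname
    if target_host == client_ip:
        return "redirect-to-client-ip"    # the thread's case: bounced to your own router
    try:
        if ipaddress.ip_address(target_host).is_private:
            return "redirect-to-private-address"
    except ValueError:
        pass                              # target is a hostname, not a literal IP
    if target_host != page_host:
        return "redirect-offsite"
    return "ok"


def audit(page_url, html, responses, client_ip):
    """responses: {url: (status, location)}; returns (url, verdict) for every flagged resource."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    findings = []
    for url in collector.urls:
        status, location = responses.get(url, (200, None))
        verdict = classify_redirect(page_url, status, location, client_ip)
        if verdict != "ok":
            findings.append((url, verdict))
    return findings


# Constructed sample: two missing resources 302 to the visitor's (placeholder) public IP.
PAGE_URL = "http://example.test/page.html"
PAGE_HTML = '<img src="ok.png"><img src="missing.png"><iframe src="missing.html"></iframe>'
CLIENT_IP = "203.0.113.7"
RESPONSES = {
    "http://example.test/ok.png": (200, None),
    "http://example.test/missing.png": (302, "http://203.0.113.7/"),
    "http://example.test/missing.html": (302, "http://203.0.113.7/"),
}
```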
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    I said this thread just reminded me of those threads, and I didn't exactly say HTTP splitting did that to your router. Ok, so those threads were irrelevant to the topic at hand. If you say so. You're the expert here.

    Thanks for the clarifications and for those links. Like almost everybody else on those threads, including the thread starter there, I fully admitted that we don't fully understand the mechanics of these things and aren't as knowledgeable as you. You're the man, idol. :u LOL -embarrassed
     