[olug] Lynx browser

Aric Aasgaard aric at omahax.com
Thu May 14 04:42:31 UTC 2009


I think the first thing to do is figure out a "signature" of the mal code,
something to search for.  

If the js outputs specific html code you can cURL to pinpoint it.  But....


Else if it is in dnn I would make a query script looking for the code in the
"content fields" of the db.

Something like

For each db connect

This = Select "content fields", "signature"  

return db and key.

I would prolly have a bot/cron for this and just add stuff to the signatures
list.

Fight bots with bots mang......

-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
DYNATRON tech
Sent: Wednesday, May 13, 2009 10:43 PM
To: Omaha Linux User Group
Subject: Re: [olug] Lynx browser

like aric, i was also going to suggest cURL.

On Wed, May 13, 2009 at 4:45 PM, Charles.Bird
<charles.bird at powerdnn.com> wrote:

> Yes, I do have filesystem access, I'm currently looking through tables in
> the database looking to see where the bs was placed.
>
>
>
>
>
> On Wed, May 13, 2009 at 4:40 PM, Aric Aasgaard <aric at omahax.com> wrote:
>
> > Do you have file system access?
> >
> > -----Original Message-----
> > From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
> > Charles.Bird
> > Sent: Wednesday, May 13, 2009 4:18 PM
> > To: Omaha Linux User Group
> > Subject: Re: [olug] Lynx browser
> >
> > I have very little perl experience.
> >
> > I have seen some nifty perl scripts before though! Like the language
> > selection exploit for trixbox, blammo! reverse shell!
> >
> > The challenge may be in correctly identifying the malicious JavaScript.
> >
> >
> >
> > On Wed, May 13, 2009 at 4:10 PM, Carl Lundstedt
> > <clundst at unlserve.unl.edu> wrote:
> >
> > > I'm not familiar with the way js works, so maybe this is bogus, but have
> > > you thought of using perl with the HTML libs?  I've done some limited
> > > things with that (polling NOAA for temp/humidity logs and page scrapes
> > > for nagios alerts for example).
> > > Carl
> > > On Wed, 2009-05-13 at 16:03 -0500, Charles.Bird wrote:
> > > > I am trying to find a way to detect malicious js on webpages from a set of
> > > > URLs. Most of the time when BS-JS is on a webpage it's a result of sql
> > > > injection.
> > > > I'm not really sure how to find bullsh*t js in an automated fashion quite
> > > > yet, and I noticed that Lynx doesn't do js too well either :)
> > > > I love automating tasks with Lynx, I once made an automated online voting
> > > > system with Lynx and had it change user agent, use a proxy from a list, etc
> > > > etc.
> > > >
> > > > Anyone around here done anything similar? I have about 60000-85000 domains
> > > > to hit on the one environment that I'm looking at.
> > > >
> > > >
> > > >
> > > > Charles
> > > > _______________________________________________
> > > > OLUG mailing list
> > > > OLUG at olug.org
> > > > https://lists.olug.org/mailman/listinfo/olug



-- 
dynatron digital services
box 191 - 68037
www.dynatron.org
dynatron at gmail.com
_______________________________________________
OLUG mailing list
OLUG at olug.org
https://lists.olug.org/mailman/listinfo/olug
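
The signature scan sketched at the top of this message (for each db, search the content fields for a signature, return db and key), written out as an added example that is not part of the original thread. It assumes sqlite3 in-memory databases as stand-ins for the real per-site databases; the table and column names, the signatures, and the sample rows are all constructed for illustration.

```python
import re
import sqlite3

# Constructed signatures; append a pattern each time a new injected snippet is identified.
SIGNATURES = {
    "ext-script": re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?https?://injected\.example/", re.I),
    "zero-iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.I),
}

# Hypothetical (table, key column, content column) list; map it to the real schema.
CONTENT_FIELDS = [("page_content", "id", "body")]


def scan_db(db_name, conn):
    """Return (db, table, key, signature) for each content row matching a signature."""
    hits = []
    for table, key_col, text_col in CONTENT_FIELDS:
        # Identifiers come from the fixed list above, never from external input.
        query = f'SELECT "{key_col}", "{text_col}" FROM "{table}" ORDER BY "{key_col}"'
        for key, text in conn.execute(query):
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(text or ""):  # NULL content is treated as empty
                    hits.append((db_name, table, key, sig_name))
    return hits


def scan_all(databases):
    """Scan every connection in {name: connection} and collect the hits."""
    return [hit for name, conn in databases.items() for hit in scan_db(name, conn)]


def sample_databases():
    """Constructed in-memory databases standing in for the per-site databases."""
    rows = {
        "site_a": [(1, "<p>Welcome</p>"),
                   (2, "<p>News</p><script src=http://injected.example/x.js></script>")],
        "site_b": [(1, '<p>About</p><script>document.title = "About";</script>'), (2, None)],
        "site_c": [(7, '<IFRAME src="http://injected.example/" width=0 height=0></IFRAME>')],
    }
    dbs = {}
    for name, content in rows.items():
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE page_content (id INTEGER PRIMARY KEY, body TEXT)")
        conn.executemany("INSERT INTO page_content VALUES (?, ?)", content)
        dbs[name] = conn
    return dbs


if __name__ == "__main__":
    for hit in scan_all(sample_databases()):
        print(*hit, sep="\t")  # cron can mail or log these db/key pairs
```

The inline script in site_b is left alone because it matches no signature, so what gets flagged depends entirely on how specific the signature list is.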