Topic: Exploit code in spam website
trog
AGN Admin
Posts: 18248
Location: Brisbane, Queensland
Before reading: don't go to the URL in this post.

I got some spam yesterday, which isn't an unusual event in itself, but I happened to mouseover the URL and saw that the domain was 'oakfieldmiddleschool.com'. I was wondering if this was a hijacked real school domain so I went to the base URL to see if it was and to find out if it was possible to notify someone.

The base URL contained just a coming soon message - but it took ages to load and my browser chunked, which I thought was weird for such a simple page - so I checked out the source code.

The source is basically a heap of Javascript which attempts to install exploits (mostly via IE but there's one exploit for Firefox which I assume, and hope, didn't work :)

Anyway, thought this might be of interest to anyone into web-related security/tech.
WhiteWolf
Posts: 2200
Location: Brisbane, Queensland
That's strange, after disabling JavaScript, I went to the page and it didn't have anything. Just "under construction" in the source, not even a
trog
AGN Admin
Posts: 18254
Location: Brisbane, Queensland
You're right, I just checked it out and noticed the same thing. Fortunately I saved the output:

http://trog.qgl.org/up/oakfieldmiddleschool.com.html.txt

Edit: if you look towards the bottom, you'll see it tries to perform a firefox exploit by setting the location of one of the hidden iFrames to the following code:

http://trog.qgl.org/up/mfsa0601.htm.txt

last edited by trog at 11:48:12 16/Mar/06
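As a defender-side illustration of the patterns trog describes above (hidden iframes, ActiveX CLSIDs, a frame whose location is pointed at an exploit page), here is an added Python triage script that flags those indicators in a saved copy of a page. It is not code from this thread or from the site in question; the sample HTML is constructed and its URL is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the thread's description (not the real site's source); the URL is a placeholder.
SAMPLE_HTML = """<html><body>Under construction
<iframe name="f1" src="about:blank" width="0" height="0" style="display:none"></iframe>
<script>
var x = new ActiveXObject("Msxml2.XMLHTTP");
document.frames["f1"].location = "http://EXAMPLE-PLACEHOLDER.invalid/mfsa0601.htm";
</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CLSID = re.compile(r"clsid:\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?", re.I)
ACTIVEX = re.compile(r"new\s+ActiveXObject\s*\(", re.I)
FRAME_NAV = re.compile(r"\.location\s*=[^=]", re.I)

class DriveByTriage(HTMLParser):
    """Records hidden iframes, ActiveX CLSIDs and scripted frame redirects as (indicator, detail)."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased; values may be None
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append(("hidden_iframe", a.get("name") or a.get("src") or ""))
        elif tag == "object" and CLSID.search(a.get("classid") or ""):
            self.findings.append(("activex_clsid", a["classid"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):  # script bodies arrive here as raw text
        if self._in_script and ACTIVEX.search(data):
            self.findings.append(("activex_script", "new ActiveXObject("))
        if self._in_script and FRAME_NAV.search(data):
            self.findings.append(("frame_redirect", ".location ="))

def triage(html):
    p = DriveByTriage()
    p.feed(html)
    return p.findings
```

Run it over a saved page (the kind of .txt dump linked above) rather than a live fetch; as WhiteWolf noted, such sites may serve different content depending on how they are requested.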
Predator
Posts: 157
Location: Brisbane, Queensland
Not that I'm tempted to write such things but it's a pleasure to see such inherently/self commenting code in a browser hijack. Got to love those ActiveX CLSIDs :)

I remember back in some of my relatively more naive days how annoying it was trawling through the registry looking at those UIDs and wondering how I could tell which ones were there and which ones weren't after installing/removing an app.
eighty-eight
Posts: 215
Location: Gold Coast, Queensland

IMO if you don't use Firefox without AdBlock, NoScript and have half a brain when it comes to PC stuff - you are asking to get hit somehow..
Good warning though, trog.

And just for the randomness; in the last 3 years I haven't had to format my PC once nor have I had an infected computer and all I use to keep it maintained is:
Firefox with AdBlock and NoScript
Spybot S&D
Symantec AntiVirus
and half a brain that says DON'T execute random files without scanning them first.

And I haven't installed that Windows spyware removal tool.
Rodolphe
Posts: 225
Location: Brisbane, Queensland
adblock
b&
Hardball, Billy
Posts: 5244
Location: Brisbane, Queensland
But do you have half a brain?
trog
AGN Admin
Posts: 18266
Location: Brisbane, Queensland
Yeh I just installed NoScript, it's pretty cool - though the first few times it popped up I didn't even notice! IMO it should pop up at the top of the browser instead of the bottom by default.
Thundercracker
Posts: 1342
Location: Brisbane, Queensland
I was using NoScript for a while but then I realised all the sites that I visit are pretty trustworthy and I just had to keep letting them through, otherwise you get some funky behaviour.
whoop
Posts: 9839
Location: Brisbane, Queensland
Good thing I'm using Opera :)
trog
AGN Admin
Posts: 18393
Location: Brisbane, Queensland
I just went and clicked on this text file, which I still had lying around, to delete it and McAfee suddenly picked it up - for anyone that cares, here's the exploit info page:

http://vil.mcafeesecurity.com/vil/content/v_130621.htm
© Copyright 2001-2026 AusGamers Pty Ltd. ACN 093 772 242.