New Exploit

According to the link you provided, enyo, the .exe is in fact changing the location of the hosts file as I first posted...

from the link:

A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc.) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file; the following registry key is created to change the HOSTS path]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
 
Originally posted by dealer
enyo, you told us about this vulnerability some time ago here


Yup :) I was aware of the hole. Did not expect it to be used in this way however.

You were right on the hosts file being moved, I was not the one that doubted you :D

Quick Countermeasures:

1) Change permissions on registry keys so Administrators only can write to them.

2) Remove MMIE for HTA

3) Use something like Script Sentry http://www.jasons-toolbox.com/scriptsentry.asp

4) Block 207.44.194.56 and 69.57.146.14 and 69.57.146.175

5) Block access to fortunecity.com where the script resides.

See http://tinyurl.com/pgtj for more and a app to disable HTA.

I said in the thread about this hole:

Website-based vulnerabilities generally are not too popular, so hopefully people won't get affected by it.

Well. Hope seems not to be enough :p
 
Originally posted by dealer
According to the link you provided, enyo, the .exe is in fact changing the location of the hosts file as I first posted...

from the link:

A file named HOSTS is created in the %WinDir%\Help directory redirecting popular search URLs (such as google.com, altavista.com, etc.) to the IP address 207.44.220.30 [note: this is not the default path to the HOSTS file; the following registry key is created to change the HOSTS path]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters "DataBasePath" = %SystemRoot%\help
Well, if we change the HOSTS path back to %SystemRoot%\system32\drivers\etc, isn't it supposed to work again?

I tried, but I still can't access google.com. I even tried to delete all the URLs in the %SystemRoot%\help\hosts file; it still doesn't work... :(
 
Uhhh, did you delete the hosts file in %SystemRoot%\system32\drivers\etc?
 
this has been working for me

In registry you will need to delete the values of the following keys.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Look in all keys within Interfaces and look for the entry Name Server, anywhere you see anything for Name Server other than 10.240.4.8,10.241.4.8, edit the entry and delete the value.

Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP
Delete the values of these keys…
EnableDNS
NameServer
HostName
Domain

Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\Search
If you see the value http://www.google.com in the SearchAssistant key then delete that value.

Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EDIT the DataBasePath=%SystemRoot%\help
so that it reads:
%SystemRoot%\System32\drivers\etc

The following files will need to be deleted from the C: drive

C:\BDTMP This is Hidden
C:\BDTMP\TMP This is Hidden
C:\Windows\Help\hosts
C:\Windows\winlog
 
Invision...welcome to our board...I can see you are going to be quite an asset here

looking forward to reading more of your posts
 
Re: this has been working for me

Originally posted by Invision


Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP
Delete the values of these keys…
EnableDNS
NameServer
HostName
Domain

These values are for 9x, and shouldn't be deleted if you have manually set your DNS servers. These keys shouldn't be affected by this exploit.

Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\Search
If you see the value http://www.google.com in the SearchAssistant key then delete that value.

This has nothing to do with the hijack, this just uses google for searching the web in IE instead of MSN.

I'm just pointing this out.:eek:
 
I found the following useful to resolve this issue earlier today...

1. Deleting all entries in the hosts file (%SystemRoot%\system32\drivers\etc) that showed a repeated (unknown) IP followed by a URL. In this case they were all search engine URLs.

2. Saving the edited hosts file.

3. Deleting the backup hosts file in the same directory. It had backed up the "hijacked" hosts file and used that after I edited the original.

Note: I didn't have to mess with the registry to resolve this guy's issue.
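A defender-side check for the two remediation steps the thread keeps coming back to (the Tcpip\Parameters DataBasePath value and the contents of the hosts file itself), written as an added example that is not from this thread or any poster. The sample hosts text is constructed; the registry helper is an assumption about how one would read the value and only works on Windows.

```python
import ipaddress
import ntpath

# Default HOSTS directory, as restored in the thread
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Search-engine names the thread says were being redirected
WATCHED_HOSTS = {"google.com", "www.google.com",
                 "altavista.com", "www.altavista.com"}

# Constructed sample resembling the hijacked hosts file described above
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
207.44.220.30   google.com
207.44.220.30   www.altavista.com   # redirected search engine
"""


def database_path_is_default(value: str) -> bool:
    """True if a DataBasePath value points at the default directory.
    Case and a trailing backslash are ignored; %SystemRoot%\\help fails."""
    cleaned = ntpath.normcase(value.strip().rstrip("\\"))
    return cleaned == ntpath.normcase(DEFAULT_DATABASE_PATH)


def suspicious_hosts_entries(hosts_text: str) -> list:
    """Return (ip, hostname) pairs mapping a watched hostname to a
    non-loopback address. Comments and blank lines are skipped."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address-first hosts line
        for name in parts[1:]:
            if name.lower() in WATCHED_HOSTS and not addr.is_loopback:
                findings.append((str(addr), name.lower()))
    return findings


def read_database_path() -> str:
    """Assumed helper: read the live value on Windows via winreg."""
    import winreg  # only available on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    value, _ = winreg.QueryValueEx(key, "DataBasePath")
    return value
```

Run `suspicious_hosts_entries` over the file found under whatever directory `read_database_path` returns, then again over the default directory, so a moved copy and the original are both inspected.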
 
