Hi Steven Winderlich
IDS alert for ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element *
On this website 1 page has suspicious code
Firekeeper alert is for === Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
htxp://www.google.com/search?q=0%5D%7D%3Bfunction+s%28%29%7B+a.P%28r%29%3Bf%5Bz%5D%28r%29%7Df.addEventListener%3Ff.addEventListener%28r%2Cs%2Cfalse%29%3Af.attachEvent%28%22on%22%2Br%2Cs%29%3Bvar+ld%3Dfunction%28%29%7Bfunction+p%28hd%29%7B+hd%3D%22head%22%3Breturn%5B%22%3C%22%2Chd%2C%22%3E%3C%2F%22%2Chd%2C%22%3E%3C%22%2Ci%2C%27+onl%27+%2B+%27oad%3D%22var+d%3D%27%2Cg%2C%22%3Bd.getElementsByTagName%28%27head%27%29%5B0%5D.%22%2C&client=flock&channel=fds&oe=utf-8&oq=0%5D%7D%3Bfunction+s%28%29%7B+a.P%28r%29%3Bf%5Bz%5D%28r%29%7Df.addEventListener%3Ff.addEventListener%28r%2Cs%2Cfalse%29%3Af.attachEvent%28%22on%22%2Br%2Cs%29%3Bvar+ld%3Dfunction%28%29%7Bfunction+p%28hd%29%7B+hd%3D%22head%22%3Breturn%5B%22%3C%22%2Chd%2C%22%3E%3C%2F%22%2Chd%2C%22%3E%3C%22%2Ci%2C%27+onl%27+%2B+%27oad%3D%22var+d%3D%27%2Cg%2C%22%3Bd.getElementsByTagName%28%27head%27%29%5B0%5D.%22%2C&gs_l=heirloom-serp.12...168869.173826.0.189025.41.14.0.0.0.7.416.1858.1j7j2j0j1.11.0....0...1ac.1j2.24.heirloom-serp..39.2.225.JuQszQRyOMk
Decoded script (complex functions -environment)
function s() {
a.P(r);
f[z](r);
}
* Available. remote exploit. alias conficker worm like...
pol
