[Owasp-delhi] Fwd: Fackbook Password Disclosure - Vulnerability

Deepayan (Dragon) deepayan.chanda at gmail.com
Thu Nov 18 13:22:51 EST 2010


Guys, some simple analysis to add: I scanned the files through some link analysers;
below are the reports.


http://wepawet.iseclab.org/view.php?hash=3b023200b710ab390be685ef860570ad&t=1290102813&type=js
Here you can see some unescape functions; you may try to decrypt it.

http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Fwww.mediafire.com%2F%3F9xllotl0n4nla6f&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxSource=on&cbxBlacklist=on

http://monkeywrench.de/result.html?id=2126671&displaykey=53w31m8u


Also, I found remote desktop open till now (screenshot attached). Try brute
forcing, have fun, and let us know if you get to know something more from
this analysis.


[image: Untitled.png]





On Thu, Nov 18, 2010 at 9:45 PM, Sheik Nizamuddin <sheikn at promindsglobal.com> wrote:

> @Atul Exactly. It drops the server.exe and, as you have mentioned, the file
> itself is suspicious. I had some suspicious behavior on my system even
> though I blocked the server.exe file. My IDS immediately started picking up
> detections.
>
> It made me even more curious, and trying to figure out what all I have done
> in the recent past, I see only this JAR file which I tried to execute.
>
>
>
> Anyways this is my IDS Log
>
> 11/18/2010 4:17:30 PM  Intrusion.Win.MSSQL.worm.Helkern
> 219.146.143.209                UDP       1434
>
> 11/18/2010 4:19:37 PM  Intrusion.Win.MSSQL.worm.Helkern
> 218.201.144.133                UDP       1434
>
>
>
> They both track down to Chinese IP though.
>
>
>
> Speaking about all this did someone find any luck on the facebook
> vulnerability as mentioned on the first mail of this chain?
>
>
>
> Regards,
>
> A.Sheik Nizamuddin
>
> Security Analyst
>
> +91-8008001292
>
> *ProMinds Consulting Pvt Ltd* | SEI Transition Partner | CERT-In
> Empanelled Company | ISO 9001:2008 Certified | NASSCOM Member
>
> www.promindsglobal.com <http://www.promindsconsulting.com/> |
>
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Atul Agarwal
> *Sent:* Thursday, November 18, 2010 5:19 PM
> *To:* dhruv.soi at owasp.org
>
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Fwd: Fackbook Password Disclosure -
> Vulnerability
>
>
>
> After some basic analysis, it appears to me that the JAR finally drops a
> server.exe (2/40 - VT
> http://www.virustotal.com/file-scan/report.html?id=ebc79807e87ec1171a085569f7eee866f6cbea50d15e643573bdb77641e918ea-1290077246
> ).
>
> The server.exe appears to be meterpreter_reverse_https which injects into
> iexplore.exe and tries to connect to
> 121.242.69.84.static-delhi.vsnl.net.in.
>
> 21/tcp   open   ftp?
> 25/tcp   closed smtp
> 53/tcp   closed domain
> 80/tcp   closed http
> 443/tcp  closed https
> 3389/tcp open   ms-term-serv?
> 4444/tcp closed krb524
> 5555/tcp closed freeciv
> 5800/tcp open   vnc-http?
> 5900/tcp open   vnc?
>
> The listener however, seems down ATM. Hmm..
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> www.secfence.com
>
>
> On Thu, Nov 18, 2010 at 2:48 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
>
> Or maybe passed the BUG to save own time ;-)
>
>
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Chintan Dave
> *Sent:* 18 November 2010 13:51
> *To:* Muslim Koser
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Fwd: Fackbook Password Disclosure -
> Vulnerability
>
>
>
> Or is it social engineering to entice security professionals, thinking they
> might not understand what's happening? :P
>
> Wait a minute..... Should this be tried here? May be not!
>
> On Thu, Nov 18, 2010 at 12:43 PM, Muslim Koser <mkoser at isightpartners.com> wrote:
>
> Hi Komal,
>
> Have you tested this before posting on the list? I found this to be a
> possible malware dropper.
>
> There are two suspicious files in the /data folder which write in to remote
> process memory.
> /data/app.exe and /data/dummy.exe
>
>
> Best Regards,
> Muslim
>
>
> On 17/11/10 10:47 PM, "Komal Taneja - DHL Delhi" <komal.dhl.1665 at gmail.com> wrote:
>
>
> Facebook recently launched its email and it created a vulnerability.
>
> Malicious user can change the password of victim.
>
> Download the POC tool and tutorial from
> http://www.mediafire.com/?9xllotl0n4nla6f . Hurry before Facebook fixes the
> gap.
>
> Komal
> ------------------------------
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
>
>
>
>
> --
> Regards,
> Chintan Dave,
>
> LinkedIn: http://in.linkedin.com/in/chintandave
> Blog:http://www.chintandave.com
>
>
>
>
>
>
>


-- 
With Regards

Deepayan
MBA(IT), GCIA (GIAC), CEH, CHFI
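The triage described in the thread (a JAR carrying app.exe and dummy.exe under /data, which then drops server.exe) can be scripted so the archive is inspected without ever running it. The following is an added example, not code from any participant in the thread: it walks a JAR's entries and flags any whose bytes carry a Windows PE header (DOS `MZ` stub whose `e_lfanew` points at a `PE\0\0` signature), which is a far stronger signal than the file extension. The sample archive is constructed in memory with placeholder blobs; only the entry names mirror the ones reported above.

```python
"""Offline triage of a suspicious JAR: list archive entries and flag any
that embed a Windows PE executable. Added example; the sample archive
below is constructed in memory and the PE blobs are placeholders, not
real executables."""
import io
import struct
import zipfile

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS header whose e_lfanew field
    (offset 0x3C) points at a valid 'PE\\0\\0' signature. Checking both
    fields avoids flagging text that merely begins with the letters MZ."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_MAGIC


def triage_jar(jar_bytes: bytes) -> dict:
    """Return {entry_name: reason} for entries worth a closer look:
    embedded PE files anywhere in the archive, plus .exe-named entries
    that do not parse as PE (packed or disguised payloads)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The PE header sits in the first few KB; no need to read whole files.
            head = zf.open(info).read(8192)
            if looks_like_pe(head):
                findings[info.filename] = "embedded PE executable"
            elif info.filename.lower().endswith(".exe"):
                findings[info.filename] = ".exe name without PE header (check manually)"
    return findings


def fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS header with e_lfanew
    pointing at a PE signature. Not a runnable executable."""
    blob = bytearray(0x100)
    blob[:2] = MZ_MAGIC
    struct.pack_into("<I", blob, 0x3C, 0x80)   # e_lfanew -> 0x80
    blob[0x80:0x84] = PE_MAGIC
    return bytes(blob)


def build_sample_jar() -> bytes:
    """Constructed JAR shaped like the one discussed: a class file plus
    two executables under data/. The readme starts with 'MZ' on purpose
    to show that the magic alone is not enough to flag a file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + bytes(16))  # class magic
        zf.writestr("data/app.exe", fake_pe())
        zf.writestr("data/dummy.exe", fake_pe())
        zf.writestr("data/readme.txt", "MZ-prefixed text that is not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_jar(build_sample_jar()).items():
        print(f"{name}: {reason}")
```

Run against a real archive with `triage_jar(open("suspect.jar", "rb").read())`; anything reported under `data/` in a JAR that claims to be a web PoC tool is reason enough to stop and hand the sample to a sandbox rather than execute it.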
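The wepawet report linked above notes unescape() calls in the page script. Rather than running the script to see what they evaluate to, the encoded literals can be decoded offline. The following is an added example, not code from the thread: a Python reimplementation of JavaScript's legacy unescape() (both the %XX and %uXXXX forms, with malformed escapes left untouched, which is also what JavaScript does), applied repeatedly to peel nested encoding layers. The sample script is constructed for the example and is not the one from the analysed page.

```python
"""Decode JavaScript-style unescape() obfuscation without executing it.
Added example; the sample script below is constructed, not the one from
the analysers' reports."""
import re

# %uXXXX (UTF-16 code unit) or %XX (single byte); anything else is literal,
# matching JavaScript's legacy unescape() behaviour.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Mirror JavaScript's unescape(): %uXXXX -> code unit XXXX,
    %XX -> code point XX, malformed escapes left as they are.
    urllib.parse.unquote is not a substitute: it ignores %uXXXX."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return _ESC.sub(repl, s)


def unescape_layers(s: str, max_rounds: int = 5) -> list:
    """Apply js_unescape until the text stops changing; obfuscators often
    nest several rounds (%2541 -> %41 -> A). Every layer is returned so
    the analyst can inspect each stage, not just the final one."""
    layers = [s]
    for _ in range(max_rounds):
        nxt = js_unescape(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def extract_unescape_args(script: str) -> list:
    """Pull the string literals passed directly to unescape(...) out of a
    script body. Concatenated or computed arguments need a real JS parser."""
    return re.findall(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""", script)


# Constructed sample script (not the analysed page's code).
SAMPLE_SCRIPT = (
    "var p = unescape('%75%6E%65%73%63%61%70%65'); "
    "var d = unescape('%u0064%u006F%u0063%u0075%u006D%u0065%u006E%u0074"
    "%2E%77%72%69%74%65');"
)


def decode_sample() -> list:
    """Fully decode every unescape() literal in SAMPLE_SCRIPT."""
    return [unescape_layers(arg)[-1] for arg in extract_unescape_args(SAMPLE_SCRIPT)]


if __name__ == "__main__":
    for arg in extract_unescape_args(SAMPLE_SCRIPT):
        print(" -> ".join(unescape_layers(arg)))
```

Decoded names such as `document.write` or `eval` in the output are the usual next hop of a drive-by page and tell the analyst where to look next; the point of decoding this way is that nothing from the sample is ever evaluated.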
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 59154 bytes
Desc: not available
Url : https://lists.owasp.org/pipermail/owasp-delhi/attachments/20101118/3664fc08/attachment-0001.png 

