Recently, on opening one of my sites, my antivirus pops up saying that it
has found a malicious script. The URL is random and I have managed to
get that script. It is using some flaw in Apple QuickTime.
You can get the zip file for the JavaScript here:
http://secgeeks.com/what.zip
password is 12345
Can somebody guide/help me: what is this and how can I remove it?
--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de
Clear your computer of the trojan, change the FTP password for your site
hosting access, because it has been stolen, access your hosting account via
FTP and remove the additional text (usually at the end of the file, after
</html>) from all HTML/PHP pages.
--Sunday, January 13, 2008, 7:01:34 PM, you wrote to full-di...@lists.grok.org.uk:
cfcf> Hi,
cfcf> Recently, on opening one of my sites, my antivirus pops up saying that it
cfcf> has found a malicious script. The URL is random and I have managed to
cfcf> get that script. It is using some flaw in Apple QuickTime.
cfcf> You can get the zip file for the JavaScript here:
cfcf> http://secgeeks.com/what.zip
cfcf> password is 12345
cfcf> Can somebody guide/help me: what is this and how can I remove it?
--
~/ZARAZA http://securityvulns.com/
Firing the second time, he crippled a bystander. The bystander was me. (Twain)
> Dear crazy frog crazy frog,
>
> Clear your computer of the trojan, change the FTP password for your site
> hosting access, because it has been stolen, access your hosting account via
> FTP and remove the additional text (usually at the end of the file, after
> </html>) from all HTML/PHP pages.
Ummmm -- the only part of that likely to be relevant here is the last.
These kinds of web page "compromises" are typically achieved through
bad/ill-configured/non-updated server-side web applications (or their
underlying script engines) and are typically achieved without requiring
any more special or privileged access to the victim sites than the
ability to run a clever Google search or your own brute-force spidering
via a bot-net, etc.
Of course, simply removing the undesired iframe/script/etc tags from
your compromised pages is not enough. Although doing so does not mean
that this attacker will come back, it equally does nothing to close the
hole they used in the first place, and the next attacker searching for
that hole will hit you just as easily and indiscriminately...
Regards,
Nick FitzGerald
On Jan 14, 2008 5:22 PM, Nick FitzGerald <ni...@virus-l.demon.co.uk> wrote:
> 3APA3A wrote:
>
> > Dear crazy frog crazy frog,
> >
> > Clear your computer of the trojan, change the FTP password for your site
> > hosting access, because it has been stolen, access your hosting account via
> > FTP and remove the additional text (usually at the end of the file, after
> > </html>) from all HTML/PHP pages.
>
> Ummmm -- the only part of that likely to be relevant here is the last.
>
> These kinds of web page "compromises" are typically achieved through
> bad/ill-configured/non-updated server-side web applications (or their
> underlying script engines) and are typically achieved without requiring
> any more special or privileged access to the victim sites than the
> ability to run a clever Google search or your own brute-force spidering
> via a bot-net, etc.
>
> Of course, simply removing the undesired iframe/script/etc tags from
> your compromised pages is not enough. Although doing so does not mean
> that this attacker will come back, it equally does nothing to close the
> hole they used in the first place, and the next attacker searching for
> that hole will hit you just as easily and indiscriminately...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?
the file you sent here contains a bunch of embedded nulls (every other
character is 00). stripping those out reveals ...
that it's a collection of browser exploits. by the looks of it it's MPack
and uses the heapspray slide stuff.
the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
as a local file c:\\mosvs8.exe and then run it.
very common exploit scenario these days (but they usually have some form
of js obfuscation going on).
i hope this helps.
________
jose nazario, ph.d. http://monkey.org/~jose/
A full account is up on
http://blog.trendmicro.com/e-commerce-sites-invaded/ but the JS you
posted is the exact same as the one used in those attacks. I'm
guessing you have Javascripts embedded in your pages that pointed to a
randomly named js in the same directory, right?
Robert McArdle
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings
On Jan 13, 2008 4:01 PM, crazy frog crazy frog <
On Jan 14, 2008 9:14 PM, Jose Nazario <jo...@monkey.org> wrote:
> On Sun, 13 Jan 2008, crazy frog crazy frog wrote:
>
> > http://secgeeks.com/what.zip
> > password is 12345
> > can somebody guide/help me what is this and how can i remove it?
>
> the file you sent here contains a bunch of embedded nulls (every other
> character is 00). stripping those out reveals ...
>
> that it's a collection of browser exploits. by the looks of it it's MPack
> and uses the heapspray slide stuff.
>
> the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
> as a local file c:\\mosvs8.exe and then run it.
>
>
> very common exploit scenario these days (but they usually have some form
> of js obfuscation going on).
>
> i hope this helps.
>
> ________
> jose nazario, ph.d. http://monkey.org/~jose/
>
--
In this attack legitimate pages on a site are first populated with
HTML tags embedding JavaScript like so:
<script language='JavaScript' type='text/javascript' src='{random name}.js'></script>
These all point to the page you sent on. All the MP3, QuickTime, etc.
stuff are exploits that are launched against the browser of the victim
who browses to the site.
The full descriptions of the various exploits are linked off
http://blog.trendmicro.com/e-commerce-sites-invaded/
Robert McArdle
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings
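As an added illustration (not code from this thread or from any of the posters), here is a small Python scanner that performs the two checks the replies above suggest a site owner make: it flags any content that follows the closing </html> of a page, and it flags script tags whose src is a bare .js file name that is not in the site's own list of known scripts (the randomly named loader described above). The sample pages, the directory layout and the `known` allowlist are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# A <script ...> tag with a src attribute; group 1 is the src value.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"][^>]*>", re.IGNORECASE)
CLOSING_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)

PAGE_SUFFIXES = {".html", ".htm", ".php"}


def find_trailing_content(html):
    """Return whatever follows the last </html> tag (ignoring whitespace),
    or None when the page ends cleanly. Injected iframes and script tags
    are commonly appended after the closing tag."""
    last = None
    for last in CLOSING_HTML_RE.finditer(html):
        pass
    if last is None:
        return None
    tail = html[last.end():].strip()
    return tail or None


def find_unknown_scripts(html, known):
    """Return src values of script tags that are bare .js file names
    (no scheme, no directory part) and are not in the site's allowlist."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1).strip()
        if "://" in src or "/" in src or not src.lower().endswith(".js"):
            continue
        if src not in known:
            hits.append(src)
    return hits


def scan_site(root, known):
    """Walk a document root and return (relative path, kind, detail) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        tail = find_trailing_content(text)
        if tail is not None:
            findings.append((rel, "trailing-content", tail[:80]))
        for src in find_unknown_scripts(text, known):
            findings.append((rel, "unknown-script", src))
    return findings


def demo():
    """Build a constructed two-page site and scan it (sample data only)."""
    clean = "<html><body><script src='site.js'></script></body></html>\n"
    injected = ("<html><body><script language='JavaScript' "
                "type='text/javascript' src='qzxvlkwp.js'></script>"
                "</body></html>\n"
                "<iframe src='http://example.invalid/x' width=0 height=0></iframe>\n")
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "index.html").write_text(clean)
        (Path(d) / "shop").mkdir()
        (Path(d) / "shop" / "cart.php").write_text(injected)
        return scan_site(d, known={"site.js"})


if __name__ == "__main__":
    for rel, kind, detail in demo():
        print(f"{rel}: {kind}: {detail}")
```

The allowlist approach is deliberate: a "random-looking name" heuristic produces false positives on minified library bundles, whereas the site owner knows exactly which scripts the pages should reference. Run it against a copy of the document root taken over FTP rather than on the compromised host itself.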
On Jan 13, 2008 5:33 PM, crazy frog crazy frog <i.m.cra...@gmail.com> wrote:
> More: it's not a JavaScript, it looks like an HTML page [notice the <html>
> and <body> tags in the file]. There is also a random function, which
> generates the random string which is used to store the files on the C drive
> and maybe for the random URL. It's trying to play MP3 and other
> files. It all looks messed up. Maybe there is another script which is
> getting embedded in pages, which infects by calling this script?
>
>
> On Jan 13, 2008 9:31 PM, crazy frog crazy frog <i.m.cra...@gmail.com> wrote:
> > Hi,
> >
> > Recently, on opening one of my sites, my antivirus pops up saying that it
> > has found a malicious script. The URL is random and I have managed to
> > get that script. It is using some flaw in Apple QuickTime.
> > You can get the zip file for the JavaScript here:
> > http://secgeeks.com/what.zip
> > password is 12345
> > Can somebody guide/help me: what is this and how can I remove it?
> >
>
>
>
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings
var name = "c:\\win"+GetRandString(4)+".exe";
Kinda dumb though, as any non-admin class user won't have access to the
local folder on the root [c:\].
mar...@computer.org
http://securitymario.spaces.live.com/
-----Original Message-----
From: Jose Nazario [mailto:jo...@monkey.org]
Sent: Monday, January 14, 2008 10:44 AM
To: crazy frog crazy frog
Cc: Untitled; PenTest; bug...@securityfocus.com
Subject: Re: what is this?
On Sun, 13 Jan 2008, crazy frog crazy frog wrote:
> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?
the file you sent here contains a bunch of embedded nulls (every other
character is 00). stripping those out reveals ...
that it's a collection of browser exploits. by the looks of it it's MPack
and uses the heapspray slide stuff.
the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
as a local file c:\\mosvs8.exe and then run it.
very common exploit scenario these days (but they usually have some form
of js obfuscation going on).
i hope this helps.
________
jose nazario, ph.d. http://monkey.org/~jose/
JN> the file you sent here contains a bunch of embedded nulls (every other
JN> character is 00). stripping those out reveals ...
JN> ________
JN> jose nazario, ph.d. http://monkey.org/~jose/
This is Little Endian UCS-2 Unicode, not a bunch of embedded nulls.
Never stop to educate yourself.
--
~/ZARAZA http://securityvulns.com/
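To make the correction above concrete, here is an added Python example (not code from this thread) that applies the check an analyst should make before stripping "every other byte": detect a UTF-16-LE / UCS-2 LE sample by its BOM or by the zero-byte pattern, and decode it properly. It also shows why the naive null-strip is wrong: any character outside ASCII is corrupted. The sample text is constructed and only imitates the style of the malware; the `GetRandString` name in it is taken from the snippet quoted later in this thread.

```python
# Constructed sample: an HTML fragment with two non-ASCII characters so the
# difference between a real decode and a null-strip is visible.
SAMPLE_TEXT = ('<html><body><script>var name = "c:\\\\win" + GetRandString(4)'
               ' + ".exe"; // résumé €</script></body></html>')
SAMPLE_UTF16LE = SAMPLE_TEXT.encode("utf-16-le")   # no BOM, like the zip contents
SAMPLE_WITH_BOM = b"\xff\xfe" + SAMPLE_UTF16LE


def looks_utf16le(data, zero_ratio=0.9):
    """True if the bytes carry a UTF-16-LE BOM or if the odd-indexed bytes
    are almost all zero, which is exactly what 'every other character is 00'
    looks like for Latin text encoded as UCS-2/UTF-16 little-endian."""
    if data.startswith(b"\xff\xfe"):
        return True
    if len(data) < 4 or len(data) % 2:
        return False
    odd = data[1::2]
    return odd.count(0) / len(odd) > zero_ratio


def naive_strip_nulls(data):
    """The shortcut from the thread: drop every 0x00 byte. Works only for
    pure ASCII; U+00E9 'é' becomes a lone 0xE9 and U+20AC '€' becomes 0xAC 0x20."""
    return data.replace(b"\x00", b"")


def decode_sample(data):
    """Decode a captured sample as text, honouring UTF-16-LE when detected.
    'utf-16' consumes the BOM; without a BOM we assume little-endian,
    which is what Windows tools write."""
    if looks_utf16le(data):
        codec = "utf-16" if data.startswith(b"\xff\xfe") else "utf-16-le"
        return data.decode(codec)
    return data.decode("utf-8", errors="replace")


def compare_methods(data):
    """Return (proper decode, naive null-strip decoded as UTF-8 with
    replacement) so the corruption introduced by null-stripping is visible."""
    proper = decode_sample(data)
    naive = naive_strip_nulls(data).decode("utf-8", errors="replace")
    return proper, naive


if __name__ == "__main__":
    proper, naive = compare_methods(SAMPLE_UTF16LE)
    print("detected utf-16-le:", looks_utf16le(SAMPLE_UTF16LE))
    print("proper:", proper)
    print("naive :", naive)
```

The zero-ratio heuristic is for samples without a BOM; a Unicode-aware `file(1)` or a hex dump showing `FF FE` at offset 0 settles it immediately when the BOM is present.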
I did not look at the malware, but it is pretty obvious you have been
compromised.
Defacements today (unless for the specific reason of being "seen") are about
leaving the site the same way you find it, and infecting its user
base/visitors.
A second option is that you are secure but a "partner" such as ad sites
has been compromised and infects your users.
Naturally, a compromise can come from anywhere, but in most cases it is
something like RFI... Taosecurity linked to three great papers on the
subject of web botnets / cross-platform web malware:
http://taosecurity.blogspot.com/2007/11/great-papers-from-honeynet-project.html
Linking also to my original article here:
http://blogs.securiteam.com/index.php/archives/815
Gadi.
Each box serving the nasty javascript has been rooted. One person has
found a way to CLEAN the infection (ie. stop your server from serving
the bad javascript), however not the root hole ie. the servers in
question are still rooted as nobody so far has found what hole is being
exploited to gain root access in the first place.
See the following urls for a lot more info on this exploit:
http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
starts on page 3 or so)
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
Time for some honey pot action to find out how they're gaining root
access to begin with. From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using latest
kernels)
Cheers,
Denis
On Sun, 13 Jan 2008 21:31:34 +0530
"crazy frog crazy frog" <i.m.cra...@gmail.com> wrote:
---> Hi,
--->
---> Recently, on opening one of my sites, my antivirus pops up saying that it
---> has found a malicious script. The URL is random and I have managed to
---> get that script. It is using some flaw in Apple QuickTime.
---> You can get the zip file for the JavaScript here:
---> http://secgeeks.com/what.zip
---> password is 12345
---> Can somebody guide/help me: what is this and how can I remove it?
--->
Denis
Let me know, I am trying hard to dig into this issue.
--
> Well,
> I received many responses but none is perfect. I checked the files and
> didn't find anything embedded in my scripts or pages. Still I have to
> figure out why my antivirus randomly pops up? I mean most of the time
> it doesn't detect any infection but then suddenly this thing happens
> and then everything seems OK.
> I don't think it's a problem with my script, otherwise I could have found
> the code or it should be repeating consistently. Is anyone still facing
> this issue on techicorner.com or on tubeley.com or on
> secgeeks.com?
>
> Let me know, I am trying hard to dig into this issue.
If you would tell us the _actual_ URL where this behaviour is being
seen we would have a reasonable chance of actually diagnosing it. As
it is, we're having to guess based on matching your half-arsed
descriptions of what you think is happening with our knowledge of what
has been seen going on out there.
This may surprise you, but many thousands and thousands of sites are
compromised each day to display "similar" activity to what you've asked
us to diagnose (aka "guess").
If we could look at the actual site and see what is really happening we
should have a better (if not perfect) chance of success.
Regards,
Nick FitzGerald
Thanks again everyone for your valuable suggestions. I posted here to
share this stuff with everyone and maybe you can learn from it.
regards,
_CF
The servers are definitely 'rooted' - as in, root access is required for
what the exploit does, i.e. it has dug itself deep into the kernel and you
can't even compile a new kernel on the infected machine or even create
files or directories that start with a digit. So yeah, the servers are
rooted in every sense of the word (even the Aussie slang interpretation).
I don't believe the exploit would be nearly as damaging or dangerous if
it didn't involve root compromise.
Scott.MC explains it better on the webhostingtalk.com link posted
earlier. Cheers
Denis
On Tue, 15 Jan 2008 16:28:32 +0000
"Jamie Riden" <jamie...@gmail.com> wrote:
---> On 15/01/2008, Denis <sp...@internode.on.net> wrote:
---> > This is a very serious new threat affecting Linux servers and thousands
---> > of boxes have been compromised since December 2007.
---> >
---> > Each box serving the nasty javascript has been rooted. One person has
---> > found a way to CLEAN the infection (ie. stop your server from serving
---> > the bad javascript), however not the root hole ie. the servers in
---> > question are still rooted as nobody so far has found what hole is being
---> > exploited to gain root access in the first place.
--->
---> You don't need root to deface web servers in general. Even if the
---> attackers want to run bots, they often stay as the unprivileged user
---> they get in as. Sometimes a few privilege escalation exploits are
---> tried, but even then people seem willing to make use of normal users
---> if they can't get root.
--->
---> (Unless you meant 'root' as in 'root cause', or the Aussie sense of
---> rooted, as in 'f**ed' :)
--->
---> cheers,
---> Jamie
---> --
---> Jamie Riden / jam...@europe.com / ja...@honeynet.org.uk
---> UK Honeynet Project: http://www.ukhoneynet.org/
However, it could be a privilege escalation scenario through the
application layer .. maybe PHP, knowing its history and the fact it's
present on all the infected machines.
Anyway, nobody really knows how the initial root compromise is achieved,
but it's definitely one (a root compromise, that is).
Denis
On Tue, 15 Jan 2008 11:33:27 -0500
"Memisyazici, Aras" <ar...@vt.edu> wrote:
---> @Dennis:
--->
---> <quote>
---> (...)
---> From all reports so far it does not appear to be a
---> kernel vulnerability (as some of the affected servers were using latest
---> kernels)
---> </quote>
--->
---> And... how can you assume that exactly? What if this is an
---> unpatched/unseen kernel vulnerability?
--->
---> Aras "Russ" Memisyazici
---> IT/R&D/Security Specialist
--->
---> Outreach Information Services
---> Virginia Tech
--->
---> -----Original Message-----
---> From: Denis [mailto:sp...@internode.on.net]
---> Sent: Tuesday, January 15, 2008 12:16 AM
---> To: crazy frog crazy frog
---> Cc: bug...@securityfocus.com
---> Subject: Re: what is this?
--->
---> This is a very serious new threat affecting Linux servers and thousands
---> of boxes have been compromised since December 2007.
--->
---> Each box serving the nasty javascript has been rooted. One person has
---> found a way to CLEAN the infection (ie. stop your server from serving
---> the bad javascript), however not the root hole ie. the servers in
---> question are still rooted as nobody so far has found what hole is being
---> exploited to gain root access in the first place.
--->
---> See the following urls for a lot more info on this exploit:
--->
---> http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
---> starts on page 3 or so)
--->
---> http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
--->
---> Time for some honey pot action to find out how they're gaining root
---> access to begin with. From all reports so far it does not appear to be a
---> kernel vulnerability (as some of the affected servers were using latest
---> kernels)
--->
---> Cheers,
---> Denis
--->
--->
---> On Sun, 13 Jan 2008 21:31:34 +0530
---> "crazy frog crazy frog" <i.m.cra...@gmail.com> wrote:
--->
---> ---> Hi,
---> --->
---> ---> Recently, on opening one of my sites, my antivirus pops up saying that it
---> ---> has found a malicious script. The URL is random and I have managed to
---> ---> get that script. It is using some flaw in Apple QuickTime.
---> ---> You can get the zip file for the JavaScript here:
---> ---> http://secgeeks.com/what.zip
---> ---> password is 12345
---> ---> Can somebody guide/help me: what is this and how can I remove it?
---> --->
--->
---> Denis
<quote>
(...)
From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using latest
kernels)
</quote>
And... how can you assume that exactly? What if this is an
unpatched/unseen kernel vulnerability?
Aras "Russ" Memisyazici
IT/R&D/Security Specialist
Outreach Information Services
Virginia Tech
-----Original Message-----
From: Denis [mailto:sp...@internode.on.net]
Sent: Tuesday, January 15, 2008 12:16 AM
To: crazy frog crazy frog
Cc: bug...@securityfocus.com
Subject: Re: what is this?
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
Cheers,
Denis
---> Hi,
--->
---> Recently, on opening one of my sites, my antivirus pops up saying that it
---> has found a malicious script. The URL is random and I have managed to
---> get that script. It is using some flaw in Apple QuickTime.
---> You can get the zip file for the JavaScript here:
---> http://secgeeks.com/what.zip
---> password is 12345
---> Can somebody guide/help me: what is this and how can I remove it?
--->
Denis
--
You don't need root to deface web servers in general. Even if the
attackers want to run bots, they often stay as the unprivileged user
they get in as. Sometimes a few privilege escalation exploits are
tried, but even then people seem willing to make use of normal users
if they can't get root.
(Unless you meant 'root' as in 'root cause', or the Aussie sense of
rooted, as in 'f**ed' :)
cheers,
Jamie
--
Jamie Riden / jam...@europe.com / ja...@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
--
In recent kits, it is more likely it is user-agent based.
On Jan 15, 2008 10:52 PM, Gadi Evron <g...@linuxbox.org> wrote:
> On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> > Nick,
> > you're not getting my point, the URL is techicorner.com/{random string
> > here}, I have already mentioned it in previous posts.
> > I have read the link sent by Denis, and I would have to conclude that:
> > 1) The problem does not occur always; instead it occurs randomly based
> > on IP or something like that.
>
> In recent kits, it is more likely it is user-agent based.
>
>
> > 2) If you look at the pages on techicorner.com you will not find any
> > malicious code, so it's possible that the server is compromised and it's
> > an LKM.
> > Please refer to these links:
> > http://www.webhostingtalk.com/showthread.php?t=651748 [thanks Denis]
> >
> > Thanks again everyone for your valuable suggestions. I posted here to
> > share this stuff with everyone and maybe you can learn from it.
> >
> > regards,
> > _CF
> >
> > On Jan 15, 2008 12:15 PM, Nick FitzGerald <ni...@virus-l.demon.co.uk> wrote:
> >
> >
> >
The exploit is served the first time you load an infected page and then very
infrequently after that (it was originally thought that it is delivered
only ONCE per visiting IP, but some people put this to the test and
found that the exploit will appear more than once to a single IP/visitor;
however, it will always appear the first time you hit an infected site).
More on this in the theregister.co.uk link - follow the Comments link in
that article and read the comments.
---> I don't think it's a problem with my script, otherwise I could have found
---> the code
The machine serving the malware has been rooted ie. an LKM rootkit is in
place which replaced several system binaries and even has self-defences
in place ( eg. you can't compile a new kernel on an infected machine AND
even if you take a kernel compiled on a clean box, and boot it, it will
be infected after boot) - read the webhostingtalk link/discussion for
more info.
In short, if you need to stop the system from serving the malware there
IS a way to do it (contact Scott.MC from WHT) - he will clean the
exploit. However the thing that is still unknown is how the initial root
compromise is achieved in order for the rootkit to be installed in the
first place ie. your box is still rootable even when it gets cleaned by
Scott.
---> this issue on techicorner.com or on tubeley.com or on
---> secgeeks.com?
None of those sites load for me, I'm guessing you took the box offline
for an OS reload. Most people who performed an OS reload had the same
exploit hit them again after a very short time. Only way to stop the
exploit (not the root compromise) is to boot into a clean kernel with
the grsec patch which is set to deny writing to /dev/mem (according to
Scott) - but if your box is already compromised, you will also need to
replace the system binaries that were replaced by the rootkit, with
clean ones.
Maybe I've said too much ... all of this info is on those 2 links in my
initial reply. Read them from start to finish if you really want to
'digg this issue'
Cheers
Denis
On Tue, 15 Jan 2008 11:42:33 +0530
"crazy frog crazy frog" <i.m.cra...@gmail.com> wrote:
---> Well,
---> I received many responses but none is perfect. I checked the files and
---> didn't find anything embedded in my scripts or pages. Still I have to
---> figure out why my antivirus randomly pops up? I mean most of the time
---> it doesn't detect any infection but then suddenly this thing happens
---> and then everything seems OK.
---> I don't think it's a problem with my script, otherwise I could have found
---> the code or it should be repeating consistently. Is anyone still facing
---> this issue on techicorner.com or on tubeley.com or on
---> secgeeks.com?
--->
---> Let me know, I am trying hard to dig into this issue.
--->
---> > On Sun, 13 Jan 2008 21:31:34 +0530
---> > "crazy frog crazy frog" <i.m.cra...@gmail.com> wrote:
---> >
---> > ---> Hi,
---> >
---> > --->
---> > ---> Recently, on opening one of my sites, my antivirus pops up saying that it
---> > ---> has found a malicious script. The URL is random and I have managed to
---> > ---> get that script. It is using some flaw in Apple QuickTime.
---> > ---> You can get the zip file for the JavaScript here:
---> > ---> http://secgeeks.com/what.zip
---> > ---> password is 12345
---> > ---> Can somebody guide/help me: what is this and how can I remove it?
---> > --->
---> >
---> > Denis
---> >
--->
--->
--->
--
ys
On 13/01/2008, crazy frog crazy frog <i.m.cra...@gmail.com> wrote:
> Hi,
>
> Recently, on opening one of my sites, my antivirus pops up saying that it
> has found a malicious script. The URL is random and I have managed to
> get that script. It is using some flaw in Apple QuickTime.
> You can get the zip file for the JavaScript here:
> http://secgeeks.com/what.zip
> password is 12345
> Can somebody guide/help me: what is this and how can I remove it?
>
--
Yousef Syed
CISSP
http://www.linkedin.com/in/musashi