False Positive: php.net Malware Alert

Published: 2013-10-24
Last Updated: 2013-10-24 16:38:43 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

Update: Barracuda posted a more detailed analysis and packet capture showing that php.net may indeed have been compromissed and delivered a malicious flash file: http://barracudalabs.com/2013/10/php-net-compromise/ (thx David for pointing to this)

 

Earlier today, Google had php.net added to its list of malicious sites. The listing was the result of a false positive triggered by an obfuscated javascript file that is a legitimate part of the php.net site. At this point, the false positive appears to be resolved. 

Sadly, Google is notoriously slow in removing false positives like this. It helps if the site's administrator is signed up with Google Webmaster tools. In this case, a request for review can be filed via webmaster tools, and the administrator will be notified via e-mail if the site is added to the blocklist.

For more details, see:

https://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8%5B1-25-false%5D

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

3 comment(s)

Comments

They pcap file barracuda posted had this udp traffic.
I've never seen malware with that wide of a variety in one executable.

These addresses had back and forth udp communications.
124.43.201.66 SRI LANKA
190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
202.29.179.251 THAILAND
24.142.33.67 CANADA

These addresses were sent udp but never answered back
105.129.8.196 MOROCCO
112.200.137.206 PHILIPPINES
113.162.57.138 VIET NAM
114.207.201.74 KOREA, REPUBLIC OF
118.175.165.41 THAILAND
121.73.83.62 NEW ZEALAND
153.166.2.103 JAPAN
178.34.223.52 RUSSIAN FEDERATION
182.160.5.97 MONGOLIA
185.12.43.63 MONTENEGRO
186.55.140.138 URUGUAY
186.88.99.237 VENEZUELA, BOLIVARIAN REPUBLIC OF
187.245.116.205 MEXICO
197.228.246.213 SOUTH AFRICA
197.7.33.65 TUNISIA
202.123.181.178 LAO PEOPLE'S DEMOCRATIC REPUBLIC
203.81.69.155 MYANMAR
212.85.174.80 SLOVENIA
218.186.195.105 SINGAPORE
219.68.96.128 TAIWAN, PROVINCE OF CHINA
31.169.11.208 KAZAKHSTAN
37.237.75.66 IRAQ
37.243.218.70 SAUDI ARABIA
46.40.32.154 SERBIA
5.102.206.178 ISRAEL
5.12.127.206 ROMANIA
5.234.117.85 IRAN, ISLAMIC REPUBLIC OF
5.254.141.186 SWEDEN
70.45.207.23 PUERTO RICO
72.252.207.108 UNITED STATES
78.177.67.219 TURKEY
79.54.68.43 ITALY
84.202.148.220 NORWAY
92.245.193.137 SLOVAKIA
93.116.10.207 MOLDOVA, REPUBLIC OF
95.180.241.120 MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
95.68.74.55 LATVIA
PHP.net have now acknowledged a compromise:

http://php.net/archive/2013.php#id2013-10-24-1
AFAK this is Magnitude EK exploiting CVE-2013-2551

/userprefs.js (Malicious JS)
hxxp://url.whichusb.co.uk/stat.html (Redir)
hxxp://url.whichusb.co.uk/PluginDetect_All.js (Plugin Detect)
hxxp://url.whichusb.co.uk/stat.htm (POST)
hxxp://aes.whichdigitalphoto.co.uk/nid?1 (Redir)
hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 (Magnitude Gate)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/8fdc5f9653bb42a310b96f5fb203815b.swf (404)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/b7fc797c851c250e92de05cbafe98609 (CVE-2013-2551)

Diary Archives