Update: Barracuda posted a more detailed analysis and a packet capture showing that php.net may indeed have been compromised and delivered a malicious Flash file: http://barracudalabs.com/2013/10/php-net-compromise/ (thanks to David for pointing this out).
Earlier today, Google added php.net to its list of malicious sites. The listing was a false positive triggered by an obfuscated JavaScript file that is a legitimate part of the php.net site. At this point, the false positive appears to be resolved. Sadly, Google is notoriously slow in removing false positives like this. It helps if the site's administrator is signed up with Google Webmaster Tools: a request for review can then be filed via Webmaster Tools, and the administrator will be notified via e-mail if the site is added to the blacklist. For more details, see: https://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8%5B1-25-false%5D
Johannes B. Ullrich, Ph.D., ISC Handler
Oct 24th 2013
The pcap file Barracuda posted had this UDP traffic.
I've never seen malware with that wide of a variety in one executable. These addresses had back and forth UDP communications:
124.43.201.66 SRI LANKA
190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
202.29.179.251 THAILAND
24.142.33.67 CANADA
These addresses were sent UDP but never answered back:
105.129.8.196 MOROCCO
112.200.137.206 PHILIPPINES
113.162.57.138 VIET NAM
114.207.201.74 KOREA, REPUBLIC OF
118.175.165.41 THAILAND
121.73.83.62 NEW ZEALAND
153.166.2.103 JAPAN
178.34.223.52 RUSSIAN FEDERATION
182.160.5.97 MONGOLIA
185.12.43.63 MONTENEGRO
186.55.140.138 URUGUAY
186.88.99.237 VENEZUELA, BOLIVARIAN REPUBLIC OF
187.245.116.205 MEXICO
197.228.246.213 SOUTH AFRICA
197.7.33.65 TUNISIA
202.123.181.178 LAO PEOPLE'S DEMOCRATIC REPUBLIC
203.81.69.155 MYANMAR
212.85.174.80 SLOVENIA
218.186.195.105 SINGAPORE
219.68.96.128 TAIWAN, PROVINCE OF CHINA
31.169.11.208 KAZAKHSTAN
37.237.75.66 IRAQ
37.243.218.70 SAUDI ARABIA
46.40.32.154 SERBIA
5.102.206.178 ISRAEL
5.12.127.206 ROMANIA
5.234.117.85 IRAN, ISLAMIC REPUBLIC OF
5.254.141.186 SWEDEN
70.45.207.23 PUERTO RICO
72.252.207.108 UNITED STATES
78.177.67.219 TURKEY
79.54.68.43 ITALY
84.202.148.220 NORWAY
92.245.193.137 SLOVAKIA
93.116.10.207 MOLDOVA, REPUBLIC OF
95.180.241.120 MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
95.68.74.55 LATVIA
techhelplist.com
Oct 24th 2013
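The split the comment above makes by hand (peers that replied over UDP versus peers that were only ever sent to) is quick to automate once the capture is exported as fields. The following is an added example, not code from the ISC diary or from the commenter: it assumes a tab-separated export in the order `frame.time_relative`, `ip.src`, `ip.dst`, `udp.dstport` (as `tshark -T fields` would print; that field order is an assumption), and the host and peer addresses in the sample are constructed.

```python
"""Split the UDP peers of one host into "answered" and "never answered".

Added example, not code from the ISC diary or from the commenter. It assumes a
tab-separated tshark field export (time, src, dst, dstport); the host and peer
addresses in SAMPLE are constructed documentation-range values.
"""
from collections import defaultdict

# constructed: the host in the capture whose UDP peers we want to classify
HOST = "10.0.0.5"

# constructed sample in the assumed tshark field order: time, src, dst, dstport
SAMPLE = """\
0.000\t10.0.0.5\t198.51.100.7\t6000
0.310\t198.51.100.7\t10.0.0.5\t6000
1.000\t10.0.0.5\t203.0.113.9\t6000
1.120\t10.0.0.5\t203.0.113.9\t6000
2.000\t10.0.0.5\t192.0.2.44\t6000
2.240\t192.0.2.44\t10.0.0.5\t6000
3.000\t10.0.0.5\t198.51.100.200\t7000
"""


def parse_udp_fields(text):
    """Parse tshark-style lines into (time, src, dst, dport) tuples, skipping malformed ones."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        t, src, dst, dport = parts
        try:
            rows.append((float(t), src, dst, int(dport)))
        except ValueError:
            continue
    return rows


def classify_peers(rows, host):
    """Return (answered, unanswered): peers that sent at least one datagram back
    to `host` versus peers that `host` contacted but that never replied."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for _, src, dst, _ in rows:
        if src == host:
            sent[dst] += 1
        elif dst == host:
            received[src] += 1
    answered = sorted(p for p in sent if received[p] > 0)
    unanswered = sorted(p for p in sent if received[p] == 0)
    return answered, unanswered


def unanswered_ratio(rows, host):
    """Fraction of contacted peers that never replied. A high ratio across many
    distinct peers in many countries is the pattern the comment describes and is
    a reason to pull the host for closer inspection."""
    answered, unanswered = classify_peers(rows, host)
    total = len(answered) + len(unanswered)
    return len(unanswered) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_udp_fields(SAMPLE)
    answered, unanswered = classify_peers(rows, HOST)
    print("answered  :", answered)
    print("unanswered:", unanswered)
    print("unanswered ratio: %.2f" % unanswered_ratio(rows, HOST))
```

Feeding the real export in place of `SAMPLE` gives the two lists the comment typed out by hand; a GeoIP lookup over `unanswered` then reproduces the country spread.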
PHP.net have now acknowledged a compromise:
http://php.net/archive/2013.php#id2013-10-24-1
DR
Oct 24th 2013
AFAIK this is Magnitude EK exploiting CVE-2013-2551:
/userprefs.js (Malicious JS)
hxxp://url.whichusb.co.uk/stat.html (Redir)
hxxp://url.whichusb.co.uk/PluginDetect_All.js (Plugin Detect)
hxxp://url.whichusb.co.uk/stat.htm (POST)
hxxp://aes.whichdigitalphoto.co.uk/nid?1 (Redir)
hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 (Magnitude Gate)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/8fdc5f9653bb42a310b96f5fb203815b.swf (404)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/b7fc797c851c250e92de05cbafe98609 (CVE-2013-2551)
DR
Oct 24th 2013
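The chain DR lists is a sequence of hosts, so the useful incident-response question is which clients in the proxy log went how far along it. The following is an added example, not code from the ISC diary or from the commenter: the three chain hosts are the ones listed in the comment; the log format (epoch, client, method, URL, status), the client addresses and the log lines themselves are constructed for the sample.

```python
"""Correlate proxy log lines against the redirect chain listed in the comment above.

Added example, not code from the ISC diary or from the commenter. The chain
hosts come from the comment; the log format and the client addresses are
assumptions, and SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import urlsplit

# Hosts of the chain in the order the comment gives them. php.net itself is left
# out on purpose: the tampered userprefs.js lived there, but the host is legitimate.
CHAIN_HOSTS = [
    "url.whichusb.co.uk",           # redirector and PluginDetect stage
    "aes.whichdigitalphoto.co.uk",  # second redirector
    "zivvgmyrwy.3razbave.info",     # Magnitude gate and exploit host
]

# constructed sample: one client follows the chain to the gate, one stops at the
# first redirector, one only fetched ordinary php.net content
SAMPLE_LOG = """\
1382600001 10.1.1.20 GET http://www.php.net/userprefs.js 200
1382600002 10.1.1.20 GET http://url.whichusb.co.uk/stat.html 200
1382600003 10.1.1.20 GET http://url.whichusb.co.uk/PluginDetect_All.js 200
1382600004 10.1.1.20 POST http://url.whichusb.co.uk/stat.htm 200
1382600005 10.1.1.20 GET http://aes.whichdigitalphoto.co.uk/nid?1 302
1382600006 10.1.1.20 GET http://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 200
1382600007 10.1.1.31 GET http://www.php.net/userprefs.js 200
1382600008 10.1.1.31 GET http://url.whichusb.co.uk/stat.html 200
1382600009 10.1.1.42 GET http://www.php.net/index.php 200
"""

# assumed log line shape: "<epoch> <client> <METHOD> <url> <status>"
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_proxy_log(text):
    """Parse log lines into dicts with the URL's host split out; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        records.append({
            "ts": int(ts), "client": client, "method": method,
            "url": url, "host": urlsplit(url).hostname, "status": int(status),
        })
    return records


def chain_progress(records):
    """Return {client: (furthest_stage_index, [chain hosts hit, in order])}.

    Consecutive hits on the same host are collapsed so the list reads as the
    redirect path; the stage index says how deep into the chain the client got."""
    progress = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["host"] not in CHAIN_HOSTS:
            continue
        stage = CHAIN_HOSTS.index(r["host"])
        best, hosts = progress.get(r["client"], (-1, []))
        if not hosts or hosts[-1] != r["host"]:
            hosts = hosts + [r["host"]]
        progress[r["client"]] = (max(best, stage), hosts)
    return progress


def clients_reaching_gate(records):
    """Clients that reached the last chain host; these are the ones to image first."""
    last = len(CHAIN_HOSTS) - 1
    return sorted(c for c, (stage, _) in chain_progress(records).items() if stage == last)


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    for client, (stage, hosts) in sorted(chain_progress(recs).items()):
        print(client, "stage", stage, "->", " > ".join(hosts))
    print("reached gate:", clients_reaching_gate(recs))
```

Clients that stopped at the first redirector are still worth a look (the PluginDetect stage fingerprints the browser), but the ones that reached the gate are the ones whose Flash and IE plugin state should be checked against the CVE the comment names.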