False Positive: php.net Malware Alert - SANS Internet Storm Center

False Positive: php.net Malware Alert
Update: Barracuda posted a more detailed analysis and packet capture showing that php.net may indeed have been compromissed and delivered a malicious flash file: http://barracudalabs.com/2013/10/php-net-compromise/ (thx David for pointing to this) Earlier today, Google had php.net added to its list of malicious sites. The listing was the result of a false positive triggered by an obfuscated javascript file that is a legitimate part of the php.net site. At this point, the false positive appears to be resolved. Sadly, Google is notoriously slow in removing false positives like this. It helps if the site's administrator is signed up with Google Webmaster tools. In this case, a request for review can be filed via webmaster tools, and the administrator will be notified via e-mail if the site is added to the blacklist. For more details, see: https://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8%5B1-25-false%5D ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Intrusion Detection In-Depth - SANS Madrid March 2019	Johannes 3390 Posts ISC Handler
Reply Subscribe	Oct 24th 2013 5 years ago
They pcap file barracuda posted had this udp traffic. I've never seen malware with that wide of a variety in one executable. These addresses had back and forth udp communications. 124.43.201.66 SRI LANKA 190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF 202.29.179.251 THAILAND 24.142.33.67 CANADA These addresses were sent udp but never answered back 105.129.8.196 MOROCCO 112.200.137.206 PHILIPPINES 113.162.57.138 VIET NAM 114.207.201.74 KOREA, REPUBLIC OF 118.175.165.41 THAILAND 121.73.83.62 NEW ZEALAND 153.166.2.103 JAPAN 178.34.223.52 RUSSIAN FEDERATION 182.160.5.97 MONGOLIA 185.12.43.63 MONTENEGRO 186.55.140.138 URUGUAY 186.88.99.237 VENEZUELA, BOLIVARIAN REPUBLIC OF 187.245.116.205 MEXICO 197.228.246.213 SOUTH AFRICA 197.7.33.65 TUNISIA 202.123.181.178 LAO PEOPLE'S DEMOCRATIC REPUBLIC 203.81.69.155 MYANMAR 212.85.174.80 SLOVENIA 218.186.195.105 SINGAPORE 219.68.96.128 TAIWAN, PROVINCE OF CHINA 31.169.11.208 KAZAKHSTAN 37.237.75.66 IRAQ 37.243.218.70 SAUDI ARABIA 46.40.32.154 SERBIA 5.102.206.178 ISRAEL 5.12.127.206 ROMANIA 5.234.117.85 IRAN, ISLAMIC REPUBLIC OF 5.254.141.186 SWEDEN 70.45.207.23 PUERTO RICO 72.252.207.108 UNITED STATES 78.177.67.219 TURKEY 79.54.68.43 ITALY 84.202.148.220 NORWAY 92.245.193.137 SLOVAKIA 93.116.10.207 MOLDOVA, REPUBLIC OF 95.180.241.120 MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF 95.68.74.55 LATVIA	techhelplist.com 9 Posts
Reply Quote	Oct 24th 2013 5 years ago
PHP.net have now acknowledged a compromise: http://php.net/archive/2013.php#id2013-10-24-1	DR 4 Posts
Reply Quote	Oct 24th 2013 5 years ago
AFAK this is Magnitude EK exploiting CVE-2013-2551 /userprefs.js (Malicious JS) hxxp://url.whichusb.co.uk/stat.html (Redir) hxxp://url.whichusb.co.uk/PluginDetect_All.js (Plugin Detect) hxxp://url.whichusb.co.uk/stat.htm (POST) hxxp://aes.whichdigitalphoto.co.uk/nid?1 (Redir) hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 (Magnitude Gate) hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/8fdc5f9653bb42a310b96f5fb203815b.swf (404) hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/b7fc797c851c250e92de05cbafe98609 (CVE-2013-2551)	DR 1 Posts
Reply Quote	Oct 24th 2013 5 years ago

Update: Barracuda posted a more detailed analysis and packet capture showing that php.net may indeed have been compromissed and delivered a malicious flash file: http://barracudalabs.com/2013/10/php-net-compromise/ (thx David for pointing to this)

Earlier today, Google had php.net added to its list of malicious sites. The listing was the result of a false positive triggered by an obfuscated javascript file that is a legitimate part of the php.net site. At this point, the false positive appears to be resolved.

Sadly, Google is notoriously slow in removing false positives like this. It helps if the site's administrator is signed up with Google Webmaster tools. In this case, a request for review can be filed via webmaster tools, and the administrator will be notified via e-mail if the site is added to the blacklist.

For more details, see:

https://productforums.google.com/forum/#!topic/webmasters/puLmvjtK0m8%5B1-25-false%5D

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Madrid March 2019

Johannes

3390 Posts
ISC Handler

They pcap file barracuda posted had this udp traffic.
I've never seen malware with that wide of a variety in one executable.

These addresses had back and forth udp communications.
124.43.201.66 SRI LANKA
190.206.224.248 VENEZUELA, BOLIVARIAN REPUBLIC OF
202.29.179.251 THAILAND
24.142.33.67 CANADA

These addresses were sent udp but never answered back
105.129.8.196 MOROCCO
112.200.137.206 PHILIPPINES
113.162.57.138 VIET NAM
114.207.201.74 KOREA, REPUBLIC OF
118.175.165.41 THAILAND
121.73.83.62 NEW ZEALAND
153.166.2.103 JAPAN
178.34.223.52 RUSSIAN FEDERATION
182.160.5.97 MONGOLIA
185.12.43.63 MONTENEGRO
186.55.140.138 URUGUAY
186.88.99.237 VENEZUELA, BOLIVARIAN REPUBLIC OF
187.245.116.205 MEXICO
197.228.246.213 SOUTH AFRICA
197.7.33.65 TUNISIA
202.123.181.178 LAO PEOPLE'S DEMOCRATIC REPUBLIC
203.81.69.155 MYANMAR
212.85.174.80 SLOVENIA
218.186.195.105 SINGAPORE
219.68.96.128 TAIWAN, PROVINCE OF CHINA
31.169.11.208 KAZAKHSTAN
37.237.75.66 IRAQ
37.243.218.70 SAUDI ARABIA
46.40.32.154 SERBIA
5.102.206.178 ISRAEL
5.12.127.206 ROMANIA
5.234.117.85 IRAN, ISLAMIC REPUBLIC OF
5.254.141.186 SWEDEN
70.45.207.23 PUERTO RICO
72.252.207.108 UNITED STATES
78.177.67.219 TURKEY
79.54.68.43 ITALY
84.202.148.220 NORWAY
92.245.193.137 SLOVAKIA
93.116.10.207 MOLDOVA, REPUBLIC OF
95.180.241.120 MACEDONIA, THE FORMER YUGOSLAV REPUBLIC OF
95.68.74.55 LATVIA

techhelplist.com

9 Posts

PHP.net have now acknowledged a compromise:

http://php.net/archive/2013.php#id2013-10-24-1

DR

4 Posts

AFAK this is Magnitude EK exploiting CVE-2013-2551

/userprefs.js (Malicious JS)
hxxp://url.whichusb.co.uk/stat.html (Redir)
hxxp://url.whichusb.co.uk/PluginDetect_All.js (Plugin Detect)
hxxp://url.whichusb.co.uk/stat.htm (POST)
hxxp://aes.whichdigitalphoto.co.uk/nid?1 (Redir)
hxxp://zivvgmyrwy.3razbave.info/?695e6cca27beb62ddb0a8ea707e4ffb8=43 (Magnitude Gate)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/8fdc5f9653bb42a310b96f5fb203815b.swf (404)
hxxp://zivvgmyrwy.3razbave.info/b0047396f70a98831ac1e3b25c324328/b7fc797c851c250e92de05cbafe98609 (CVE-2013-2551)

DR
1 Posts