DONT UPGRADE

A place for security related announcements and discussions - please check this forum frequently!
twc
Posts: 233
Joined: Fri Jun 18, 2010 12:25 am
Location: Netherlands

Re: DONT UPGRADE

Post by twc » Fri Oct 19, 2012 9:05 pm

cmb wrote:
twc wrote:fter delit all htm files on server and replace my backup files to ftp....no popup malware
That indicates, that your FTP client is "clean".

But I really don't know where to look. Could you please send me one of the infected files?
i found file....cant send it email block it so i drop it on my ftp... its html file

i have send you email for link

cmb
Posts: 12719
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 9:29 pm

Thanks! I'll have a look at it immediately.
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

cmb
Posts: 12719
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: DONT UPGRADE

Post by cmb » Fri Oct 19, 2012 11:43 pm

Hello Community,

to keep you updated: the file twc sent me indeed contained injected code. It was a <script src="...">. Most of the time I browsed the given URL (it had no file extension, but apparently is expecting a GET parameter), I was redirected, but once it returned a JS, that would have been inserted an invisible IFrame. :evil:

Unfortunately I wasn't able to find out more about this malware, yet. But I have my doubts, that it is contained in the CMSimple_XH ZIP files, though. In the meantime I have installed the test version of Eset Smart Security 5 and updated the database -- but the file isn't reported as containing malware :?

I'll wait what my virus scan reports when it's finished (probably tomorrow morning), and investigate further.

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

cmb
Posts: 12719
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: DONT UPGRADE

Post by cmb » Sat Oct 20, 2012 11:34 am

Hello Community,

the scan took longer than expected (nearly 14h). It didn't find any Trojan:JS/BlacoleRef.A (MS's name for ESET's HTML/ScrInject.B.Gen) despite the fact, that I have several versions of CMSimple_XH 1.5.5 on my PC, and that MS states, that recent versions of MSSE are able to detect the trojan.

Unfortunately the information in the mentioned MS malware encyclopedia entry doesn't reveal many details about the trojan, besides that it's JS based. It seems that ESET doesn't even reveal any details about the malware, besides that it was the top threat in December 2011.

However, the scan found an instance of Trojan:Win32/Sisron, which seems to be a severe threat. So I have to take further measures to check my PC for malware. This might well take the weekend; I'll report back as soon as I have more information.

In the meantime it would be nice, if others could confirm that either there are problems with the ZIPs or not.

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

jojorun
Posts: 41
Joined: Sat Feb 14, 2009 2:41 pm

Re: DONT UPGRADE

Post by jojorun » Mon Oct 22, 2012 8:19 pm

hi,

I´m also no problem found.

The files CMSimple_XH_155.zip and CMSimple_XH_Upgrade_15_to_155.zip are checked with Kaspersky 13.0.1.4190 and ESET Nod32 Version 5.0.95.0
No messages while downloading and after unzip.

tanavots
Posts: 69
Joined: Sat Feb 25, 2012 4:18 pm

Re: DONT UPGRADE

Post by tanavots » Tue Oct 23, 2012 5:31 am

Also, no problem found with F-Secure 9.20. Turned on F-Secure Browsing Protection Toolbar and Web Traffic Scanning and nothing suspicious found during surfing in CM_Simple 1.5.5 website.
Scanned files in PC with Malwarebytes Anti-Malware with same result - nothing found.

cmb
Posts: 12719
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: DONT UPGRADE

Post by cmb » Tue Oct 23, 2012 7:56 pm

Hello Community,

@jojorun and tanavots: thanks for your feedback. :)

After I scanned my computer with MS Security Essentials, I did another scan with Malwarebytes Anti Malware, and that found another trojan. After deleting it, I've scanned with Gmer, and this reported a suspicious hidden service. After deleting this service, my system was nearly unusable (no taskbar, no more networking, no more moving and copying of files from the explorer), so I decided to set it up anew (it needed some thorough cleaning anyway).

In the meantime I further looked for information about the HTML/SrcInject.B.Gen virus, but was not able to find something really useful. So I still have no clue, where to look for possibly infected files (checking all <script>s manually is quite pointless due to the many JS files of tinyMCE, which could be infected as well). I furthermore searched for related information (e.g. any infection of tinyMCE or jQuery), but I didn't find anything (besides that there are domains with similar names to http://jquery.com/ that offer manipulated jQuery files).

Something really useful I found while googling is http://sitecheck.sucuri.net/scanner/, where one can scan a website for malware.

As others haven't found anything suspicious, I assume the ZIPs don't contain any malware.

@twc: do you have any news about the issue?

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

Korvell
Posts: 93
Joined: Thu May 22, 2008 10:33 pm

Re: DONT UPGRADE

Post by Korvell » Tue Oct 23, 2012 8:29 pm

How about checking up with VirusTotal?

twc
Posts: 233
Joined: Fri Jun 18, 2010 12:25 am
Location: Netherlands

Re: DONT UPGRADE

Post by twc » Wed Oct 24, 2012 7:39 am

i build this script in my website.............
think this are the problem !

http://www.phpjunkyard.com/php-click-counter.php

Trojan.Win32.Obfuscated.f

[ external image ]

cmb
Posts: 12719
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: DONT UPGRADE

Post by cmb » Wed Oct 24, 2012 10:57 am

Hi twc, hi Korvell,
twc wrote:i build this script in my website.............
think this are the problem !

http://www.phpjunkyard.com/php-click-counter.php

Trojan.Win32.Obfuscated.f
Actually this is a false positive. The script uses an obfuscation technique to protect the intellectual property of the author, which is apparently used by malware too, but in this case it's harmless. But I won't recommend using this script for other reasons (see the discussion in http://cmsimpleforum.com/viewtopic.php? ... 728#p28451).
Korvell wrote:How about checking up with VirusTotal?
I checked my 1.5.5 site with VirusTotal yesterday. Everything ok. But uploading all 649 files contained in the full version ZIP to check them would take too much time. I'll have a look at the API to see, if that can be automated with a reasonable amount of work.

Christoph
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

Post Reply