INFECTION!!!

A place for security related announcements and discussions - please check this forum frequently!
Post Reply
Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

INFECTION!!!

Post by Tata » Tue Sep 17, 2013 4:08 pm

Almost all websites on my domain were infected agsain. I don't know how is it possible.
Infected files are:

FS JavaScript Popup Date Selector
root/index.php
login.php
content.htm

Also other index.php files and htm, html files are infected.

Infecting code starts and ends with commented "a9a007" and is written in two very long lines of encrypted script.

It is placed on various places, bud mostly corrupts files.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: INFECTION!!!

Post by Tata » Tue Sep 17, 2013 6:33 pm

here is the infecting code

http://prntscr.com/1rvh2n
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: INFECTION!!!

Post by cmb » Tue Sep 17, 2013 6:49 pm

Tata wrote:I don't know how is it possible.
It's hard to say. However, it might be useful to find it out. Maybe you have some success finding out more about this particular infection by googling for parts of the injected scripts. Searching for "infection a9a007" only brought up this: http://www.webhostingtalk.com/showthrea ... &p=8841808.
Tata wrote:Infected files are:
[...]
root/index.php
[...]
Has the file been writable by the webserver? If not, the attack probably had happened via FTP. :evil:

Ah, I've just seen the link you've posted. Can you please send me the code by email in a textual format (save as .txt and zip it, or so).
Christoph M. Becker – Plugins for CMSimple_XH

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: INFECTION!!!

Post by cmb » Tue Sep 17, 2013 8:27 pm

Well, I have quickly analysed the code, and it is a typical IFRAME insertion attack. The IFRAMES src attribute points to a PHP script, which seems to redirect to different sites/scripts depending on whatever (the USER_AGENT seems to play a role at least). So what actually may happen if someone visits an infected site, is not clear. In the worst case they might try to exploit a vulnerability of the browser or a browser plugin.

Further googling brought up not much more info. The only thing was an entry on http://sitecheck.sucuri.net/results/ber ... ncescan.nl, which list basically identical malware, and http://ninjafirewall.com/malware/index. ... 3-06-18.01 which is a close variation.
Christoph M. Becker – Plugins for CMSimple_XH

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: INFECTION!!!

Post by Tata » Tue Sep 17, 2013 8:50 pm

I can ask my ISP to restore the whole domain from the server backup .I made no changes a couple of days back, so there is a chance to have everythin fine. Now I found that all infected files have the same date of last change - 17/092013 14:00 - 14:50. So this was the attack time. Anyway, I load the antire doman to my MAC and will clean all files. Will see what happens tomorrow.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia
Contact:

Re: INFECTION!!!

Post by Tata » Fri Jul 18, 2014 6:09 am

mariashina wrote:scripts are often thought as a virus.
Well, I would say VIRUSES ARE SCRIPTS. Anyway, if such script - which doesn't belong to your CMS - occures in it, it is always that somebody tries to make something on/by/due/with your website thta is sure out of oyur intention.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

Post Reply