Mailing List Archive: Bugtraq

what is this?


i.m.crazy.frog at gmail

Jan 13, 2008, 8:01 AM

Post #1 of 18 (11659 views)
what is this?

Hi,

Recently, on opening one of my sites, my antivirus pops up saying that it
has found a malicious script. The URL is random and I have managed to
get that script. It is using some flaw in Apple QuickTime.
You can get the zip file for the JavaScript here:
http://secgeeks.com/what.zip
The password is 12345.
Can somebody guide/help me: what is this and how can I remove it?

--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com


i.m.crazy.frog at gmail

Jan 13, 2008, 9:33 AM

Post #2 of 18 (11329 views)
Re: what is this? [In reply to]

More: it's not JavaScript, it looks like an HTML page (notice the <html>
and <body> tags in the file). There is also a random function which
generates the random string that is used to store the files on the C drive
and maybe for the random URL. It's trying to play MP3 and other
files. It all looks messed up. Maybe there is another script which is
getting embedded in pages, which infect by calling this script?




--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com


admin at tkroupa

Jan 14, 2008, 7:29 AM

Post #3 of 18 (11338 views)
Re: what is this? [In reply to]

Well, was this embedded in your page source code? Or was the link just posted to it? It's using some Apple QuickTime exploit to drop, probably, some botnet program onto the victim's hard disk, into c://win<4 character random string here>.exe. If I'm right, the original file was located at techicorner.com/bcuoixqf, although I can't find it now. Hope this helps.


robertmcardle at gmail

Jan 14, 2008, 7:44 AM

Post #4 of 18 (11328 views)
Re: what is this? [In reply to]

Looks like your site was compromised along with several hundred others
in the last day or so.

A full account is up on
http://blog.trendmicro.com/e-commerce-sites-invaded/ but the JS you
posted is exactly the same as the one used in those attacks. I'm
guessing you have JavaScript tags embedded in your pages that pointed to a
randomly named .js in the same directory, right?

Robert McArdle
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings





jose at monkey

Jan 14, 2008, 7:44 AM

Post #5 of 18 (11337 views)
Re: what is this? [In reply to]

On Sun, 13 Jan 2008, crazy frog crazy frog wrote:

> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?

The file you sent here contains a bunch of embedded nulls (every other
character is 00). Stripping those out reveals ...

that it's a collection of browser exploits. By the looks of it, it's MPack
and uses the heap spray slide stuff.

The goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
as a local file c:\\mosvs8.exe and then run it.


Very common exploit scenario these days (but they usually have some form
of JS obfuscation going on).

I hope this helps.

________
jose nazario, ph.d. http://monkey.org/~jose/


i.m.crazy.frog at gmail

Jan 14, 2008, 7:56 AM

Post #6 of 18 (11330 views)
Re: what is this? [In reply to]

Yep, there is one Yahoo Messenger exploit too.




--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com


robertmcardle at gmail

Jan 14, 2008, 7:59 AM

Post #7 of 18 (11339 views)
Re: what is this? [In reply to]

Apologies, I should clarify.

In this attack, legitimate pages on a site are first populated with
HTML tags embedding JavaScript like so:

<script language='JavaScript' type='text/javascript' src='{random name}.js'></script>

These all point to the page you sent on. All the MP3, QuickTime, etc.
stuff are exploits that are launched against the browser of the victim
who browses to the site.

The full descriptions of the various exploits are linked off
http://blog.trendmicro.com/e-commerce-sites-invaded/

Robert McArdle
--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings




--
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings
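The injected tag Robert describes is a concrete thing a site owner can scan for. The following is an added example written for this thread (not code from Trend Micro or from any poster): it parses HTML for external script tags and flags those that are not in the site's known script inventory and look like the random-named local .js in the pattern above. The sample page, the inventory and the "random name" regex are constructed assumptions, not values stated in the thread.

```python
"""Find <script src='{random}.js'> tags of the kind described in the thread.

Added example for this thread; the page, inventory and name heuristic below are
constructed assumptions, not details taken from the thread or the Trend Micro post.
"""
import os
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple

# Assumption: an injected local script name is a bare run of lowercase letters
# and digits with no path component, e.g. 'kxqzwvtb.js'. Legitimate names that
# match this are rescued by the inventory check below.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6,}\.js$")


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            d = {k.lower(): (v or "") for k, v in attrs}
            if "src" in d:
                self.scripts.append(d)


def suspicious_scripts(html: str, known: Set[str]) -> List[Tuple[str, str]]:
    """Return (src, reasons) for script tags that are not in `known` and show
    at least one further tell: a random-looking bare filename, or the obsolete
    language='JavaScript' attribute used by the injected tag in the thread."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs["src"].strip()
        name = src.rsplit("/", 1)[-1]
        reasons = []
        if src not in known and name not in known:
            reasons.append("not in script inventory")
        if "/" not in src and RANDOM_NAME.match(name):
            reasons.append("random-looking local filename")
        if attrs.get("language", "").lower() == "javascript":
            reasons.append("obsolete language= attribute")
        # Unknown alone is noisy on a real site; require one more tell.
        if "not in script inventory" in reasons and len(reasons) >= 2:
            findings.append((src, "; ".join(reasons)))
    return findings


def scan_directory(root: str, known: Set[str],
                   exts=(".html", ".htm", ".php")) -> List[Tuple[str, str, str]]:
    """Walk a document root and report (path, src, reasons) for every hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for src, why in suspicious_scripts(fh.read(), known):
                        hits.append((path, src, why))
    return hits


# Constructed sample page: one legitimate script and one injected tag shaped
# like the one quoted in the thread.
SAMPLE_PAGE = """<html><head>
<script type='text/javascript' src='/js/jquery.js'></script>
<script language='JavaScript' type='text/javascript' src='kxqzwvtb.js'></script>
</head><body><p>shop</p></body></html>"""
KNOWN_SCRIPTS = {"/js/jquery.js", "jquery.js", "analytics.js"}

if __name__ == "__main__":
    for src, why in suspicious_scripts(SAMPLE_PAGE, KNOWN_SCRIPTS):
        print(f"suspicious: {src} ({why})")
```

Point `scan_directory` at the document root and build `known` from your deployed source tree; anything it reports is then a real difference between what you shipped and what the server serves.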


marioc at computer

Jan 14, 2008, 11:09 AM

Post #8 of 18 (11335 views)
RE: what is this? [In reply to]

Looks like the local name is actually more random:

var name = "c:\\win"+GetRandString(4)+".exe";

Kinda dumb though, as any non-admin class user won't have access to the
local folder on the root [c:\].

marioc [at] computer
http://securitymario.spaces.live.com/





3APA3A at SECURITY

Jan 14, 2008, 1:39 PM

Post #9 of 18 (11352 views)
Re[2]: [Full-disclosure] what is this? [In reply to]

Dear Jose Nazario,


JN> The file you sent here contains a bunch of embedded nulls (every other
JN> character is 00). Stripping those out reveals ...
JN> ________
JN> jose nazario, ph.d. http://monkey.org/~jose/

This is Little Endian UCS-2 Unicode, not a bunch of embedded nulls.
Never stop educating yourself.

--
~/ZARAZA http://securityvulns.com/
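Jose's "every other character is 00" and 3APA3A's correction are the same observation: the sample is UTF-16-LE (UCS-2) text. The following is an added example for this thread, not code from either poster: it recognises the encoding from a BOM or from the null-byte pattern and decodes it properly, and shows why simply stripping the nulls is lossy for anything outside ASCII. The sample bytes are constructed, not the file from the thread.

```python
"""Detect and decode UTF-16/UCS-2 samples that look like "every other byte is null".

Added example for this thread; the sample text below is constructed and is
not the file discussed.
"""
from typing import Optional, Tuple


def guess_wide_encoding(data: bytes, sample_len: int = 512) -> Optional[str]:
    """Return 'utf-16-le', 'utf-16-be' or None, from the BOM or the null pattern."""
    if data.startswith(b"\xff\xfe"):
        return "utf-16-le"
    if data.startswith(b"\xfe\xff"):
        return "utf-16-be"
    head = data[:sample_len]
    if len(head) < 4:
        return None
    pairs = len(head) // 2
    even_nulls = sum(1 for b in head[0::2] if b == 0)  # byte 0, 2, 4, ...
    odd_nulls = sum(1 for b in head[1::2] if b == 0)   # byte 1, 3, 5, ...
    # ASCII text in UTF-16-LE puts the null in the high (odd) byte of each pair;
    # UTF-16-BE puts it in the low (even) byte. Allow a few non-ASCII characters.
    if odd_nulls >= 0.9 * pairs and even_nulls < 0.1 * pairs:
        return "utf-16-le"
    if even_nulls >= 0.9 * pairs and odd_nulls < 0.1 * pairs:
        return "utf-16-be"
    return None


def decode_sample(data: bytes) -> Tuple[str, str]:
    """Decode a captured sample with the detected encoding; fall back to UTF-8."""
    enc = guess_wide_encoding(data)
    if enc is None:
        return "utf-8", data.decode("utf-8", errors="replace")
    body = data[2:] if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data
    return enc, body.decode(enc)


def strip_nulls_naively(data: bytes) -> str:
    """What 'stripping the nulls' does: correct only for pure-ASCII content."""
    return bytes(b for b in data if b != 0).decode("latin-1")


# Constructed sample: a small HTML page containing one non-ASCII character,
# saved as UTF-16-LE without a BOM, which is what the thread's file looked like.
ORIGINAL = ("<html><body><script src='abcdefgh.js'></script>"
            "<p>price: 5\u20ac</p></body></html>")
SAMPLE_UTF16LE = ORIGINAL.encode("utf-16-le")
SAMPLE_WITH_BOM = b"\xff\xfe" + SAMPLE_UTF16LE

if __name__ == "__main__":
    enc, text = decode_sample(SAMPLE_UTF16LE)
    print(enc, text)
    print("naive strip:", strip_nulls_naively(SAMPLE_UTF16LE))
```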


ge at linuxbox

Jan 14, 2008, 1:46 PM

Post #10 of 18 (11331 views)
Re: what is this? [In reply to]


I did not look at the malware, but it is pretty obvious you have been
compromised.

Defacements today (unless for the specific reason of being "seen") are about
leaving the site the same way you find it, and infecting its user
base/visitors.

A second option is that you are secure but a "partner" such as ad sites
has been compromised and infects your users.

Naturally, a compromise can come from anywhere, but in most cases it is
something like RFI... Taosecurity linked to three great papers on the
subject of web botnets / cross-platform web malware:
http://taosecurity.blogspot.com/2007/11/great-papers-from-honeynet-project.html

Linking also to my original article here:
http://blogs.securiteam.com/index.php/archives/815

Gadi.


sp23 at internode

Jan 14, 2008, 9:16 PM

Post #11 of 18 (11335 views)
Re: what is this? [In reply to]

This is a very serious new threat affecting Linux servers and thousands
of boxes have been compromised since December 2007.

Each box serving the nasty JavaScript has been rooted. One person has
found a way to CLEAN the infection (i.e. stop your server from serving
the bad JavaScript), however not the root hole, i.e. the servers in
question are still rooted, as nobody so far has found what hole is being
exploited to gain root access in the first place.

See the following URLs for a lot more info on this exploit:

http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
starts on page 3 or so)

http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/

Time for some honeypot action to find out how they're gaining root
access to begin with. From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using the latest
kernels).

Cheers,
Denis




i.m.crazy.frog at gmail

Jan 14, 2008, 10:12 PM

Post #12 of 18 (11334 views)
Re: what is this? [In reply to]

Well,
I received many responses but none is perfect. I checked the files and
didn't find anything embedded in my scripts or pages. I still have to
figure out why my antivirus randomly pops up. I mean, most of the time
it doesn't detect any infection, but then suddenly this thing happens
and then everything seems OK.
I don't think it's a problem with my script, otherwise I could have found
the code, or it should be repeating consistently. Is anyone still facing
this issue on techicorner.com or on tubeley.com or on
secgeeks.com?

Let me know; I'm trying hard to dig into this issue.




--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com


jamie.riden at gmail

Jan 15, 2008, 8:28 AM

Post #13 of 18 (11337 views)
Re: what is this? [In reply to]

On 15/01/2008, Denis <sp23 [at] internode> wrote:
> This is a very serious new threat affecting Linux servers and thousands
> of boxes have been compromised since December 2007.
>
> Each box serving the nasty javascript has been rooted. One person has
> found a way to CLEAN the infection (ie. stop your server from serving
> the bad javascript), however not the root hole ie. the servers in
> question are still rooted as nobody so far has found what hole is being
> exploited to gain root access in the first place.

You don't need root to deface web servers in general. Even if the
attackers want to run bots, they often stay as the unprivileged user
they get in as. Sometimes a few privilege escalation exploits are
tried, but even then people seem willing to make use of normal users
if they can't get root.

(Unless you meant 'root' as in 'root cause', or the Aussie sense of
rooted, as in 'f**ed' :)

cheers,
Jamie
--
Jamie Riden / jamesr [at] europe / jamie [at] honeynet
UK Honeynet Project: http://www.ukhoneynet.org/


arasm at vt

Jan 15, 2008, 8:33 AM

Post #14 of 18 (11340 views)
RE: what is this? [In reply to]

@Dennis:

<quote>
(...)
From all reports so far it does not appear to be a
kernel vulnerability (as some of the affected servers were using latest
kernels)
</quote>

And... how can you assume that exactly? What if this is an
unpatched/unseen kernel vulnerability?

Aras "Russ" Memisyazici
IT/R&D/Security Specialist

Outreach Information Services
Virginia Tech



sp23 at internode

Jan 15, 2008, 8:36 AM

Post #15 of 18 (11324 views)
Re[2]: what is this? [In reply to]

Jamie,

The servers are definitely 'rooted', as in, root access is required for
what the exploit does, i.e. it's dug itself deep into the kernel and you
can't even compile a new kernel on the infected machine or even create
files or directories that start with a digit. So yeah, the servers are
rooted in every sense of the word (even the Aussie slang interpretation).

I don't believe the exploit would be nearly as damaging or dangerous if
it didn't involve root compromise.

Scott.MC explains it better on the webhostingtalk.com link posted
earlier. Cheers

Denis




sp23 at internode

Jan 15, 2008, 8:41 AM

Post #16 of 18 (11338 views)
Re[2]: what is this? [In reply to]

Good point, it could be an unknown kernel hole.

However, it could also be a privilege escalation scenario through the
application layer .. maybe PHP, knowing its history and the fact it's
present on all the infected machines.

Anyway, nobody really knows how the initial root compromise is achieved,
but it's definitely one (a root compromise, that is).

Denis




updates at digitalis

Jan 15, 2008, 9:26 AM

Post #17 of 18 (11341 views)
Re[2]: what is this? [In reply to]

---> figure out why my antivirus randomly pops up? I

The exploit is served the first time you load an infected page and then very
infrequently after that (it was originally thought that it is delivered
only ONCE per visiting IP, but some people put this to the test and
found that the exploit will appear more than once to a single IP/visitor;
however, it will always appear the first time you hit an infected site).

More on this in the theregister.co.uk link - follow the Comments link in
that article and read the comments.

---> I don't think it's a problem with my script, otherwise I could have found
---> the code

The machine serving the malware has been rooted, i.e. an LKM rootkit is in
place which replaced several system binaries and even has self-defences
in place (e.g. you can't compile a new kernel on an infected machine AND
even if you take a kernel compiled on a clean box, and boot it, it will
be infected after boot) - read the webhostingtalk link/discussion for
more info.

In short, if you need to stop the system from serving the malware there
IS a way to do it (contact Scott.MC from WHT) - he will clean the
exploit. However, the thing that is still unknown is how the initial root
compromise is achieved in order for the rootkit to be installed in the
first place, i.e. your box is still rootable even when it gets cleaned by
Scott.

---> this issue on techicorner.com or on tubeley.com or on
---> secgeeks.com?

None of those sites load for me; I'm guessing you took the box offline
for an OS reload. Most people who performed an OS reload had the same
exploit hit them again after a very short time. The only way to stop the
exploit (not the root compromise) is to boot into a clean kernel with
the grsec patch which is set to deny writing to /dev/mem (according to
Scott) - but if your box is already compromised, you will also need to
replace the system binaries that were replaced by the rootkit with
clean ones.

Maybe I've said too much ... all of this info is on those 2 links in my
initial reply. Read them from start to finish if you really want to
'dig into this issue'.

Cheers
Denis




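Denis describes two concrete, checkable things: an infected host refuses to create files or directories whose names start with a digit, and the mitigation Scott recommends locks down writes to /dev/mem. The following is an added triage script for this thread, not code from any poster or from WHT: it probes digit-prefixed file and directory creation and reports the permission bits on /dev/mem. A clean result only means the host does not show these two symptoms; the thread itself says the initial root hole is unknown, so it proves nothing more.

```python
"""Triage checks for the symptoms described in the thread above.

Added example for this thread (not a poster's code). Probe file names and the
temporary-directory self-test are assumptions of this example.
"""
import os
import stat
import tempfile
from typing import Dict, Optional


def check_digit_prefix_create(directory: str) -> Dict[str, bool]:
    """Try to create a file and a directory whose names start with a digit.

    Returns {'file': bool, 'dir': bool}; False means the kernel/rootkit refused.
    The probes are removed again whether or not they could be created."""
    results = {"file": False, "dir": False}
    fpath = os.path.join(directory, f"1probe.{os.getpid()}")
    dpath = os.path.join(directory, f"2probe.{os.getpid()}")
    try:
        with open(fpath, "x"):
            pass
        results["file"] = True
    except OSError:
        pass
    finally:
        if os.path.exists(fpath):
            os.remove(fpath)
    try:
        os.mkdir(dpath)
        results["dir"] = True
    except OSError:
        pass
    finally:
        if os.path.isdir(dpath):
            os.rmdir(dpath)
    return results


def dev_mem_mode(path: str = "/dev/mem") -> Optional[str]:
    """Symbolic mode of the memory device (e.g. 'crw-r-----'), or None if absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return stat.filemode(st.st_mode)


def dev_mem_group_or_world_writable(path: str = "/dev/mem") -> Optional[bool]:
    """True if group or others hold write on the device; None if it is absent.
    (Root can still write regardless of mode; the grsec option Denis mentions is
    what blocks that, and it is not visible from the permission bits.)"""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def probe_in_temp() -> Dict[str, bool]:
    """Run the creation check in a fresh temporary directory (self-test)."""
    with tempfile.TemporaryDirectory() as d:
        return check_digit_prefix_create(d)


if __name__ == "__main__":
    print("digit-prefixed names in /tmp:", check_digit_prefix_create("/tmp"))
    for dev in ("/dev/mem", "/dev/kmem"):
        print(dev, dev_mem_mode(dev), "group/world writable:",
              dev_mem_group_or_world_writable(dev))
```

Run it as an unprivileged user on the web server's document root as well as /tmp, since a rootkit hooking file creation would affect both.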


yousef.syed at gmail

Jan 16, 2008, 12:57 AM

Post #18 of 18 (11329 views)
Re: what is this? [In reply to]

Just to add to what has already passed, Security Focus has put up this
article regarding this issue.
http://www.securityfocus.com/news/11501

ys




--
Yousef Syed
CISSP

http://www.linkedin.com/in/musashi
