Author Topic: 62.211.68.58  (Read 3164 times)


May 22, 2009, 08:18:58 pm

xorrox

This machine has been hacked. It's owned by the German ISP "Hansenet", which hosts several user websites on that box. All their user pages have some additional JavaScript code attached, which opens popup windows as soon as you click on anything, loading these popups from a domain whose name varies with time/date.

I looked at the JavaScript with Malzilla (using it for the first time), really cool tool!
Attached you find the disassembled JavaScript; I guess this is well-known malware, it seems to have been written back in 2007.

May 22, 2009, 08:29:07 pm
Reply #1

SysAdMini

Uhh, it's Mebroot.

Have you already notified Hansenet about the problem?
Ruining the bad guy's day

May 22, 2009, 09:47:30 pm
Reply #2

SysAdMini

I still have found only a single infected site.

Here is the wepawet report for it.

http://wepawet.cs.ucsb.edu/view.php?hash=610f7108f016e8e1d5292c8e2900d02a&t=1243029129&type=js
Ruining the bad guy's day

May 23, 2009, 08:09:13 am
Reply #3

xorrox

I still have found only a single infected site.

Me too. There are hundreds of domains on that box; I checked something like 150 of them and found none of these infected. Only the pages from that single user have Mebroot.

So the assumption of that user (that the server was hacked) might be wrong. He thinks so because he only uses static HTML and has not logged into that machine (via FTP) for a very long time.