« previous next »
Pages: [1]   Go Down

Author Topic: 62.211.68.58  (Read 4542 times)

0 Members and 1 Guest are viewing this topic.

May 22, 2009, 08:18:58 pm
Read 4542 times

xorrox

  • Special Access
  • Newbie
  • Offline
  • *
  • 3
62.211.68.58
This machine has been hacked. Its owned by the german ISP "Hansenet" which hosts several user-websites on that box. All their user-pages have some additional JavaScipt-code attached, which opens popup-windows as soon as you click on anything, loading these popups from a domain whose name varies with time/date.

I looked at the JavaScript with Malzilla (using it for the first time), really cool tool!
Attached you find the disassembled JavaScript, i guess this is well-known malware, seems to have been written back in 2007.
Logged
May 22, 2009, 08:29:07 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member
  • Offline
  • *****
  • 3335
Re: 62.211.68.58
Uhh, it's Mebroot.

Have you already notified Hansenet about the problem ?
Logged
Ruining the bad guy's day
May 22, 2009, 09:47:30 pm
Reply #2

SysAdMini

  • Administrator
  • Hero Member
  • Offline
  • *****
  • 3335
Re: 62.211.68.58
I still have found only a single infected site.

Here is the wepawet report for it.

http://wepawet.cs.ucsb.edu/view.php?hash=610f7108f016e8e1d5292c8e2900d02a&t=1243029129&type=js
Logged
Ruining the bad guy's day
May 23, 2009, 08:09:13 am
Reply #3

xorrox

  • Special Access
  • Newbie
  • Offline
  • *
  • 3
Re: 62.211.68.58
Quote from: SysAdMini on May 22, 2009, 09:47:30 pm
I still have found only a single infected site.

Me too. There are hundreds of domains on that box, i checked something like 150 of them and found none of these infected. Only all the pages from that single user have Mebroot.

So the assumption of that user (that the server was hacked) might be wrong. He thinks so because he only uses static HTML and has not logged into that machine (via FTP) for a very long time.
Logged
Pages: [1]   Go Up
« previous next »