Mailing List Archive

Re: [Full-disclosure] what is this?
Dear crazy frog crazy frog,

Clear your computer of the trojan, change the FTP password for your site
hosting access, because it has been stolen, access your hosting account via
FTP and remove the additional text (usually at the end of the file, after
</html>) from all HTML/PHP pages.

--Sunday, January 13, 2008, 7:01:34 PM, you wrote to full-disclosure@lists.grok.org.uk:

cfcf> Hi,

cfcf> Recently, on opening one of my sites, my antivirus pops up saying that it
cfcf> has found a malicious script. The URL is random and I have managed to
cfcf> get that script. It is using some flaw in Apple QuickTime.
cfcf> You can get the zip file for the JavaScript here:
cfcf> http://secgeeks.com/what.zip
cfcf> password is 12345
cfcf> Can somebody guide/help me: what is this and how can I remove it?



--
~/ZARAZA http://securityvulns.com/
Shooting a second time, he crippled a bystander. The bystander was me. (Twain)
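As an added, defender-side example (not code from 3APA3A or anyone else in the thread): a small Python scanner that performs the check described above, reporting every HTML/PHP file under a directory whose content continues after the closing </html> tag and flagging iframe/script tags in that tail. The sample pages, their file names and the example.invalid host are constructed for the demo.

```python
import os
import re
import tempfile

# Tags typical of the injected content described in the thread (iframe/script).
SUSPICIOUS_TAG = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)

def trailing_content(html: str) -> str:
    """Return what follows the last </html> tag ('' if none, or only whitespace)."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()

def inspect_file(path: str) -> dict:
    """Report the appended tail of one file and whether it contains iframe/script tags."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tail = trailing_content(fh.read())
    return {"path": path, "appended": tail,
            "suspicious": bool(SUSPICIOUS_TAG.search(tail))}

def scan_tree(root: str, exts=(".html", ".htm", ".php")) -> list:
    """Return findings for every HTML/PHP file under root that has an appended tail."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(exts):
                result = inspect_file(os.path.join(dirpath, name))
                if result["appended"]:
                    findings.append(result)
    return findings

# Constructed sample site; example.invalid is a placeholder, not a real host.
SAMPLES = {
    "index.html": "<html><body>clean page</body></html>\n",
    "about.html": "<html><body>about</body></html>\n"
                  '<iframe src="http://example.invalid/x" width=0 height=0></iframe>\n',
    "page.php": "<?php echo 'hi'; ?>\n<html><body></body></html>\n"
                '<script src="http://example.invalid/j.js"></script>\n',
}

def demo() -> list:
    """Write the samples to a temp dir, scan it and return (file, suspicious) pairs."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(f["path"]), f["suspicious"]) for f in scan_tree(root)]
```

Running `scan_tree` against a real document root lists the files to clean; as Nick points out further down the thread, cleaning them does not close the hole that let the content in.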
Re: [Full-disclosure] what is this? [ In reply to ]
3APA3A wrote:

> Dear crazy frog crazy frog,
>
> Clear your computer of the trojan, change the FTP password for your site
> hosting access, because it has been stolen, access your hosting account via
> FTP and remove the additional text (usually at the end of the file, after
> </html>) from all HTML/PHP pages.

Ummmm -- the only part of that likely to be relevant here is the last.

These kinds of web page "compromises" are typically achieved through
bad/ill-configured/non-updated server-side web applications (or their
underlying script engines) and are typically achieved without requiring
any more special or privileged access to the victim sites than the
ability to run a clever Google search or your own brute-force spidering
via a bot-net, etc.

Of course, simply removing the undesired iframe/script/etc tags from
your compromised pages is not enough. Although doing so does not mean
that this attacker will come back, it equally does nothing to close the
hole they used in the first place, and the next attacker searching for
that hole will hit you just as easily and indiscriminately...


Regards,

Nick FitzGerald
Re: [Full-disclosure] what is this? [ In reply to ]
Hmm. Thanks everyone for the suggestions.

On Jan 14, 2008 5:22 PM, Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:
> 3APA3A wrote:
>
> > Dear crazy frog crazy frog,
> >
> > Clear your computer of the trojan, change the FTP password for your site
> > hosting access, because it has been stolen, access your hosting account via
> > FTP and remove the additional text (usually at the end of the file, after
> > </html>) from all HTML/PHP pages.
>
> Ummmm -- the only part of that likely to be relevant here is the last.
>
> These kinds of web page "compromises" are typically achieved through
> bad/ill-configured/non-updated server-side web applications (or their
> underlying script engines) and are typically achieved without requiring
> any more special or privileged access to the victim sites than the
> ability to run a clever Google search or your own brute-force spidering
> via a bot-net, etc.
>
> Of course, simply removing the undesired iframe/script/etc tags from
> your compromised pages is not enough. Although doing so does not mean
> that this attacker will come back, it equally does nothing to close the
> hole they used in the first place, and the next attacker searching for
> that hole will hit you just as easily and indiscriminately...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com
Re: [Full-disclosure] what is this? [ In reply to ]
crazy frog crazy frog wrote:

> Well,
> I received many responses but none is perfect. I checked the files and
> didn't find anything embedded in my scripts or pages. Still I have to
> figure out why my antivirus randomly pops up. I mean most of the time
> it doesn't detect any infection, but then suddenly this thing happens
> and then everything seems OK.
> I don't think it's a problem with my script, otherwise I could have found
> the code or it should be repeating consistently. Is anyone still facing
> this issue on techicorner.com or on tubeley.com or on
> secgeeks.com?
>
> Let me know, I'm trying hard to dig into this issue.

If you would tell us the _actual_ URL where this behaviour is being
seen we would have a reasonable chance of actually diagnosing it. As
it is, we're having to guess based on matching your half-arsed
descriptions of what you think is happening with our knowledge of what
has been seen going on out there.

This may surprise you, but many thousands and thousands of sites are
compromised each day to display "similar" activity to what you've asked
us to diagnose (aka "guess").

If we could look at the actual site and see what is really happening we
should have a better (if not perfect) chance of success.


Regards,

Nick FitzGerald
Re: [Full-disclosure] what is this? [ In reply to ]
Nick,
You're not getting my point: the URL is techicorner.com/{random string
here}, I have already mentioned it in previous posts.
I have read the link sent by Denis, and I would have to conclude that:
1) The problem does not always occur; instead it occurs randomly based
on IP or something like that.
2) If you look at the pages on techicorner.com you will not find any
malicious code, so it's possible that the server is compromised and it's
an LKM.
Please refer to these links:
http://www.webhostingtalk.com/showthread.php?t=651748 [thanks Denis]

Thanks again everyone for your valuable suggestions. I posted here to
share this stuff with everyone and maybe you can learn from it.

Regards,
_CF

On Jan 15, 2008 12:15 PM, Nick FitzGerald <nick@virus-l.demon.co.uk> wrote:
> crazy frog crazy frog wrote:
>
> > Well,
> > I received many responses but none is perfect. I checked the files and
> > didn't find anything embedded in my scripts or pages. Still I have to
> > figure out why my antivirus randomly pops up. I mean most of the time
> > it doesn't detect any infection, but then suddenly this thing happens
> > and then everything seems OK.
> > I don't think it's a problem with my script, otherwise I could have found
> > the code or it should be repeating consistently. Is anyone still facing
> > this issue on techicorner.com or on tubeley.com or on
> > secgeeks.com?
> >
> > Let me know, I'm trying hard to dig into this issue.
>
> If you would tell us the _actual_ URL where this behaviour is being
> seen we would have a reasonable chance of actually diagnosing it. As
> it is, we're having to guess based on matching your half-arsed
> descriptions of what you think is happening with our knowledge of what
> has been seen going on out there.
>
> This may surprise you, but many thousands and thousands of sites are
> compromised each day to display "similar" activity to what you've asked
> us to diagnose (aka "guess").
>
> If we could look at the actual site and see what is really happening we
> should have a better (if not perfect) chance of success.
>
>
> Regards,
>
> Nick FitzGerald
Re: [Full-disclosure] what is this? [ In reply to ]
On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> Nick,
> You're not getting my point: the URL is techicorner.com/{random string
> here}, I have already mentioned it in previous posts.
> I have read the link sent by Denis, and I would have to conclude that:
> 1) The problem does not always occur; instead it occurs randomly based
> on IP or something like that.

In recent kits, it is more likely it is user-agent based.

> 2) If you look at the pages on techicorner.com you will not find any
> malicious code, so it's possible that the server is compromised and it's
> an LKM.
> Please refer to these links:
> http://www.webhostingtalk.com/showthread.php?t=651748 [thanks Denis]
>
> Thanks again everyone for your valuable suggestions. I posted here to
> share this stuff with everyone and maybe you can learn from it.
>
> Regards,
> _CF
Re: [Full-disclosure] what is this? [ In reply to ]
Nope, I don't think it has to do with the user agent. I have tried with
IE and Firefox but nothing. Though when you change IP it shows the stuff, so I
think it's IP based?

On Jan 15, 2008 10:52 PM, Gadi Evron <ge@linuxbox.org> wrote:
> On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> > Nick,
> > You're not getting my point: the URL is techicorner.com/{random string
> > here}, I have already mentioned it in previous posts.
> > I have read the link sent by Denis, and I would have to conclude that:
> > 1) The problem does not always occur; instead it occurs randomly based
> > on IP or something like that.
>
> In recent kits, it is more likely it is user-agent based.