Author Topic: JS:Agent-CV [Trj] in WebSite  (Read 6696 times)

Martinss

  • Guest
JS:Agent-CV [Trj] in WebSite
« on: March 14, 2010, 07:44:42 PM »
Site is www.interbasquet-cba.com.ar

greetings  :)

Offline superhacker

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 979
  • superhacker != super mario
Re: JS:Agent-CV [Trj] in WebSite
« Reply #1 on: March 14, 2010, 08:06:37 PM »
If the virus has been blocked and ALWIL knows about the website, there is no reason to post it since you are not infected. Why did you post it?
Dreams don't die, they just fall asleep.

Martinss

  • Guest
Re: JS:Agent-CV [Trj] in WebSite
« Reply #2 on: March 14, 2010, 08:12:46 PM »
It annoys me to have to deactivate the antivirus to enter the website.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: JS:Agent-CV [Trj] in WebSite
« Reply #3 on: March 14, 2010, 08:14:41 PM »
This page seems to be <clean>
http://www.UnmaskParasites.com/security-report/?page=www.interbasquet-cba.com.ar

But Google is saying (Malicious software includes 714 trojan(s))
http://www.google.com/safebrowsing/diagnostic?site=www.interbasquet-cba.com.ar
This site was hosted on 1 network(s) including AS27823 (Dattatec.com).

Diagnostic page for AS27823 (Dattatec.com)
Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 64 site(s), including, for example, juanfurlan.com.ar/, areasdm.com.ar/, enpucon.cl/, that infected 3280 other site(s), including, for example, klawrojna.com/, nojom-pal.com/, bnt-a.com/.
« Last Edit: March 14, 2010, 08:18:11 PM by Pondus »

Offline superhacker

Re: JS:Agent-CV [Trj] in WebSite
« Reply #4 on: March 14, 2010, 08:18:55 PM »
For Pondus:
No, it really has a redirection to the infected website. "I am not so advanced in JavaScript, so don't blame me."

psw

  • Guest
Re: JS:Agent-CV [Trj] in WebSite
« Reply #5 on: March 14, 2010, 08:39:55 PM »
It is NOT an FP.
There is a redirect to hXXp://www.interbasquet-cba.com.ar/2008/index.php
And there is a malicious script at the end of this file (eval (unescape ('%77%69...)))

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34060
  • malware fighter
Re: JS:Agent-CV [Trj] in WebSite
« Reply #6 on: March 14, 2010, 08:42:15 PM »
Hi Pondus,

Yes, Martinss should make the live link there non-clickable by using htXp or wXw, and the link is given as clear, but the history of "Malicious software includes 714 trojans" just does not sound promising.

This site was hosted on 1 network(s) including AS27823 (Dattatec.com).
See what we can find further:
The clean result is because of: Blank page / could not connect
No ad codes identified File size: 725 bytes
File MD5: 9063eaf69e368e1d9c7bcd278c1792b9
This is the script Superhacker means: htxp://www.interbasquet-cba.com.ar//Script.0
Code:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL //Script.0 was not found on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.
<HR>
<ADDRESS>Apache/1.3.41 Server at www dot interbasquet-cba.com dot ar Port 80</ADDRESS>
</BODY></HTML>
Code:
Server: Apache/1.3.41 (Unix) mod_auth_passthrough/1.8 mod_bwlimited/1.4 mod_log_bytes/1.2 ^^ mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5 FrontPage/5.0.2.2635
^^ check for older web software, because of exploits as this could be compromised via PHP:
Code:
</style>^script>^^
document.location='htxp://www.interbasquet-cba.com.ar/2008/index.php'
<^/script> ^^ broken by me, polonus
</head>
activeX BOF exploit

That's all,

polonus

« Last Edit: March 14, 2010, 08:44:47 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: JS:Agent-CV [Trj] in WebSite
« Reply #7 on: March 14, 2010, 08:46:16 PM »
Hello,

the website is infected and you should contact the owner to clean it up instead of turning your AV off. VT report http://www.virustotal.com/analisis/40598fb3f7747398ade25f73e58073740fb8b1667ef0a55b836643793eb0004a-1268595419

The infection is located in the document located at:
Code:
hxxp://www.interbasquet-cba.com.ar/2008/index.php
It's at the end of the HTML code. You will find it by searching for the string "eval(unescape" without quotes. The code is placed after many tabs, so you might not see it at first.

Regards
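
The search described by psw and jsejtko above, as an added example that is not part of the original thread: a Python scanner that finds eval(unescape(...)) calls in saved HTML, counts the tab padding that hides them, and decodes the payload statically without executing it. The sample page and its benign payload are constructed, and scan_html and js_unescape are hypothetical names.

```python
import re

# Matches eval(unescape('...')) with optional whitespace and either quote style.
PATTERN = re.compile(
    r"""eval\s*\(\s*unescape\s*\(\s*(['"])(?P<payload>.*?)\1\s*\)\s*\)""",
    re.IGNORECASE | re.DOTALL,
)
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(text):
    """Static equivalent of JavaScript unescape(): decodes %uXXXX and %XX only."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def scan_html(html):
    """Return one finding per eval(unescape(...)) call; nothing is executed."""
    findings = []
    lowered = html.lower()
    for match in PATTERN.finditer(html):
        # Measure the whitespace run in front of the enclosing <script> tag,
        # since the injected code is pushed out of view with tabs.
        tag = lowered.rfind("<script", 0, match.start())
        start = tag if tag != -1 else match.start()
        before = html[:start]
        padding = before[len(before.rstrip()):]
        findings.append({
            "offset": match.start(),
            "padding_tabs": padding.count("\t"),
            "decoded": js_unescape(match.group("payload")),
        })
    return findings


# Constructed sample: a harmless statement, percent-encoded and hidden after 200 tabs.
BENIGN_JS = "document.title='constructed sample';"
ENCODED = "".join("%%%02x" % ord(c) for c in BENIGN_JS)
SAMPLE = (
    "<html><body><p>Scores</p></body></html>\n"
    + "\t" * 200
    + "<script>eval (unescape ('" + ENCODED + "'))</script>\n"
)
# Constructed clean page: unescape() alone, without eval(), is not flagged.
CLEAN = "<html><body><script>var s = unescape('%41');</script></body></html>"

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Run it over files fetched to disk rather than in a browser, so the decoded payload is only ever handled as text.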

Stran05

  • Guest
Re: JS:Agent-CV [Trj] in WebSite
« Reply #8 on: March 15, 2010, 09:13:22 AM »
Forbidden

You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

This is what Chrome says when I try to access the website.

Offline superhacker

Re: JS:Agent-CV [Trj] in WebSite
« Reply #9 on: March 15, 2010, 01:07:09 PM »
Thanks polonus, I really don't plan to be professional in JavaScript, maybe next year :D

Offline polonus

Re: JS:Agent-CV [Trj] in WebSite
« Reply #10 on: March 15, 2010, 02:54:23 PM »
Hi superhacker,

A bit of JS script knowledge and of the developing errors that make exploits possible can be helpful; Malzilla can elaborate on the code better than a human source, and every browser knows how to run it.
In Firefox the NoScript add-on is a good prevention against malcode infections, and RequestPolicy prevents malicious third-party code from running. Obfuscated code and code outside HTML should always be checked because of malcode redirection - moreover the avast shield is one of the best around,

polonus

Offline superhacker

Re: JS:Agent-CV [Trj] in WebSite
« Reply #11 on: March 15, 2010, 06:23:05 PM »
Knowing about exploiting is so good ("my work when I have nothing to do"), but not in JavaScript; C++ was so good for this mission, but Python is now starting to become more shining and flexible for this work.