Author Topic: Unknown html and xmlrpc.php malware?


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29355
  • malware fighter
Unknown html and xmlrpc.php malware?
« on: February 15, 2013, 02:10:58 PM »
See: http://urlquery.net/report.php?id=1007138 (2 IDS alerts)
Outdated WP software, see: conditional redirect for: hxtp://www.virtu-al.net/home/content/73/8390073/html/virtual_net/wp-content/themes/black-with-orange/index.php -> htxp://www.virtu-al.net/home/content/73/8390073/html/virtual_net/wp-content/themes/black-with-orange/
(script) s.gravatar dot com/js/gprofiles.js?ver=2013Febaa
     status: (referer=www.virtu-al dot net/)saved 23367 bytes b4ce45f19627ef7f969f79dce0e16bb0da7113c0
     info: [img] s.gravatar dot com/js/
     info: [decodingLevel=0] found JavaScript
     suspicious:
powershell probe?
Also htxp://edge.quantserve.com/quant.js adware requests.

Older versions of xmlrpc.php are vulnerable: http://isc.sans.edu/diary/XML-RPC+for+PHP+Vulnerability+Attack/823 (article author = Koon Yaw Tan)

polonus
« Last Edit: February 15, 2013, 02:13:26 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Unknown html and xmlrpc.php malware?
« Reply #1 on: February 15, 2013, 03:05:36 PM »

polonus
Re: Unknown html and xmlrpc.php malware?
« Reply #2 on: February 18, 2013, 03:34:58 PM »
Only given on viruswatch archives: htxp://zy1.farm2.zynga.com/ -> content report: http://www.unmaskcontent.com/?domain=http%3A%2F%2Fzy1.farm2.zynga.com%2F&privacy=PUBLIC&method=GET&uagent=RANDOM&uagenttext=&referer=RANDOM&referertext=&accept=ACCEPTALL&accepttext=&MIMEType=1001
Site has Zynga bar, a games simplifier; for code see: http://code.google.com/p/fgs/source/browse/trunk/scripts/games/farmville-snapi.js?spec=svn197&r=197
as has htxp://zgn.static.zynga.com/snapi/g0ee5c4b-prod/snapi.js. Zynga is trying to hunt abuse of their bar,
see attached image. IP blacklisted once: http://www.unlocktheinbox.com/blacklist/bl/23.3.13.137/

polonus


polonus
Re: Unknown html and xmlrpc.php malware?
« Reply #3 on: February 20, 2013, 06:32:16 PM »
Following unknown html malware is a clear PHISH: see: http://www.urlvoid.com/scan/minamyerresidential.com/
and https://www.virustotal.com/en/url/e06104e07e93dedab6720087049f7a5ad7dbee21d24f257d5551bdc7914f9166/analysis/
There is a header redirecting the request to: htxp://www.koloalanding.com/components/com_banners/Recadastramento.Bradesco/index.php
Verified Phish: 013-02-20T00:35:45+00:00
Code:
<url>http://wXw.koloalanding.com/components/com_banners/Recadastramento.Bradesco/index.php</url>
<phish_id>1735642</phish_id>
<phish_detail_url>htxp://www.phishtank.com/phish_detail.php?phish_id=1735642</phish_detail_url>
<details>
<detail>
<ip_address>204.244.185.22</ip_address>
<cidr_block>204.244.0.0/16</cidr_block>
<announcing_network>5071</announcing_network>
<rir>arin</rir>
<detail_time>2013-02-20T00:31:34+00:00</detail_time>
</detail>
</details>
<submission>
<submission_time>2013-02-20T00:30:11+00:00</submission_time>
</submission>
<verification>
<verified>yes</verified>
<verification_time>2013-02-20T06:38:09+00:00</verification_time>
</verification>
<status>
<online>yes</online>
</status>
<target>Bradesco</target>
</entry>
<entry>
<url>htxp://minamyerresidential.com/images/visualizar.php</url>
<phish_id>1735641</phish_id>
<phish_detail_url>htxp://www.phishtank.com/phish_detail.php?phish_id=1735641</phish_detail_url>
<details>
<detail>
<ip_address>75.119.202.190</ip_address>

polonus
« Last Edit: February 20, 2013, 10:04:54 PM by polonus »

polonus
Re: Unknown html and xmlrpc.php malware?
« Reply #4 on: February 20, 2013, 10:23:33 PM »
Scanned with Quttera's there is 1 potentially suspicious file flagged: http://quttera.com/detailed_report/www.koloalanding.com
e.g.: /modules/mod_swmenupro/transmenu_Packed.js * with detected potentially suspicious initialization of function pointer to JavaScript method write <code>__tmpvar42410799 = write;</code> with a confirmed bug (credits go to ffaabbss) -> https://www.joomlapolis.com/forum/43-bugs/42314-swmenupro-users-watch-out-confirmed-bug (and so vulnerable to spoofs and, as we found, PHISH)
For the * code, see: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.koloalanding.com%2F%2Fmodules%2Fmod_swmenupro%2Ftransmenu_Packed.js&ref_sel=Google&ua_sel=ff (modified compressed script with submenu  iFrame)
Another example of that detection described here: http://forum.avast.com/index.php?topic=112110.msg882759#msg882759

polonus
« Last Edit: February 20, 2013, 10:33:28 PM by polonus »

polonus
Re: Unknown html and xmlrpc.php malware?
« Reply #5 on: February 20, 2013, 10:54:25 PM »
This one is flagged in two instances here: http://www.urlvoid.com/scan/dponto.com/
and detected in three instances here: https://www.virustotal.com/en/url/0893623b69ae1bc76b954334e9b14c4dbaaa57a50ff531dc5ea6f130e15113d7/analysis/1361396453/
Here it was found clean: http://urlquery.net/report.php?id=1054625
But earlier on, it was flagged with a detected RedKit exploit kit URL pattern -> https://urlquery.net/report.php?id=28335
http://zulu.zscaler.com/seen/68d9bdf607523f7ea19b586068534612-1361397098 (100/100 % malicious)
Latest report from here: http://siteinspector.comodo.com/public/reports/show_history?id=10480831&type=1 (Blacklisted via Google Safebrowsing)

polonus

polonus
Re: Unknown html and xmlrpc.php malware?
« Reply #6 on: February 21, 2013, 06:55:00 PM »
Some security measures to consider are described here: http://digwp.com/2009/06/xmlrpc-php-security/ (link article author = Jeff Starr)
Look here at a write up on a massive SEO spamming campaign: http://blog.unmaskparasites.com/2012/05/18/careless-webmasters-as-wordpress-hosting-providers-for-spammers/
Mind you that: htxp://blog.unmaskparasites.com/category/website-exploits/ is being flagged by avast! Web Shield as JS:Decode-T[Trj]
As we see, content after the </html> tag should be considered suspicious.

286: <!-- Dynamic page generated in 0.258 seconds. -->
287: <!-- Cached page generated by WP-Super-Cache on 2013-02-21 17:42:18 -->
288: <!-- super cache -->
This plug-in is vulnerable: http://wordpress.org/support/topic/wp-super-cache-vulnerable-to-php-injection (credits factoryjoe), allowing for PHP file injection into WP-content...

polonus
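A small check for the observation above about content after the closing </html> tag, added here as an example and not code from the thread: it isolates whatever follows the last </html> and tells plugin comments (such as the WP-Super-Cache lines quoted above) apart from injected markup or text. The sample pages, including the script URL, are constructed.

```python
import re

# Constructed sample pages (not taken from the thread). The comment lines
# mirror the WP-Super-Cache output quoted in the post; the script tag is made up.
CACHED_PAGE = (
    "<html><head><title>t</title></head><body>hello</body></html>\n"
    "<!-- Dynamic page generated in 0.258 seconds. -->\n"
    "<!-- Cached page generated by WP-Super-Cache on 2013-02-21 17:42:18 -->\n"
    "<!-- super cache -->\n"
)
INJECTED_PAGE = CACHED_PAGE + '<script src="http://example.invalid/x.js"></script>\n'
CLEAN_PAGE = "<html><body>hello</body></html>\n"

HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
# One node at a time: an HTML comment, any other tag, or a run of text.
NODE = re.compile(r"<!--.*?-->|<[^>]+>|[^<]+", re.DOTALL)


def trailing_content(page: str) -> str:
    """Return everything after the last </html>, or '' if the tag is absent."""
    matches = list(HTML_CLOSE.finditer(page))
    return page[matches[-1].end():] if matches else ""


def classify_trailing(page: str) -> dict:
    """Bucket the trailing nodes into comments, tags and text and give a verdict."""
    comments, tags, text = [], [], []
    for m in NODE.finditer(trailing_content(page)):
        node = m.group(0)
        if node.startswith("<!--"):
            comments.append(node)
        elif node.startswith("<"):
            tags.append(node)
        elif node.strip():
            text.append(node.strip())
    # Tags or visible text after </html> are the suspicious case; cache-plugin
    # comments alone are informational, and nothing at all is clean.
    if tags or text:
        verdict = "suspicious"
    else:
        verdict = "informational" if comments else "clean"
    return {"verdict": verdict, "comments": comments, "tags": tags, "text": text}


if __name__ == "__main__":
    for name, page in (("cached", CACHED_PAGE), ("injected", INJECTED_PAGE)):
        print(name, classify_trailing(page)["verdict"])
```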