Trojan Blocked
-
Many thanks all. I've often thought that all these virus warnings were fake. How wrong can you be?
-
One thing I have not asked is: if this exploit gets on your machine, what will it/can it do?
-
One thing I have not asked is: if this exploit gets on your machine, what will it/can it do?
That dodgy bit of obfuscated JavaScript code that was planted on the pages of the estate agent's website.. that's just the first part of the attack..
The JavaScript code gets your browser to automatically retrieve an object of unknown filetype and unknown purpose from a website ostensibly owned by a Turkish bloke, but actually hosted on a machine hanging off an IP address that belongs to a Moscow-based company.
That remotely located object will obviously be malware. It could do absolutely anything that the attacker decides...
On a vulnerable PC, perhaps it would install a keystroke logger, to record all the passwords you enter. Or it might overwrite the hosts file, or the nameserver addresses, or a CA root certificate on your PC.
Once he's installed his malware on your machine, he then "owns" your machine. He can snoop on all your browsing. He could use your PC to serve up child !!!!!!, send out spam emails from your machine, hack other computers from your PC (making it look like you hacked them), or he could harvest all your banking login details by doing a man-in-the-middle attack...
It's organised crime..
P.S. Have you noticed that the word mafeeya gets censored on this forum... m...ma...maf...mafi...!!!!!
-
asbokid, nice, thanks, but can you please remove it, otherwise there will be alerts on this page and sessionstore.js (Firefox anyway, equivalent for others). That is why I post images, as they show the script but don't cause alerts. I know you deactivated the link, but it could still generate an alert.
Don't worry, anti-virus software doesn't work that way.. The trigger was caused by a heuristic definition. The definition is based on the likelihood that obfuscated JavaScript eval() code is usually dodgy. However, once the code has been de-obfuscated, the trigger won't occur.
Used appropriately, <iframe /> tags in HTML are benign and commonplace. Normally, they never cause anti-virus software to trigger. If they did, our browsers would grind to a halt: the tags are that common.
What caused the trigger was the dubious method of code obfuscation and its invocation using the JavaScript eval() function.
Once the code is de-obfuscated, the anti-virus software will ignore it.
-
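A toy version of the kind of heuristic described in the post above, added here as an illustration; it is not from the thread and is not any anti-virus product's logic. The indicator weights, the threshold and both script samples are constructed assumptions.

```python
import re
from urllib.parse import unquote

# (name, pattern, weight): assumed values for illustration only.
INDICATORS = [
    ("eval_call", re.compile(r"\beval\s*\("), 2),
    ("decoder_call", re.compile(r"\b(?:unescape|String\.fromCharCode|atob)\s*\("), 2),
    ("long_encoded_run", re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){8,}"), 3),
]
THRESHOLD = 5  # assumed cut-off for raising an alert


def score_script(text):
    """Return (total score, names of the indicators that matched)."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]


def is_suspicious(text):
    return score_script(text)[0] >= THRESHOLD


def deobfuscate(text):
    """Statically unwrap eval(unescape('...')); nothing is executed."""
    m = re.search(r"eval\(unescape\('([^']*)'\)\)", text)
    return unquote(m.group(1)) if m else text


def percent_encode(s):
    """Encode every character as %XX, as the constructed sample below needs."""
    return "".join("%%%02X" % b for b in s.encode("ascii"))


# Constructed samples: an ordinary iframe, and the same code hidden behind eval().
PLAIN = "document.write('<iframe src=\"https://example.invalid/\"></iframe>');"
OBFUSCATED = "eval(unescape('" + percent_encode(PLAIN) + "'));"

if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED),
                          ("de-obfuscated", deobfuscate(OBFUSCATED))):
        score, names = score_script(sample)
        print(f"{label:14} score={score} alert={is_suspicious(sample)} hits={names}")
```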
I have seen/experienced cases where people post code like that, and because it exists in the source code (even escaped sometimes, or in code blocks) an antivirus can still alert.
I simply suggest to use images to avoid that possibility, and avoid the confusion in case it does happen...
-Scott-
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” Richard Feynman
-
Once he's installed his malware on your machine, he then "owns" your machine. He can snoop on all your browsing. He could use your PC to serve up child !!!!!!, send out spam emails from your machine, hack other computers from your PC (making it look like you hacked them), or he could harvest all your banking login details by doing a man-in-the-middle attack...
It's organised crime..
So if the above happens on someone's computer how do you prove you are innocent? Obviously being accused of all that could wreck some innocent person's life.
-
Firetastic wrote: » So if the above happens on someone's computer how do you prove you are innocent? Obviously being accused of all that could wreck some innocent person's life.
If your computer was suspected of serving child !!!!!!, then your hard drive would be whisked away faster than you'd have any time to prove anything. If the computer forensics team are worth anything, they'll probably figure it out for themselves...
-
Fascinating stuff.
Can I ask a question?
I run a basic website from home just to play around, always setting myself new challenges.
I run it from either an old PC with Ubuntu server/Xubuntu desktop or a thin client/FreeNAS. In the Ubuntu logs I'm always seeing various Chinese sites have been trying php/my admin or MySQL/myadmin (possibly that's not exactly correct) type things.
I've always assumed they're trying to get in and hack me as per OP. Can you confirm if that's true?
Move along, nothing to see.
-
For those who are not that technical but are just interested in the whole subject, can I recommend reading some of the stories on the http://krebsonsecurity.com/ website. Obviously if you're technical you'll know where else to go for harder stuff, but I think Brian writes in a way that is accessible (if a bit American focussed) without dumbing down too much.
-
Fascinating stuff.
Can I ask a question?
I run a basic website from home just to play around, always setting myself new challenges.
I run it from either an old PC with Ubuntu server/Xubuntu desktop or a thin client/FreeNAS. In the Ubuntu logs I'm always seeing various Chinese sites have been trying php/my admin or MySQL/myadmin (possibly that's not exactly correct) type things.
I've always assumed they're trying to get in and hack me as per OP. Can you confirm if that's true?
There are loads of vulnerabilities for phpMyAdmin. They will use an exploit that leverages one of those vulnerabilities to gain remote access to those servers.
http://www.phpmyadmin.net/home_page/security/
If you examine those requests in your Apache logs, you can usually discover the vulnerability that the hacker is searching for.
Arguably, the ISPs should be proactively probing their own clients for signs of vulnerability.
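One way to do the log review suggested in the post above, added here as an example that is not part of the thread: it reads Apache combined-format access log lines, groups requests for phpMyAdmin-style paths by source address, and separates probes that were actually served (2xx/3xx) from those that got an error. The path pattern and the log lines are constructed for illustration and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache "combined" access log line; only the fields used below are captured.
LOG_RX = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumed list of admin-panel path names that scanners commonly try.
PROBE_RX = re.compile(r"/(?:php-?my-?admin|pma|myadmin|mysql-?admin|mysql/admin)\b", re.I)

# Constructed sample log (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:04:11:02 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 289 "-" "-"
203.0.113.7 - - [12/Mar/2013:04:11:03 +0000] "GET /pma/ HTTP/1.1" 404 273 "-" "-"
203.0.113.7 - - [12/Mar/2013:04:11:03 +0000] "GET /mysql/admin/ HTTP/1.1" 404 281 "-" "-"
192.0.2.10 - - [12/Mar/2013:09:30:15 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2013:11:02:44 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 8120 "-" "-"
192.0.2.10 - - [12/Mar/2013:11:05:01 +0000] "GET /photos/garden.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""


def find_probes(log_text):
    """Map source IP -> list of (path, status) for admin-panel probes."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if m and PROBE_RX.search(m["path"]):
            by_ip[m["ip"]].append((m["path"], int(m["status"])))
    return dict(by_ip)


def served(probes):
    """Probes answered with 2xx/3xx: that path really exists on this server."""
    return [(ip, path, status)
            for ip, hits in probes.items()
            for path, status in hits if 200 <= status < 400]


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, hits in probes.items():
        print(ip, [p for p, _ in hits])
    print("reachable admin paths:", served(probes))
```

A probe that returns 404 only shows what the scanner was looking for; one that returns 200 means the panel is exposed to the internet and should be removed, restricted to local addresses, or kept patched.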