
Re[2]: what is this?

---> figure out why my antivirus randomly pops up? I

The exploit is served the first time you load an infected page and then very
infrequently after that (it was originally thought that it is delivered
only ONCE per visiting IP, but some people put this to the test and
found that the exploit will appear more than once to a single IP/visitor
- however, it will always appear the first time you hit an infected site).

More on this in the theregister.co.uk link - follow the Comments link in
that article and read the comments.

---> I don't think it's a problem with my script, otherwise I could have found
---> the code

The machine serving the malware has been rooted, i.e. an LKM rootkit is in
place which replaced several system binaries and even has self-defences
in place (e.g. you can't compile a new kernel on an infected machine AND
even if you take a kernel compiled on a clean box, and boot it, it will
be infected after boot) - read the webhostingtalk link/discussion for
more info.

In short, if you need to stop the system from serving the malware there
IS a way to do it (contact Scott.MC from WHT) - he will clean the
exploit. However, the thing that is still unknown is how the initial root
compromise is achieved in order for the rootkit to be installed in the
first place, i.e. your box is still rootable even when it gets cleaned by

.---> this issue in the techicorner.com or on tubeley.com or on
---> secgeeks.com?

None of those sites load for me, I'm guessing you took the box offline
for an OS reload. Most people who performed an OS reload had the same
exploit hit them again after a very short time. Only way to stop the
exploit (not the root compromise) is to boot into a clean kernel with
the grsec patch which is set to deny writing to /dev/mem (according to
Scott) - but if your box is already compromised, you will also need to
replace the system binaries that were replaced by the rootkit, with
clean ones.

Maybe I've said too much ... all of this info is on those 2 links in my
initial reply. Read them from start to finish if you really want to
'digg this issue' 


On Tue, 15 Jan 2008 11:42:33 +0530
"crazy frog crazy frog" <i.m.crazy.frog@xxxxxxxxx> wrote:

---> Well,
---> I received many responses but no one is perfect. I checked the files and
---> didn't find anything embedded in my scripts or pages. Still, I have to
---> figure out why my antivirus randomly pops up? I mean most of the time
---> it doesn't detect any infection but then suddenly this thing happens
---> and then everything seems OK.
---> I don't think it's a problem with my script, otherwise I could have found
---> the code or it should be repeating consistently. Is anyone still facing
---> this issue in the techicorner.com or on tubeley.com or on
---> secgeeks.com?
---> Let me know, I'm trying hard to digg this issue.
---> On Jan 15, 2008 10:46 AM, Denis <sp23@xxxxxxxxxxxxxxxx> wrote:
---> > This is a very serious new threat affecting Linux servers and thousands
---> > of boxes have been compromised since December 2007.
---> >
---> > Each box serving the nasty javascript has been rooted. One person has
---> > found a way to CLEAN the infection (ie. stop your server from serving
---> > the bad javascript), however not the root hole ie. the servers in
---> > question are still rooted as nobody so far has found what hole is being
---> > exploited to gain root access in the first place.
---> >
---> > See the following urls for a lot more info on this exploit:
---> >
---> > http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
---> > starts on page 3 or so)
---> >
---> > http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
---> >
---> > Time for some honey pot action to find out how they're gaining root
---> > access to begin with. From all reports so far it does not appear to be a
---> > kernel vulnerability (as some of the affected servers were using latest
---> > kernels)
---> >
---> > Cheers,
---> > Denis
---> >
---> >
---> > On Sun, 13 Jan 2008 21:31:34 +0530
---> > "crazy frog crazy frog" <i.m.crazy.frog@xxxxxxxxx> wrote:
---> >
---> > ---> Hi,
---> >
---> > --->
---> > ---> Recently, on opening one of my sites, my antivirus pops up saying that it
---> > ---> has found one malicious script. The URL is random and I have managed to
---> > ---> get that script. It is using some flaw in Apple QuickTime.
---> > ---> You can get the zip file for the JavaScript here:
---> > ---> http://secgeeks.com/what.zip
---> > ---> password is 12345
---> > ---> Can somebody guide/help me what is this and how can I remove it?
---> > --->
---> > ---> --
---> > ---> advertise on secgeeks?
---> > ---> http://secgeeks.com/Advertising_on_Secgeeks.com
---> > ---> http://newskicks.com
---> >
---> > Denis
---> >
---> -- 
---> advertise on secgeeks?
---> http://secgeeks.com/Advertising_on_Secgeeks.com
---> http://newskicks.com
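
An added example, not part of the original thread: because the files on disk look clean while the injected script is served only on the first hit and rarely afterwards, one way to catch it is to compare the script tags in several captured responses against the copy on disk. It assumes a static page; the HTML, the `/RANDOM-NAME-PLACEHOLDER.js` path and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script> as (src, inline body) so pages can be compared."""
    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.add((self._src, "".join(self._body).strip()))
            self._in_script = False

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def injected_scripts(on_disk_html, served_responses):
    """Return {response index: scripts that were served but are not in the file on disk}."""
    baseline = scripts_in(on_disk_html)
    findings = {}
    for i, body in enumerate(served_responses):
        extra = scripts_in(body) - baseline
        if extra:
            findings[i] = sorted(extra, key=lambda s: (s[0] or "", s[1]))
    return findings

# Constructed sample data: the first response carries an extra script, later ones do not.
ON_DISK = '<html><head><script src="/js/site.js"></script></head><body>Hello</body></html>'
INJECTED = ON_DISK.replace("</head>", '<script src="/RANDOM-NAME-PLACEHOLDER.js"></script></head>')
SERVED = [INJECTED, ON_DISK, ON_DISK, ON_DISK]

if __name__ == "__main__":
    print(injected_scripts(ON_DISK, SERVED))
```

A single clean fetch proves nothing here; the responses should be captured from outside the server and from addresses that have not visited the site before.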