SPAM frauds, fakes, and other MALWARE deliveries - archive

JBoss worm-in-the-wild

FYI...

JBoss worm-in-the-wild
- https://isc.sans.edu/diary.html?storyid=11860
Last Updated: 2011-10-21 02:06:15 UTC ...(Version: 2) - "A worm is making the round infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. The worm exploits an older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem has been fixed last year, but there are apparently still a number of vulnerable installs out there. If you do run JBoss, please make sure to read the instructions posted by RedHat here:
- http://community.jboss.org/blogs/mj...g-security-threat-to-jboss-application-server
Analysis of the worm: http://pastebin.com/U7fPMxet "
___

- http://www.theregister.co.uk/2011/10/26/jboss_worm/
26 October 2011 - "... The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – in order to attack new machines. The worm's payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines... exploits with a patch available for over a year accounted for 3.2 per cent of compromises..."

:fear::fear:
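The configuration problem described in the ISC entry above can be checked for in a deployment descriptor. The following is an added example, not code from the ISC diary, Red Hat or the original post: it parses a web.xml and reports every security constraint that lists explicit http-method elements, since under the servlet specification such a constraint applies only to the listed methods. The sample descriptors, role name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Methods used for reporting what is left uncovered (assumed list).
KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: authentication is required, but only for GET and POST.
WEAK_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminConsole</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: no http-method elements, so every method is covered.
FIXED_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminConsole</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace so old and new descriptor versions both match."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def audit_web_xml(xml_text):
    """Return one finding per resource collection whose authentication
    requirement is limited to an explicit list of HTTP methods."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        if not _children(constraint, "auth-constraint"):
            continue  # constraint does not require authentication
        for collection in _children(constraint, "web-resource-collection"):
            listed = {(m.text or "").strip().upper()
                      for m in _children(collection, "http-method")}
            listed.discard("")
            if not listed:
                continue  # no method list: the constraint covers all methods
            findings.append({
                "url_patterns": [(p.text or "").strip()
                                 for p in _children(collection, "url-pattern")],
                "protected": sorted(listed),
                "unprotected": sorted(KNOWN_METHODS - listed),
            })
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        results = audit_web_xml(doc)
        print(label, "->", results if results else "all methods covered")
```

Run it against the web.xml of each deployed management application; an empty result means no constraint is restricted to a method list.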
 
Fake jobs: jobbworld .com, yourjobb .com, canada-newjob .com, netherlandjobb .com...

FYI...

Fake jobs: jobbworld .com and yourjobb .com
- http://blog.dynamoo.com/2011/10/fake-jobs-jobbworldcom-and-yourjobbcom.html
23 October 2011 - "Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.
jobbworld .com
yourjobb .com
This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address..."

Fake jobs: canada-newjob .com, netherlandjobb .com and newjobrecruit .com
- http://blog.dynamoo.com/2011/10/fake-jobs-canada-newjobcom.html
20 October 2011 - "Another bunch of domains being used to peddle fake jobs:
canada-newjob .com
netherlandjobb .com
newjobrecruit .com
These domains form part of this long running scam. You may find that the emails appear to come from your own email address..."

:mad::mad:
 
Mass SQL Injection attack hits 1 million sites

FYI...

Mass SQL Injection attack hits 1 million sites
- http://www.darkreading.com/taxonomy/index/printarticle/id/231901236
Oct 19, 2011 - "A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said*... According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon's infiltration. "This is very similar to LizaMoon," says Wayne Huang, CEO of Armorize, who, with his team, first reported of an injected script dropped on ASP.NET websites that load an iFrame to initiate browser-based drive-by download exploits on visitor browsers to the site. Initial reports by Armorize showed that 180,000 Web pages had been hit* by the offending script, but Huang told Dark Reading that a Google search resulted in returns for more than 1 million Web pages containing the injected code..."
* http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html
"... The script causes the visiting browser to load an iframe first from www3 .strongdefenseiz .in and then from www 2.safetosecurity .rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser... if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc). This wave of mass injection incident is targeting ASP ASP.NET websites..."
> https://www.virustotal.com/file-sca...b428226a97642e575f4066a4847c3877aa-1319203779
File name: file-2979089_
Submission date: 2011-10-21 13:29:39 (UTC)
Result: 30/42 (71.4%)
___

Dissecting the Ongoing Mass SQL Injection Attack
- http://ddanchev.blogspot.com/2011/10/dissecting-ongoing-mass-sql-injection.html
Oct 20, 2011

- https://encrypted.google.com/ ...
Oct. 25, 2011 - "... about 1,610,000 results..."

:mad::fear::mad:
 
Targeted malware attack shows how Fast Fingerprinting works

FYI...

Targeted malware attack shows how Fast Fingerprinting works
- http://nakedsecurity.sophos.com/2011/10/24/targeted-malware-attack-fast-fingerprinting-works/
October 24, 2011 - "... technology is helping anti-virus researchers detect malicious Microsoft Office files, by examining if they fail to conform to the OLE2 file format specification... two differences between the new malware sample and previous ones are:
- The case of the Workbook stream had been changed to workbook...
- Previous incarnations had contained the unicode string "HP LaserJet" at offset 0x638 and the new version has had the first four characters "HP L" overwritten with nulls.
At the time of analysis, detection of this malware by other vendors wasn't very good... according to VirusTotal, detection has improved*. If your computer wasn't updated with Microsoft's MS09-067** security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC."
* https://www.virustotal.com/file-sca...827643073a996893beb577e033e7ab0241-1319198077
File name: e6d3bf9d5ba93ec6444612f819029e52942100f7.bin
Submission date: 2011-10-21 11:54:37 (UTC)
Result: 17/43 (39.5%)

Microsoft Office Excel ...
** http://www.microsoft.com/technet/security/bulletin/MS09-067.mspx

:fear::mad:
 
Facebook spam evolves...

FYI...

Facebook spams evolved
- http://techblog.avira.com/2011/10/25/facebook-spams-evolved/en/
October 25, 2011 - "... links usually redirect in two steps to a Canadian Pharmacy website where various (fake) meds are offered at unbelievable prices. We have noticed a new type of mail which at the first glance seems to be from the mentioned category. This time, there is a text:
“Please call +7 951 xyzq”.
According to its prefix, the number is from Russia... if we consider that the numbers starts with “9" then I think I can assume that it is a very expensive number... Can it be that the Canadian Pharmacy spam doesn’t bring anymore enough money to the spammers and they are searching for new methods of getting some easy money? Fortunately for us, the spam is malformed and it is quite easy to detect it as spam. But this opens a new chapter in Facebook related spam – now those who are not aware of such scams can lose some serious money. Facebook will never ask you to call any number. They will also never send you such a notification and definitely your Facebook Inbox will never get full. We strongly advise all users to never call any number present in such emails."

:fear::mad:
 
URL shorteners actively circumvent spam filters

FYI...

URL shorteners actively circumvent spam filters

Bulk Registrars, URL Shorteners, Dynamic DNS Providers
- http://www.malwaredomains.com/wordpress/?p=2147
October 27th, 2011 - "We’ve been maintaining lists of Bulk Registrars, Dynamic DNS Providers, and URL Shorteners...
http://www.malwaredomains.com/wordpress/?p=1991
We just added a new list of “unverified” URL Shorteners here: http://mirror1.malwaredomains.com/files/url_shorteners-unverified.txt
We’ll be going through the URLs and adding them to the main list once they have been verified. If anyone wishes to help in this effort, please let us know."

- http://www.digitaltrends.com/web/spammers-create-and-launch-url-shortening-services-to-hide-links/
October 25, 2011 - "According to new information from researchers at Symantec, a group of spammers have created a group of 87 spam-friendly, public URL shortening services and are actively using them to circumvent spam filters on popular sites. Using URL shortening scripts that are free and open source, the spammers are churning spam through the service..."

:sad::fear:
 
“ce.ms” free domains... host malicious code

FYI...

“ce.ms” free domains... host malicious code
* http://research.zscaler.com/2011/10/now-cems-free-domains-are-being-used-to.html
October 27, 2011 - "...it appears that attackers are leveraging free “.ce.ms” domains. Likewise, we have identified a number of .ce.ms domains exploiting various known client side vulnerabilities. Here are a few of the URL’s being used:
hxxp ://27glshegbslijels .ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp ://hhhjjjjj111111 .ce.ms/main.php?page=423b262d0a1a9f70
hxxp ://00000000000000 .ce.ms/main.php?page=423b262d0a1a9f70
hxxp ://24sjegohmjosee .ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp ://44444444444444444 .ce.ms/main.php?page=423b262d0a1a9f70
The aforementioned domains suggest that random domain names are being registered to host these attacks. Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of HTML file becomes huge and the total code spans 29K lines... Attackers keep registering different random domains to spread their attacks, often targeting free registration services. Due to obfuscation used by the attackers, security solutions relying on regular expressions designed to match known patterns can often be evaded due to the code being spread over numerous lines..."

- http://sunbeltblog.blogspot.com/2011/10/then-cocc-now-cems.html
October 30, 2011 - "... Late last week, our friends at Zscaler* discovered that cybercriminals have now moved to hosting their wares on "ce.ms" domains (.ms being the top-level domain for Montserrat, an island in the West Indies). A simple Google search led me to several forums and personal blog posts as early as June of this year complaining about getting fake AVs from such sites, with the Zscaler discovery looking much more complex..."

:mad::fear:
 
The Market for stolen credit cards data...

FYI...

The Market for stolen credit cards data...
- http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html
October 31, 2011 - "What's the average price for a stolen credit card? How are prices shaped within the cybercrime ecosystem? Can we talk about price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards known as dumps or full dumps, nowadays?... the market for stolen credit cards data... 20 currently active and responding gateways for processing of fraudulently obtained financial data.
Key summary points:
Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale in a DIY market fashion
• The majority of the carding sites are hosted in the Ukraine and the Netherlands...
• Four domains are using Yahoo accounts and one using Live.com account for domain registration...
• Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals to hide their real IPs by using the malware infected hosts as stepping stones.
The dynamics of the cybercrime ecosystem share the same similarities with that of a legitimate marketplace. From seller and buyers, to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing. With massive dumps of credit card details in the hands of cybercriminals, obtained through ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details..."
(More detail at the ddanchev URL above.)

More here:
- https://krebsonsecurity.com/2011/10/turning-hot-credit-cards-into-hot-stuff/
October 31st, 2011
___

- http://www.businessinsider.com/beware-credit-card-fraud-will-pound-your-credit-score-2011-11
Nov. 1, 2011

:mad::mad:
 
New cyber attack targets chemical firms: Symantec

FYI...

New cyber attack targets chemical firms: Symantec
- http://www.reuters.com/article/2011/10/31/us-cyberattack-chemicals-idUSTRE79U4K920111031
Oct 31, 2011 - "At least 48 chemical and defense companies were victims of a coordinated cyber attack that has been traced to a man in China, according to a new report from security firm Symantec... Computers belonging to these companies were infected with malicious software known as "PoisonIvy", which was used to steal information such as design documents, formulas and details on manufacturing processes... The cyber campaign ran from late July through mid-September..."

"Nitro" attacks
- http://www.symantec.com/content/en/...ty_response/whitepapers/the_nitro_attacks.pdf

> http://www.h-online.com/security/ne...nage-crosshairs-1369800.html?view=zoom;zoom=1

:mad::mad:
 
Duqu: status - 0-Day Exploit

FYI...

Duqu: status - 0-Day Exploit
- http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
Nov. 1, 2011 - "... an installer has recently been recovered due to the great work done by the team at CrySyS. The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries...
Key updates...
• An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
• Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
• Six possible organizations in eight countries have confirmed infections
• A new C&C server (77.241.93.160) hosted in Belgium was discovered and has been shutdown..."
(More detail at the symantec URL above.)

Graphic:
- http://www.symantec.com/connect/sites/default/files/images/duqu_flow.png

:mad:
 
Webinjects - underground market

FYI...

Webinjects - underground market
- http://www.trusteer.com/blog/webinjects-sale-underground-market
November 02, 2011 - "... cybercriminals have been busy developing webinjects for Zeus and Spyeye to orchestrate and develop malevolent attacks against certain brands. Webinjects are malware configuration directives that are used to inject rogue content in the web pages of bank websites to steal confidential information from the institution’s customers... Trusteer’s research team has discovered that these webinjects are being offered for sale on many open internet forums... developers are earning a decent income from selling the Zeus/Spyeye webinjects service to an increasingly diverse customer base... the developers have gone to the trouble of obfuscating the Zeus/Spyeye webinjects, not because they want to confuse malware researchers, but to try and prevent piracy of their software... webinjects can’t be modified by the 'customer', if they need localization for a specific country and language, this can only be carried out by the developers... for a price... resale is rife. Those that have purchased a copy of webinject are openly -reselling- their version to anyone wanting to steal the same information from victims... From the advertisements we’ve seen there are multiple targets, including British, Canadian, American, and German banks..."
(More detail at the trusteer URL above.)

- http://www.abuse.ch/?p=2986
December 21, 2010 - "... the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victims online bank account..."

:mad::mad:
 
MIT server hijacked... used by hacks to compromise other websites

FYI...

MIT server hijacked - used by hacks to compromise other websites
- https://www.computerworld.com/s/art...hijacked_and_used_in_drive_by_attack_campaign
November 3, 2011 - "A server belonging to the Massachusetts Institute of Technology was commandeered by hackers who used it to launch attacks against other websites as part of a larger drive-by download campaign, according to antivirus vendor BitDefender*... The rogue script hosted on the MIT server searched for vulnerable installations of phpMyAdmin, a popular Web-based database administration tool. When the script finds a server with phpMyAdmin version 2.5.6 through 2.8.2, it exploits a vulnerability in the application and injects malicious code into the underlying databases. This attack campaign started in June and resulted in over 100,000 compromised websites so far... The company's researchers believe that the attacks are related to the Blackhole Exploit Pack, one of the most popular drive-by download toolkits currently used by cybercriminals. Users visiting websites compromised in this campaign will be redirected to exploits for vulnerabilities in Java and other browser plug-ins, which try to install malware on their computers... As far as the BitDefender researchers could tell, the server is still online, but no longer attacking websites... The fact that these servers have considerable resources and bandwidth at their disposal is also appealing to cybercriminals and could cause problems for less powerful systems that find themselves attacked. The denial-of-service effect on the smaller systems can be easily mitigated by filtering traffic from the offending IP addresses. However, most of the time hackers don't care if that happens because they use a hit-and-run approach... Webmasters are advised to remove old applications from their servers or keep them updated even if they are only rarely used. They should also review the server logs regularly for unusual requests that could be an indication of an attack in progress. 
Drive-by download toolkits like Blackhole continue to be popular with cybercriminals because a large number of users do a poor job of keeping their operating systems, browsers and other Internet-facing software up to date."
* http://www.malwarecity.com/blog/hacked-edu-website-serves-all-you-can-eat-dos-1199.html
2 November 2011

:fear::mad::fear:
 
5-M new malware samples... Q3 2011

FYI...

5 million new malware samples - Q3 2011
- http://pandalabs.pandasecurity.com/pandalabs-report-q3-2011/
Nov 3 - PandaLabs Report – Q3 2011 - "... PandaLabs Report Q3 11 is out... In this quarter 5 million new malware samples have been created and the record of new Trojans has been broken as it is the preferred category by cybercriminals to carry out their theft of information... The highlight of this third quarter is the record set in the creation of new Trojan samples. 3 out of 4 new malware samples created by cybercriminals are Trojans and this is just another proof that they are focused on stealing users information."
* http://press.pandasecurity.com/wp-content/uploads/2011/10/PandaLabs-Report-Q3-2011.pdf
PDF file 2.9MB - 18 pgs.

:fear::spider::mad:
 
Pirate Bay - malware for Macs...

FYI...

Pirate Bay - malware for Macs
- http://www.f-secure.com/weblog/archives/00002265.html
November 4, 2011 - "We recently analyzed DevilRobber.A, a Mac OS X malware that has both backdoor and trojan-like capabilities. All the samples we've collected so far were from torrents uploaded by a single user account on The Pirate Bay website... The files shared were legitimate Mac applications, but modified to include the malware's components... the malware author had varying purposes for each of his creations. One variant steals the Keychain of the infected machine and logs the number of files on the system... Graham Cluley* speculates may be referring to "pre-teen hardcore pornography". It appears as though the malware author is trying to find illegal child abuse materials, by spotting which infected machine has the most pornography and using its credentials to gain access to the materials. Other variants install applications related to Bitcoin mining. These applications use both the CPU and GPU computational power of the infected machines, which improves the mining operations at the computer owner's expense... all the variants we've seen log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet. All variants also perform the following:
• Opens a port where it listens for commands from a remote user.
• Installs a web proxy which can be used by remote users as a staging point for other attacks.
• Steals information from the infected machine and uploads the details to an FTP server for later retrieval..."
* http://nakedsecurity.sophos.com/201...rse-spies-on-you-uses-gpu-for-bitcoin-mining/

:fear::mad:
 
Phone scam targets PC users with phony virus reports

FYI...

Phone scam targets PC users with phony virus reports
- http://www.zdnet.com/blog/bott/phone-scammers-target-pc-users-with-phony-virus-reports/4198
Updated 7-November with additional details - "Online con artists are targeting PC users worldwide in a brazen scam. It starts with a phone call from a “tech support specialist” who warns that your computer is infected with a virus. To fix things, all you have to do is give the caller remote access to your PC... it starts with a phone call from someone who claims to be affiliated with Microsoft or another legitimate company or government agency. The caller then asks for the primary computer user in the house, who is told: “Your computer has downloaded a virus.” And, of course, the caller is ready and willing to fix the problem. All you have to do is navigate to a web site, click a link to install some remote-control software, and allow the “technician” to get to work. [NOT] The perps are using legitimate remote-assistance software, like the Ammyy Admin program from Ammyy Software Development, which posted a warning* that included some reports the company has received from scam victims..."
(More details at the zdnet URL above.)
* http://www.ammyy.com/en/admin_mu.html
___

- https://www.trusteer.com/blog/apply-security-online-protect-yourself-offline
November 08, 2011

:mad::mad:
 
Fake USPS e-mail w/PDF malware...

FYI...

Fake USPS e-mail w/PDF malware...
- http://sunbeltblog.blogspot.com/2011/11/pdf-malware-is-back-in-season.html
November 10, 2011 - "... an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it's either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be varies, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer... seeing an uptick of this particular campaign, which pose as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label"... When executed, it connects to the IP address, 91(dot)221(dot)98(dot)29, and downloads the file named step.exe, which is a variant of FakeSysDef, a rogue malware. It also checks on the following websites, all of which are from Russia:
followmego12(dot)ru
hidemyfass87111(dot)ru
losokorot7621(dot)ru
mamtumbochka766(dot)ru ...
... we detect this malware as Trojan.Win32.Generic!BT. As always, steer clear from these kinds of emails..."

Fake USPS Package Delivery Notification E-mail Messages...
- http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=24212
November 10, 2011 - "... The text in the e-mail message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code..."

:mad:
 
73,000 daily malware threats created...

FYI...

73,000 daily malware threats created...
- https://www.computerworld.com/s/art...ts_200_millionth_piece_of_cloud_based_malware
November 11, 2011 - "... CI uses the Internet "community" - users of Panda's free CloudAntivirus, along with other companies and collaborators - to locate malware... ranging from viruses to worms, Trojans, spyware and other attacks. CI now has a database of more than 25 terabytes of cloud-based classification data... According to Panda, a third of all the malware in existence was created in the first 10 months of 2010. The average number of threats created daily rose from 55,000 in 2009 to 63,000 in 2010 to 73,000 this year..."
> http://dashboard.csoonline.com/

- http://www.av-test.org/en/statistics/malware/

:mad: :mad: :mad:
 
Htaccess redirection - malware...

FYI...

Htaccess redirection - malware ...
- http://blog.sucuri.net/2011/11/htaccess-redirection-to-sweepstakesandcontestsinfo-dot-com.html
November 14, 2011 - "Since last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to hxxp ://sweepstakesandcontestsinfo .com/ nl-in .php?nnn=555. This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days that we started to see it being done via .htaccess... anyone that visits the compromised sites from a search engine will get redirected (and some times have their personal computer compromised). This is what happens on the browser of the visitor:
• Visits compromised site by clicking from a search engine
• Browser is redirected to sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 (and variations)
• Browser is redirected to hxxp ://www4.personaltr-scaner.rr.nu/?gue5mx=i%2BrOmaqtppWomd%2FXxa.. (or www3 .bustdy .in or www3 .strongdefenseiz .in and variations)
• Browser is again redirected to hxxp ://rdr.cz.cc/ go.php?6&uid=7&isRedirected=1 (and other domains)
From there, it can be sent to online surveys
(hxxp ://www.nic.cz.cc/redir2/?hxxp ://surveyfinde.com/d/local-job-listings .net), malware web sites, fake search engines and anywhere the attackers decide.
>> If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here:
- http://sitecheck.sucuri.net
... we are seeing it being used in combination with timthumb.php attacks and on outdated Joomla/WordPress sites. So you have to make sure all of them are updated to avoid getting reinfected. *Also, the site is -not- blacklisted by Google (or in any major blacklist)..."
? - http://forums.spybot.info/showpost.php?p=415962&postcount=91
____

Bash commands to detect script injections and malware
- http://www.malwaredomains.com/wordpress/?p=2184
November 14th, 2011 - "This was posted a while ago on stopbadware and it’s too good not to repost… The first one will find any javascript file that contains the string “eval(unescape” which is the most common way of injecting malicious code. The second is a similar method for PHP files (source*)... If you run a CMS, making this a “cron” script to run on a regular interval may not be a bad idea* .. (Note: Linux only… If anyone is running the equivalent commands on windows, please let us know)... [In addition to using a “sitecheck” service like sucuri...]"

* https://badwarebusters.org/stories/show/20712
"Not so long ago my site and other domains hosted on my server were injected with malware PHP scripts that caused all sorts of damage, including amending javascript files to display ads to people who visited my sites. The scripts also self-replicated, and accepted commands from an external source to run on my server. These 2 bash commands saved my life and I would like to share them with the world. The first one will find any javascript file that contains the string “eval(unescape” which is the most common way of injecting malicious code. The second is a similar method for PHP files.
find . -name "*.js" | xargs grep -l "eval(unescape"
find . -name "*.php" | xargs grep -l "eval(base64_decode"
Seek and destroy!"

:fear::mad::fear:
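The two checks discussed in this post, the .htaccess review and the two find/grep commands, as one added example (not code from Sucuri, malwaredomains or the quoted badwarebusters post). It flags RewriteRule lines that send visitors arriving from a search engine to an external host, and searches .js and .php files for the same two strings with whitespace and line breaks tolerated; being Python it also runs on Windows. The search-engine list, file names and the redirect.example host are constructed assumptions.

```python
import os
import re
import tempfile

# Search-engine names looked for in HTTP_REFERER conditions (assumed list).
SEARCH_ENGINES = ("google", "bing", "yahoo", "aol", "yandex", "baidu")

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
ANY_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL = re.compile(r"^https?://([^/\s]+)", re.I)

# The two grep strings from the post, tolerant of whitespace and newlines.
SCRIPT_PATTERNS = {
    ".js": re.compile(r"eval\s*\(\s*unescape"),
    ".php": re.compile(r"eval\s*\(\s*base64_decode"),
}

# Constructed sample web root used by demo().
SAMPLE_FILES = {
    ".htaccess": "RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing).*$ [NC]\n"
                 "RewriteRule .* http://redirect.example/in.php?nnn=555 [R,L]\n",
    "js/menu.js": "var a = 1;\neval (\n  unescape('%61%6c')\n);\n",
    "index.php": "<?php echo 'hello'; ?>\n",
}


def htaccess_findings(text):
    """Return (line_number, target_host) for each RewriteRule that sends
    visitors arriving from a search engine to an external host."""
    findings, from_search = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = REFERER_COND.match(line)
        if cond:
            if any(name in cond.group(1).lower() for name in SEARCH_ENGINES):
                from_search = True
            continue
        rule = ANY_RULE.match(line)
        if rule:
            target = EXTERNAL.match(rule.group(1))
            if from_search and target:
                findings.append((lineno, target.group(1).lower()))
            from_search = False  # conditions apply only to the next rule
    return findings


def script_finding(path, text):
    """True if a .js or .php file contains the marker for its file type."""
    pattern = SCRIPT_PATTERNS.get(os.path.splitext(path)[1].lower())
    return bool(pattern and pattern.search(text))


def scan_tree(root):
    """Walk a web root and return sorted (relative_path, reason) tuples."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name != ".htaccess" and ext not in SCRIPT_PATTERNS:
                continue
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for lineno, host in htaccess_findings(text):
                    hits.append((rel, f"line {lineno}: search-engine "
                                      f"visitors redirected to {host}"))
            elif script_finding(name, text):
                hits.append((rel, "eval-of-decoded-string marker"))
    return sorted(hits)


def demo():
    """Write the constructed sample files to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reason in results:
        print(f"{path}: {reason}")
```

Pass a web root as the first argument to scan it; hits are candidates for manual review, since legitimate rewrite rules and scripts can also match.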
 
2011-Q3 Security threat report...

FYI...

2011-Q3 Security threat report - Trend Micro
- http://blog.trendmicro.com/microsoft-and-us-no-longer-top-threat-vectors-for-q3/
Nov. 15, 2011 - "... Google replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter - 82. This is due to the increasing number of vulnerabilities found in Chrome, which continues to grow in popularity. Oracle came in second place, with 63 vulnerabilities, while Microsoft fell to third place with 58 vulnerabilities. Furthermore, the United States, which normally takes the top spot in the list of spam-sending countries dropped out of the top 10 list and was replaced by India and South Korea... researchers also witnessed a significant shift in terms of cybercriminal attack targets. The attacks have changed from being massive in nature - those aimed at affecting as many users as possible, to targeted, particularly those against large enterprises and government institutions... trends seen during the third quarter are already taking place halfway into the fourth quarter, with the addition of attacks leveraging the holidays. Attackers will further hone their attacks to target specific entities and will continue leveraging mobile platforms and social media..."
(More detail available at the trendmicro URL above - the complete report [PDF] here*)
* http://us.trendmicro.com/imperia/md...esearchandanalysis/3q_2011_threat_roundup.pdf

:fear: :fear:
 