Defacement on site - avast! Web Shield detects as HTML:Defacement-N[Trj]

See: http://maldb.com/sweetforms.com/# and http://urlquery.net/report.php?id=8592380
See search results for “htxp://c0.histats.12mlbe.com/jsx01/7/1950229/66,63”
avast detects on contact.php | {gzip}
Defacing a website simply means that we replace the index.html file with the defacement file.
The attacker finds a target website via searching for and finding vulnerability points on websites.
Also PHP shell/web defacement tools can be used.
Keeping the CMS software up to date and using input and output validation can prevent a lot of awe.

polonus

Nice message from the hacker(s) to the admin. :slight_smile:

0 detections on Virustotal: https://www.virustotal.com/de/url/7b571d2086b5652dfe4324e98eacfb0dd48960c186a1deb90d09501bf7e85490/analysis/1388266040/

McAfee gives suspicious: http://www.siteadvisor.com/sites/sweetforms.com

Sucuri detects the defacement: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fsweetforms.com

Hi Steven Winderlich,

VT result for src: https://www.virustotal.com/nl/url/f48536b4e96428b1fdf74a44cef1ea5cbcd1ef89607913550c6417e767eb4836/analysis/1388266084/
It is interesting to read here about reversing this malcode and analyzing it: http://viralgandhi1990.blogspot.com/
this on the use of htxp://c0.histats.12mlbe.com/jsx01/7/1950229/66,63
blog article author = viral gandhi
With a custom scan like this the defacement is missed: http://zulu.zscaler.com/submission/show/98aaf072cd15486def01bd07cb9a2a85-1388265991
while Sucuri’s gives all the ins and outs: http://sitecheck.sucuri.net/results/sweetforms.com
A lot of malcode closed now for IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=69.175.79.169&sort=email%20asc,review%20desc
for external link see: http://psyon.org/tools/dns_lookup.php?hostname=xover3.jkt.3d.x.indowebster.com&type=any

pol

Detected by avast
https://www.virustotal.com/en/file/6f7eed4817b3999ae201390cac7460b3d7def3dc4a39c6ec4fe1ba44426a883b/analysis/1388267295/

Hi Pondus,

he already said that in the title of this topic and in his first post. :wink:

Hi Steven Winderlich,

Pondus posted this as a sort of a “QED”, as that what had to be demonstrated ;D
for those that missed that in the topic line :wink:

pol