HTML:sript-inf

I have been getting this message and the site hXXP://dte.org.in is being blocked… it is the website of a university in which I'm trying to seek admission. It cannot be virus prone, please help…

Hi,

"It cannot be virus prone" is wrong. Every other site is and can be virus prone unless it doesn't have any loopholes. The site which you are trying to open contains a script outside the html code. The script contains a malware url. The site may be hacked. If you have the webmaster's email id, you can send him a mail that his site is hacked and give him this link: http://stopbadware.org/, which contains documents on how to clean up the website etc.

You should be happy that avast! has blocked it. You cannot and shouldn’t access the site until the webmaster cleans up the site.

nmb

NoVirusThanks - INFECTED - 3/16
http://scanner.novirusthanks.org/analysis/ffc2fe82320d4869ed98119e47950e25/aW5kZXg=/

VirusTotal - dte.org.in.htm - 6/41
http://www.virustotal.com/analisis/5431f657eb5dde1098e63e65d2d2980b2ed3d025c9ae2457111525de3130bf17-1278320340

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=6aa8ccb32c02c8e1a42259614877fcda&t=1278320393&type=js

I think the redirect goes here
hxxp://fokko.irpublication.org:8080/RAM.js

NortonSafeWeb
http://safeweb.norton.com/report/show?url=http%3A%2F%2Ffokko.irpublication.org%3A8080%2FRAM.js&x=7&y=6

Thanks for the reply… I'll try and mail the administrator.

You are welcome.

nmb

Tell them there is a script tag outside the closing html tag, a standards no-no and highly suspect, image1.

It also tries to run a JavaScript file at what is considered a malicious site, irpublication.org, image2.
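A defender-side check for the indicator described above (a script tag sitting after the closing html tag, pointing at a host other than the site's own), written as an added example that is not part of this thread or of any scanner linked in it; the page host and the sample HTML are constructed placeholders.

```python
"""Flag <script> tags that appear after the closing </html> tag, the
injection pattern discussed in this thread. Added example; the sample
HTML and host names below are constructed, not taken from the thread."""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_trailing_scripts(html: str, page_host: str) -> list[dict]:
    """Return one record per <script> found after </html>.

    Each record holds the src (if any), its host, whether that host
    differs from the page's own host (the external-redirect case), and
    the byte offset of the tag so an admin can locate it in the file."""
    closing = re.search(r"</html\s*>", html, re.IGNORECASE)
    if closing is None:  # no closing tag, so nothing can be "outside" it
        return []
    tail = html[closing.end():]
    findings = []
    for tag in SCRIPT_RE.finditer(tail):
        src_m = SRC_RE.search(tag.group(1))
        src = src_m.group(1) if src_m else None
        # only absolute URLs carry a host; relative paths stay same-origin
        host = urlparse(src).hostname if src and "//" in src else None
        findings.append({
            "src": src,
            "host": host,
            "external": host is not None and host != page_host,
            "offset": closing.end() + tag.start(),
        })
    return findings


# Constructed sample: a normal page with two scripts appended after </html>,
# one loading from a foreign host (placeholder name) and one inline.
SAMPLE_HTML = (
    "<html><head><title>Admissions</title></head>"
    "<body><p>Welcome</p><script src='/js/site.js'></script></body></html>\n"
    "<script src='http://bad.example.invalid:8080/RAM.js'></script>\n"
    "<script>/* inline block appended after the document */</script>\n"
)

if __name__ == "__main__":
    for f in find_trailing_scripts(SAMPLE_HTML, "dte.example.invalid"):
        flag = "EXTERNAL" if f["external"] else "same-origin"
        print(f"script after </html> at byte {f['offset']}: {f['src']} [{flag}]")
```

The same-origin script inside the body is not reported, since only what follows the closing tag is examined.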

Yes… there is a malicious site to which the page is redirected…
i.e. fokko.irpublication.org:8080/index.php?

This site contains the exploit MS06-014… which is critical according to Microsoft, providing hackers a way to run remote code…

Since it's one of the prestigious universities in my country, I am sending an email to the admin of the infected site

& also to the ISP & admin of the site which is hosting the exploit (i.e. fokko.irpublication.org)

Even if it is an old exploit (hosted by fokko.irpublication.org)… 70 to 80% of systems in India (which are used by students, since it's a university website) are vulnerable to such types of attack…!!!

I suggest… $ update and get full patches if you are using XP SP1 or SP2 or Win 2k…
$ other users must update their antivirus & antispyware to prevent such exploits in future…
$ Don't forget to enable the firewall… or get one like Zone Alarm… :P

Thanks nmb & David for your support…

Also thanks to sidanand for addressing the issue… (hope you have sent the email)…!!

It doesn't matter if it is an old exploit, as you would never know what is at the other end of the redirect; as you see in my first image it is targeting ram.js, to try and run that script.

The main point is that the hXXP://dte.org.in site was hacked and they must clean up that injected script. But that isn't enough, they have to find out how they were hacked, usually a vulnerability in old content management software. This has to be updated to close the vulnerability.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Hi folks,

Also found here: http://www.threatlog.com/search/fokko.irpublication.org
Exploit / Browser hijack is a heuristic detection for potentially malicious files that may exploit the Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution Vulnerabilities (BID 39346).
David, it was old, but not that very old; the Trojan was discovered: April 14, 2010

The last time this malicious software was found there was on 2010-07-27.

Malicious software includes 1 exploit as mentioned above.

This site was hosted on 1 network including AS4628 (PACIFIC).

Has this site been hosting malware?
Yes, and this malware has infected 1 domain, e.g. dte.org.in/, and this is on ThreatLog:
http://www.threatlog.com/search/dte.org.in

polonus

Yes, but as I said it doesn't matter if it is old or brand new, as the payload at the end of the redirect is immaterial; it is likely to change on a rotational basis. What is important is killing the injected script, and then it truly doesn't matter what is at the target site as it is no longer redirecting to it.

Which is why I also say it is pointless trying to fathom what lies at the other end of any such hack. So it is: confirm the site is hacked and let them get on with the job of disinfecting their site, as what lies on the other end is beyond their control and interest, I suspect…

Hi DavidR,

Logical, we should address the malware vector first and then the eventual momentary malware, whatever that may be. Without the vector malware cannot materialize, agree with you there, but for me, I am always curious what is at the other end of the vector, just as with the horizon and it is no pot of gold ;D (often malware),

polonus

YES… DavidR is absolutely right… It's not worth finding out what is lying on fokko.irpublication.org
because this can be changed to do a more sophisticated attack…

It's really necessary to kill the injected script…

And it will be a good challenge for the dte.org.in admin to find how the script has been injected there…!!

I just checked… online website scanners… are also indicating something wrong with the website…!!!

And the worst part is… this script has been there… for more than a month or 2

Hi manohajuje,

Our data shows many previously infected websites are still infected with hidden malicious script injections today. Due to different obfuscation techniques, detection by a majority of the antivirus vendors remains poor; however, avast has very good detection with the shields,

polonus

Yes polonus… you are right…

But I am more concerned about that site… because it's my OWN UNIVERSITY's SITE…

And I really feel bad… when people neglect security… because that malicious script has been there for
more than a month and no one has bothered to notice

Anyways… thanks for the support from you guys…!!!

Hi manojahuje,

Try to bring this thread under the attention of the staff that is responsible for that site's security; they may take it more seriously then and cleanse the website accordingly. You could also mail the webmaster abuse address…

polonus

Yes polonus… you are right…

But I feel bad about the people… who don't take security seriously… because that script has been there for more than
a month…

And no one has bothered to watch… what's out there…!!!

Anyways, thanks to all of you guys for supporting…

I already notified them about the incident…

Hope they will take the necessary steps…!!