Found on the criticalsecurity list: https://www.virustotal.com/url/27201c77b60f13074762d9aeec4d5912d598d0d73f5eff1918ed319885321b50/analysis/1328542810/
See: http://vscan.urlvoid.com/analysis/8561a5cafe01b71e76fd2fa5fa60df60/Ym9nZWwtcGhw/
Down: PHP/Spy.Ettu.D? Can someone verify?
I see an infected image file here: http://img.youtube.com.verdadebiblica.net/bogel.php 200 image/gif
For contents thereof, see: -http://jsunpack.jeek.org/?report=c0980118428d55714c4674620f42cebee433bec0
(visit the above-mentioned link only if you are security savvy enough, with ample script protection and in a VM)
At first there was the image tag and later the malcode was injected: 1767 bytes, 18 hidden,
polonus
Hi Pondus,
So, not yet detected by avast? More RFI (=Remote File Inclusion) attacks of this pattern?
-/img.youtube.com.cpct.co.uk/bogel.php
and
-//img.youtube.com.pousadacayana.com.br/bogel.php
See for instance this bizimbal report: -http://www.bizimbal.com/odb/details.html?id=1162737
(On the last-mentioned webpage the avast webshield may alert for PHP:Small-AG[Trj], without any payload, but going there you are warned of that alert from the webshield),
polonus
Pondus
February 6, 2012, 4:42pm
img.youtube.com.dekofilm.ro/protected.php
VirusTotal - 15/43
https://www.virustotal.com/file/2bcc7261416bcef8da36472e889404cc2d11e8063dbbd70e85585e11c075bfa4/analysis/1328546300/
the rest seems to be dead…
Hi Pondus,
This seems to be embroidering on the same pattern: -http://blogger.com.antesagoradepois.com/depois.php
See: -http://jsunpack.jeek.org/?report=c298fe376d8688530a76d8d27b2f18b597bdcae6
Go to the jsunpack link only if you are security savvy enough, with ample script protection and in a VM!
About this: http://forums.oscommerce.com/topic/362312-anyone-seen-this-hack-before/ forum poster = alex hill. .htaccess hack malware contents start with ^?php # Web Shell by boff
polonus
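The hostnames reported in this thread share one pattern: a well-known domain used as the leading labels of an unrelated site's hostname (img.youtube.com.<other site>). The following is an added example, not part of any post in this thread: a Python check that flags such hostnames in URLs written the way the posters wrote them (leading `-`, scheme sometimes missing). The brand watch list and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed watch list of brand domains; extend it for your own environment.
BRANDS = ("youtube.com", "blogger.com")

def hostname_of(url):
    """Lower-cased hostname of a URL, tolerating forum-style defanging
    (leading '-') and a missing scheme."""
    url = url.strip().lstrip("-")
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "http://" + url.lstrip("/")
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""
    return host.rstrip(".").lower()

def embedded_brand(url, brands=BRANDS):
    """Return the brand whose full domain appears as labels inside a
    hostname that is not actually under that brand's domain, else None."""
    labels = hostname_of(url).split(".")
    for brand in brands:
        b = brand.split(".")
        n = len(b)
        if len(labels) <= n or labels[-n:] == b:
            continue  # too short, or a genuine host under the brand
        # Slide over every position that ends before the final label.
        for i in range(len(labels) - n):
            if labels[i:i + n] == b:
                return brand
    return None

def flag(urls):
    """Return (url, brand) pairs for every URL that embeds a brand."""
    hits = ((u, embedded_brand(u)) for u in urls)
    return [(u, brand) for u, brand in hits if brand]

# Hostnames as written in the posts above, plus two benign controls
# (the controls are constructed for this example).
SAMPLE_URLS = [
    "-/img.youtube.com.cpct.co.uk/bogel.php",
    "-//img.youtube.com.pousadacayana.com.br/bogel.php",
    "img.youtube.com.dekofilm.ro/protected.php",
    "-http://blogger.com.antesagoradepois.com/depois.php",
    "https://img.youtube.com/vi/placeholder/0.jpg",  # control: real brand host
    "http://example.org/?next=http://youtube.com/",  # control: brand in query only
]

if __name__ == "__main__":
    for url, brand in flag(SAMPLE_URLS):
        print(f"{brand:12} embedded in {hostname_of(url)}")
```

The check matches whole DNS labels, so it does not catch look-alike spellings of a brand.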