Site defaced via hidden iFrame detected? Not by avast!

See: http://killmalware.com/sportkledingsite.nl/#
Benign: http://zulu.zscaler.com/submission/show/3c7cac25fc4b08efdcf3bcbb61e37132-1413930512
Site is clearly hacked and defaced, but not malicious per se.
But Sucuri detects this as malware on site: http://sitecheck.sucuri.net/results/www.sportkledingsite.nl/
ISSUE DETECTED | DEFINITION | INFECTED URL
Defacement | MW:DEFACED:01 | htxp://www.sportkledingsite.nl/
Defacement | MW:DEFACED:01 | htxp://www.sportkledingsite.nl/404testpage4525d2fdc
Defacement | MW:DEFACED:01 | htxp://www.sportkledingsite.nl/404javascript.js
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

hacked by mustireiS
List of referenced blacklisted domains/hosts: 1 facebook dot com

polonus

Why does the site run risks?
One of the reasons is insecurity with 183 websites on one and the same IP: http://sameid.net/ip/91.220.37.4/
Latest detected URLs there: https://www.virustotal.com/nl/ip-address/91.220.37.4/information/

The defacement on our scan site was performed thanks to this exploit in the PHP version:
http://www.vulnerability-lab.com/get_content.php?id=1150 (link info credits go to Evolution Security crew 2013)
Another hacked site there: http://urlm.nl/www.babysnowboots.nl
And another with insecure CMS:
Web application version:
WordPress version: WordPress 3.6.1
Wordpress version from source: 3.6.1
Wordpress Version 3.6.1 based on: htxp://www.asjltrading.nl//wp-admin/js/common.js
WordPress directory: htxp://www.asjltrading.nl/wp-content
WordPress theme: htxp://www.asjltrading.nl/wp-content/themes/Nova/
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.0

polonus (volunteer website security analyzer)

For websites which are vulnerable, read here on the facebook threats:
http://www.sophos.com/en-us/security-news-trends/security-trends/social-networking-security-threats/facebook.aspx
In our example site we found external links to facebook dot com and youtube (part of the defacement result).

polonus

Regarding sportkledingsite.nl: http://urlquery.net/report.php?id=1413957269165 IDS detections.

Thanks for that confirmation, mchain, good scanning, my friend.

But there was/is more via that same IP: http://sitecheck.sucuri.net/results/hiddebousema.nl (cannot be properly scanned);
see: https://www.virustotal.com/nl/ip-address/91.220.37.4/information/ and http://urlquery.net/report.php?id=1413967521057
external link: -hiddebousema.nl/logo.jpg - unwanted info proliferation: http://jsunpack.jeek.org/?report=a583fb0676ebd6f87aedbd9a15e1639842dfc727
Caution: for security research only, open up with NoScript active, inside a VM/sandbox, or on a disconnected lab machine!

polonus (volunteer website security analyzer)

Another one via the same facebook iframe campaign: http://killmalware.com/adv-mos.ru/#
see: https://www.virustotal.com/nl/url/ee3e236317d7f05e0c84a25786673be237fee5d19e3128c9697981e64ebb50a6/analysis/1413987198/
and http://quttera.com/detailed_report/adv-mos.ru
Flagged by Sucuri’s: http://sitecheck.sucuri.net/results/adv-mos.ru
System Details:
Running on: nginx/1.4.4
Outdated Web Server Nginx Found: nginx/1.4.4

polonus

Some particularities on this iFrame defacement. For an Iframe injection the attacker has to find vulnerable sites first via google dorks.
Next the attacker has to test a vulnerability first by inserting some iFrame tag inside the webpage. Mostly the attackers are looking for two types of vulnerability - remote or local file include vulnerabilities. Also then a backdoor is installed as a rule based on r57, e99 or local7 shell. See: http://old.honeynet.org/scans/scan13/max.html
Escalation of privileges takes place via so-called auto-rooters, read:
http://www.symantec.com/connect/articles/introduction-autorooters-crackers-working-smarter-not-harder

An online scanner to estimate some risks: http://xss-scanner.com/
Only to be used on a site you own or for which you have been given explicit written permission to scan. Know that all scans are being properly logged, and be aware not to share scan results in public or use them against a particular website. This also holds for Dazzlepod IP scan results and Qualys SSL scan results, even when the site offers weak vulnerable keys first over secure ones, which is another big problem with obsolete browsers today.

What makes a site vulnerable to a hack scheme like the above? The main reason is a full patch policy not being followed up. The second reason is bad server security configuration (header security settings and server hardening policies).

Info credits for above particularities on iFrame defacement for educational purposes only go to Kaspersky’s David Jacoby.

polonus (volunteer website security analyzer)

P.S. Security researchers that want to help the security community with forensics and analysis skills can go here:
http://old.honeynet.org/scans/

The following is quite a different defacement crack from the previous one, see: http://killmalware.com/binaggia.com/
Site reported as defaced for 9 days.
Sucuri flags it: Defacement MW:DEFACED:01 htxp://binaggia.com
Defacement MW:DEFACED:01 htxp://binaggia.com/404javascript.js
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01
This is not actually helping the security, as the domain is one of 263 on one and the same IP: http://sameid.net/ip/64.16.202.46/
Has PHP/Shell.A.M. Long OVERDUE! malware, some up for over 5000 hours: http://www.worldguide.pt/clean-mx/viruses.php?virusname=PHP/Shell.AM&sort=id%20DESC - attacked via DEBUG output created by Wget 1.12 on linux-gnu,
via PySQLi “Python SQL Injector”. On this backdoor read: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:PHP/Shell.A (non-breaking spaces).
About the cracker and according defacements listed: http://www.zone-h.org/archive/notifier=Samir%20InjectOr?zh=1
PHISHing going on there, while Phish is declared dead.
That hoster has some historical badness: http://sitevet.com/db/asn/AS21840
but only 25 bad apples now ???
The scanned site is not flagged here: http://urlquery.net/report.php?id=1414010555851

polonus

This site had a history of malware and defacement and malware had been detected by avast! http://www.scumware.org/report/4FB906E8C7775AD3F1D0E1EFD73FEEF7.html
Site had HTML/Phishing.Agent.G trojan as avast! detects HTML:Phishing-Q [Trj] - part of bankfraud!
Site is now clean but still vulnerable because of outdated CMS in correlation with PHP vulnerabilities *:
System Details:
Running on: Apache
Powered by: PHP/5.3.10

Web application details:
Application: WordPress 3.5 - htxp://www.wordpress.org
Running cPanel 11.44.1.18: jpalvarezm dom com:2082

Web application version:
WordPress version: WordPress 3.5
Wordpress version from source: 3.5
Wordpress Version 3.5 based on: htxp://jpalvarezm.com//wp-admin/js/common.js
WordPress theme: htxp://jpalvarezm.com/wp-content/themes/jpalvarezm/
Wordpress internal path: /home/jpalvare/public_html/wp-content/themes/jpalvarezm/index.php
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.0

Gmane has it as a PHISH: http://blog.gmane.org/gmane.comp.security.phishings/page=3

This code is flagged by Bitdefender’s TrafficLight as malicious: http://jsunpack.jeek.org/?report=43f42cdfe128131cd82bb902420a1a131833fd60 (undefined variable j - related to PHP exploit as I mentioned above *- read: http://www.exploit-db.com/papers/12871/).
Above link for security research only, open link with NoScript active and in a VM/sandbox or in a disconnected lab setting!

polonus

Another facebook attacker defacement on: http://killmalware.com/holidaypointer.com/ detected 6 days ago and
now apparently cleansed of "Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01"

Are there still vulnerabilities on site? Powered by: PHP/5.4.32
This was with another domain on same IP:
Up(nil): TR/Crypt.ZPACK.Gen RIPE NL abuse at leaseweb domcom 85.17.199.95 to 85.17.199.95 bontekoewielersport dom nl htxp://bontekoewielersport.nl/facebook/bot.exe

How is the security of the facebook attacker?
Using user-agent for Chrome 30.0-MacOSX

Result | Category | Name | Actual Value | Our Recommendation
Correct | Framing | X-Frame-Options | DENY | Use ‘sameorigin’
Missing | Transport | Strict-Transport-Security | | Use ‘max-age=31536000; includeSubDomains’
Correct | Content | X-Content-Type-Options | nosniff | Use ‘nosniff’
Correct | Content | Content-Type | text/html; charset=utf-8 | Use ‘text/html;charset=utf-8’
Warning | XSS | X-XSS-Protection | 0 | Use ‘1; mode=block’
Warning | Cookies | Set-Cookie | datr=zxhJVDxLsTTIPr1…cebook.com; httponly | Add ‘secure;’
Warning | Cookies | Set-Cookie | reg_ext_ref=deleted;…domain=.facebook.com | Add ‘secure; httponly;’
Warning | Cookies | Set-Cookie | reg_fb_ref=https%3A%…domain=.facebook.com | Add ‘secure; httponly;’
Warning | Cookies | Set-Cookie | reg_fb_gate=https%3A…domain=.facebook.com | Add ‘secure; httponly;’
Correct | Caching | Cache-Control | private, no-cache, n…ore, must-revalidate | Use ‘no-cache, no-store, must-revalidate’
Correct | Caching | Pragma | no-cache | Use ‘no-cache’
Correct | Caching | Expires | Sat, 01 Jan 2000 00:00:00 GMT | Use ‘-1’. Currently, expiration is current time minus -467391823 seconds.
Missing | Access Control | X-Permitted-Cross-Domain-Policies | | Use ‘master-only’
Missing | Content Security Policy | Content-Security-Policy | | Try Content-Security-Policy-Report-Only to start. Include default-src ‘self’, avoid ‘unsafe-inline’ and ‘unsafe-eval’
Warning | Privacy | P3P | CP=“Facebook does no…e: http://fb.me/p3p” | Remove obsolete header

pol
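As an added example (not the scanner's or this thread's own code), a small Python checker that applies the recommendations from the header report above to a captured response header set. The sample headers are constructed after that table, with placeholder cookie values and domain; the recommended values are taken from its "Our Recommendation" column.

```python
from typing import Dict, List, Tuple, Union
# Headers expected to be present with a fixed value; the values are those the
# "Our Recommendation" column of the report above gives (assumed set).
REQUIRED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "master-only",
    "x-xss-protection": "1; mode=block",
}

def check_headers(headers: Dict[str, Union[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (severity, header, advice) findings; names are case-insensitive, Set-Cookie may be a list."""
    h = {k.lower(): v if isinstance(v, list) else [v] for k, v in headers.items()}
    out = []
    for name, want in REQUIRED.items():
        if name not in h:
            out.append(("Missing", name, f"use '{want}'"))
        elif h[name][0].strip().lower() != want.lower():
            out.append(("Warning", name, f"use '{want}'"))
    for cookie in h.get("set-cookie", []):        # every cookie needs Secure and HttpOnly
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            cname = cookie.split("=", 1)[0].strip()
            out.append(("Warning", "set-cookie", f"{cname}: add '{'; '.join(missing)};'"))
    csp = h.get("content-security-policy", [""])[0]
    if not csp:
        out.append(("Missing", "content-security-policy",
                    "try Content-Security-Policy-Report-Only with default-src 'self'"))
    elif "unsafe-inline" in csp or "unsafe-eval" in csp:
        out.append(("Warning", "content-security-policy", "avoid 'unsafe-inline' and 'unsafe-eval'"))
    if "p3p" in h:
        out.append(("Warning", "p3p", "remove obsolete header"))
    return out

# Constructed sample modelled on the table above; cookie values and domain are placeholders.
SAMPLE = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Set-Cookie": ["datr=PLACEHOLDER; domain=.example.com; httponly",
                   "reg_ext_ref=deleted; domain=.example.com"],
    "Cache-Control": "private, no-cache, no-store, must-revalidate",
    "P3P": 'CP="placeholder"',
}

if __name__ == "__main__":
    for sev, name, advice in check_headers(SAMPLE):
        print(f"{sev:8} {name:34} {advice}")
```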

LS, to those that may visit this thread,

Recently we have been experiencing a lot of defacements via an SSLv3 vulnerability (credits Vanessa, cPanel partner) in cPanel 11.44.1.19, starting 6 days ago, like this one: http://sitecheck.sucuri.net/results/planetkids.se and yes, cPanel seems to be the common denominator here.
Default is/seems fine for cPanel servers, but one might like to change that for LiteSpeed servers, and we have a LiteSpeed server in our example below. In recent SEA defacements some UK sites even got null routed after defacement. “ConnectBack Backdoor Shell” was a very simple Perl script delivering a reverse shell. The attacker may have found an exploit for a particular vulnerable server configuration and ran a scanner tool to find this target. For our example: http://killmalware.com/planetkids.se/#
this shell, rainbow.sh, has been used: https://github.com/Viiksipojat/asmrainbow/blob/master/rainbow.sh
Visiting the site may not bring additional malware. More sites on that one and same IP: http://sameid.net/ip/5.9.29.178/

The attentive reader will get alerted to more and more defacement patterns as this thread unrolls.

polonus (volunteer website security analyzer)

Re: http://killmalware.com/codethatnow.com/# for code: http://jsunpack.jeek.org/?report=f9594ec67d01de88ba1aade9ea35675005ede871
System Details:
Running on: Apache
Powered by: PHP/5.2.14

Web application details:
Running cPanel 11.44.1.19: codethatnow.com:2082
A defacement method we earlier discussed here: https://forum.avast.com/index.php?topic=119945.0

On IP: https://www.virustotal.com/nl/ip-address/74.124.217.196/information/

See where defacement attack info could go: http://pastebin.com/5UaZ6XgB

polonus

Attackers can change the index.html file on a cPanel server in a mass defacement attack. In one defacement, a thousand sites can be affected.
Example: http://killmalware.com/repaus.ro/# & http://sitecheck.sucuri.net/results/repaus.ro
Read here on mass-defacement: http://forums.cpanel.net/f185/mass-defacement-348842.html
With an autorooter compromise it is always advised to reinstall the OS when the server was rooted.
For the PowerHexShell used for cPanel the scan has been removed: https://www.virustotal.com/nl/file/6c62f42d...344608038/

polonus

Another one here: http://killmalware.com/wecanfixyouroldpix.com/#
Missed: http://quttera.com/detailed_report/wecanfixyouroldpix.com
Flagged: Defacement MW:DEFACED:01 htxp://wecanfixyouroldpix.com
Defacement MW:DEFACED:01 htxp://wecanfixyouroldpix.com/404javascript.js
Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

<center><big><big><big><big><font color=red><b>HackeD by Psycho</b></font><big></big></big></big></center>

Re: https://www.mywot.com/en/scorecard/72.167.131.132?utm_source=addon&utm_content=popup
On IP: https://www.virustotal.com/nl/ip-address/72.167.131.132/information/ also PHISH
http://www.worldguide.pt/clean-mx/viruses.php?virusname=JS/iFrame.VR&sort=id%20DESC

pol

A tool that may reveal meta tag defacements immediately: http://www.seocentro.com/tools/search-engines/metatag-analyzer.html
See: http://killmalware.com/sitesuck.com/
Status.
Status: 200 OK
Web Server: Apache
Content Type: text/html
Content Length: 9004

Meta tags report for: htxp://sitesuck.com/
Meta tag | Length | Value
Title | 18 | Hacked by xDrKeeFx
Description | 27 | .:: Hacked By xDrKeeFx ::.
Keywords | 26 | .:: Hacked By xDrKeeFx ::.
Author | 8 | xDrKeeFx

See: http://evuln.com/labs/hackedby/23460/

For hacked site statistics: http://www.hack-cn.com/snapshot.php?p=257832
e.g. http://www.hack-cn.com/search.php?var=http%3A%2F%2Fsitesuck.com%2F&seltype=name

and protection: http://www.spambotsecurity.com/zbblock.php

polonus
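As an added illustration, not code from this thread or from any of the tools it links, a Python scanner for the two defacement patterns discussed here: hidden iFrames injected into a page (the iFrame defacement post above) and "Hacked by" strings in the title and meta tags (the meta tag analyzer just mentioned). The sample HTML, crew name and hosts are constructed placeholders; the marker phrases are an assumed list.

```python
import re
from html.parser import HTMLParser

# Phrases defacers typically leave in <title>/<meta> (assumed pattern list).
DEFACE_RE = re.compile(r"\b(hacked|defaced|owned)\s+by\b", re.I)

class DefacementScanner(HTMLParser):
    """Collects hidden iframes and defacement text found in <title> and <meta> tags."""
    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, value)
        self._in_title = False
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            # 0/1 pixel frames, display:none/visibility:hidden, or frames pushed off-screen
            hidden = (a.get("width", "").strip("px ") in ("0", "1")
                      or a.get("height", "").strip("px ") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style
                      or re.search(r"(left|top):-\d{3,}", style) is not None)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "meta" and DEFACE_RE.search(a.get("content", "")):
            self.findings.append(("meta-" + a.get("name", "").lower(), a["content"]))
        elif tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title and DEFACE_RE.search(data):
            self.findings.append(("title", data.strip()))

def scan_html(html):
    # Returns [(kind, value), ...] for one page; an empty list means nothing suspicious.
    p = DefacementScanner()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page combining both patterns; crew name and hosts are placeholders.
SAMPLE = """<html><head><title>Hacked by EXAMPLE-CREW</title>
<meta name="description" content=".:: Hacked By EXAMPLE-CREW ::.">
<meta name="keywords" content="sportswear, shop"></head>
<body><iframe src="http://bad.example/bot" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://partner.example/widget" width="300" height="200"></iframe></body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```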

See detection here: http://killmalware.com/pariski.com/
Missed as that defacement may not be malign in origin: https://www.virustotal.com/nl/url/ade5c5551a7c4c763e46a8d888a5fef2291f1927949966c75c0811d6fa6ba7db/analysis/1414432397/
Sucuri detects a defacement: Web site defaced. Details: http://sucuri.net/malware/entry/MW:DEFACED:01

HACKED BY PANIMIN ARDIANSYAH VISIT MY GRUP TRENGGALEK DEFACER NEWBIE
IP info - Illegal 3rd party exploits, including proxies, worms and trojan exploits: https://www.robtex.com/ip/192.185. html
Subnet masking was explored: http://ccna.exampointers.com/sub.php?ip=192.185.5.240&mask=28
Information from the registry on IP 192.185.5.240, see there.
What malcode originates from that IP - badness history: https://www.virustotal.com/nl/ip-address/192.185.5.240/information/
PAK_Generic.005, Backdoor.Win32.A.Hupigon.799113, Hiderun or Trojan.Win32.HideRun.A is not being detected by avast! AVG also detects HackTool.SOZ on that IP.

polonus