Wepawet scan site "worked in the ground"?

Scan site comes up with errors and won’t scan.
Also http://anubis.iseclab.org/ seems down.

What is going on?

polonus

Maybe they are being hacked again? :slight_smile:

Or they're getting DDoSed.

Hi Steven Winderlich,

This comes up wrong and the server is not responding for wepawet.iseclab.org/js/undefinedhttp://jsunpack.jeek.org/?report=47c927bed155b7d26d10208a39f13031d3a65182
All I get is

There were some errors. Please try again or let us know of this problem.

See the pinpoint scan logs below!
With file-viewer I get: [quote] PHP Fatal error: Undefined variable: tmp in /public_html//js-functions/js_functions.php on line 112[/quote]

Damian

Pinpoint is still not working for me.

Neither on my system nor in a Windows 7 VM.

You have to allow and exclude it in avast, else it won't work; it is just the one executable creating the logs separately after the sandbox has given them up for restoration. Handling pinpoint is "easy peasy", but interpreting the results is another kettle of fish.
Well, I think I now know why Wepawet is experiencing trouble: they work with a wayback Apache httpd 2.2.22 server version and we are now at Apache httpd 2.2.25 (for what they possibly may have encountered see: http://httpd.apache.org/security/vulnerabilities_22.html and http://www.ubuntu.com/usn/usn-1765-1/ )

pol

Bingo, just as I thought - exploits flagged here: http://support.clean-mx.de/clean-mx/viruses.php?ip=128.111.48.236&sort=first%20desc
Up and alive and Long OVERDUE! → EXP/CVE-2010-1885 and BC.Exploit.CVE_2010_1885-2
Avast should detect: https://www.virustotal.com/nl/file/b394787d35f845c21ead36ae288791852a9ed2bc27907c156bb0df0f2f19cc41/analysis/
& https://www.virustotal.com/nl/file/2e6557d3266bad21a1e4d1ca62f799fc0485050b807d51dea9cc9a0940e237b1/analysis/
Re: http://viruspool.net/virus.cms?name=bc.exploit.cve_2010_1885-2 and in here: https://lists.ubuntu.com/archives/ubuntu-server-bugs/2011-April/054523.html Recovery Procedure (credits Greg Freeman) http://www.gregfreeman.org/2013/how-to-tell-if-your-php-site-has-been-compromised/
For a reconstruction of what might have happened, see: http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2F128.111.48.236%2Fview.php%3Fhash%3D15da4088e9f0d68527bb6966eec213bd%26amp%3Btype%3Djs
and http://support.clean-mx.de/clean-mx/view_virusescontent.php?url=http%3A%2F%2Fwepawet.cs.ucsb.edu%2Fview.php%3Fhash%3Dae5cd3db6d20ab068ac8646853b0f86f%26t%3D1343255393%26type%3Djs

polonus