OSS Lab website injected with malicious code
2008-08-27 10:58:20
The OSS Lab (Open Source Software Lab) website has been injected with malicious code that attacks visitors through more than ten different security vulnerabilities. The dropped malware is detected as TR/Dropper.Gen. Anyone who has visited the site recently should check their machine for infection as soon as possible (Credit: Anderson).
The malicious link/code was placed in the following part of the site mentioned above (the other pages should also be checked carefully):
Below are the results of web reputation lookups for the site (they show that, when malicious code is planted on an otherwise legitimate site, most web reputation services do not catch it):
Google Search result (nothing flagged), as shown below:
McAfee SiteAdvisor result (nothing flagged), as shown below:
Trend Micro web reputation result (nothing flagged), as shown below:
Finjan web reputation result (flagged), as shown below:
Dr.Web web reputation result (nothing flagged), as shown below:
Exploit Prevention Labs web reputation result (nothing flagged), as shown below:
Symantec Safe Web result (nothing flagged), as shown below:
After the dropped file executes, the following behaviour was observed:
[DLL injection]
C:\WINDOWS\system32\6to4ex.dll
[Added service]
NAME: 6to4
DISPLAY: Microsoft Device Manager
FILE: C:\WINDOWS\System32\svchost.exe -k netsvcs
The service is hosted by svchost.exe in the netsvcs group, so the DLL runs inside an svchost.exe process and no separate malware process appears in the task list; the key name is apparently chosen to blend in with Windows' own 6to4 (IPv6 helper) service, and the display name imitates a Microsoft component.
[Added files] (the cached pages named after Microsoft security bulletins such as ms06014, ms07017 and ms07055, and after third-party software such as Thunder, Baidu, QvoD, TTPlayer and Yahoo Messenger, are consistent with the "more than ten vulnerabilities" mentioned above)
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\200808[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\bfyy[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ms07055[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Thunder[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uc[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\xlkk[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Yahoomessenger[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\300x250_mermaid_child_01[1].swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Home[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\js[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\lz[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Media[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ms06042[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ms07033[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\Opera[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\Baidu[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\bfyy[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\CA7QWR7T.swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\CAUV4XEF.swf
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\exe[1]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ms07027[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\qvod[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\200808[1].html
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\cx[2].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\d[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\Main[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\Mcafee[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\ms07017[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\Ruising[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\TTplayer[1].htm
C:\WINDOWS\system32\6to4ex.dll
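The service entry is the indicator worth hunting for: because the service runs as svchost.exe -k netsvcs, 6to4ex.dll is loaded through the service's ServiceDll value and a process list shows nothing but svchost.exe. One offline check is to export HKLM\SYSTEM\CurrentControlSet\Services (regedit /e, or from a copied SYSTEM hive) and compare every svchost-hosted service against a baseline captured on a clean machine of the same Windows version. The script below is an added example and is not code from the original post or from OSS Lab; the baseline entries (6to4 as "IPv6 Helper Service" with 6to4svc.dll, Browser with browser.dll) are assumed values for a clean Windows XP host, and the .reg text is constructed to mirror the indicators listed above.

```python
"""Offline triage of svchost-hosted services from a regedit export (.reg) of the Services key.
Every service whose ImagePath is svchost.exe is compared with a baseline (DisplayName,
ServiceDll file name) taken from a clean reference machine; deviations are reported."""
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Assumed baseline from a clean Windows XP host: service key -> (DisplayName, ServiceDll file name).
BASELINE = {"6to4": ("IPv6 Helper Service", "6to4svc.dll"), "Browser": ("Computer Browser", "browser.dll")}


def reg_hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2):<comma-separated UTF-16LE bytes>."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed sample export mirroring the indicators on this page (plus two benign services).
SVCHOST = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
SVCHOST_PAGE = r"C:\WINDOWS\System32\svchost.exe -k netsvcs"
BROWSER_DLL = r"%SystemRoot%\system32\browser.dll"
EVIL_DLL = r"C:\WINDOWS\system32\6to4ex.dll"
SPOOLER_EXE = r"%SystemRoot%\system32\spoolsv.exe"
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[{SERVICES}\Browser]
"DisplayName"="Computer Browser"
"ImagePath"={reg_hex2(SVCHOST)}

[{SERVICES}\Browser\Parameters]
"ServiceDll"={reg_hex2(BROWSER_DLL)}

[{SERVICES}\6to4]
"DisplayName"="Microsoft Device Manager"
"ImagePath"={reg_hex2(SVCHOST_PAGE)}

[{SERVICES}\6to4\Parameters]
"ServiceDll"={reg_hex2(EVIL_DLL)}

[{SERVICES}\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"={reg_hex2(SPOOLER_EXE)}
"""


def parse_reg(text: str) -> dict:
    """Parse a regedit export into {key_path: {value_name: value}}; decodes REG_SZ and hex(2) values."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        while line.endswith("\\"):                    # regedit wraps long hex values with a trailing backslash
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            keys[current][name] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif raw.startswith("hex(2):"):
            data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
            keys[current][name] = data.decode("utf-16-le").rstrip("\0")
        else:
            keys[current][name] = raw                 # dword: etc. left undecoded; not needed here
    return keys


def svchost_services(keys: dict):
    """Yield (service, DisplayName, ServiceDll) for every service hosted by svchost.exe."""
    for path, values in keys.items():
        parent, _, name = path.rpartition("\\")
        if parent == SERVICES and "svchost.exe" in values.get("ImagePath", "").lower():
            dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
            yield name, values.get("DisplayName", ""), dll


def suspicious_services(keys: dict, baseline: dict = BASELINE) -> list:
    """Return [(service, ServiceDll, reasons)] for svchost-hosted services that deviate from the baseline."""
    findings = []
    for name, display, dll in svchost_services(keys):
        dll_file, reasons = dll.rpartition("\\")[2].lower(), []
        if name not in baseline:
            reasons.append("svchost-hosted service absent from baseline")
        else:
            base_display, base_dll = baseline[name]
            if dll_file != base_dll.lower():
                reasons.append(f"ServiceDll {dll_file!r} differs from baseline {base_dll!r}")
            if display != base_display:
                reasons.append(f"DisplayName {display!r} differs from baseline {base_display!r}")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in suspicious_services(parse_reg(SAMPLE_REG)):
        print(f"{name}: {dll}\n  " + "\n  ".join(reasons))
```

Run it against a real export by replacing SAMPLE_REG with the file contents. A netsvcs member that is missing from the baseline altogether is reported as well, since a brand-new svchost-hosted service deserves a look on its own. Matching is by file name only; to catch a legitimate DLL name pointing at a replaced file, extend the baseline with hashes of the DLLs on disk.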
Below are the VirusTotal scan results (for reference only); 10 of the 36 engines flagged the file, and TR/Dropper.Gen is AntiVir's name for it:
File file.exe-1 received on 08.27.2008 04:44:07 (CET)
Engine  Version  Signature date  Result ("-" = not detected)
AhnLab-V3 2008.8.21.0 2008.08.26 -
AntiVir 7.8.1.23 2008.08.26 TR/Dropper.Gen
Authentium 5.1.0.4 2008.08.27 -
Avast 4.8.1195.0 2008.08.26 Win32:Dialer-1313
AVG 8.0.0.161 2008.08.26 -
BitDefender 7.2 2008.08.27 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.27 -
DrWeb 4.44.0.09170 2008.08.26 -
eSafe 7.0.17.0 2008.08.26 Suspicious File
eTrust-Vet 31.6.6050 2008.08.26 -
Ewido 4.0 2008.08.26 -
F-Prot 4.4.4.56 2008.08.26 -
F-Secure 7.60.13501.0 2008.08.27 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.08.26 -
GData 19 2008.08.27 Win32:Dialer-1486
Ikarus T3.1.1.34.0 2008.08.27 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.27 Heur.Trojan.Generic
McAfee 5370 2008.08.26 -
Microsoft 1.3807 2008.08.25 Backdoor:WinNT/Farfli.E!sys
NOD32v2 3390 2008.08.26 a variant of Win32/Dialer.NEW
Norman 5.80.02 2008.08.26 -
Panda 9.0.0.4 2008.08.26 -
PCTools 4.4.2.0 2008.08.26 -
Prevx1 V2 2008.08.27 -
Rising 20.59.11.00 2008.08.26 -
Sophos 4.32.0 2008.08.27 Mal/Dorf-A
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.27 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.26 -
VBA32 3.12.8.4 2008.08.26 -
ViRobot 2008.8.26.1350 2008.08.26 -
VirusBuster 4.5.11.0 2008.08.26 -
Webwasher-Gateway 6.6.2 2008.08.26 Trojan.Dropper.Gen
File size: 61424 bytes
MD5...: 5cd36262e6557d81987c05eabb4d1b03
SHA1..: c915051639e7aa1e0c49fc1ea00a677388db1f6e
SHA256: 32034fa8a9a02909725bf89c7e5c9172e5db1c111135f2c0da5c9ca7811f078d
SHA512: 3e0e337ad2c4eeb82b87a64c3ce004fdef9e2e49f5ff40713dd0181407a147bfa05510d0408581433ec86bbc09430a398028352a2996a6e6e5d31a0f38c1f1bd
PEiD..: ASPack v2.12
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x401000
timedatestamp.....: 0x48aa5002 (Tue Aug 19 04:45:54 2008)
machinetype.......: 0x14c (I386)
( 2 sections )
name      virtaddr  virtsize  rawsize  entropy  md5
.ASPack   0x1000    0x22000   0x200    0.55     5161e94a08bd0fdb4b4b525429d75c53
.ASPack   0x23000   0x12f4c   0xeb7d   7.98     25bc6b8536f61efb75dfb536c5f1cf91
( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree, GetModuleHandleA
( 0 exports )
packers (F-Prot): RLPack
packers (Avast): RLPack
Note that PEiD identifies the packer as ASPack 2.12 while F-Prot and Avast report RLPack; whichever is right, the layout is that of a packed binary: the first section has only 0x200 bytes on disk but 0x22000 bytes of virtual size (room for the unpacked code), the second has an entropy of 7.98 (the compressed payload), and the import table is reduced to six kernel32 functions with which the stub resolves the real imports at run time. The hashes above identify this particular dropper only; a re-packed copy would have different hashes but the same structure.
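The PEInfo output is the kind of reading that can be automated. The script below is an added example, not code from the original post or from VirusTotal: it parses the section table and import directory of a PE32 file, computes the same per-section Shannon entropy, and scores the packer indicators just described (dominant high-entropy section, virtual size far above raw size, an import table reduced to LoadLibraryA/GetProcAddress and a few helpers, a section name associated with a known packer). The section-name list and the numeric thresholds are illustrative choices made here, not from any tool on this page, and the sample PE is constructed inline so the script runs offline without touching real malware.

```python
"""Static packer triage for a PE32 file, mirroring the PEInfo block above: per-section
entropy plus the import table, combined into the residue a runtime packer leaves behind.
The sample PE is constructed inline for the demo; no real malware is embedded."""
import hashlib
import math
import struct
from collections import Counter, namedtuple

Section = namedtuple("Section", "name vaddr vsize rawsize rawptr data")
PACKER_SECTION_NAMES = {"aspack", "adata", "upx0", "upx1", "upx2", "rlpack", "packed"}  # illustrative list


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(pe: bytes):
    """Return (sections, imports) for a PE32 image; imports is {dll: [function names]}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                         # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24                                                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rawsize, rawptr, pe[rawptr:rawptr + rawsize]))

    def rva2off(rva: int) -> int:                                          # RVA -> file offset via the section table
        for s in sections:
            if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rawsize):
                return s.rawptr + rva - s.vaddr
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    imports, desc_rva = {}, struct.unpack_from("<I", pe, opt + 104)[0]      # DataDirectory[1] = import table
    desc = rva2off(desc_rva) if desc_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)      # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:                                                  # null descriptor ends the list
            break
        names, thunk = [], rva2off(oft or ft)
        while (entry := struct.unpack_from("<I", pe, thunk)[0]) != 0:
            # ordinal imports set the high bit; named ones point at IMAGE_IMPORT_BY_NAME (2-byte hint + name)
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else cstring(pe, rva2off(entry) + 2))
            thunk += 4
        imports[cstring(pe, rva2off(name_rva))] = names
        desc += 20
    return sections, imports


def packer_indicators(pe: bytes) -> dict:
    """Cheap static checks whose combination points at a runtime packer; thresholds are illustrative."""
    sections, imports = parse_pe(pe)
    total_raw = sum(s.rawsize for s in sections) or 1
    funcs = {f for names in imports.values() for f in names}
    return {
        "dominant_high_entropy_section": any(entropy(s.data) > 7.0 and s.rawsize / total_raw > 0.5 for s in sections),
        "virtual_far_larger_than_raw": any(s.vsize > 4 * max(s.rawsize, 1) for s in sections),
        "loader_only_imports": len(funcs) <= 10 and {"LoadLibraryA", "GetProcAddress"} <= funcs,
        "packer_section_name": any(s.name.lower().lstrip(".") in PACKER_SECTION_NAMES for s in sections),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 shaped like the PEInfo block: two .ASPack sections, a stub section
    holding a six-function kernel32 import table and a high-entropy 'payload' section."""
    funcs = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"VirtualProtect", b"VirtualFree", b"GetModuleHandleA"]
    s1_rva, s1_off, s1, n = 0x1000, 0x200, bytearray(0x200), len(funcs) + 1
    int_off, iat_off = 40, 40 + 4 * n                                      # [descriptor][null][INT][IAT][strings]
    cur = iat_off + 4 * n
    s1[cur:cur + 13], dll_rva = b"kernel32.dll\0", s1_rva + cur
    cur += 13
    for i, f in enumerate(funcs):
        s1[cur:cur + len(f) + 3] = b"\0\0" + f + b"\0"                     # hint + NUL-terminated name
        struct.pack_into("<I", s1, int_off + 4 * i, s1_rva + cur)
        struct.pack_into("<I", s1, iat_off + 4 * i, s1_rva + cur)
        cur += len(f) + 3
    struct.pack_into("<IIIII", s1, 0, s1_rva + int_off, 0, 0, dll_rva, s1_rva + iat_off)
    s2 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random payload bytes
    opt = bytearray(224)                                                   # PE32 optional header
    struct.pack_into("<H14xI8xIII", opt, 0, 0x10B, s1_rva, 0x400000, 0x1000, 0x200)  # magic, entry, base, alignments
    struct.pack_into("<II28xIIIII", opt, 56, 0x25000, 0x200, 16, 0, 0, s1_rva, 40)   # sizes, dir count, export, import
    hdr = bytearray(0x200)                                                 # DOS stub + PE signature + COFF header
    struct.pack_into("<2s58xI4sHHIIIHH", hdr, 0, b"MZ", 0x40, b"PE\0\0", 0x14C, 2, 0x48AA5002, 0, 0, len(opt), 0x102)
    hdr[0x58:0x58 + len(opt)] = opt
    for i, (vsize, rva, raw, off) in enumerate([(0x22000, s1_rva, len(s1), s1_off),
                                                (0x2000, 0x23000, len(s2), s1_off + len(s1))]):
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x138 + 40 * i, b".ASPack", vsize, rva, raw, off, 0, 0, 0, 0, 0xC0000040)
    return bytes(hdr + s1 + s2)


if __name__ == "__main__":
    print(packer_indicators(build_sample_pe()))
```

To triage a real file, pass its bytes to parse_pe and packer_indicators instead of build_sample_pe(). No single indicator is conclusive on its own (installers and legitimately compressed resources also produce high-entropy sections), which is why the result is a set of booleans rather than a verdict; all four together, as in the PEInfo block above, are a strong hint that the sample needs to be unpacked before any static analysis of its real imports or strings.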
3 responses to “OSS Lab website injected with malicious code”
I'm the site admin.. thanks for pointing this out. Joomla isn't a framework I'm familiar with; it is mainly handled by another admin, alang, and is being fixed right now. Actually I don't really intend to use Joomla for the home page and would rather use a wiki setup. One more question: where did this vulnerability come from? Is it mainly a Joomla template problem?
By thx on 2008-09-05 - 00:26:32
For the Joomla issue, see this post:
http://armorize-cht.blogspot.com/2008/08/joomla-hack-analysis.html
By BoFan on 2008-09-05 - 08:52:13
Thanks BoFan for the answer. Please update Joomla to 1.5.6 as soon as possible (http://www.joomla.org/announcements/release-news/5199-joomla-156-released.html).
By Roger on 2008-09-05 - 10:32:38