As for the link redirecting automatically to Google, may I say it's
easy enough to have PHP redirect based on the HTTP "Referer" header.
In other words, if referred from your site, then output malicious
code, otherwise redirect to Google and play cool. :p
On Feb 12, 2008 2:47 AM, Alan Fregtman <alan.fregtman(at)gmail.com> wrote:
> As I said in the initial email, it's an antivirus called "NOD32". In
> my experience, I haven't had any false positives with it yet.
>
> The mystery site apparently tried to make me download an .exe, then in
> case that didn't work, attempted to load a malicious piece of Java
> from a second domain, coripastares.com. I have a funky feeling if I
> had been on IE, it'd probably execute it.
>
> The .jar, I presume, would install nasty things on the host machine.
>
>
> Here's an online virus scan that works with urls:
> http://online.drweb.com/
> Go there and paste this url: http://coripastares.com/ms03011.jar
> (and please be careful not to run this link accidentally)
> It says:
> In file >ms03011.jar/MagicApplet.class found virus VBS.Siggen.1989
> In file >ms03011.jar/OwnClassLoader.class found virus Exploit.ByteVerify
> In file >ms03011.jar/ProxyClassLoader.class found virus Exploit.ByteVerify
> In file >ms03011.jar/Installer.class found virus VBS.Siggen.5970
>
> Alternatively, you are welcome to download the file yourself and run
> it through multiple antiviruses:
> http://virusscan.jotti.org/ (scans using multiple engines. pretty neat.)
> http://www.kaspersky.com/scanforvirus (Kaspersky rarely, if ever, has
> false positives.)
>
> Cheers,
>
> -- Alan
>
>
>
> On Feb 12, 2008 2:03 AM, kim aldis <xsi(at)kim-aldis.co.uk> wrote:
> > Yup, you're right. Something had found its way into the site's main template
> > file. I'm not sure if it's always been there or if it's been hacked, the
> > template page was a copy of a Joomla template.
> >
> > I can't find any reference to this site using Google. Browsing to the link
> > using a virtual machine browser redirects immediately to Google.
> >
> > My virus checker didn't pick up on it, which one do you use?
> >
> >
> >
> > > -----Original Message-----
> > > From: owner-xsi(at)Softimage.COM [mailto:owner-xsi(at)Softimage.COM] On
> > > Behalf Of kim aldis
> > > Sent: 12 February 2008 09:49
> > > To: XSI(at)Softimage.COM
> > > Subject: RE: [OT] Hey Kim, is your site hijacked to load virus? Please
> > > confirm..
> > >
> > > Thanks Alan, just checking it out now.
> > >
> > >
> >
> >
> > ---
> >
> > Unsubscribe? Mail Majordomo(at)Softimage.COM with the following text in body:
> > unsubscribe xsi
> >
>
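
The Referer-dependent behaviour described in the top reply would explain why browsing straight to the link shows only a redirect to Google. As an added example, not part of the original thread, this check requests a URL once per Referer value without following redirects and reports whether the answers differ; the `.example` hostnames and the `fake_fetch` stand-in are constructed so it runs offline.

```python
import hashlib
import http.client
from urllib.parse import urlsplit

def fetch(url, referer=None, timeout=10):
    """One GET without following redirects; returns (status, Location, body)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    try:
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read()
    finally:
        conn.close()

def probe(url, referers, fetch=fetch):
    """Request url once per Referer (None = header absent); fingerprint each reply."""
    results = {}
    for ref in referers:
        status, location, body = fetch(url, ref)
        results[ref] = (status, location, hashlib.sha256(body).hexdigest())
    return results

def referer_dependent(results):
    """True when the server answered differently depending on the Referer sent."""
    return len(set(results.values())) > 1

# Constructed stand-in for a server that keys its answer on the Referer header.
def fake_fetch(url, referer=None):
    if referer and referer.startswith("http://compromised.example/"):
        return 200, None, b"<placeholder for injected content>"
    return 302, "http://www.google.com/", b""

if __name__ == "__main__":
    res = probe("http://suspect.example/",
                [None, "http://compromised.example/index.php"], fake_fetch)
    for ref, (status, location, _) in res.items():
        print(f"Referer={ref!r}: {status} -> {location}")
    print("referer-dependent:", referer_dependent(res))
```

Dynamic pages can change their body between requests, so a difference in status code or `Location` is the stronger signal; run the real `fetch` only from an isolated analysis machine.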