
Possibly still infected, FTP sniffer


  • Please log in to reply
2 replies to this topic

#1 tsk05

  • Members
  • 2 posts

Posted 13 August 2010 - 05:11 AM

Running Windows 7, 64-bit.

About a week ago, I got infected with Antivir Solutions Pro through a vulnerable Java Deployment Toolkit (old version). I removed it without any problems and updated the old Java toolkit.

Flash forward to yesterday: I got a warning from Mozilla (in Firefox) that a website was malicious, ignored it out of curiosity, and got a warning from NOD32 that a malicious attempt was blocked.

About half a day later, I noticed extra (obfuscated) JavaScript on one of my websites. Code located here, if anyone is interested. Through viewing FTP logs (/var/log/messages), I noticed that this was uploaded a couple of hours earlier. Right password the first time (so no brute force).

After deobfuscating a part of it, I found that someone had done it fully, available in the post by Habanero here. Not really very helpful; it basically changes which domain is displayed in an iframe based on the date. I have run the page with the code and was not warned by NOD32. I am not sure if the iframe exploit was successful.

--------

So basically I am not sure at which time the password was stolen (probably taken from FileZilla). I scanned yesterday and today using NOD32 (which I have had running, and which was running at the time of the Antivir Solutions Pro infection but did not stop it), and scanned using Malwarebytes. Some stuff was removed the first time, but I am pretty sure the content was false positives, as I have had it on this computer for a long time.

I changed all the passwords, but I've not seen log-in attempts since (either successful or unsuccessful; again, via /var/log/messages).

Wondering how I can further check whether I am infected by anything. Running a 64-bit version of Windows 7.

Thanks.

Edited by tsk05, 13 August 2010 - 05:21 AM.


#2 tsk05

  • Topic Starter
  • Members
  • 2 posts

Posted 15 August 2010 - 04:48 AM

Nothing at all?

#3 Stor-A11

  • Members
  • 29 posts

Posted 15 August 2010 - 09:13 AM

Download, burn to CD, and scan using the Dr.Web LiveCD.

You can also scan your PC with MBAM.
