#14, 05-04-2007, 17:40
Ytud Fo Llac, Registered User
FRC #1369 (Minotaur), Team Role: Programmer
Join Date: Jan 2006; Rookie Year: 2005; Location: Tampa Fl; Posts: 11
Re: Hey guys, check out my new website,

from my host...
We have conducted a detailed investigation on how a windows based trojan
could infect a Linux based web server and wish to explain in detail what
happens and what's the current status of your web site.

Linux and Windows are two entirely different operating systems, with
different architecture, file system, etc., but to put something in common
between them let's say that both have executable files. Those are entirely
different types of files from the one system to the other.
Windows executables cannot be run on linux based machines. If they are
executed they will not produce any meaningful result. What Windows viruses and
trojans do is to try and infect a Windows binary (executable).
When run, the infected binary does its nasty things and eventually spreads
through the network if an active internet connection is found.
The Windows binaries cannot be run and executed on Linux based machine and
thus have no effect.

Now back to the problem - as I've mentioned we've done an investigation and
it turns out that the issue is connected to a virus for the Windows
operating system. Detailed information about the virus can be found at:

http://www3.ca.com/securityadvisor/v....aspx?id=62158

We did some tests with Windows based machines and it turned out that
machines that have not been updated with the latest patches from the
microsoft web site are susceptible to this virus. We then updated the test
machine and the same behaviour was not observed. During the past 24 hours
we've had a few other cases with similar symptoms to your case.

We downloaded the file from the remote server that actually holds the virus
and upon testing it, it confirmed our observations:

$ wget -S http://86.39.128.144/download/167212/file.jpg
$ file file.jpg
file.jpg: RIFF (little-endian) data, animated cursor

The oddest thing in the whole situation is that even a Linux based
desktop will display the text in the top left corner of the page as well.
After a refresh of the page though the text disappears. We've run antivirus
scans on all the machines but we were unable to find even a hint of a virus
on any of the servers. We've determined that the virus is actually a
javascript inserted into the page. It does nothing malicious but display the
ugly text in the top left corner of the page.
Unfortunately we still don't have a permanent solution on how to prevent
this. We are continuing our investigation and have also asked for support
from the RedHat developers. We hope that we will be able to fix the problem in
the next 24 - 48 hours.
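An added example, not from the post or the host: a small Python check modelled on the host's wget + file step. It reads the magic bytes of a downloaded file and flags a .jpg whose contents are really a RIFF animated cursor; the sample bytes are constructed here, not taken from the file in the post.

```python
import struct

# Leading-byte signatures. A real JPEG starts with the SOI marker FF D8 FF;
# a RIFF container starts with "RIFF", a little-endian length, then a form type.
JPEG_MAGIC = b"\xff\xd8\xff"
RIFF_MAGIC = b"RIFF"
# "ACON" is the RIFF form type that `file` reports as "animated cursor".
RIFF_FORMS = {b"ACON": "animated cursor", b"WAVE": "wave audio", b"AVI ": "AVI video"}
JPEG_EXTENSIONS = (".jpg", ".jpeg")


def identify(data: bytes) -> str:
    """Classify a file by its magic bytes, roughly as `file` does for these formats."""
    if data.startswith(JPEG_MAGIC):
        return "JPEG image"
    if len(data) >= 12 and data.startswith(RIFF_MAGIC):
        payload_len, = struct.unpack("<I", data[4:8])   # little-endian length after the header
        label = RIFF_FORMS.get(data[8:12], "unknown form %r" % data[8:12])
        if payload_len + 8 > len(data):                 # declared size exceeds what we have
            label += ", truncated"
        return "RIFF (%s)" % label
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name claims a JPEG but the content is something else."""
    claims_jpeg = name.lower().endswith(JPEG_EXTENSIONS)
    return claims_jpeg and identify(data) != "JPEG image"


def scan_files(files: dict) -> list:
    """Return (name, detected type) for every file whose extension lies about its content."""
    return [(name, identify(data)) for name, data in files.items()
            if extension_mismatch(name, data)]


# Constructed sample bytes: a minimal RIFF animated-cursor header served under a
# .jpg name, and a genuine JPEG/JFIF header for comparison.
ACON_SAMPLE = RIFF_MAGIC + struct.pack("<I", 4) + b"ACON"
JPEG_SAMPLE = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, kind in scan_files({"file.jpg": ACON_SAMPLE, "photo.jpg": JPEG_SAMPLE}):
        print("%s: extension says image, content is %s" % (name, kind))
```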