Analyzed: How my Websites got hacked

After some investigation into my websites, which were hacked recently, I think I have now found out how they did it:
  • I had surfed with a PC to an infected website (I already contacted their webmaster, who has already removed the problem) which had some evil JavaScript injected into its HTML.
  • The JavaScript downloaded a .pdf, causing Adobe Reader to display it, which triggered a security hole in the reader that made it possible to run arbitrary code.
  • This code downloaded some other .exe which apparently scanned my disk for popular (s)ftp programs and grabbed addresses and passwords from them.
  • Not sure if this program did it itself or this was done by an external bot, but with these passwords, two of my websites were changed and the JavaScript was inserted on my websites as well, probably causing the virus to spread to other people.
    Fortunately, this happened during the holidays, when not many people visited these websites, and I fixed it within a few hours.
I reconstructed all this only with dates of files, registry entries and logs, so it might not be the full story, but I think it is pretty close to it. The bad thing is that this happened to me while using the latest (or at least very, very recent) versions of most software, with all security updates installed. What I learned from this and what you can do to prevent the same from happening to you:
  • Disable plugins (Flash, Adobe Reader etc.) when surfing the web to reduce the security risk.
  • Enable Data Execution Prevention if your CPU supports it. On another PC on which I tried this, it prevented that security hole from working.
  • Don't let (s)ftp programs store your passwords.
  • I had antivirus software installed, and it noticed the threat. But it didn't prevent the problem, it just kicked in _after_ the trojan had executed already: "Hey, there is a trojan on your Hard Disk! But too late. Just wanted to let you know. You are fucked now.". So don't count on antivirus software at all.
  • Do backups (I had plenty of those, fortunately)
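
The backups are also what make a change like the injected JavaScript described above easy to find: compare the files on the web server with the last known-good copy. The following Python is an added example, not the author's own backup script; the directory names, file names and the injected line are constructed sample data.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256(p)
            for p in root.rglob("*") if p.is_file()}

def compare(backup_dir, live_dir):
    """Return (modified, added, removed) relative paths, live vs. backup."""
    old, new = snapshot(backup_dir), snapshot(live_dir)
    modified = sorted(f for f in old.keys() & new.keys() if old[f] != new[f])
    return modified, sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())

def added_lines(backup_dir, live_dir, rel):
    """Lines present in the live file but not in the backup copy."""
    a = (Path(backup_dir) / rel).read_text(errors="replace").splitlines()
    b = (Path(live_dir) / rel).read_text(errors="replace").splitlines()
    return [l[2:] for l in difflib.ndiff(a, b) if l.startswith("+ ")]

def demo():
    """Constructed sample: a small site whose index.html gained a script tag."""
    tmp = Path(tempfile.mkdtemp())
    backup, live = tmp / "backup", tmp / "live"
    for d in (backup, live):
        d.mkdir()
        (d / "index.html").write_text("<html>\n<body>Hello</body>\n</html>\n")
        (d / "style.css").write_text("body { color: black; }\n")
    # Constructed tampering: one injected line and one unexpected new file.
    (live / "index.html").write_text(
        "<html>\n<body>Hello</body>\n"
        "<script src=\"http://injected.example/x.js\"></script>\n</html>\n")
    (live / "new.php").write_text("<?php /* unexpected file */ ?>\n")
    modified, added, removed = compare(backup, live)
    return modified, added, removed, added_lines(backup, live, "index.html")

if __name__ == "__main__":
    modified, added, removed, lines = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
    for line in lines:
        print("  + " + line)
```

Run against a fresh download of the site and the latest backup, `compare()` lists every file that differs, and `added_lines()` shows exactly what was inserted into each one.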

It's easy to be wise after the event... :)

eleven comments, already:

So, my 26C3 script kiddy hypothesis turned out not to be true…

Anyway, here’s the talk that briefly mentions irrFuscator:
ak () - 06 01 10 - 16:22

That sucks :(

I recommend the NoScript plugin for Firefox, this wouldn’t have helped in your case as you were infected by a trusted site, but it’s good for general surfing.

I avoid Adobe Acrobat on Windows and use Foxit reader instead. This isn’t for security but because Adobe lost my trust when they forced the Yahoo toolbar on me during an upgrade. Foxit is smaller and seems to be faster too.

One final recommendation, send any infected PDF files to your AV provider so they can update their scanners. If it was caught in the PDF file before being loaded by Acrobat then the trojan wouldn’t have been able to run.
Gaz () (link) - 06 01 10 - 19:44

And change passwords regularly
evo - 06 01 10 - 19:52

How glad I am to use Ubuntu :-)
I don’t say this couldn’t happen in Linux, but it’s way less likely!

And indeed, Adobe Acrobat has become a real bulky, shitty thing.
Lenx - 06 01 10 - 20:35

interesting… i always wondered how stuff like that works… going to uninstall acrobat reader now… :p
horace () - 07 01 10 - 05:37

That’s only a guess. The real principle of this virus, who knows?
Lenx, don’t get happy too early. This virus might be cross-platform; a man who only uses a Mac OS X system was also troubled by it, and he didn’t have Adobe Reader installed at all.
Since Linux and OS X are all Unix based, a similar thing might happen.
chen () (link) - 07 01 10 - 08:32

Hi niko
I’m very interested in your backup solution, because I’m going to start doing backups (yes, I was not using backups till now). Which programs do you use and what’s your hardware setup (external NAS, Windows Home Server, ...)?
ASpanishGuy - 09 01 10 - 19:40

nothing special, simply some self written batch script. not even incremental :)
niko - 10 01 10 - 20:11

Linux is not exactly Unix-based, it’s a reimplementation following POSIX.
Raedwulf - 11 01 10 - 06:20

they also used pdf exploits.
horace () - 14 01 10 - 11:07

1. Use firewall
2. Keep your passwords on encrypted drive, available only on request (like TrueCrypt)
3. Do not allow programs to save your FTP password: FileZilla allows it, Total Commander allows it, Firefox? sure too
4. Disable most of JavaScript functions – available in Firefox: Options / JavaScript
5. Use “PDF download” plugin (which allows you to select if you want to open PDF)

More luck next time!
che - 30 01 10 - 23:04
