
Hacked

March 10th, 2009

**WARNING: This post contains links and code which are taken from LIVE RUNNING MALICIOUS SITES! Please take all precautions when examining files.**

Yesterday evening I discovered that this website was hosting a malicious file. I will post what I have found soon. I believe this intrusion stems from a password leak from my host around the time I signed up. Here is the log file showing the FTP access:

ftpd24914 84.19.186.93 Sat Mar 7 04:40 gone - no
ftpd24070 84.19.186.93 Sat Mar 7 03:49 gone - no
ftpd20416 84.19.186.93 Sat Mar 7 00:49 gone - no
ftpd2595 206.125.222.101 Wed Mar 4 18:35 gone - no
ftpd21566 95.52.31.16 Wed Mar 4 06:14 gone - no
ftpd3011 206.125.222.101 Tue Mar 3 14:01 gone - no
ftpd20665 206.125.222.101 Tue Mar 3 13:39 gone - no
ftpd25549 84.19.186.93 Mon Mar 2 17:12 gone - no
ftpd16660 66.147.227.184 Mon Mar 2 11:14 gone - no

Most of the IPs were from Europe; some were from the US. I have emailed the abuse boxes of the US providers as well as the host of the 84.19.186.93 address. This address showed up more than any other.
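As an added example, not part of the original post, here is a small Python script that groups ftpd sessions from the `last`-style output above by source IP, so the most active address stands out and anything outside an allow-list of the owner's own addresses is listed for the abuse reports. The 198.51.100.7 "owner" login line and the allow-list are constructed assumptions; the other lines are the ones quoted in the post.

```python
"""Triage ftpd sessions from `last`-style output: group logins by source IP."""
import re
from collections import defaultdict
from datetime import datetime

# Matches the lines quoted in the post: "ftpd<pid> <ip> <Dow> <Mon> <day> <HH:MM> gone - no"
LINE_RE = re.compile(
    r"^ftpd(?P<pid>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dow>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})"
)

# The intrusion lines from the post, plus one constructed line (198.51.100.7)
# standing in for the site owner's own legitimate login.
SAMPLE_LOG = [
    "ftpd24914 84.19.186.93 Sat Mar 7 04:40 gone - no",
    "ftpd24070 84.19.186.93 Sat Mar 7 03:49 gone - no",
    "ftpd20416 84.19.186.93 Sat Mar 7 00:49 gone - no",
    "ftpd2595 206.125.222.101 Wed Mar 4 18:35 gone - no",
    "ftpd21566 95.52.31.16 Wed Mar 4 06:14 gone - no",
    "ftpd3011 206.125.222.101 Tue Mar 3 14:01 gone - no",
    "ftpd20665 206.125.222.101 Tue Mar 3 13:39 gone - no",
    "ftpd25549 84.19.186.93 Mon Mar 2 17:12 gone - no",
    "ftpd16660 66.147.227.184 Mon Mar 2 11:14 gone - no",
    "ftpd100 198.51.100.7 Sun Mar 1 09:00 gone - no",  # constructed owner login
]

OWNER_IPS = frozenset({"198.51.100.7"})  # assumed allow-list of legitimate sources

def parse_line(line, year=2009):
    """Return {"pid", "ip", "when"} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
    return {"pid": int(m["pid"]), "ip": m["ip"], "when": when}

def summarise(lines, known_ips=OWNER_IPS):
    """Per source IP: login count, first/last seen, allow-list status; most active IP first."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec["when"])
    summary = {ip: {"logins": len(t), "first": min(t), "last": max(t), "known": ip in known_ips}
               for ip, t in by_ip.items()}
    return dict(sorted(summary.items(), key=lambda kv: kv[1]["logins"], reverse=True))

def unknown_sources(summary):
    """IPs that logged in but are not allow-listed: the ones to report to abuse contacts."""
    return [ip for ip, s in summary.items() if not s["known"]]

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        flag = "" if s["known"] else "  <-- unknown source"
        print(f"{ip:16} {s['logins']:2} logins  {s['first']:%b %d %H:%M} .. {s['last']:%b %d %H:%M}{flag}")
```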

When I came to the site yesterday, this index file was being presented. The file contains links to other hijacked sites. Here are some examples of the hijacked sites: **DO NOT FOLLOW THESE LINKS**

    <a href="http://www.kit-cars.com/beta/2/index.html">ushi digard</a>
    <a href="http://www.kit-cars.com/beta/2/index1.html">military calisthenics</a>
    <a href="http://www.kit-cars.com/beta/2/index2.html">ishizu</a>
    <a href="http://www.kit-cars.com/beta/2/index3.html">antiaging dry-oily skin care product</a>

When I followed these links I found that these pages are legitimate sites which have also been hacked somehow. There were a few more that seemed to be hosted in England as well as Europe.

I was able to find some of the JavaScript code that was hiding on these sites. All of these sites had JavaScript which was obfuscated. From one of the sites a colleague of mine pulled the obfuscated code and extracted an IP. The hijacked IP 200.155.17.172 not only runs IIS hosting malicious sites but also has Terminal Services and MS SQL open to the internet. I have notified their ISP of the leak and I believe I have identified the company which owns the box.

I will post all the files I found during this investigation as well as any replies I get from my abuse complaints.  Anyone know where I could possibly submit these files for review?  SANS?

-G

G13 Security

  1. July 27th, 2009 at 05:39 | #1

    Hello, G13!
    Index.php of one of my sites was changed from the IP 84.19.186.93 via ftpd. Have you found out how login/password were gathered in your case?
    Thanks.

  2. G13
    July 27th, 2009 at 19:05 | #2

    I found out that my host had a security compromise around the time I signed up: http://www.dreamhoststatus.com/2007/06/06/security-breach/

    After this, I noticed my index file had changed a little while ago; I have no way of determining when it was changed. At the time I did not check my website often.
