
Topic: 'Bitcoin Accepted' Images - THREAT - JavaScript (Read 152 times)

copper member
Activity: 10
Merit: 0
November 15, 2019, 10:00:56 PM
#2
One thing I need to emphasize here: downloading .htaccess through FTP did not reveal the hidden input, neither was it revealed when viewing through the web host's rich text editor. Only the full version standard editor built into the host's control panel was able to work round the attacker's encapsulation. The FTP situation has me stumped though, I really can't get my head around that one, some kind of trickery with symbolic links? Difficult to tell as I don't have any kind of terminal access to this particular site, just a basic hosting package.
copper member
Activity: 10
Merit: 0
Wasn't sure where to put this so went to the only place I felt comfortable given the little engagement I've had here.

So I noticed an old website I'd been running for years was behaving very strangely. When accessing the site it was clear some sort of query was being executed (gave itself away in the address bar). I did some more digging and noticed timestamps on certain files changed, including a new 'compressed.js' amongst other unrecognised changes.

So I pull up .htaccess for a gander. Now, when downloading .htaccess through FTP or viewing/editing through the web host's built in (grim) rich text editor, there was nothing to see, but when viewed through the web host's built in standard editor it displayed hundreds of lines of miscreant administered code hidden away using HTML encapsulation to trick the server as best it can into hiding but still running the extra .htaccess rules (sluts, xxx and the like was what I gathered in a quick run through).

Chased the timestamped modifications back to one file that changed first around that period, the bitcoin-accepted.png. I took the file and opened it in a browser that had JavaScript disabled; surely enough, a "JavaScript required" error when trying to open. I'm no Normantic Heruestician but I'd put money on that having something to do with the long list of strange goings on.

With that, did some cleaning and replaced as many of the files as can be found that have modification stamps around that time-frame, but ultimately the site is compromised and needs pulling apart. Luckily the site has very little going on and is built entirely of flat HTML files, which rules out an enormous array of potential attack vectors.

-----------------------------------

The image was taken from a Google search some years back. The file permissions on the server were all in order and no obvious means of entry or apparent signs of break in.

Watch out for them dodgy images, use only trusted sources or cycle the format of any untrusted source images, which might help purge any nasty additives.
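A defender-side check prompted by the bitcoin-accepted.png finding above, added here as an example and not code from the original post: it walks a document root and flags every file with an image extension whose leading bytes are not that format's magic header, separately calling out the ones that start with HTML or script markup. The magic signatures are standard format facts; the sample webroot built in demo() is constructed.

```python
import os
import tempfile

# Magic-byte signatures for common web image formats (public format facts).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Markers that mean "this is really markup or script, not pixels".
SCRIPT_MARKERS = (b"<script", b"<html", b"<?php", b"javascript")

def classify_image_bytes(ext, head):
    """Return 'ok' (magic matches), 'script-like' (markup/script where an image
    header should be) or 'bad-magic'. Caveat: a file that keeps a valid header
    and has script appended after it is NOT caught; that needs a full decode."""
    sigs = IMAGE_MAGIC[ext.lower()]
    if any(head.startswith(s) for s in sigs):
        return "ok"
    if any(m in head.lower() for m in SCRIPT_MARKERS):
        return "script-like"
    return "bad-magic"

def scan_webroot(root):
    """Walk a document root; return sorted [(path, verdict)] for every
    image-named file whose content does not start like the image it claims."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # header plus room for an HTML prologue
            verdict = classify_image_bytes(ext, head)
            if verdict != "ok":
                findings.append((path, verdict))
    return sorted(findings)

def demo():
    """Constructed sample webroot: one real PNG header, one 'PNG' that is HTML."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "bitcoin-accepted.png"), "wb") as fh:
        fh.write(b"<html><body><script>document.write('x')</script></body></html>")
    return [(os.path.basename(p), v) for p, v in scan_webroot(root)]
```

Run scan_webroot() against the real document root to list the suspects; combine with the file-timestamp review described in the post to narrow down which files changed together.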