10-23-2006, 07:20 AM
Wong Yung
Re: Malicious javascript obfuscation


Todd H. wrote:
> "Wong Yung" <wongyung_peach@yahoo.com> writes:
>
> > Thanks very much Todd!
> >
> > I went to the webpage and it's very strange. It doesn't seem to
> > attempt to download anything. They (kaonline.biz) claim that someone
> > is trying to blackmail them by sending spam in their name and then
> > trying to extort money from them. If this is true and they are not
> > lying their heads off I wonder if this is part of the supposed
> > extortion attempt. Or maybe they're just saying that because really
> > they are spammers and...*Sigh* I don't know what to believe anymore.
> >
> > Still this is only what it is doing *now*. The webserver looks like it
> > has been hacked for a while now and god knows what's been happening in
> > the meantime.
> >
> > Thanks though for helping out!
>
> No problem.
>
> Was your webhost based on cpanel.net software? A few weeks ago, a
> whole bunch of cpanel based sites got owned and were used largely to
> spread the Internet Explorer 0day exploit du jour. I think that
> issue has been patched but it did affect a lot of folks. Curious if
> you were one of em.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/



No,

I think the webserver was running Apache on Linux (I say "I think"
because I wasn't admining it so I don't know what exactly was running
on the computer). The problem is it wasn't updated and so I guess in
the end you can say it was all our own fault.

*Sigh* I'm still worried though because even though it looks like the
hack is fairly harmless now it looks like it was hacked a while ago and
who knows if they hadn't taken the opportunity to download Trojans onto
a few computers first. You know how it is with security - once one
thing gets compromised everything touching it is tainted because you
can't be sure what the hackers were doing.

Usually I run either Linux (most of these redirect things lead to some
Windows specific malware) or Windows with Firefox with the NoScript
extension which blocks all JavaScript except on sites you whitelist.
However, I *did* test my website in IE several times when the script
was present so I could make sure the CSS looked OK. Nor did I turn off
scripting in IE because I hardly ever use it and I didn't think my own
website would be a security risk. Not sure what to do now...probably
run a full anti-virus and anti-spyware check but you know that doesn't
catch everything. On the bright side of things I don't remember any
anti-virus alerts, or probably more importantly any warnings about
something trying to replace program x with a different version (I have
a program which detects when program files get changed) when I was
looking at my site in IE...

Anyway, thanks a lot for your help. It did help relieve my mind a lot.

