Jump to content

Hostile java scri_pt


mrmaxx

Recommended Posts

I found that someone had hacked into our webserver last Sunday (July 10th) and added a few lines of code to all our java scri_pt files. Basically it was causing anyone visiting the website with internet explorer to start to download a file from mhjldbgmfds.com. No that's not a made up domain. That's the actual domain name that was trying to download something to my computer at work earlier today when I visited my company's website using internet explorer.

Link to comment
Share on other sites

I found that someone had hacked into our webserver last Sunday (July 10th) and added a few lines of code to all our java scri_pt files.

I know you said that the server was hacked, but ,,,, the 'adding a few lines to all the .js files' seems extremely out of the ordinary. More typical is the action of adding in something like an iframe bit to effect this sort of cross-site-scripting. The quick-check would be something simple like the file-dates of the web-page creation files .... the typical hack of this sort would leave an .html or .php file with the most recent date showing. But, yes, it would depend on the craftiness of the hacker.

download something to my computer at work earlier today when I visited my company's website using internet explorer.

lthough my immediate reaction would be to get the bad code off-line and replaced with a copy of the 'backed-up good' version, the question of analysis is still valid, I suppose. Again, my first reaction .... hit it with the FireFox add-on tool "firebug" which would allow one to pretty much see the page make-up. You didn't say whether you had anything above user-level access to this server, but even then, the majority of the codebase structure should be available.

Of course, the killer question is whether the hack vector has been discovered and closed. The entrance may not have actually been a server-hack, it may boil down to an exploitable application running on the web-server, the more typical problem of something allowed to get into the SQL database that then gets included on the displayed pages that is allowed to progress on exploitable (or trusting) web-bowers.

Link to comment
Share on other sites

...anyone visiting the website with internet explorer to start to download a file from mhjldbgmfds.com. No that's not a made up domain. That's the actual domain name that was trying to download something to my computer at work earlier today when I visited my company's website using internet explorer.

Searching http://www.malwaredomainlist.com/mdl.php

mhjldbgmfds.com

46.165.192.232 blackhole exploit kit

46.165.192.232 trojan Sinowal

46.165.192.232

mhjldbgmfds.com blackhole exploit kit

mhjldbgmfds.com trojan Sinowal

aopq3ohkrb.com blackhole exploit kit

53t3ghkjksd.com blackhole exploit kit

4uiokwnbe.com blackhole exploit kit

isj23hgggjg.com blackhole exploit kit

sdi2u3i2h.com blackhole exploit kit

kdjeiuhebn.com blackhole exploit kit

hdjwuy2gvn.com blackhole exploit kit

tbcfleatfds.com blackhole exploit kit

uwjkq3b3vhv.com blackhole exploit kit

Link to comment
Share on other sites

Of course, the killer question is whether the hack vector has been discovered and closed. The entrance may not have actually been a server-hack, it may boil down to an exploitable application running on the web-server, the more typical problem of something allowed to get into the SQL database that then gets included on the displayed pages that is allowed to progress on exploitable (or trusting) web-bowers.

Well, we're still not sure how the hacker got in, but the only apparent date changes were to the .js files which added the download of an apparent known malware. I did go in and edit the .js files and removed the offending code and it now comes up clean.

I also had the webhost change the ftp actions to block access by anyone coming from any IP other than our own external IP. That may or may not solve the problem, but it's a start. There were also a number of Windows Updates that needed to be installed, so we installed them. I suppose I ought to log in about once a week and see if there are any more updates to install, or should I just say "the heck with it" and let them auto-install????

Searching http://www.malwaredomainlist.com/mdl.php

mhjldbgmfds.com

46.165.192.232 blackhole exploit kit

46.165.192.232 trojan Sinowal

46.165.192.232

mhjldbgmfds.com blackhole exploit kit

mhjldbgmfds.com trojan Sinowal

Yeah... I pretty much figured it was malware it was trying to download. :angry: I don't like having to worry about the website as well as the internal machines... but for now, I guess I'm stuck with it. I really don't like people exposing our website visitors to malware, potentially costing us sales! :angry:

Link to comment
Share on other sites

  • 1 month later...
I found that someone had hacked into our webserver last Sunday (July 10th) and added a few lines of code to all our java scri_pt files. Basically it was causing anyone visiting the website with internet explorer to start to download a file from mhjldbgmfds.com. No that's not a made up domain. That's the actual domain name that was trying to download something to my computer at work earlier today when I visited my company's website using internet explorer.

No offense, but it seems to me like you need to hire some new people in your tech department.

Link to comment
Share on other sites

No offense, but it seems to me like you need to hire some new people in your tech department.

No offense taken. I would welcome more people in our IT Department since I'm the entire IT department and I know next to nothing about web programming, etc. Unfortunately, it ain't gonna happen, so I muddle along as best I can.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...