{"id":2057,"date":"2010-11-02T23:08:15","date_gmt":"2010-11-03T06:08:15","guid":{"rendered":"http:\/\/www.ait-pro.com\/aitpro-blog\/?p=2057"},"modified":"2011-04-04T11:18:55","modified_gmt":"2011-04-04T18:18:55","slug":"website-hack-report-case-study-for-recent-website-hacks-during-september-october-and-november","status":"publish","type":"post","link":"https:\/\/www.ait-pro.com\/aitpro-blog\/2057\/misc-projects\/security-reports-warnings-and-fixes\/website-hack-report-case-study-for-recent-website-hacks-during-september-october-and-november\/","title":{"rendered":"Website Hack Report – Case Study For Recent Website Hacks During September, October and November"},"content":{"rendered":"

Hack Attack details For Recent GoDaddy Website Hack
\nHack Date: October 31, 2010 11:30pm PST<\/h2>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u00a0* In no way, shape or form is this report intended to reflect negatively on GoDaddy web hosting.\u00a0 AIT-pro.com is hosted on GoDaddy and will continue to use GoDaddy web hosting.\u00a0 We could not be any more pleased than we already are with GoDaddy web hosting services and support.<\/strong><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Attack Method<\/strong> – Initial SQL Injection \u2013 For the primary purpose of redirection to specified encoded IP. Upon site visit – download and cache of additional payload files used for successful execution of additional IP redirection. True goal \/ intention appears to be masked with several layers of subterfuge tactics to give the appearance of a classic malware infection. Desired end result possible traffic boost. Not conclusive. True intentions could have just been simply to disrupt GoDaddy web hosting services.<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Base64 Code Injection String (only including\u00a0first line of base64 code injection for search purposes)<\/strong><\/td>\n<\/tr>\n
$_8b7b=\"\\x63\\x72\\x65\\x61\\x74\\x65\\x5f\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e\";$_8b7b1f=<\/code><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
ChLoE – Level 9<\/strong><\/td>\n<\/tr>\n
CClearHost<\/strong> – Non-Conclusive<\/td>\n<\/tr>\n
Design & Intention<\/strong> – Non-destructive – Primary Desired Result Redirection to intended IP or disruption of services. The ultimate beneficiary is not 100% absolutely clear.<\/td>\n<\/tr>\n
Possible Motive \/ Goal<\/strong> – Visitor Traffic Rank Increase by Redirection<\/td>\n<\/tr>\n
Indirect Beneficiary<\/strong> – Host globalnet.ba\u00a0*I am not implying that globalnet.ba is responsible for this attack to increase ranking.<\/strong> It is clear that they do benefit indirectly from this attack, but there is no direct link to insomniaboldinfoorg.com & globalnet.ba except for the fact that insomniaboldinfoorg.com and other domains launching this attack are hosted on globalnet.ba web hosting. This web host could be a victim in these attacks as well.<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Attack Dates | IP Addresses Involved<\/strong><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Sept 17<\/strong> | 77.78.239.53 (most likely other IPs in this subnet as well)<\/td>\n<\/tr>\n
Later Sept \u2013Early Oct <\/strong>| 77.78.239.53 (most likely other IPs in this subnet as well) \u2013 total of 7 different domains with same IP<\/td>\n<\/tr>\n
Oct 19 \u2013 21 | <\/strong>77.78.239.53 (most likely other IPs in this subnet as well) \u2013 total of 3 different domains with same IP<\/td>\n<\/tr>\n
Oct 31 11:30pm PST<\/strong> | 77.78.239.53, 77.78.247.28, 77.78.201.251<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
\"Alexa<\/a><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Although the attack dates do not match up exactly with the resulting ranking increases displayed in the Alexa graph above there is a definite similarity in the pattern and of course all of these attacks originate from the same IP block and subnet. Other factors include how accurately the Alexa graph displays results by date. Ie realtime vs post DB update. How accurately attack dates are reported. Ie I see several conflicting dates of attack. I am only 100% positive of all data collected for Oct 31 because I personally tracked the attack from T +20 minutes to T + 24 hours. Once again this web host could also be a victim in these attacks.<\/strong><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Netrange 77.0.0.0 \u2013 77.255.255.255<\/td>\n<\/tr>\n
Domain insomniaboldinfoorg.com<\/td>\n<\/tr>\n
Sarajevo Bosnia and Herzegovina<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Known IP Addresses involved<\/strong><\/td>\n<\/tr>\n
IP 77.78.239.53<\/td>\n<\/tr>\n
IP 77.78.247.28<\/td>\n<\/tr>\n
IP 77.78.201.251<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
ISP<\/strong><\/td>\n<\/tr>\n
Bosnia And Herzegovina Sarajevo Globalnet Bh<\/td>\n<\/tr>\n
inetnum: 77.78.241.0 – 77.78.247.255<\/td>\n<\/tr>\n
netname: GLOBALNET-ISP<\/td>\n<\/tr>\n
descr: GlobalNET BH<\/td>\n<\/tr>\n
descr: Internet Service Provider<\/td>\n<\/tr>\n
descr: http:\/\/www.globalnet.ba\/<\/td>\n<\/tr>\n
address: Bosnia and Herzegovina<\/td>\n<\/tr>\n
nic-hdl: JB1004<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Additional Payload Files involved<\/strong><\/td>\n<\/tr>\n
Javasript Files Involved (detectable)<\/strong><\/td>\n<\/tr>\n
Function: Encoder \/ Decoder<\/strong><\/td>\n<\/tr>\n
Javascript file yirvqjkm.js origin = IP 77.78.247.28<\/td>\n<\/tr>\n
Full domain path to js script file >>> http:\/\/77.78.247.28\/js\/1\/yirvqjkm.js<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Javascript file functions.js origin = IP 77.78.247.28<\/td>\n<\/tr>\n
Full domain path to js script file >>> http:\/\/77.78.247.28\/js\/functions.js<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
HTML Files Involved (detectable)<\/strong><\/td>\n<\/tr>\n
Source of HTML file<\/strong><\/td>\n<\/tr>\n
http:\/\/77.78.201.251\/index.php?H20=qW&09G=C99VM9AHQ5&Lm9=
\nXM20oJUs2K15U&3KO=0T5A1EFFMOAQS86&tsov=
\nZwSmlMBktyAgoKf3wAZmMGPj1GMw%3D%3D&62Z=
\n31454OXHOJA6X077C&KaucT=TBJMlAaLyIxPx44N0RGXG1YLSR&3T=
\n321IX6T2AA7BB&bos=SEkHM2o0fz&9zKS=022HN2RV6JX5GS2Y%2FKUUgLjd<\/code><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Redirect code within above HTML file<\/strong><\/td>\n<\/tr>\n
<meta http-equiv=\"refresh\" content=\"0; url=http:\/\/77.78.247.28\/index.php?e55E=
\ngEvW&7i8P4=5275WR6EX&nZ56= iZgcVtzKFdTUgctLQgHCQwAZQAMCWlAKj08&8iBAL=
\nB8DJ10&d69=AA95AwYIJAUzfzR%2BKwEFCFQII&7IS= 127808F8J95PJEE&Yh=
\nMy5dICE%2BTC0nV&R068=36KQ95147W241X4ONHOWW0dEQ&V2W=
\nGcvXDZJWg8jITlUVWhc&au=ExPAX5%2FDQUf&ff=1A0KXdzDAcBBzNnB\" \/><\/code><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
PHP Files Involved \u2013 several (not retrievable)<\/strong><\/td>\n<\/tr>\n
Remote PHP script execution appear not to be intended to be cached<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
DNS Lookup For 77.78.247.28<\/strong><\/td>\n<\/tr>\n
Spoof – 28.247.78.77.in-addr.arpa. IN PTR<\/td>\n<\/tr>\n
Spoofed to United States Columbus Dod Network Information Center<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
globalnet.ba Information<\/strong><\/td>\n<\/tr>\n
nameserver: ns1.globalnet.ba<\/td>\n<\/tr>\n
nameserver: ns2.globalnet.ba<\/td>\n<\/tr>\n
nameserver: rns.globalnet.ba<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Nodes to Final Destination<\/strong><\/td>\n<\/tr>\n
188.64.105.30 – Ljubljana Slovenia<\/td>\n<\/tr>\n
77.77.197.34 – globalnet.telemach.ba<\/td>\n<\/tr>\n
77.78.192.5 \u2013 Unknown<\/td>\n<\/tr>\n
77.78.192.15 \u2013 globalnet.ba<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n
blacklist_zone<\/strong><\/td>\ndomain<\/strong><\/td>\nstatus<\/strong><\/td>\nSubmitted<\/strong><\/td>\nAdded<\/strong><\/td>\nRejected<\/strong><\/td>\nRemoved<\/strong><\/td>\n<\/tr>\n
whois<\/td>\nba<\/td>\nListed<\/td>\nApr 16, 2004 9:26 EDT<\/td>\nApr 16, 2004 11:07 EDT<\/td>\nNever<\/td>\nNever<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
General Info and reputation of web host<\/strong><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Globalnet.ba is a domain controlled by three name servers at globalnet.ba themselves. Two of them are on the same IP network. The primary name server is ns1.globalnet.ba. Incoming mail for globalnet.ba is handled by five mail servers at googlemail.com and google.com. Two mail servers have the same IP number. All four of them are on different IP networks. globalnet.ba has one IP number (77.78.192.15) , which also has a corresponding reverse pointer.<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Www.globalnet.ba cnames to this hostname. Crtaci.gnet.ba, int.gnet.ba, www.crtaci.gnet.ba, vpsmachine.int.gnet.ba and root.vpsmachine.int.gnet.ba point to the same IP. Teamwaffle.net use this as a name server under another name. Rental.ba, hackforums.net, casper.ba, nkcelik.info, bihnet.org and at least 31 other hosts share name servers with this domain. Telemach.ba, irc.bolchat.org, 249.77.77.in-addr.arpa, 251.77.77.in-addr.arpa, 250.77.77.in-addr.arpa and at least two other hosts share name servers under another name with this domain. Ifesgulf.com, joshua.net, fedro.com, quivive.nl, gregbiggers.com and at least 200 other hosts share mail servers with this domain. Heartthegamer.com, contea.net, slimverdienen.com, hillsc.net, butysportowe.net and at least 16 other hosts share mail servers under another name with this domain. Pptp-200-sa.globalnet.ba, analyzer-eth1.globalnet.ba, secure.globalnet.ba, ns4.globalnet.ba, ns3.globalnet.ba and at least 31 other hosts are subdomains to this hostname.<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
in bgp<\/strong><\/td>\nroute record<\/strong><\/td>\nprefix<\/strong><\/td>\ndescription<\/strong><\/td>\n<\/tr>\n
AS42560<\/td>\nAS42560
\nAS42983<\/td>\n		77.77.192.0\/18<\/td>\nmain route block main route block<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.77.194.0\/23<\/td>\nTELEMACH<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.77.196.0\/22<\/td>\nTELEMACH<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.77.224.0\/19<\/td>\nTELEMACH<\/td>\n<\/tr>\n
\u00a0<\/td>\n\u00a0<\/td>\n77.78.192.0\/18<\/td>\nGlobalNET Bosnia<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.192.0\/24<\/td>\nGlobalNET Bosnia<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.193.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.194.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.195.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.196.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.197.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.198.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.199.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.200.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.201.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.202.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.203.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.204.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.205.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.206.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
(unannounced)<\/td>\nAS42560<\/td>\n77.78.207.0\/24<\/td>\nGlobalNET subnet<\/td>\n<\/tr>\n
AS42560<\/td>\nMISSING!<\/td>\n77.78.239.0\/24<\/td>\n\u00a0<\/td>\n<\/tr>\n
AS42560<\/td>\nMISSING!<\/td>\n77.78.240.0\/24<\/td>\n\u00a0<\/td>\n<\/tr>\n
AS42560<\/td>\nMISSING!<\/td>\n77.78.248.0\/24<\/td>\n\u00a0<\/td>\n<\/tr>\n
AS42560<\/td>\nMISSING!<\/td>\n77.78.249.0\/24<\/td>\n\u00a0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Nikto Scan Results on Shared Host Server that was attacked<\/span><\/strong><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
Can’t locate auto\/Net\/SSLeay\/autosplit.ix in @INC (@INC contains: C:\/Perl\/site\/lib C:\/Perl\/lib .) at C:\/Perl\/lib\/AutoLoader.pm line 173.
\n\u00a0at C:\/Perl\/lib\/Net\/SSLeay.pm line 61
\n– Nikto v2.1.3
\n—————————————————————————
\n+ Target IP:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 173.201.92.1
\n+ Target Hostname:\u00a0\u00a0\u00a0 p3nlhg43c081.shr.prod.phx3.secureserver.net
\n+ Target Port:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 80
\n+ Start Time:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2010-11-07 15:55:45
\n—————————————————————————
\n+ Server: Apache
\nE:Sat Nov\u00a0 6 15:55:56 2010 + ERROR: \/cgi.cgi\/ returned an error: error reading HTTP response
\n+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
\n+ ETag header found on server, inode: 14271895, size: 91, mtime: 0x477838c1c0907
\nE:Sat Nov\u00a0 6 15:56:10 2010 + ERROR: \/index.php3 returned an error: error reading HTTP response
\n+ Multiple index files found (note, these may not all be unique): default.asp, index.jhtml, index.php, index.htm, index.pl, default.htm, index.as
\npx, default.aspx, index.asp, index.do, index.cfm, index.cgi, index.html, index.shtml,
\n+ DEBUG HTTP verb may show server debugging information. See http:\/\/msdn.microsoft.com\/en-us\/library\/e8z01xdh%28VS.80%29.aspx for details.
\nE:Sat Nov\u00a0 6 15:56:21 2010 + ERROR: \/ returned an error: error reading HTTP response
\nE:Sat Nov\u00a0 6 15:56:31 2010 + ERROR: \/ returned an error: error reading HTTP response
\nE:Sat Nov\u00a0 6 15:56:54 2010 + ERROR: \/postnuke\/viewtopic.php?t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%5
\n0%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 returned an error: error reading HTTP response
\nE:Sat Nov\u00a0 6 15:57:13 2010 + ERROR: \/phpBB\/viewtopic.php?t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5
\nf%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527 returned an error: error reading HTTP response
\n+ 58 items checked: 6 error(s) and 3 item(s) reported on remote host
\n+ End Time:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2010-11-07 15:57:23 (98 seconds)
\n—————————————————————————
\n+ 1 host(s) tested<\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
GoDaddy was notified first of our findings before this information was posted.\u00a0 Post was released on confirmation from GoDaddy that this issue was resolved: \u00a0malicious code \/ worm scan result for postnuke and phpBB.<\/span><\/strong><\/td>\n<\/tr>\n
\u00a0<\/td>\n<\/tr>\n
More about Nikto2 Open Source web server scanner…<\/a><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"

Hack Attack details For Recent GoDaddy Website Hack Hack Date: October 31, 2010 11:30pm PST \u00a0* In no way, shape or form is this report intended to reflect negatively on GoDaddy web hosting.\u00a0 AIT-pro.com is hosted on GoDaddy and will continue to use GoDaddy web hosting.\u00a0 We could not be any more pleased than we […]<\/p>\n","protected":false},"author":167,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[311],"tags":[308,309,307],"class_list":["post-2057","post","type-post","status-publish","format-standard","hentry","category-security-reports-warnings-and-fixes","tag-website-hack-november","tag-website-hack-october","tag-website-hack-september"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/users\/167"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/comments?post=2057"}],"version-history":[{"count":0,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2057\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/media?parent=2057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/categories?post=2057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/tags?post=2057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}