
View Full Version : HTML hacking? (I know its not possible, read on)



Jazz914
06-25-2010, 07:13 PM
Okay, basically I'm letting a friend have FTP access to his subdomain (and only his subdomain) but for some reason it keeps getting "hacked".. here's what's going on...

1) First time, it was a .PHP with just the text "RAWR", as he was just using it to host some of his personal files, which also had nothing to do with any server-side scripts, but this got hacked and was redirecting to some site which would then force you to download a virus. Four months later I was told about this and contacted safe browser search telling them I sorted the problem.. (just removed the redirect and converted the file to an HTML one (.HTML))..

2) About 1 month later, after removing the redirect, this time it's 100% more weird. I also changed the PHP file to an HTML file so the incident wouldn't happen again, but again a redirect has been "injected" somehow and in some way...

Now this file was a .html file and ONLY contained 4 letters (RAWR). I have NO IDEA how this could be "hacked" as HTML isn't even a scripting language. The first thing which came to mind was someone just found out his password and kept adding it to the end of the document, but the code was this really obfuscated JavaScript code which looked like WAY TOO much effort to be just pasted inside of a document if you know the password. This time it was redirecting to some Russian site with a 404 error...

I was going to paste the code here but, me being me, I just copied something over the code in my clipboard :/ However, I do remember it started with something like <--[injection....<script type="javascript">...... some random letters and something like "jkol" repeated over 40 lines. The "injection" was like 140 lines long, which to me seems WAY too over the top if all someone needed to do was redirect someone else if they had FTP access, so the only other thing I can think of is he has a file which gives access to rewrite the document, but again CHMOD shouldn't allow this....

Meh, I'm so confused D: Anyone else have any idea on how this could be happening or if I'm just overthinking it... it's only happening on his subdomain as well, so yeah...

(And I have changed his password now)

met
06-25-2010, 07:48 PM
Sounds like XSS Injection (http://www.google.co.uk/#hl=en&source=hp&q=xss+injection&aq=0&aqi=g4g-m2&aql=&oq=xss+injec&gs_rfai=&fp=fa2ff31099444636)

Had a problem with this a while back. It can be caused by poorly secured scripts, viruses on the server, etc.

There's a lot of good material out there on ze web with fixes etc., might be worth a read.

Check your server's security if you can. You should be able to raise a support ticket with any provider worth their salt.

Jazz914
06-25-2010, 08:08 PM
But you can't inject a document which requires no user input, can you?
I mean seriously, all the document had in it was:

RAWR
No code, No HTML, No Database communication, No Serverside code, Nothing other than them four letters...

technolojik
06-29-2010, 10:21 PM
Check these PDF documents: http://www.pdfbooksearch.com/XSS+Injection.html

_Aerospace_Eng_
06-30-2010, 01:51 AM
But you can't inject a document which requires no user input, can you?
I mean seriously, all the document had in it was:

No code, No HTML, No Database communication, No Serverside code, Nothing other than them four letters...

You are misunderstanding. It's not your friend's code. It's likely the server that you are on. It could have been compromised. I'm guessing you are on shared hosting?
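
Added example, not part of the thread and not any poster's code: one way to tell when and how a static page like the four-letter one described above changes, by comparing the web root against a known-good baseline and flagging files whose original bytes are intact but now carry an appended script or iframe. The function names, the `index.html` file name and the sample tail are constructed for illustration.

```python
import hashlib, os, re, tempfile

# Tags that have no business appearing in the tail of a plain static page.
MARKUP_RE = re.compile(rb"<\s*(script|iframe)\b", re.I)

def read_tree(root):
    """Yield (relative path, bytes) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                yield os.path.relpath(path, root), fh.read()

def snapshot(root):
    """Known-good baseline: size and SHA-256 per file. Keep it off the server."""
    return {rel: (len(d), hashlib.sha256(d).hexdigest()) for rel, d in read_tree(root)}

def audit(root, base):
    """Classify every difference between the tree and the baseline."""
    findings, seen = {}, set()
    for rel, data in read_tree(root):
        seen.add(rel)
        if rel not in base:
            findings[rel] = "new file"
            continue
        size, digest = base[rel]
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        # Original bytes intact with extra bytes after them: something was appended.
        if len(data) > size and hashlib.sha256(data[:size]).hexdigest() == digest:
            tail = data[size:]
            kind = "appended markup" if MARKUP_RE.search(tail) else "appended data"
            findings[rel] = f"{kind} ({len(tail)} bytes)"
        else:
            findings[rel] = "modified"
    for rel in base.keys() - seen:
        findings[rel] = "deleted"
    return findings

def demo():
    """Constructed sample: a four-letter page that later gains a script tail."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "wb") as fh:
            fh.write(b"RAWR")
        base = snapshot(root)
        with open(page, "ab") as fh:
            fh.write(b"\n<script>/* constructed placeholder */</script>")
        return audit(root, base)
```

Comparing the modification time of a flagged file with the FTP and web server logs for the same window helps separate a stolen FTP password from a compromise elsewhere on the host.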


