  1. #1

    HTML hacking? (I know it's not possible, read on)

    Okay, basically I'm letting a friend have FTP access to his subdomain (and only his subdomain), but for some reason it keeps getting "hacked". Here's what's going on...

    1) First time, it was a .PHP with just the text "RAWR", as he was just using it to host some of his personal files, which also had nothing to do with any server-side scripts, but this got hacked and was redirecting to some site which would then force you to download a virus. Four months later I was told about this and contacted safe browser search, telling them I sorted the problem (just removed the redirect and converted the file to an HTML one (.HTML)).

    2) About 1 month later, after removing the redirect, this time it's 100% more weird. I also changed the PHP file to an HTML file so the incident wouldn't happen again, but again a redirect has been "injected" somehow and in some way...

    Now this file was a .html file and ONLY contained 4 letters (RAWR). I have NO IDEA how this could be "hacked", as HTML isn't even a scripting language. The first thing which came to mind was that someone just found out his password and kept adding it to the end of the document, but the code was this really obfuscated JavaScript code which looked like WAY TOO much effort to be just pasted inside of a document if you know the password. This time it was redirecting to some Russian site with a 404 error...

    I was going to paste the code here but, me being me, I just copied something over the code in my clipboard :/ However, I do remember it started with something like <--[injection....<script type="javascript">...... some random letters and something like "jkol" repeated over 40 lines. The "injection" was like 140 lines long, which to me seems WAY too over the top if all someone needed to do was redirect someone else if they had FTP access, so the only other thing I can think of is he has a file which gives access to rewrite the document, but again CHMOD shouldn't allow this...

    Meh, I'm so confused D: Anyone else have any idea on how this could be happening, or if I'm just overthinking it... it's only happening on his subdomain as well, so yeah...

    (And I have changed his password now)
    Last edited by Jazz914; 06-25-2010 at 06:16 PM.

  • #2
    met
    Sounds like XSS Injection

    Had a problem with this a while back; it can be caused by poorly secured scripts, viruses on the server etc.

    There's a lot of good material out there on ze web with fixes etc., might be worth a read.

    Check your server's security if you can; you should be able to raise a support ticket with any provider worth their salt.

  • #3
    But you can't inject a document which requires no user input, can you?
    I mean seriously, all the document had in it was:
    RAWR
    No code, No HTML, No Database communication, No Serverside code, Nothing other than them four letters...

  • #4

  • #5
    _Aerospace_Eng_
    Originally Posted by Jazz914:
    But you can't inject a document which requires no user input, can you?
    I mean seriously, all the document had in it was:

    No code, No HTML, No Database communication, No Serverside code, Nothing other than them four letters...
    You are misunderstanding. It's not your friend's code. It's likely the server that you are on. It could have been compromised. I'm guessing you are on shared hosting?
    ||||If you are getting paid to do a job, don't ask for help on it!||||
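
Added example, not part of the original thread: one way to notice quickly when a static file like the four-letter page above is altered, by comparing the web root against a known-good baseline of SHA-256 digests and flagging changed files that now carry script, iframe or meta-refresh markup. The names `snapshot`, `audit` and `ACTIVE_MARKUP` and the sample file are assumptions made for this illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Markup that should never appear in a file meant to hold plain text only.
ACTIVE_MARKUP = re.compile(rb"<\s*(script|iframe)\b|http-equiv\s*=\s*[\"']?refresh", re.I)

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit(root, baseline):
    """Compare the tree to a known-good baseline; return (path, finding) tuples."""
    root = Path(root)
    current = snapshot(root)
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append((path, "new file"))
        elif digest != baseline[path]:
            findings.append((path, "modified"))
        else:
            continue  # unchanged since the baseline
        if ACTIVE_MARKUP.search((root / path).read_bytes()):
            findings.append((path, "contains script/iframe/refresh markup"))
    findings += [(p, "deleted") for p in baseline if p not in current]
    return findings

def demo():
    """Constructed sample: a four-letter page, then a harmless appended script tag."""
    with tempfile.TemporaryDirectory() as d:
        page = Path(d) / "index.html"
        page.write_text("RAWR")
        baseline = snapshot(d)          # taken while the site is known clean
        clean = audit(d, baseline)
        with page.open("a") as f:       # simulate the unwanted append
            f.write('\n<script type="text/javascript">/* constructed */</script>')
        return clean, audit(d, baseline)

if __name__ == "__main__":
    clean, tampered = demo()
    print(clean, tampered, sep="\n")
```

Keep the baseline somewhere other than the hosting account being checked, since anyone who can rewrite the pages could rewrite a baseline stored beside them.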

