

Increase in JavaScript injection-based attacks?




Posted by BATeller, 06-06-2013, 12:09 PM
Has anyone else noticed an increase in JavaScript injected code attacks lately? I've seen activity on some forums and Groups and saw a couple of sites infected, so I wasn't sure if this was widespread or not. The type of attack I'm talking about is outlined here: http://jeffreysambells.com/2012/12/12/anatomy-of-a-hack

The characteristics are that the code is usually obfuscated into a single array where each character is represented by an ASCII-converted number, but they don't stop there. They scramble the numbers into a different sequence that has to be thrown through a for loop to get it in the right order again. The goal of the JavaScript is to create an iframe that visits a malware-infected site, which is usually some counter.php script where Mr. Hacker can keep tabs on who he infected and what sites are referring.

There also apparently is a mod_rewrite version as well. This one is a little more blatant. It redirects anyone using a huge list of referrers to the malware site. This code isn't really hidden. They put it straight in the .htaccess.

Both of these methods apparently appear to compromise web sites by FTP (possibly insecure or trojan-collected passwords). Lately the hacker appears to be commenting on the .htaccess and JavaScript code with a tag of '0c0896'. I'm guessing it's his signature or calling card.
Sites talking about this attack (all are within the last week or so):
http://x10hosting.com/forums/free-ho...en-hacked.html
http://productforums.google.com/foru...es/BBaPfWLMyP8
http://forums.aspdotnetstorefront.co...-site&p=258977
http://stackoverflow.com/questions/1...mpromised-site
http://www.avgthreatlabs.com/webthre...t-exploit-kit/
http://foros.ovh.es/showthread.php?t=11080
https://www.phpbb.com/community/view...460ea0ef2a1d4b
http://www.javaprogrammingforums.com...ring-code.html

Possible malware it's trying to install:
http://home.mcafee.com/VirusInfo/Vir...y=1487635#none
http://www.avgthreatlabs.com/webthre...e-exploit-kit/
http://www.avgthreatlabs.com/webthre...t-exploit-kit/

Last edited by BATeller; 06-06-2013 at 12:21 PM. Reason: Added sites.

Posted by JustinAY, 06-06-2013, 07:29 PM
I see these sorts of attacks on a regular basis. Anybody who governs multiple shared machines should see these routinely. You can use a recursive grep and a sed to replace the malicious code.
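
One way to script the recursive search and sed cleanup mentioned in the reply above, keyed on the '0c0896' tag from the first post. This is an added example, not code from the thread; it assumes each injected block sits between an opening and a closing comment line that both contain the tag, and the marker layout, function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find and strip injections marked with the tag from the thread.
# Assumption: each injected block sits between an opening and a closing
# comment line that both contain the tag (marker layout below is constructed).
TAG='0c0896'

# Recursively list web files under $1 that contain the tag.
find_tagged() {
    find "$1" -type f \( -name '*.js' -o -name '*.php' -o -name '*.html' \
        -o -name '.htaccess' \) -exec grep -lF -- "$TAG" {} + | sort
}

# Delete each marker-to-marker block from $1, keeping the original as $1.bak.
# Refuses files with an odd number of marker lines: the sed range would run
# from the unpaired marker to end of file and destroy legitimate content.
clean_file() {
    n=$(grep -cF -- "$TAG" "$1")
    [ "$n" -gt 0 ] && [ $((n % 2)) -eq 0 ] || return 1
    cp -p "$1" "$1.bak" && sed "/$TAG/,/$TAG/d" "$1.bak" > "$1"
}

# Clean every tagged file under $1; print files left for manual review.
clean_tree() {
    find_tagged "$1" | while IFS= read -r f; do
        clean_file "$f" || printf 'manual review: %s\n' "$f"
    done
}

# Build a constructed sample tree (harmless stand-ins, not real payloads).
make_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'function ok(){return 1;}' '/*0c0896*/' \
        'var n=[49,48,52,53];' '/*/0c0896*/' > "$d/site.js"
    printf '%s\n' '#0c0896#' 'RewriteEngine On' \
        'RewriteRule ^ http://example.invalid/ [R,L]' '#/0c0896#' \
        'DirectoryIndex index.php' > "$d/.htaccess"
    printf '%s\n' '<p>hi</p>' '<!--0c0896-->' '<p>bye</p>' > "$d/odd.html"
    printf '%s\n' 'body{}' > "$d/clean.css"
    echo "$d"
}

demo=$(make_demo) && clean_tree "$demo"
```

The .bak copies still contain the injected code, so move them out of the document root once the cleaned files have been checked. Since the first post attributes the compromise to FTP credentials, the files will be re-infected unless those passwords are changed as well.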


