Getting hacked and seven levels of indirection
OK, the first link injected into the site (the site master page, or whatever they call it in WordPress PHP land – I don’t speak much of their language) was this:
Using Google Chrome, load up a random web page, right-click and choose “Inspect element” somewhere on the document. Find the Console tab, and you can paste in just the part that matches “unescape(….)” (only that call, not the code around it, which you do not want to run) and get its contents. Magically you get ANOTHER URL: [http://flyfishers.ch/wp-admin/cPanelX/index.php?setup=d].
Now, that part was easy; from here it gets tricky, and long. Here are the contents of that GET request:
I’m not going to bother breaking that up, it is just a mess anyway. But in the end you get this very well formatted code:
Now, some parts are more interesting than others. The end of the file just seems base64 encoded… because it is. OK, un-base64 it and you get a wall of numbers. But there is a clue in the d_hex function (which doesn’t exist), so we are assuming it is hex. Convert the hex to text and you see this:
Saudações aos meus colegas de trabalho do blog crimesciberneticos.com.
Sabendo que nada sabemos estamos além do bem e do mal, afinal a única coisa absoluta é que tudo é relativo.
Um abraço, do seu amigo Psychlo.
by Psychlo – 11/11/11
Via Google Translate you find this is Portuguese, which I’m sure would make some of my Portuguese friends happy. Actually, if you want it to be hard to untranslate, use a language no one knows anymore, like Frisian or Gronings! Because you know every girl wants to hear, “Hey babe, I speak Gronings.” Note: my mother speaks Gronings.
Greetings to my colleagues at the crimesciberneticos.com blog.
Knowing that we know nothing, we are beyond good and evil; after all, the only absolute thing is that everything is relative.
A hug, from your friend Psychlo.
by Psychlo – 11/11/11
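To take the two decoding steps above (the unescape(….) blob, then the base64-of-hex tail) out of the browser console, here is an added example of mine, not code from the post or from the injected script: a small Node.js decoder that peels those layers one at a time without ever evaluating the payload, run against a sample it constructs itself.

```javascript
// Added example (not from the original post): peel layered encodings without
// executing anything. Handles the three layers seen in the write-up: JS
// percent-escapes (unescape), base64, and hex-encoded text.
const PRINTABLE = /^[\x09\x0a\x0d\x20-\x7e\u00a0-\uffff]*$/;

function looksPrintable(s) { return s.length > 0 && PRINTABLE.test(s); }

// Try one decoding step; return { layer, out } or null when nothing applies.
// Hex is checked before base64 because a hex string also fits the base64 alphabet.
function peelOne(s) {
  const t = s.trim();
  if (/%[0-9a-fA-F]{2}/.test(t)) {
    // unescape() is what the injected snippet called; decoding it runs nothing else.
    return { layer: 'unescape', out: unescape(t) };
  }
  if (/^(?:[0-9a-fA-F]{2})+$/.test(t)) {
    return { layer: 'hex', out: Buffer.from(t, 'hex').toString('utf8') };
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(t) && t.length % 4 === 0) {
    return { layer: 'base64', out: Buffer.from(t, 'base64').toString('utf8') };
  }
  return null;
}

// Keep peeling while each step still yields printable text; record every layer
// so the write-up can say exactly which encodings were stacked.
function peelLayers(s, maxDepth = 10) {
  const layers = [];
  let cur = s;
  for (let i = 0; i < maxDepth; i++) {
    const step = peelOne(cur);
    if (!step || !looksPrintable(step.out)) break;
    layers.push(step.layer);
    cur = step.out;
  }
  return { layers, text: cur };
}

// Constructed sample: text -> hex -> base64 -> percent-escaped, mirroring the
// base64-of-hex tail in the post (the real payload is not reproduced here).
function buildSample(text) {
  const hex = Buffer.from(text, 'utf8').toString('hex');
  const b64 = Buffer.from(hex, 'utf8').toString('base64');
  // Percent-escape every character, in the style of the unescape("...") blob.
  return Array.from(b64, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

const SAMPLE = buildSample('Greetings from a constructed sample, not the real payload.');
console.log(peelLayers(SAMPLE));
```

It stops as soon as a step no longer produces printable text, so a layer it does not recognise (an XOR loop, say) is left for manual work rather than guessed at.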
Anyway, one of the things this code is trying to do is run a Java applet. But do take a look at the rest of that code; some of it will come in handy later.
Here is where that is happening:
Which is indirecteeze for:
OK, now I have the URL for the Java applet, plus the entry point class (a.class). I can download that now. With the applet in hand (a Java applet is just a zip file, one of the funny things you remember from Comp Sci class in 1996), grab the *.class files, find a Java decompiler and away we go.
You get 5 classes:
c_de: I could be missing something, but it looks like that code can download nearly anything. Kind of scary, that one.
c_gP: I will need a Java expert for that one. It completely dumbfounds me right now, and I don’t have a good Java environment to play with to try it out. (I’m working on that, but it is late.)
a: this one is the entry point for the applet. It is easy to see the link in there; it comes out to: [http://dl.dropbox.com/u/41185898/a.gif], which is a broken link (but I was getting excited there).
Where did this go?
OK, I spent a couple of hours on this, and part of that was writing this up, so this is kind of a mad dash. But it looks like the point was to load random images onto the page. Someone else can look that up.
Now the rest of the ethical dilemma: should I have posted this? Personally I think there are valuable things to learn from reading code like this, and it is always good to know what the “other side” is doing. But is posting the code more harm than good?
Tell me what you think. If you convince me I did wrong, some of this may go away.