June 15th, 2009

Hacked and resolved

No tags
Posted in Hirvine
Official from moe.imouto 72268

Taiga, from ToraDora. Official from moe.imouto 72268

Hello my fellow visitors. Yesterdays night and today’s morning was quite a stumble for my poor server. It didn’t took me very long to find the cause and a stumbled upon an hack. I’m not sure how long the hack lasted, but it might be the full previous week. I’ve no clue how they did it, so poor me hopes it won’t happen again. Your virus scanner/firewall now shouldn’t warn any longer about a fake and dangerous site “trafing.com”. Do NOT visit that site! If your virus scanner/firewall is still making warnings, please use Ctrl-R or Ctrl-F5 in your web browser to fully refresh the page. You may also remove Hirvine from your history to resolve the problem. Again, I’m truly sorry I haven’t found the hack earlier, the site is known for their ad or spyware. You might want to check your pc. Mine was still clean, but you never know.

To Visitors, Hirvine does NOT display any advertising.
When you do see any please refresh the site due an hack earlier this week.
(It’s all okay by now, read the date)

Webbloggers having Wordpress might want to read on as the hack was found in Wordpress. Obvious I have no clue if the hack was fetched by any plugins.

For fellow wordpress webmasters

Hi there, so what did the hack?

The hack replaced your jquery script with an advertising script.  It kept working for jQuery so it didn’t break anything.
However it did also digg in an ‘free’ advertising to goOogle.net, which on his path refers to ‘trafing.com’.  (be warned dangerous sites)
Lucky for me my firewall stumbled upon a dangerous site and didn’t load the ad until I would decide for yes. Obviously I pressed ‘No’
’cause I do NOT have ads at my site.

Please check your jquery script in.

wp-includes/js/jquery.js

When you open the file (use an editor is safe, but don’t use emascript to execute the file) you stumble upon a compressed jquery script.
At first it looks like anything is ok. The header is equals to the current wordpress installation and tells ‘jQuery 1.2.6 – New Wave Javascript’.
However the line does have “advQuery()” at the end of the script, just scroll until the end.

The file must be “31.111″ but it was “31.409″ bytes. The modified date was ’safely’ hidden, which I mean was the same as all the other files around.
So if you would check the modified dates, you will think it’s the file installed. No, not true! So please replace this file with the correct file.

My active plugins were:

  • captcha
  • commentluv
  • subscribe to comments
  • wp cache
  • wp ajac edit comments

If you like to get a look into the fake js you can download it from this site. I have added the extension .txt so you won’t mistakenly execute the script (and it can’t be executed from this server, which is also great :D ).

Download FAKE jquery file (the hacked version).
Wordpress topic

Posted on Monday, June 15th, 2009 at 10:07 am
This post Comments RSS 2.0 (this post only)
Traceback open

Comments are closed.