Author Topic: PPG sites hacked on March 22, please read  (Read 3213 times)

Offline jcompton

PPG sites hacked on March 22, please read
« on: March 25, 2009, 05:55:36 PM »
On Sunday afternoon, most of PPG's sites were hacked and a small piece of JavaScript injected. I only diagnosed the problem this afternoon and restored a number of affected files from backup. To the best of my knowledge, the offending code has been removed.

We don't know precisely what the hack was trying to accomplish--it appears that it may have been used to generate web traffic/clicks on other sites (a common tactic to generate fraudulent advertising revenue) but I can't swear to anything.

There is a discussion of the exact exploit we suffered going on here (same exact code, even the same attacker) and a slightly different and less informative version here. Google's site scanner provides some data about the attacker here. I'm not qualified to interpret the JavaScript involved, unfortunately. In limited research I've also heard of at least one other completely unrelated forum which was hit.

Significantly, I can't say for certain whether or not the hack deployed a trojan or other malware. I have run a malware check on the two computers here which accessed PPG since Sunday and they came up clean--that said, both are running Firefox and are very well patched, so you may wish to run your own scans.

I'd like to add that none of our mods or other files available for download were touched (I've checked, more than once and in more than one way), only the index.php and index.html files on the site. It also does not appear that the hack obtained any databases or other information. They seemed to only be interested in modifying our index files.

I'm obviously a combination of annoyed and embarrassed at the situation. Our master password has been changed. Unfortunately, the only promise I can make is to attempt to be responsive if this occurs again.

(Thanks to DevSin and Gert for pointing out the problem, which was originally detected by the Safari/Google site scanner.)
« Last Edit: March 25, 2009, 09:57:23 PM by jcompton »
Cespenar says, "Kelsey and friends be at the Pocket Plane? Ohhh yesssss!" http://www.pocketplane.net

Offline jcompton

Re: PPG sites hacked on March 22, please read
« Reply #1 on: March 25, 2009, 09:34:58 PM »
Forgot to mention one useful detail:

The script is known to have set four cookies from the location "84.244.138.55". Although having random cookies is not usually a problem/threat, to be completely safe you might want to delete them.