
Sunday, October 2, 2011

Payload Anatomy of InMotion Hosting Defacements

The Attack

<InMotion Hosting> was hacked on the weekend of September 23, 2011, leaving more than 70,000 websites compromised. One of many news articles that covered the attack:

(Article by Jack Phillips Sep 29, 2011)
<The Epoch Times: Hosting Firm InMotion Hacked, Thousands of Websites Defaced>

The Defacement

This attack appears to be a host-wide defacement. The defaced websites had hacked-by pages added to their site which credited "TiGER-M@TE":

(Screenshot of the defacement page, index.php)

From the customer's perspective there were no access, web, or FTP log entries. A file named hacked_page was dropped into the root www directory and propagated to all of the immediate subdirectories as index.php.

<index.php contents>
This PHP page contains only HTML and JavaScript. A close look at its contents shows that it uses some clever encoding in an attempt to avoid security fingerprinting, which would otherwise allow easy automated detection later on.

A common technique is to represent malicious JavaScript code as escaped hexadecimal characters and pass them through JavaScript's unescape function at run time. First, this obscures the malicious code. Second, with small adjustments the same encoded content can be generated in many copies, each one unique. But with a little time the page's contents can be decoded.

The unescape function decodes the URL escape character syntax as well as the JavaScript escape character syntax. The defacement page used both, one on top of the other:

found in index.php:
(JavaScript escaped hexadecimal characters)

unescapes to...
(URL escaped hexadecimal characters)

unescapes to...
(the start of an HTML tag that will contain the malicious JavaScript)


This is not a new technique and is easily decoded after the fact. After coding up a quick tool I was able to decode the page:

<index.php decoded>
(The decoded contents are noted in JavaScript comments.)

I've created an open source tool for decoding escaped hex, <Unescape>, so you can follow along.
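To make the two-layer decoding concrete, here is an added example in Python. It is my own code, not the author's Unescape tool and not anything taken from the defacement page. The \xNN and \uNNNN escapes are resolved by the JavaScript parser when it reads a string literal, while %NN and %uNNNN escapes are resolved by unescape() at run time; the decoder below treats both as layers and peels them from the outside in until none remain, so it also copes with a page that alternates the two more than once. The sample payload is constructed here with matching encoders, and the document.write(unescape('...')) wrapper is an assumption about how such pages call unescape, not a quote from the real file.

```python
import re

# Escape syntaxes described in the post. \xNN / \uNNNN are resolved by the JavaScript
# parser when it reads a string literal; %NN / %uNNNN are resolved by unescape().
_JS_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})')
_URL_ESC = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
# unescape('...') with a plain single- or double-quoted literal argument (assumed shape).
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)


def js_unescape_literal(s):
    """Resolve \\xNN and \\uNNNN escapes the way a JavaScript string literal would."""
    return _JS_ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def url_unescape(s):
    """Resolve %NN and %uNNNN like JavaScript's unescape() (byte-wise, no UTF-8 decoding)."""
    return _URL_ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def peel(s, max_layers=10):
    """Strip escape layers from the outside in until none remain.

    The JavaScript layer is tried first: when it is the outer layer, the inner
    '%' signs are themselves encoded as \\x25, so the URL pattern cannot match
    until that layer is gone. Returns (decoded_text, [layer names in order]).
    """
    layers = []
    for _ in range(max_layers):
        if _JS_ESC.search(s):
            s, layers = js_unescape_literal(s), layers + ['js']
        elif _URL_ESC.search(s):
            s, layers = url_unescape(s), layers + ['url']
        else:
            break
    return s, layers


def expand_unescape_calls(page, max_rounds=10):
    """Replace every unescape('...') call with its fully decoded argument.

    Repeats because the decoded text frequently contains another such call.
    The output is meant for reading, not for execution.
    """
    for _ in range(max_rounds):
        new = _UNESCAPE_CALL.sub(lambda m: peel(m.group(2))[0], page)
        if new == page:
            break
        page = new
    return page


# Encoders used only to construct the sample below (they mirror what the page did).
def url_escape_all(s):
    return ''.join('%%%02X' % ord(c) if ord(c) < 256 else '%%u%04X' % ord(c) for c in s)


def js_escape_all(s):
    return ''.join('\\x%02X' % ord(c) if ord(c) < 256 else '\\u%04X' % ord(c) for c in s)


# Constructed sample, not the real defacement page: HTML wrapped in URL escapes,
# then in JavaScript escapes, and handed to unescape() inside document.write().
INNER = '<script>document.title="Hacked by EXAMPLE";</script>'
SAMPLE = js_escape_all(url_escape_all(INNER))
PAGE = "document.write(unescape('" + SAMPLE + "'))"

if __name__ == '__main__':
    text, layers = peel(SAMPLE)
    print('layers:', layers)          # ['js', 'url']
    print(expand_unescape_calls(PAGE))
```

expand_unescape_calls() leaves the decoded text in place of each call so the page can be read top to bottom; the result is no longer valid JavaScript, which is fine for analysis. The call regex only understands a single quoted literal as the argument; a page that builds the argument by concatenation would need the pieces joined first.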

Analysis shows that this page has five parts of interest:
  • Connection to statistics tracking service
  • Window animation and color cycling
  • A base64 embedded GIF image (not hex-coded)
  • "Hacked" image
  • Playing of an embedded Flash file (apparently for auto playing audio)

Statistics tracking

Line #33 of the <decoded page> (line #11 originally) defines the function details. This function is set as the onclick event for the "TiGER-M@TE" text. When triggered, the function opens three web pages: two different statistics-tracking links at <zone-h> and one Google search for "Hacked by TiGER-M@TE" through <LMGTFY (Let Me Google That For You)>. The statistics at zone-h can be viewed here:

<zone-h notifier: TIGER-M@TE>

<zone-h notifier: TIGER-M@TE special=1>

Window animation

Lines #40 through #133 of the <decoded page> (also line #11 originally) define a timed script that moves and resizes the browser window in a sort of animated show while cycling colors.

Embedded base64 GIF image

Line #148 of the <decoded page> (the end of line #11 originally) contains a GIF image embedded in the page using <base64(wiki)> encoding. This appears to be merely a faded line. As we'll see next, maintaining image hosting seems to have been a challenge for the defacers.

"Hacked" image

Line #183 of the <decoded page> (the end of line #15 originally) is encoded JavaScript that adds an image tag pointing at a small image of the word "Hacked". This <image is hosted on> but the tag is crafted to fall back on <the same image hosted at>. This seems to highlight the perceived difficulty of maintaining image hosting during the peak of the defacement activity.

Embedded flash audio

The code inside the "mp3 code starts from here" HTML comments turned out to be the most complicated. This part was encoded in multiple layers and revealed a custom character transformation function. First, some key characters of the content were escaped as JavaScript hex characters; the entire result was then escaped as URL hexadecimal characters; and that result was in turn escaped again as JavaScript hex characters. Peeling this away reveals a dF function, a custom transformation decoder for the accompanying section of escaped data:

<index.php decoded dF function>

This decoder merely applied some basic arithmetic to each character's value. The final result starts at line 200 of the <decoded page>. The resulting code adds the following Flash file to the page for auto-play:

The host <resolves> to <> in Denmark. The link, with its peculiar "..." directory, seemed dead as soon as it was tested.

Variable Names

The "_0x9355" style of JavaScript variable names implies that many documents were intended to be generated, each with unique variable names. This technique acts as obfuscation intended to evade fingerprinting by security applications such as anti-virus and intrusion detection services.
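From the defender's side, the traits this post describes are exactly the ones worth checking for. The following Python is an added example of my own (not the post's tool and not code from the defaced page): scan_page() flags a page that calls unescape() over a long run of hex escapes, uses _0x-style identifiers, embeds a base64 GIF, or carries "hacked by" text, and find_cloned_index_files() looks for the propagation pattern from the attack description, the same index.php cloned into the docroot and each immediate subdirectory. The docroot and page contents are constructed for the demo, and the thresholds (20 consecutive escapes, at least four hex digits after _0x) are my own assumptions rather than anything stated on the page.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the post's description of the page. The thresholds
# (20 consecutive escapes, at least four hex digits after _0x) are my own choices.
_RULES = {
    'unescape_call': re.compile(r'\bunescape\s*\('),
    'long_js_hex_run': re.compile(r'(?:\\x[0-9A-Fa-f]{2}){20,}'),
    'long_url_hex_run': re.compile(r'(?:%[0-9A-Fa-f]{2}){20,}'),
    'hex_style_identifiers': re.compile(r'\b_0x[0-9A-Fa-f]{4,}\b'),
    'inline_base64_gif': re.compile(r'data:image/gif;base64,'),
    'hacked_by_text': re.compile(r'hacked\s+by', re.I),
}


def scan_page(text):
    """Return the sorted names of the indicators found in a page's source."""
    return sorted(name for name, rx in _RULES.items() if rx.search(text))


def find_cloned_index_files(root, name='index.php'):
    """Group the index files in root and its immediate subdirectories by SHA-256.

    Only hashes shared by more than one path are returned: one file copied into
    every subdirectory is the propagation pattern the post describes.
    """
    subdirs = sorted(d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d)))
    by_hash = {}
    for d in [root] + [os.path.join(root, s) for s in subdirs]:
        path = os.path.join(d, name)
        if os.path.isfile(path):
            with open(path, 'rb') as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            by_hash.setdefault(digest, []).append(path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def build_demo_tree():
    """Constructed docroot (not customer data): three cloned index.php files plus one clean one."""
    root = tempfile.mkdtemp()
    payload = "document.write(unescape('" + "\\x25\\x33\\x43" * 25 + "'))"
    bad = "<html><script>var _0x9abc=['a'];" + payload + "</script></html>"
    for sub in ('', 'blog', 'shop'):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, 'index.php'), 'w') as fh:
            fh.write(bad)
    os.makedirs(os.path.join(root, 'docs'))
    with open(os.path.join(root, 'docs', 'index.php'), 'w') as fh:
        fh.write("<?php echo 'docs'; ?>")
    return root, bad


if __name__ == '__main__':
    root, bad = build_demo_tree()
    print('indicators:', scan_page(bad))
    for digest, paths in find_cloned_index_files(root).items():
        print(digest[:12], '->', paths)
```

The two checks complement each other: a page that passes scan_page() because its variable names and escape runs were regenerated still shows up in find_cloned_index_files(), since the copies dropped into one customer's subdirectories are byte-identical, and a legitimate site rarely has the same index.php in every subdirectory.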


The index.php defacement page, propagated nearly one hundred thousand times across recently compromised <InMotion Hosting> web sites, displays a decorative brand promotion while loading a Flash file that appeared to be for audio but was not recovered. A statistics tracking service was used, and a couple of mostly common techniques were used to obfuscate the JavaScript code in an apparent attempt to evade filtering and detection by security services.


10/2/2011 - Added decoded dF function pastebin
10/8/2011 - Added open source Unescape tool.
