<InMotion Hosting> was hacked leaving more than 70,000 websites compromised on the weekend of September 23, 2011. One of many news articles that covered the attack:
(Article by Jack Phillips Sep 29, 2011)
<The Epoch Times: Hosting Firm InMotion Hacked, Thousands of Websites Defaced>
This attack appears to be a host-wide defacement. The defaced websites had hacked-by pages added to their site which credited "TiGER-M@TE":
(This is a screen shot of the defacement page, index.php )
From the perspective of the customer, there were no access, web, or ftp log entries. A file named hacked_page was dropped in to the root www directory and was propagated to all the immediate sub-directories as index.php.
found in index.php
(URL escaped hexadecimal characters)
This is not a new technique and is easily decoded after the fact. After coding up a quick tool I was able to decode the page:
I've created an open source tool for decoding escaped hex, <Unescape>, so you can follow along.
Analyzing this shows that this page has five parts of interest:
- Connection to statistics tracking service
- Window animation and color cycling
- A base64 embedded GIF image (not hex-coded)
- "Hacked" image
- Playing of an embedded Flash file (apparently for auto playing audio)
Line #33 of the <decoded page> (line #11 originally) defines the function details. This function is set as an onclick event for the "TiGER-M@TE" text. The function open three web pages when triggered, two different statistics tracking service links at <zone-h> and one Google search of "Hacked by TiGER-M@TE" through <LMGTFY (Let Me Google That For You)> The statistics at zone-h can be viewed here:
<zone-h notifier: TIGER-M@TE>
<zone-h notifier: TIGER-M@TE special=1>
Line #40 through #133 of the <decoded page> (also line #11 originally) defines a timed script of moving and resizing the browser window in some sort of animated show while cycling colors.
Embedded base64 GIF image
Line #148 of the <decoded page> (the end of line #11 originally) contains a GIF image embedded in the page using <base64(wiki)> encoding. This appears to merely be a faded line. As we'll seen next, maintaining image hosting seems like a challenge for the defacers.
Embedded flash audio
<index.php decoded dF function>(pastebin.org)
This decoder merely did some basic arithmetic to each character's value. The final results start at line 200 of the <decoded page>. This resulting code adds the following flash file to the page for auto-play:
The host 126.96.36.199 <resolves> to <Rackhosting.com> in Denmark. The link, with its peculiar "..." directory, seemed dead as as soon as tested.
10/2/2011 - Added decoded dF function pastebin
10/8/2011 - Added open source Unescape tool.