Hacking Magazine Hacked

One of my favorite hacking resource sites appears to be hacked and possibly even infecting visitors. Here’s the website:

And here’s the offending code in the source:

The external Javascript file has obfuscated code:

Let’s have a closer look at the obfuscated script but first let me clean it up:

This script basically concatenates groups of strings together after converting them from hex, then evals the result. If you convert the hex values to text, you can make out some of the final code.

Changing “eval” to “alert” gives you the final code.
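The same decoding can be done statically, so the script is never executed, not even its decoder loop. This is an added example, not code from the original post or from the injected file; the wrapper layout, `PLAIN`, `buildSample` and `decodeHexGroups` are assumptions for illustration, and the sample is constructed and harmless.

```javascript
// Added example: static decoder for hex-group obfuscation. It never runs the sample.

// Helper used only to build the constructed sample below.
function toHex(text) {
  return Array.from(text, c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

// Constructed, harmless stand-in for the hidden code (not the real payload).
const PLAIN = 'document.write("constructed placeholder payload")';

// Builds a wrapper in the assumed layout: hex groups joined, decoded, then eval'd.
function buildSample(plain, groupLen) {
  const hex = toHex(plain);
  const groups = [];
  for (let i = 0; i < hex.length; i += groupLen) groups.push(hex.slice(i, i + groupLen));
  return 'var h = ' + groups.map(g => '"' + g + '"').join(' +\n  ') + ';\n' +
    'var s = "";\n' +
    'for (var i = 0; i < h.length; i += 2) s += String.fromCharCode(parseInt(h.substr(i, 2), 16));\n' +
    'eval(s);\n';
}

// Pull quoted literals out of the source text, keep the hex-only ones, join them
// in order, then decode byte pairs. Joining first matters: a group may end mid-byte.
function decodeHexGroups(source) {
  const literals = [];
  const re = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (/^[0-9a-fA-F]+$/.test(m[2])) literals.push(m[2]);
  }
  const hex = literals.join('');
  if (hex.length % 2 !== 0) throw new Error('odd number of hex digits; a group is missing');
  let decoded = '';
  for (let i = 0; i < hex.length; i += 2) {
    decoded += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  // usesEval flags that the decoded text would have been executed by the wrapper.
  return { groups: literals.length, decoded, usesEval: /\beval\s*\(/.test(source) };
}

// Groups of 7 hex digits split bytes across literals, as real samples often do.
const result = decodeHexGroups(buildSample(PLAIN, 7));
console.log(result.groups + ' groups, eval sink: ' + result.usesEval);
console.log(result.decoded);
```

Because the decoder only reads the script as text, it can be run on a saved copy of the file outside a browser.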

Here are the pertinent HTTP requests:

http://hakin9.org/
http://hakin9.org/wp-includes/js/l10n.js?ver=20101110
http://superpuperdomain2.com/frame.php
http://global-traff.com/tds/in.cgi?5&user=mexx
http://global-traff.com/ts/in.cgi?mexx
http://global-traff.com/tds/in.cgi?18
http://global-traff.com/empity.html

I can’t seem to persuade it to give me a payload. 🙁 If anyone can, please let me know. In the meantime, let’s hope the guys over there can clean out their site quickly so we can get back to reading their zine safely.


3 Responses to Hacking Magazine Hacked

  1. Sébastien Duquette says:

    Nice catch. They are using a vulnerable WordPress plugin; Sucuri is reporting a large number of compromises:

    http://blog.sucuri.net/2011/08/wordpress-sites-hacked-with-superpuperdomain2-com.html

  2. detrp says:

    Darryl,
    Excellent write-up as always. Though I am curious as to whether the Converter tool you have a screenshot of is publicly available. Malzilla works decently for my day to day deobfuscation activities but your software looks like it has all the features I actually use without the garbage I don’t. Thank you as always, keep up the good work. The site is just getting better and better.

  3. Anonymous says:

    Where can I get that Converter tool in your screen shot?
