Hacking Magazine Hacked

One of my favorite hacking resource site appears to be hacked and possibly even infecting visitors. Here’s the website:

And here’s the offending code in the source:

The external Javascript file has obfuscated code:

Let’s have a closer look at the obfuscated script but first let me clean it up:

This script basically concatenates groups of strings together after converting it from hex. Then it evals the result. If you convert the hex values to text, you can make out some of the final code.

Changing “eval” to “alert” gives you the final code.

Here are the pertinent HTTP requests:

http://hakin9.org/

http://hakin9.org/wp-includes/js/l10n.js?ver=20101110

http://superpuperdomain2.com/frame.php

http://global-traff.com/tds/in.cgi?5&user=mexx

http://global-traff.com/ts/in.cgi?mexx

http://global-traff.com/tds/in.cgi?18

http://global-traff.com/empity.html

I can’t seem to persuade it to give me a payload. :( If anyone can, please let me know. In the meantime, let’s hope the guys over there can clean out their site quickly so we can get back to reading their zine safely.

This entry was posted in Malscript and tagged , . Bookmark the permalink.