Friday, April 11, 2014

Repairing A Hijacked Page

Repaired a hijacked community page.

A family member of mine reached out to me about their site being hijacked. A fake / pirate / knockoff Louis Vuitton website was loading instead of the proper community page. It is a very simple site, but it was created, managed, and maintained exclusively using a proprietary-looking, web-based site construction tool which I had never heard of. Looking at the source of the site, I found this JavaScript at the top, hijacking the site and redirecting visitors.
<script>
	var s=document.referrer;
	if(s.indexOf("google")>0 || s.indexOf("bing")>0 || s.indexOf("aol")>0 || s.indexOf("yahoo")>0)
	{
		self.location="[a fake Louis Vuitton site]";
	}
</script>

Poking around the web-based website tool, I was able to locate direct access to the files for the website. While digging around in the actual files for the website, I was able to find an obfuscated default.aspx file (i.e. some characters were printed directly, most used ASCII character codes, multiple concatenations were made so the characters did not appear in the code in their final output order, etc.) which output that malicious JavaScript and then included the normal/original website index.html page. Removing this file solved the problem.

No comments:

Post a Comment