Author Topic: Subdomain on website defaced with an api-soundcloud-iFrame hack...  (Read 3602 times)


Offline polonus
See: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=yatagandh.saglik.gov.tr&ref_sel=GSP2&ua_sel=ff&fs=1
subdomain-defacement | 2017-10-15 08:25:10 | Turkey | AS42926 Radore Veri Merkezi Hizmetleri A.S. | 46.45.136.115 | htxp://www.yatagandh.gov.tr | ifactoryx
iFrame:
Quote
<iframe width="0%" height="0" scrolling="no" frameborder="no" src="htxps://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/346326656&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&amp;visual=true"></iframe> 
-> http://toolbar.netcraft.com/site_report?url=http://212.175.172.213
Fail and two warnings: https://asafaweb.com/Scan?Url=212.175.172.213
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fyatagandh.saglik.gov.tr%2F
error
Quote
[iframe] -widget.sndcdn.com/javascript:0
     info: [iframe] -widget.sndcdn.com/{src}
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds 
and
Quote
info: [iframe] -w.soundcloud.com/player/?url=htxps%3A/api.soundcloud.com/tracks/346326656&amp;color=%23ff5500&amp;play=true&amp;related=false&amp;comments=true&amp;user=true&amp;reposts=false&amp;teaser=true&amp;visual=true
     info: [decodingLevel=0] found JavaScript
     error: ./pre.js:249: InternalError: too much recursion *
* an indication of suspicious code...

Also consider info here: https://developers.soundcloud.com/docs/api/html5-widget
Quote
<iframe width="100%" height="166" scrolling="no" frameborder="no"
  src="htxps://w.soundcloud.com/player/?url=htxps%3A//api.soundcloud.com/tracks/293&amp;{ ADD YOUR PARAMETERS HERE }">
</iframe>

F-grade status on the defaced website

Update: defacement is now being cleansed... getting a 403 now.

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 16, 2017, 12:44:22 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
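A check a site owner could run over a saved copy of their own pages to spot the kind of injected frame quoted above: a zero-size iframe pointing at a third-party host with auto_play switched on. This is an added example, not code from the post; the sample HTML is constructed from the post's quoted iframe and the SoundCloud docs snippet, and the site host name passed in is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: one legitimate-looking embed (shape of the SoundCloud docs
# snippet) followed by a hidden 0x0 auto-playing frame like the one quoted above.
SAMPLE_HTML = """
<html><body>
<h1>Site</h1>
<iframe width="100%" height="166" scrolling="no" frameborder="no"
  src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/293"></iframe>
<iframe width="0%" height="0" scrolling="no" frameborder="no"
  src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/346326656&amp;color=%23ff5500&amp;auto_play=true&amp;visual=true"></iframe>
</body></html>
"""

def _is_zero(value):
    """True for width/height values such as 0, 0%, 0px that make a frame invisible."""
    if value is None:
        return False
    v = value.strip().lower().rstrip('%').rstrip('px').strip()
    return v == '0'

class IframeAuditor(HTMLParser):
    """Collects iframes that are hidden or auto-play; notes third-party hosts."""
    def __init__(self, site_host):
        super().__init__()          # convert_charrefs=True, so &amp; becomes & in src
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != 'iframe':
            return
        a = dict(attrs)
        src = a.get('src', '')
        parsed = urlparse(src)
        host = parsed.hostname or ''
        qs = parse_qs(parsed.query)
        reasons = []
        if _is_zero(a.get('width')) or _is_zero(a.get('height')):
            reasons.append('zero-size frame')
        if qs.get('auto_play', ['false'])[0].lower() == 'true':
            reasons.append('auto_play=true')
        if not reasons:
            return                  # visible, non-autoplaying embeds are left alone
        if host and host != self.site_host and not host.endswith('.' + self.site_host):
            reasons.append('third-party src ' + host)
        self.findings.append({'src': src, 'reasons': reasons})

def audit_iframes(html, site_host):
    """Return a list of suspicious iframes found in html for the given site host."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings
```

Run it against a crawled copy of each page, then diff the findings between crawls; a new zero-size third-party frame appearing on a previously clean page is the signal to investigate.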

Offline polonus
Re: Subdomain on website defaced with an api-soundcloud-iFrame hack...
« Reply #1 on: October 17, 2017, 12:10:39 AM »
Interesting background link for that code, with that iFrame insertion mentioned:
Re: -hxtps://code.sololearn.com/WZe4sWTl19rg/#html
Suspicious
Quote
-code.sololearn.com/bundles/jquery?v=yMmPM1TxecYcoWtCWW3jYgH0fr9kiAasOfb-W5I001A1 benign
[nothing detected] (script) -code.sololearn.com/bundles/jquery?v=yMmPM1TxecYcoWtCWW3jYgH0fr9kiAasOfb-W5I001A1
     status: (referer=-code.sololearn.com/WZe4sWTl19rg/#html)saved 84194 bytes 8e9e0c2c1257f6691a79cacc0b8936e0976dc2b8
     file: 8e9e0c2c1257f6691a79cacc0b8936e0976dc2b8: 84194 bytes (script) -cdnjs.cloudflare.com/ajax/libs/ace/1.2.2/ace.js
     status: (referer=code.sololearn.com/WZe4sWTl19rg/#html)saved 347010 bytes e4a57a2ddcb1325b600b23c6b7fccdeadd0d4a98
-s7.addthis.com/js/300/widget.js#pubid=ra-5720d15c98e6f544
     info: [decodingLevel=0] found JavaScript
     error: undefined variable m - from -ajaxorg.github.io/ace-builds/src/ext-tools.js
(referer=-code.sololearn.com/WZe4sWTl19rg/#html)saved 356563 bytes 12fb3b97a3308b429c6ef44cb8e6a52875e7d85f
     info: [iframe] -s7.addthis.com/js/300/javascript:
     info: [img] -ssl.gstatic.com/images/icons/gplus-
     info: [iframe] http
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds
 
Above were 3rd-party check results performed against a generic JavaScript unpacker (pol)

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 17, 2017, 12:13:58 AM by polonus »