| 10:09 pm on Jun 24, 2012 (gmt 0)|
|If I delete the entire script from the source code, ALL of the source code disappears from the entire page. |
Obvious question first: Is this behavior exactly the same, whether or not you are in fact using MSIE || Firefox?
:: wandering off thinking evil thoughts about buggy site whose webmaster went AWOL in 2009 ::
| 10:38 pm on Jun 24, 2012 (gmt 0)|
Lucy24, I don't understand your question? I was using HTML-Kit to edit the source code on a copy of the site that I'd downloaded to my computer. When I deleted that script just to see what if anything would change on the page, ALL of the page coding disappeared too (from the html editing panel). Of course I could just hit 'undo' and have it all back - including the questionable script. That behavior made me even more suspicious that it's somehow malicious coding - why won't it let me delete the script just to see the effect on the site?
Maybe it's innocuous and I'm just too green, but that it contains the url to a known attack site, and appears to be hidden, and won't let me delete it without deleting the entire page all makes me suspicious so I'm trying to find out what's going on...
| 11:54 pm on Jun 24, 2012 (gmt 0)|
Now I'm more perplexed - just went back into the index page using HTTrack as editor, and this time it let me delete the script without problem.
I'd still like to know what the script is supposed to do, how it affects people surfing the site, and how to clean it thoroughly from the sites assuming it is malicious.
Shotgunning on the web, I did find it as malicious on Sucuri Malware Labs (http://labs.sucuri.net/?details=onmouseup.info) but I have no idea how reputable they are or aren't, and it provides zero information about what this script does.
| 12:17 am on Jun 25, 2012 (gmt 0)|
"If the visiting UA is Firefox or MSIE, append an invisible 1 pixel iframe to the body, position it top left on screen, and within it load something which counts this pageview."
| 1:06 am on Jun 25, 2012 (gmt 0)|
Ok... and thank you for the code to english translation!
Any idea why would it do that, and why is it considered to be malicious? What harm does or can it do to site visitors or site integrity? The hosting company wouldn't be using a known attack site to track page views for basic website stats, would they? Or maybe the webmaster was using an outside source for site stats and didn't realize that it's had problems with attack code of some sort?
| 3:32 am on Jun 25, 2012 (gmt 0)|
mean? Or is it just a cross-reference to something like the counter number?
More to the point: Why do they need to do all that "createElement('iframe')" and "getElementsByTagName" business instead of just shoving in a 1x1 transparent gif like the rest of us? For that matter, why even bother to check UA? Wouldn't it be easier to pull all the data and then delete the webkits and operas at your leisure?
| 4:10 am on Jun 25, 2012 (gmt 0)|
Lucy24, your guess is as good as mine on the <!--/c3284d-->. Looks like an html comment, but what the heck it means or why it's there I have no clue and wondered also. There are a couple more of them in the same vicinity - no idea if the current guy put them there, or maybe it's something HTTrack does when downloading a site? (doubt it)...
Anyhow, I figured that was less important than the script issue by far. I posted that over at https://badwarebusters.org/main/itemview/29499?t=5821#itemblock-29501 also. A moderator there also said its malicious (but not why). If I understand his reply correctly, he's saying that the thing downloads the entire contents (whatever that may be) of that onmouseup.info page anytime a webpage with that script is loaded in IE or Firefox....
So I'm still confused about how it would have gotten there and exactly what it's supposed to do.
| 6:26 am on Jun 25, 2012 (gmt 0)|
Guessing it is c <= counter 3284 <= counter number d <= reference of some sort..in a comment
It doesn't download the entire contents of the other site page..it does what g1smd says it does..it loads a single pixel and counts how many times it loads it..
It could do other stuff ( which could be malicious if set up right )..but at the moment it isn't..
| 1:22 pm on Jun 27, 2012 (gmt 0)|
I have the same problem on my website
I found every index.asp or index.aspx pages was infested by the code in the first post. I have removed the code but Google is telling mne there is a malware. Perhaps occur some days to back to the orihginal status.
I have found the problem. It is by steal your password in FTP client(I use Filezilla) so a post that explain in detailed manner this is here
[edited by: engine at 3:36 pm (utc) on Jun 27, 2012]
[edit reason] removed links to protect others from potential malware [/edit]
| 4:04 pm on Jun 27, 2012 (gmt 0)|
Excuse me for post link on my website enterely, however the second was good for explaininmg the problem. The problem is in account FTP of filezilla this file: sitemanager.xml located in
change FTP password
| 9:43 pm on Jun 27, 2012 (gmt 0)|
And give the machine you use for FTP a good scrub, it might have been infected by a keylogger.
| 8:38 am on Jun 28, 2012 (gmt 0)|
Yes infact the best is a method to crypt FTP file with software truecrypt. I have a problem with my PC but on my Virtual machine it works. So I advice thi:s in this manner sitemanager.xml is crypted and the the file is deleted once you have uploaded the files.
In the meanwhile my website is comeback to normal