  1. #1
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    7

    Someone replaced my logo to run this JavaScript

    I think I was hacked..

    Someone replaced my website logo, from this:
    <img src="http://www.domain.com.sg/images/logo.png">
    to this:
    <img src="http://172.31.254.xxx/www.domain.com.sgg/images/logo.png">

    The image actually runs a JavaScript, I think:
    <SCRIPT LANGUAGE="JavaScript">
    var ir_t;
    var ir_g;
    var ir_y;
    var ir_u;
    var mp;
    var ir_find=new Array('.gif','.GIF','.jpg','.JPG','.jpeg','.JPEG');

    function ir_r()
    {
      if(!ir_g.dontfetch)
      {
        if(ir_g.src.search("mhtml") != -1)
        {
          mp = ir_g.src.search("!");
          if(mp != -1)
          {
            ir_g.src=ir_g.src.substring(mp+1);
          }
        }

        ir_g.src=ir_g.src+'nguncompressed';
      }

      ir_g.dontfetch=true;
      ir_g.updateSrc=true;
      ir_g.title = ir_g.oldTitle;
      ir_g.alt = ir_g.oldAlt;
      window.status='';

    }

    function ir_c(event)
    {
      if(! event)
        event = window.event;

      lTargetTag = (null != event.srcElement) ? event.srcElement : event.target;

      if(lTargetTag)
      {
        if(lTargetTag.tagName=="IMG")
        {
          ir_g=lTargetTag;
          if(!ir_g.dontfetch && !ir_g.updateSrc && !ir_y)
          {
            if(!ir_g.changeAlt)
            {
              ir_g.oldTitle = ir_g.title;
              ir_g.title = '';
              ir_g.oldAlt = ir_g.alt;
              ir_g.alt = '';
              ir_g.changeAlt = true;
            }
            window.status = '';
            ir_t=setTimeout("ir_r();", 1000*2);
          }
        }


    Does anyone know what this script does?

    And how the f**k did he manage to change my code?

    Any suggestions on what I should do next... to close the door on the guy?

  2. #2
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    It may be worth letting us look at your site?

    The following url has a reference to "nguncompressed", and further reading mentions XSS attacks.

    http://www.usenix.org/event/nsdi08/t...tml/index.html

    It could be that your forum/web site accepts input but doesn't check that input for possible XSS attacks.


  3. #3
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    It may be worth taking a look at: http://vancouver.cs.washington.edu/

    This could point out whether it's something local or not. Then it also provides a toolkit that could help prevent this problem in the future.


  4. #4
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    7
    Hi gRoberts..

    Thanks for the quick reply.

    The site is: www.travelpear.com

    I need to know what the script is doing.. please help

    Thanks

  5. #5
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    I don't see any problems.

    This is what I see:

    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html><head>
    <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
    <META NAME="Description" CONTENT="Compare travel packages frm Singapore Travel Agencies.">
    <META NAME="keywords" CONTENT="Travel agencies, travel agency, tours, airfare, hotel, singapore travel">
    <title>Travelpear - compare travel deals.</title>
    <style media=screen type=text/css>
        @import "http://www.travelpear.com/css/index.css"; 
    </style>
    <SCRIPT language="JavaScript1.2" src="../singapore/js/travelpear.js"type="text/javascript"></SCRIPT>
    <script src="js/prototype.js" type="text/javascript"></script>
    <script src="js/scriptaculous.js" type="text/javascript"></script>
    
    
    <script language="javascript">
        col=255;
        function sa() { document.getElementById("ws").style.color="rgb(" + col + "," + col + "," + col + ")"; col-=5; if(col>0) setTimeout('sa()', 25); }
        function fl(){ document.entryform.dest.focus(); }
    </script>
    
    <script type="text/javascript">
        function g() { 
            document.entryform.action = 'http://www.travelpear.com.sg/singapore/travel-packages/1/'+document.entryform.dest.value + '.html';
        }
    </script>
            
    </head><body onLoad="fl();sa();">
    
    
    <div id="indexcontent">
            <div align="center">
                <h3>
                <img src="http://www.travelpear.com/images/pear_logo.png" border=0>
                <span id="ws" class="W">Travelpear</span>
    
                </h3>
                <form name="entryform" method="post" action="" onsubmit="g();">    
                    <div class="sb">
                        From: <a href='http://www.travelpear.com.sg/singapore/origin.html'>Singapore</a>&nbsp;&nbsp;&nbsp;&nbsp;Going to:
                        <input type="text" name="dest" size=17 value="" onMouseOver="this.focus()" class="se" id="dest" autocomplete="off" />
                        <span align="left"><span id="suggestionBox" style="display:none;border:1px solid black;background-color:white;"></span></span>
                        <input name=sm type=submit value="Search" class="s2" align="bottom">
                    </div>    
                </form>                
                Search 1620 travel packages and brochures. Compare travel deals.
                <br><br>
    
                <a href="http://www.travelpear.com.sg/singapore/travel-agencies/list/a.html" class="ls">Singapore travel agencies</a> | 
                <a href="http://www.travelpear.com.sg/singapore/popular-travel-destinations" class="ls">Popular Destinations</a>
                <br>
                
    
        
        <script type="text/javascript" language="javascript">
          var myAutoCompleter = new Ajax.Autocompleter('dest', 'suggestionBox', 'suggest.php', {});
        </script>            
                
            </div> 
    </div>
    
    
    
    <br style="clear:both;" />
    
         
    </body>
    </html>


  6. #6
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    7
    Oh crap..

    It's my browser.. Firefox..

    It's replacing all my image tags with
    <img src="http://172.31.254.244/image.jpg">

  7. #7
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    This looks like it's routing all traffic via 172.31.254.244, which could be a proxy server.

    Does it happen for all web sites? Also, does it happen within IE?


  8. #8
    SitePoint Member
    Join Date
    Jul 2005
    Posts
    7
    Yup, it happens for all browsers, including IE..

    Any idea what the script is doing?

    Is it some kind of spyware?

  9. #9
    SitePoint Wizard gRoberts's Avatar
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    Most likely. Was your last post also confirming it was affecting all sites as well?

    I'd promptly run an Anti-virus and Anti-spyware scan on your machine (AVG Free will do if you don't already have some.)


  10. #10
    SitePoint Member
    Join Date
    Jun 2009
    Posts
    1
    Quote: Originally posted by shiftypowers
    Oh crap..

    It's my browser.. Firefox..

    It's replacing all my image tags with
    <img src="http://172.31.254.244/image.jpg">

    Hi, by any chance are you using MobileOne's network?

    I am experiencing the same. It's a nuisance.
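
Added example (not part of the thread and not code from any poster): one way to check for the in-flight modification diagnosed in posts #6 and #7, by comparing the HTML the server sent with the HTML the browser received and flagging rewritten image URLs and script blocks the origin never sent. The function names, the `www.example.test` host and both HTML samples are constructed for illustration; regex extraction stands in for a real HTML parser, and the served copy is assumed to come from a path that does not cross the proxy.

```javascript
// Added example: compare the HTML the server sent with the HTML the browser
// received and report in-flight changes. All sample data below is constructed.

// RFC 1918 private IPv4 ranges: 10/8, 172.16/12, 192.168/16.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Collect every match of a one-group regex as a list of captured strings.
function captures(re, text) {
  return Array.from(text.matchAll(re), (m) => m[1].trim());
}

function findInFlightChanges(servedHtml, receivedHtml) {
  const imgRe = /<img\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const servedImgs = new Set(captures(imgRe, servedHtml));
  const servedScripts = new Set(captures(scriptRe, servedHtml));
  const findings = [];

  // Image URLs the origin never sent; note when they point at a private host.
  for (const src of captures(imgRe, receivedHtml)) {
    if (servedImgs.has(src)) continue;
    let host = "";
    try { host = new URL(src).hostname; } catch (e) { /* relative URL */ }
    findings.push({ type: "img-rewritten", src, privateHost: isPrivateIPv4(host) });
  }
  // Inline script bodies that are absent from the served page.
  for (const body of captures(scriptRe, receivedHtml)) {
    if (body !== "" && !servedScripts.has(body)) {
      findings.push({ type: "script-injected", length: body.length });
    }
  }
  return findings;
}

// Constructed sample: what the origin sends vs. what arrives behind the proxy.
const SERVED = '<h3><img src="http://www.example.test/images/logo.png" border=0></h3>';
const RECEIVED =
  '<script language="JavaScript">var ir_g; function ir_r(){}</script>' +
  '<h3><img src="http://172.31.254.244/www.example.test/images/logo.png" border=0></h3>';

console.log(findInFlightChanges(SERVED, RECEIVED));
```

An empty result for a page means the received copy matches what the server sent for images and inline scripts; findings on every site visited point at the network path or the client machine rather than at any one web server.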

