
On one of our websites, we are seeing this code being added to our pages by itself. I tried to figure out where it comes from, but with no success. One thing I have noticed: when I remove the opening html, head and body tags, it is gone.

Our website runs on WordPress, but when I create a subdomain that does not use WordPress, this code also appears on the page, so it is not a WordPress problem. So my question is: why is Apache adding this script? Let me know if someone has faced a similar issue and how to resolve it.

http://pastebin.com/qVCZ5MjT#

// Set up the two configuration objects that the IIFE below receives as
// (c, m) — see the trailing `(_csrf_, _tsbp_)` call at the end of the script.
// Fields the script reads: c.pn / c.pv (token parameter name / value, used as
// a query parameter and as a hidden form field), c.vu (path patterns),
// c.vh (host patterns), c.f (form handling mode, see a()), m.ba (response
// header name checked by i()), m.bh (request header name set on XHR sends).
// pn/pv/f/ba/bh are presumably filled in by whatever injects this script
// before it runs; the guards below only supply defaults for the rest.
if (typeof _csrf_ == "undefined") {
  _csrf_ = {}
}
if (typeof _tsbp_ == "undefined") {
  _tsbp_ = {}
}
// Host allow-list: empty by default, so only the current host qualifies (see n()).
if (typeof _csrf_.vh == "undefined") {
  _csrf_.vh = []
}
// Path allow-list: the default pattern matches every path (see d()).
if (typeof _csrf_.vu == "undefined") {
  _csrf_.vu = [/.*/]
}(function (c, m) {
    // Act on the value of the m.ba response header (e) for a finished XHR
    // (see i()); b is that response's body text.
    //   "1" -> navigate to b as a URL
    //   "2" -> show b in the overlay built by f()
    //   "3" -> replace the whole document with b
    // Returns true when one of the three actions ran, false otherwise
    // (including when either argument is null). Note that "2" and "3"
    // render b as HTML; that only holds up because b and the header come
    // from the same server response, never from user-supplied input.
    var l = function (e, b) {
      if (e === null || b === null) {
        return false
      }
      if (e == "1") {
        window.location.href = b;
        return true
      }
      if (e == "2") {
        f(b);
        return true
      }
      if (e == "3") {
        document.write(b);
        document.close();
        return true
      }
      return false
    };
    // readystatechange handler shared by the XHR wrappers (g() and the
    // prototype patches at the end of the IIFE). b is either the event
    // (the XHR is then b.target) or the XHR object itself. Nothing happens
    // until readyState is 4 (DONE); then the m.ba response header and the
    // body are handed to l(), whose result is returned. False otherwise.
    var i = function (b) {
      var viaEvent = typeof b.target != "undefined";
      var xhr = viaEvent ? b.target : b;
      if (xhr.readyState != 4) {
        return false
      }
      if (viaEvent) {
        // Detach once the response is complete; only meaningful when we
        // were registered with addEventListener (event form).
        xhr.removeEventListener("readystatechange", i, false)
      }
      var headerValue = xhr.getResponseHeader(m.ba);
      var body = xhr.responseText;
      return l(headerValue, body)
    };
    // Overlay used by l() for header value "2". On first use a hidden
    // container (ids _tsbp_aId / _tsbp_tId) is inserted at the top of
    // <body>; every call then writes b into the inner div and un-hides the
    // container. b is assigned through innerHTML, i.e. rendered as markup —
    // acceptable only because it is the server's own response text (see l()).
    // Does nothing while document.body does not exist yet.
    var f = function (b) {
      var body = window.document.body;
      if (!body) {
        return
      }
      var messageBox = document.getElementById("_tsbp_tId");
      if (!messageBox) {
        var container = document.createElement("div");
        container.style.display = "none";
        body.insertBefore(container, body.firstChild);
        var boxStyle = [
          "background-color: #dddddd; ",
          "border: 5px solid red; padding: 5px; ",
          "position: fixed; left: 6px; top: 10px; height: auto; width: auto; ",
          "overflow: hidden; z-index: 999999;"
        ].join("");
        container.innerHTML = '<div id="_tsbp_aId" style="' + boxStyle + '"><div id=\'_tsbp_tId\'>    </div><div style="height: 10px; font-weight: bold; margin: 10px 10px 10px 10px; text-align:     right;"><a href="javascript: void(0);"     onclick="document.getElementById(\'_tsbp_aId\').parentNode.style.display = \'none\';"><span>    <span>[Close this message]</span></span></a></div></div>';
        messageBox = document.getElementById("_tsbp_tId")
      }
      messageBox.innerHTML = b;
      document.getElementById("_tsbp_aId").parentNode.style.display = ""
    };
    // Escape the characters that would break out of a double-quoted HTML
    // attribute value: & < and ". Used by k() before placing a URL in href="".
    // > and ' are deliberately left alone; the only consumer quotes with ".
    var q = function (b) {
      return b.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/"/g, "&quot;")
    };
    // Resolve e to an absolute URL. Values that already start with a scheme
    // (/^\w+:/) are returned as-is; anything else is resolved by the browser:
    // it is placed (attribute-escaped by q()) in a temporary <a> and the
    // resolved .href is read back.
    var k = function (e) {
      if (/^\w+:/.test(e)) {
        return e
      }
      var holder = document.createElement("div");
      holder.innerHTML = '<a href="' + q(e) + '">.</a>';
      return holder.firstChild.href
    };
    // Append the token parameter (c.pn=c.pv) to URL s for request method b.
    // The URL qualifies only if it is non-empty, its scheme passes o(), its
    // path passes d(), its host passes n(), and the token is not already in
    // it. A URL with no query string is rewritten only for "POST"/"post";
    // for any other method the original s comes back untouched. An existing
    // fragment is re-attached after the token. k(s) is evaluated before the
    // null/empty check, so a null s makes k() throw (r() catches that).
    // Carrying the token in the query string means it can surface in
    // Referer headers, history and server logs; that is a product trade-off
    // worth knowing about when reviewing logs.
    var h = function (s, b) {
      var url = s;
      var absolute = k(url);
      if (url == null || url == "") {
        return url
      }
      var token = c.pn + "=" + c.pv;
      var qualifies = o(absolute) && d(absolute) && n(absolute) && url.indexOf(token) == -1;
      if (!qualifies) {
        return url
      }
      var hashAt = url.indexOf("#");
      var fragment = "";
      if (hashAt != -1) {
        fragment = url.substring(hashAt);
        url = url.substring(0, hashAt)
      }
      if (url.indexOf("?") == -1) {
        if (b !== "POST" && b !== "post") {
          return s
        }
        url += "?"
      }
      if (url.search(/\?$/) == -1) {
        url += "&"
      }
      return url + token + fragment
    };
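    // Path allow-list check for URL t: true when its pathname matches one of
    // the c.vu patterns. Also returns true when the engine exposes no
    // pathname on <a> elements or when a pattern throws while matching, so a
    // misconfigured pattern fails open (matches) rather than disabling the
    // token. Fix: the pathname was assigned to `u` without `var`, which
    // leaked it as a global (and throws in strict mode); it is now local.
    var d = function (t) {
      var link = window.document.createElement("a");
      link.href = t;
      if (typeof link.pathname == "undefined") {
        return true
      }
      var u = link.pathname;
      // Some engines return an empty or un-rooted pathname; normalise to "/…".
      if (u === "" || u[0] !== "/") {
        u = "/" + u
      }
      for (var b = 0; b < c.vu.length; b++) {
        try {
          if (u.match(c.vu[b])) {
            return true
          }
        }
        catch (p) {
          // Unusable pattern: treated as a match, as the original did.
          return true
        }
      }
      return false
    };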
    // Host allow-list check for URL v. The host is read off a temporary <a>;
    // an empty host falls back to the current hostname, and a trailing :port
    // is stripped unless the current hostname carries one too. True for the
    // current host or for any host matching a c.vh pattern; patterns that
    // throw are skipped. Together with h() this is what keeps the token from
    // being appended to links that point at other hosts.
    var n = function (v) {
      var hostOf = function (z) {
        var link = window.document.createElement("a");
        link.href = z;
        var host = "-";
        try {
          host = link.host;
          if (!host) {
            host = window.location.hostname
          }
          if (host.match(/:\d+$/) && !window.location.hostname.match(/:\d+$/)) {
            host = host.replace(/:\d+$/, "")
          }
        }
        catch (x) {}
        return host
      };
      var host = hostOf(v);
      var current = window && window.location && window.location.hostname;
      if (current && host === window.location.hostname) {
        return true
      }
      for (var b = 0; b < c.vh.length; b++) {
        try {
          if (host.match(c.vh[b])) {
            return true
          }
        }
        catch (s) {}
      }
      return false
    };
    // Scheme filter for URLs that may carry the token. Accepts http/https
    // (case-insensitive prefix "http"), root-relative "/…" and scheme-less
    // relative URLs; rejects anything else containing "://" (ftp: etc.),
    // "urn:" and "mailto:".
    var o = function (e) {
      if (/^mailto:/i.test(e)) {
        return false
      }
      if (/^http/i.test(e) || e.charAt(0) == "/") {
        return true
      }
      return e.indexOf("://") == -1 && !/^urn:/i.test(e)
    };
    // Add the token to one <form> element w. Skips anything without an
    // elements collection and any form that already has a field named c.pn.
    // The target URL is the form's action (or the current page URL when the
    // action is missing, not string-like or blank), resolved by k(); it must
    // pass d(), o() and n(). Then:
    //   - c.f == 0 and method POST: the token goes into the action URL's
    //     query string through h(..., "GET"), fragment preserved; failures
    //     while rewriting the action are swallowed and nothing else is added;
    //   - otherwise: a hidden <input name=c.pn value=c.pv> is appended.
    var a = function (w) {
      if (!w || typeof w.elements == "undefined") {
        return
      }
      for (var s = 0; s < w.elements.length; s++) {
        if (w.elements[s].name === c.pn) {
          return
        }
      }
      var action = (w.attributes.action != null) ? w.attributes.action.value : "";
      try {
        // Probe that the value behaves like a string; anything else falls back.
        action.match(/./)
      }
      catch (x) {
        action = window.location.href
      }
      if (!action || action.match(/^\s*$/)) {
        action = window.location.href
      }
      action = k(action);
      if (!(d(action) && o(action) && n(action))) {
        return
      }
      var method = (w.attributes.method != null) ? w.attributes.method.value : "";
      if (c.f == 0 && method.toLowerCase() == "post") {
        try {
          var hashAt = action.indexOf("#");
          var fragment = "";
          if (hashAt != -1) {
            fragment = action.substring(hashAt);
            action = action.substring(0, hashAt)
          }
          if (action.indexOf("?") == -1) {
            action += "?"
          }
          action = h(action, "GET");
          w.attributes.action.value = action + fragment
        }
        catch (x) {}
        return
      }
      var tokenField = document.createElement("input");
      tokenField.type = "hidden";
      tokenField.name = c.pn;
      tokenField.value = c.pv;
      w.appendChild(tokenField)
    };
    // Page-load pass (registered on window load at the end of the IIFE when
    // c.pv is set): run every <a href> through h(..., "GET") and hand every
    // <form> to a(). Per-link failures are swallowed so one bad href cannot
    // stop the loop. The innerHTML save/restore presumably works around
    // engines that rewrite link content when href is set; the second
    // argument to getAttribute is an old-IE flag for the value as written.
    var r = function () {
      var links = window.document.getElementsByTagName("a");
      for (var idx = 0; idx < links.length; idx++) {
        var link = links[idx];
        try {
          var savedContent = link.innerHTML;
          var rewritten = h(link.getAttribute("href", 2), "GET");
          if (rewritten != null && rewritten != "") {
            link.setAttribute("href", rewritten);
            if (link.innerHTML != savedContent) {
              link.innerHTML = savedContent
            }
          }
        }
        catch (err) {}
      }
      var forms = window.document.getElementsByTagName("form");
      for (var formIdx = 0; formIdx < forms.length; formIdx++) {
        a(forms[formIdx])
      }
    };
    // Internet Explorer path (selected by the navigator.appName check at the
    // end of the IIFE): replaces window.XMLHttpRequest with a wrapper class
    // p around the native object. p.open() runs the URL through h() when
    // c.pn is set; the wrapped readystatechange handler mirrors the native
    // status/readyState/response fields, lets i() inspect the m.ba response
    // header first, and only then calls the caller's own onreadystatechange.
    var g = function () {
      var b = window.XMLHttpRequest;

      // Thin holder around the native request (ActiveX fallback for old IE).
      function e() {
        this.base = b ? new b : new window.ActiveXObject("Microsoft.XMLHTTP")
      }

      // Public constructor; works with or without `new` because it returns
      // a fresh e explicitly.
      function p() {
        return new e
      }
      p.prototype = e.prototype;
      p.UNSENT = 0;
      p.OPENED = 1;
      p.HEADERS_RECEIVED = 2;
      p.LOADING = 3;
      p.DONE = 4;
      p.prototype.status = 0;
      p.prototype.statusText = "";
      p.prototype.readyState = p.UNSENT;
      p.prototype.responseText = "";
      p.prototype.responseXML = null;
      p.prototype.onsend = null;
      p.url = null;
      p.onreadystatechange = null;
      // Same signature as the native open(method, url, async, user, password).
      p.prototype.open = function (y, v, w, t, x) {
        var s = this;
        this.url = v;
        if (c.pn) {
              // Token appended to the request URL (method-aware, see h()).
              this.url = h(v, y)
        }
        this.base.onreadystatechange = function () {
          // Each field is copied in its own try: the native object can throw
          // on some properties before the request has reached that state.
          try {
            s.status = s.base.status
          }
          catch (z) {}
          try {
            s.statusText = s.base.statusText
          }
          catch (z) {}
          try {
            s.readyState = s.base.readyState
         }
          catch (z) {}
          try {
                s.responseText = s.base.responseText
          }
          catch (z) {}
          try {
                s.responseXML = s.base.responseXML
          }
          catch (z) {}
          // If i() acted on the m.ba header (redirect / overlay / rewrite),
          // the caller's handler is not invoked for this state change.
          if (m.ba && m.bh && i(this)) {
                return
          }
          // NOTE(review): the rest of this handler and the remainder of the
          // IIFE are minified onto the next line in this transcription, and
          // "nu <     /b{" there looks like a mangled "null) {" — confirm
          // against the linked pastebin before reusing this text. That line
          // also: sets request header m.bh to "true" in send(); on non-IE
          // browsers patches XMLHttpRequest.prototype open/send (and the
          // onreadystatechange setter, or a readystatechange listener when no
          // setter exists) to do the same; registers r() on window load when
          // c.pv is set; and deletes the _csrf_/_tsbp_ globals, presumably so
          // the token value is no longer reachable from the global scope once
          // this closure has captured it.
          if (s.onreadystatechange != nu <     /b{s.onreadystatechange.apply(this,arguments)}};this.base.open(y,this.url,w,t,x)};p.prototype.send=function(s){if(m.ba&&m.bh){this.base.setRequestHeader(m.bh,"true")}this.base.send(s)};p.prototype.abort=function(){this.base.abort()};p.prototype.getAllResponseHeaders=function(){return this.base.getAllResponseHeaders()};p.prototype.getResponseHeader=function(s){return this.base.getResponseHeader(s)};p.prototype.setRequestHeader=function(s,t){return this.base.setRequestHeader(s,t)};window.XMLHttpRequest=p};try{if(navigator.appName=="Microsoft Internet Explorer"){g()}else{if(c.pn){XMLHttpRequest.prototype._open=XMLHttpRequest.prototype.open;XMLHttpRequest.prototype.open=function(t,e,p,b,s){arguments[1]=h(e,t);this._open.apply(this,arguments)}}if(m.ba&&m.bh){XMLHttpRequest.prototype._tsbp_s=XMLHttpRequest.prototype.__lookupSetter__("onreadystatechange");if(typeof XMLHttpRequest.prototype._tsbp_s!="undefined"){XMLHttpRequest.prototype.__defineSetter__("onreadystatechange",function(e){var b=function(){if(i(this)){return}e()};this._tsbp_s(b)})}XMLHttpRequest.prototype._send=XMLHttpRequest.prototype.send;XMLHttpRequest.prototype.send=function(b){this.setRequestHeader(m.bh,"true");if((XMLHttpRequest.prototype._tsbp_s==null)&&(typeof this.addEventListener==="function")){this.addEventListener("readystatechange",i,false)}this._send.apply(this,arguments)}}}catch(j){}if(c.pv!=undefined){if(!!window.addEventListener){window.addEventListener("load",r,false)}else{if(!!window.attachEvent){window.attachEvent("onload",r)}else{window.onload=r}}}delete _csrf_;delete _tsbp_})        (_csrf_,_tsbp_);
Tariq
  • Could you please at least format the code for readability? It's pretty much impossible to read as is. – l0b0 Jun 24 '13 at 13:03
  • Read the formatted code here http://pastebin.com/qVCZ5MjT – Tariq Jun 24 '13 at 13:16
  • Please edit your original question instead of adding new information in comments. Thank you! – l0b0 Jun 24 '13 at 13:18
  • Isn't the code already formatted? I have added four spaces. Let me know what else I can do to format the code. – Tariq Jun 24 '13 at 13:28
  • Copy the code from the pastebin, then put it in a block below the existing code or replace the existing code entirely. Indentation (if done properly) will not affect the functionality, and therefore the question, in any way. – l0b0 Jun 24 '13 at 13:31
  • my first guess is that this is completely unrelated to cross-site request forgery - you probably got infected by some kind of malware (probably apache backdoor module) – buherator Jun 24 '13 at 13:38
  • Dear all, the code is now formatted. Please take a look and suggest how I could get rid of this code. – Tariq Jun 24 '13 at 14:18
  • Thanks for taking the time to format it. I've seen from my research how minified it is and I appreciate the work you put into that. – Jeff Ferland Jun 24 '13 at 15:41
  • This doesn't look like CSRF or XSS. It looks like your website has been hacked, and then defaced. – rook Jun 24 '13 at 17:57
  • Thank you everyone. This is the real problem we are facing on our website, learn2serve dot com. So we are looking at server-level configuration to find a solution. Thank you everyone for providing feedback. – Tariq Jun 25 '13 at 06:47

1 Answer


As best I can tell, this is a generic utility script with anti-CSRF protections. I wasn't able to find anything malicious in it.

Given what you said about it being injected and showing up in multiple configurations, I did some more digging around trying to identify the origin of the code. With some Google search work, it seems that it's injected by an F5 BIG-IP load balancer.

See http://support.f5.com/kb/en-us/solutions/public/11000/900/sol11930.html for their explanation of this feature. I then looked for another site that had this code (found http://communications.med.nyu.edu), and, to bring up an old Slashdot meme, Netcraft confirms it: they're using an F5 BIG-IP balancer as well: http://toolbar.netcraft.com/site_report?url=http://communications.med.nyu.edu

So, go forth and locate your load balancer and its configuration :)

Jeff Ferland
  • Thank you guys. I am asking our NOC team to look this into load balancing server configurations. – Tariq Jun 24 '13 at 16:52
    Thanks for the answer. This really helped us fix the issue on the F5 load balancing server. – Tariq Apr 25 '14 at 05:06