On Wed, Aug 25, 2010 at 1:40 PM, techconnect <[email protected]> wrote:
> We found this script on our website and we want to know what it
> does. Anyone know?

  I'm going to upgrade my analysis from "suspicious" to "very likely
to be malicious".  The decoded URL I sent triggered at least one other
subscriber's malware filter.

  Your website is compromised.  Invoke your security compromise
contingency procedures.

  My original message is copied below with the URLs removed and code
transformed to make it more acceptable for a filter.

On Wed, Aug 25, 2010 at 1:56 PM, Ben Scott <[email protected]> wrote:
>  It's an obfuscated code injector.  The resulting HTML code looks like this:
>
> (div style="visibility: hidden; position: absolute; left: 1; top:
> 1")(iframe src="[REDACTED]"
> frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0
> marginheight=0 scrolling=no)(/iframe)(/div)
>
>  The page at "[REDACTED]" doesn't
> appear to do anything interesting (right now).  But the name looks
> like the kind of random string attackers often use to host their
> malware.
>
>  If I had to guess, I'd guess your website was compromised and
> malicious code placed on it, so that anyone visiting your site would
> get nailed by the attacker from an unsuspected source.  Happens all
> the time.
>
> -- Ben
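
The markup quoted above (an iframe sized 1x1 inside a container hidden by inline style) is a pattern that can be searched for in decoded or rendered page output. The Python below is an added example, not code from this thread; the class and function names are hypothetical, and the sample page and its placeholder URLs are constructed.

```python
from html.parser import HTMLParser
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # never closed, never ancestors

def _hidden(style):
    # True if an inline style attribute hides the element.
    s = (style or "").lower().replace(" ", "")
    return "visibility:hidden" in s or "display:none" in s

def _tiny(value):
    # True for a width/height of 0 or 1, with or without "px".
    v = (value or "").strip().lower()
    return (v[:-2] if v.endswith("px") else v) in ("0", "1")

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hidden_by_inline_style) for each open element
        self.findings = []  # (line, src, reasons) for each suspicious iframe

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            checks = [("hidden ancestor", any(h for _, h in self.stack)),
                      ("hidden style", _hidden(a.get("style"))),
                      ("1x1 or smaller", _tiny(a.get("width")) and _tiny(a.get("height")))]
            reasons = [name for name, hit in checks if hit]
            if reasons:
                self.findings.append((self.getpos()[0], a.get("src"), reasons))
        if tag not in VOID:
            self.stack.append((tag, _hidden(a.get("style"))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; unclosed children go with it.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: line 2 mirrors the quoted markup (placeholder URL); line 3 is a normal embed.
SAMPLE = """<html><body>
<div style="visibility: hidden; position: absolute; left: 1; top: 1"><iframe src="http://placeholder.invalid/" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div>
<iframe src="https://video.example.invalid/embed" width="560" height="315"></iframe>
</body></html>"""
```

Because the injector in this thread was obfuscated script, a scan like this only sees the iframe once the script's output has been decoded or the page has been rendered; it will not match the obfuscated source itself.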
