What is this "<!--[O]--><script>document.write(…" mysterious code block in some web sites’ source code?

I must warn you not to use Internet Explorer while you are reading this post.
Otherwise your computer might get infected by a computer virus! If you are paranoid, you can disable JavaScript in your browser too.

If you are not using Internet Explorer (or Maxthon) you can go on reading.

It is a long line of JavaScript code that some web sites’ HTML source code contains.
It can be found at the top or bottom of the HTML source code.
I’ve created a screenshot to show you what it looks like.


The source code of an infected website

Do you know what it is?

It is malicious JavaScript code that exploits a buffer overflow vulnerability in Microsoft Internet Explorer (IE).
The vulnerability can be exploited to execute arbitrary code with the privileges of the user running IE.

The JavaScript code tries to execute binary code, a trojan virus.
Your computer is infected immediately by a trojan virus, such as Win32/Spy.Delf.NEY,
when you visit such an "infected" web site with Internet Explorer on Windows XP SP1.
Other browsers might crash or close themselves. Firefox, for instance, immediately terminates itself when you visit such a page.

How do web sites get infected?

At first, I believed the files on the server were modified through a vulnerable CMS or blog engine. That’s not true.
It is the infected computer that injects the malicious code into all files in the root of the web server, without the knowledge of the user, of course.
When your computer is infected, the virus tries to steal the FTP server passwords stored on your computer.
It is confirmed that the virus can easily steal all FTP passwords from Total Commander’s configuration file, as the
passwords are not encrypted (maybe encrypted but the encryption is too weak).
Many web developers, including me, use Total Commander.
Although it is not advised to store passwords, we do it because we are too lazy to type the password all the time.

What to do when your computer or web site is infected by such trojan

  1. Do not panic! It cannot be worse.
  2. Remove the virus from your computer (the best would be to restore the system partition from an archive).
    The second preferred option is to remove the virus with an antivirus. Make sure you disconnect your computer from the internet when you are doing it.
  3. If your computer is clean, remove the stored passwords from Total Commander.
  4. Now you need to check all your web sites one by one for infection. Do not use Internet Explorer, your computer might catch the infection again.

    Download all the files of your websites via FTP and search for the malicious JavaScript code. You can use Total Commander’s "Find Files" feature (ALT-F7) for this.
    You will be looking for all files that contain the special string <!--[O]--><script>document.write(unescape.
    If you find infected files, remove the JavaScript code from them. Then you can upload the modified files back to the server.
  5. Now you need to change all your FTP passwords as the virus might have sent them to someone else.
  6. Last but not least you should update your browser.
  7. There is something else. Maybe you should notify your web site’s visitors about the infection ;)
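
The search-and-remove part of step 4 can also be scripted over the downloaded copy of the site. The following Python is an added example, not code from the original post: it looks for the marker string quoted above, reports whether each hit sits in the top or bottom half of the file, and removes the block. It assumes the injected block ends at the first </script> after the marker, which the post does not state; the function names and the sample page are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Marker string quoted in step 4 of the post.
MARKER = b"<!--[O]--><script>document.write(unescape"
# Assumption (not stated in the post): the block ends at the next </script>.
END = b"</script>"
# Constructed sample page; the escaped payload is a harmless placeholder.
SAMPLE = MARKER + b'("%41%42"));</script>\n<html><body>shop</body></html>\n'


def find_infected(root):
    """Return sorted (path, byte offset, 'top' or 'bottom') for each marker hit."""
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()  # bytes: page encodings are unknown
        pos = data.find(MARKER)
        while pos != -1:
            hits.append((str(path), pos, "top" if pos < len(data) / 2 else "bottom"))
            pos = data.find(MARKER, pos + 1)
    return sorted(hits)


def strip_injection(data):
    """Remove every MARKER..END span; stop at a block with no END (manual review)."""
    pos = data.find(MARKER)
    while pos != -1:
        end = data.find(END, pos)
        if end == -1:
            break
        data = data[:pos] + data[end + len(END):]
        pos = data.find(MARKER, pos)
    return data


def clean_tree(root):
    """Rewrite each infected file in place; return the paths that changed."""
    changed = []
    for path in sorted({hit[0] for hit in find_infected(root)}):
        data = Path(path).read_bytes()
        if strip_injection(data) != data:
            Path(path).write_bytes(strip_injection(data))
            changed.append(path)
    return changed


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:  # stands in for the FTP download
        Path(site, "index.html").write_bytes(SAMPLE)
        print(find_infected(site), clean_tree(site), find_infected(site))
```

Run find_infected again after clean_tree and before uploading: any file it still lists contains a marker with no closing tag and has to be edited by hand.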

It can be very embarrassing if your website is infected with such code. You might receive a few unfriendly e-mails from some visitors or customers.
The worst thing is that you can lose many visitors or customers. Your website can easily lose its trust and good name in a few hours or days.
The sooner you detect and resolve the infection the better. As an example, here are two links to infected web sites:
novepc.sk, webtest.sk. The first is
an online store selling computer hardware and the latter is a website collecting some of the most beautiful Slovak and Czech websites.
It is visited especially by web designers (Total Commander is very popular in Slovakia, too ;)).
