Website infected with malicious scripts

I was browsing websites analyzed by internal honeypots and I found a website that is infected with two malicious scripts. I used website sniffer to retrieve the content of the website, and we can see from the pic above that after the end of the html tag there are two JavaScript scripts:


This is very suspicious, since there should never be scripts or iframes after the end of the html tag. It looks like the website has been infected by an automated script that appends specific code (in this case JS code + iframe) to the end of every file in the website. Most probably, other websites hosted on the same server as the infected website also have the same dangerous scripts injected into all of their files; this is a common symptom of a mass infection.
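A check for this symptom, as an added example (not code from the original post): the Python below flags `<script>` and `<iframe>` tags that appear after the closing html tag, and also flags iframes whose width and height are both set to 1 or less. The sample pages, the `example.invalid` hosts and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed sample pages (inert placeholders, not the real injected code).
SAMPLE_INFECTED = (
    "<html><body><p>Welcome</p></body></html>\n"
    '<script>var x9f="%61%62"; /* obfuscated loader placeholder */</script>\n'
    '<script src="http://injected.example.invalid:8080/loader.js"></script>'
)
SAMPLE_HIDDEN = ('<html><body><iframe src="http://frame.example.invalid/" '
                 'width="1" height="1"></iframe></body></html>')
SAMPLE_CLEAN = "<html><body><script src='/app.js'></script></body></html>\n"

class _TagCollector(HTMLParser):
    """Collects <script> and <iframe> start tags with their attributes."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.found.append((tag, dict(attrs)))

def _collect(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.found

def _is_tiny(value):
    """True for a width/height of 0 or 1, e.g. "1" or "1px"."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

def scan_page(html):
    """Return a list of findings for one page's raw HTML."""
    findings = []
    closes = list(CLOSE_HTML.finditer(html))
    if closes:  # anything executable after the last </html> is unexpected
        for tag, attrs in _collect(html[closes[-1].end():]):
            findings.append(f"<{tag}> after </html>, src={attrs.get('src')!r}")
    for tag, attrs in _collect(html):
        if tag == "iframe" and _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            findings.append(f"hidden iframe, src={attrs.get('src')!r}")
    return findings

if __name__ == "__main__":
    for name in ("SAMPLE_INFECTED", "SAMPLE_HIDDEN", "SAMPLE_CLEAN"):
        print(name, scan_page(globals()[name]))
```

Run over every file under a web root, a finding that repeats across many unrelated files points to the mass-infection pattern described above rather than a single edited page.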

We can see that the first script contains obfuscated data and uses random function names to bypass the heuristic detection of security software. When deobfuscated, we can see it points to the following malicious URL:


Interestingly, it is an iframe that can be called hidden, since it sets the two parameters width and height to a very small value (1) to hide the iframe from the user. A scan reveals that the IP address is detected by 5 engines and is classified as dangerous:

The other script is not deobfuscated and we can see that it loads a script from a remote website that looks a bit suspicious since it uses port 8080 for its web server:

hxxp://oployau.fancountblogger. com:8080/Undo.js

A scan reveals that the website is detected by 5 engines and is classified as dangerous: