Tag Archives: js exploit

New Malicious Injected Code: Injection_head and Injection_tail

We have logged few websites infected with a new injected javascript code that seems to target mainly the websites powered with WordPress and Joomla. Below there is a screenshot of the malicious script:

Image

As we can see from the image above, the injected code starts with:

<!--Injection_head[SessionID=...]-->

And it ends with:

<!--Injection_tail[SessionID=...]-->

Com.Br Websites Infected with Maliciour JS Code (count18.php)

Our sandbox has logged various domains with suffix .COM.BR infected with a malicious obfuscated javascript code, that is injected at begin of the HTML pages of the websites, before the initial <html> tag:

Obfuscated JS code

The malicious script redirects the users to a malicious URL:

hxxp:// bylviha .ru/count18.php

An example of websites infected:

hxxp:// carboniferacatarinense .com .br/
hxxp:// www. csir-iir. org/
hxxp:// www. terapets .com/

Sometimes the malicious script is injected inside the <title> tag:

JS Injected in Title TAG

URLVoid reports of malicious domains:

http://www.urlvoid.com/scan/bylviha .ru
http://www.urlvoid.com/scan/carboniferacatarinense .com .br
http://www.urlvoid.com/scan/csir-iir. org
http://www.urlvoid.com/scan/terapets .com