Author Topic: Unfriendly visitor ? (Read 675 times)

Jazz · « **on:** May 06, 2011, 07:00:12 PM »

Hello
First, thank you for your good wishes vis a vis my forum.
Second, can you help me? Just a short while ago my forum had a visitor from Malaysia. The visitor's opening activity seemed odd to me. His initial action seemed to be leaving me with a script. The wording in it makes me believe it is malicious. I will post it below for all to see. If my forum goes off tonight unexpectedly, you'll know why. Here is the script. (red highlights are my own) What do you make of it? Trying to hack or f.up my forum?

I have to split the post into two because it's too long for one.

var smf_formSubmitted = false;

// Define document.getElementById for Internet Explorer 4.
if (typeof(document.getElementById) == "undefined")
   document.getElementById = function (id)
   {
      // Just return the corresponding index of all.
      return document.all[id];
   }
// Define XMLHttpRequest for IE 5 and above. (don't bother for IE 4 :/.... works in Opera 7.6 and Safari 1.2!)
else if (!window.XMLHttpRequest && window.ActiveXObject)
   window.XMLHttpRequest = function

   {
      return new ActiveXObject(navigator.userAgent.indexOf("MSIE 5") != -1 ? "Microsoft.XMLHTTP" : "MSXML2.XMLHTTP");
   };

// Some older versions of Mozilla don't have this, for some reason.
if (typeof(document.forms) == "undefined")
   document.forms = document.getElementsByTagName("form");

// Load an XML document using XMLHttpRequest.
function getXMLDocument(url, callback)
{
   if (!window.XMLHttpRequest)
      return false;

   var myDoc = new XMLHttpRequest();
   if (typeof(callback) != "undefined")
   {
      myDoc.onreadystatechange = function

      {
         if (myDoc.readyState != 4)
            return;

         if (myDoc.responseXML != null && myDoc.status == 200)
            callback(myDoc.responseXML);
      };
   }
   myDoc.open('GET', url, true);
   myDoc.send(null);

   return true;
}

// Send a post form to the server using XMLHttpRequest.
function sendXMLDocument(url, content, callback)
{
   if (!window.XMLHttpRequest)
      return false;

   var sendDoc = new window.XMLHttpRequest();
   if (typeof(callback) != "undefined")
   {
      sendDoc.onreadystatechange = function

      {
         if (sendDoc.readyState != 4)
            return;

         if (sendDoc.responseXML != null && sendDoc.status == 200)
            callback(sendDoc.responseXML);
         else
            callback(false);
      };
   }
   sendDoc.open('POST', url, true);
   if (typeof(sendDoc.setRequestHeader) != "undefined")
      sendDoc.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
   sendDoc.send(content);

   return true;
}

function textToEntities(text)
{
   var entities = "";
   for (var i = 0; i < text.length; i++)
   {
      if (text.charCodeAt(i) > 127)
         entities += "&#" + text.charCodeAt(i) + ";";
      else
         entities += text.charAt(i);
   }

   return entities;
}

// Open a new window.
function reqWin(desktopURL, alternateWidth, alternateHeight, noScrollbars)
{
   if ((alternateWidth && self.screen.availWidth * 0.8 < alternateWidth) || (alternateHeight && self.screen.availHeight * 0.8 < alternateHeight))
   {
      noScrollbars = false;
      alternateWidth = Math.min(alternateWidth, self.screen.availWidth * 0.

;
alternateHeight = Math.min(alternateHeight, self.screen.availHeight * 0.

;
   }
   else
      noScrollbars = typeof(noScrollbars) != "undefined" && noScrollbars == true;

   window.open(desktopURL, 'requested_popup', 'toolbar=no,location=no,status=no,menubar=no,scrollbars=' + (noScrollbars ? 'no' : 'yes') + ',width=' + (alternateWidth ? alternateWidth : 480) + ',height=' + (alternateHeight ? alternateHeight : 220) + ',resizable=no');

   // Return false so the click won't follow the link

.
   return false;
}

// Remember the current position.
function storeCaret(text)
{
   // Only bother if it will be useful.
   if (typeof(text.createTextRange) != "undefined")
      text.caretPos = document.selection.createRange().duplicate();
}

// Replaces the currently selected text with the passed text.
function replaceText(text, textarea)
{
   // Attempt to create a text range (IE).
   if (typeof(textarea.caretPos) != "undefined" && textarea.createTextRange)
   {
      var caretPos = textarea.caretPos;

      caretPos.text = caretPos.text.charAt(caretPos.text.length - 1) == ' ' ? text + ' ' : text;
      caretPos.select();
   }
   // Mozilla text range replace.
   else if (typeof(textarea.selectionStart) != "undefined")
   {
      var begin = textarea.value.substr(0, textarea.selectionStart);
      var end = textarea.value.substr(textarea.selectionEnd);
      var scrollPos = textarea.scrollTop;

      textarea.value = begin + text + end;

      if (textarea.setSelectionRange)
      {
         textarea.focus();
         textarea.setSelectionRange(begin.length + text.length, begin.length + text.length);
      }
      textarea.scrollTop = scrollPos;
   }
   // Just put it on the end.
   else
   {
      textarea.value += text;
      textarea.focus(textarea.value.length - 1);
   }
}

// Surrounds the selected text with text1 and text2.
function surroundText(text1, text2, textarea)
{
   // Can a text range be created?
   if (typeof(textarea.caretPos) != "undefined" && textarea.createTextRange)
   {
      var caretPos = textarea.caretPos, temp_length = caretPos.text.length;

      caretPos.text = caretPos.text.charAt(caretPos.text.length - 1) == ' ' ? text1 + caretPos.text + text2 + ' ' : text1 + caretPos.text + text2;

      if (temp_length == 0)
      {
         caretPos.moveStart("character", -text2.length);
         caretPos.moveEnd("character", -text2.length);
         caretPos.select();
      }
      else
         textarea.focus(caretPos);
   }
   // Mozilla text range wrap.
   else if (typeof(textarea.selectionStart) != "undefined")
   {
      var begin = textarea.value.substr(0, textarea.selectionStart);
      var selection = textarea.value.substr(textarea.selectionStart, textarea.selectionEnd - textarea.selectionStart);
      var end = textarea.value.substr(textarea.selectionEnd);
      var newCursorPos = textarea.selectionStart;
      var scrollPos = textarea.scrollTop;

      textarea.value = begin + text1 + selection + text2 + end;

      if (textarea.setSelectionRange)
      {
         if (selection.length == 0)
            textarea.setSelectionRange(newCursorPos + text1.length, newCursorPos + text1.length);
         else
            textarea.setSelectionRange(newCursorPos, newCursorPos + text1.length + selection.length + text2.length);
         textarea.focus();
      }
      textarea.scrollTop = scrollPos;
   }
   // Just put them on the end, then.
   else
   {
      textarea.value += text1 + text2;
      textarea.focus(textarea.value.length - 1);
   }
}

// Checks if the passed input's value is nothing.
function isEmptyText(theField)
{
   // Copy the value so changes can be made..
   var theValue = theField.value;

   // Strip whitespace off the left side.
   while (theValue.length > 0 && (theValue.charAt(0) == ' ' || theValue.charAt(0) == '\t'))
      theValue = theValue.substring(1, theValue.length);
   // Strip whitespace off the right side.
   while (theValue.length > 0 && (theValue.charAt(theValue.length - 1) == ' ' || theValue.charAt(theValue.length - 1) == '\t'))
      theValue = theValue.substring(0, theValue.length - 1);

   if (theValue == '')
      return true;
   else
      return false;
}

// Only allow form submission ONCE.
function submitonce(theform)
{
   smf_formSubmitted = true;
}
function submitThisOnce(form)
{
   // Hateful, hateful fix for Safari 1.3 beta.
   if (navigator.userAgent.indexOf('AppleWebKit') != -1)
      return !smf_formSubmitted;

   if (typeof(form.form) != "undefined")
      form = form.form;

   for (var i = 0; i < form.length; i++)
      if (typeof(form) != "undefined" && form.tagName.toLowerCase() == "textarea")
         form.readOnly = true;

   return !smf_formSubmitted;
}

// Set the "inside" HTML of an element.
function setInnerHTML(element, toValue)
{
   // IE has this built in...
   if (typeof(element.innerHTML) != 'undefined')
      element.innerHTML = toValue;
   // Otherwise, try createContextualFragment().
   else
   {
      var range = document.createRange();
      range.selectNodeContents(element);
      range.deleteContents();
      element.appendChild(range.createContextualFragment(toValue));
   }

Jazz · « **Reply #1 on:** May 06, 2011, 07:00:30 PM »

}

// Set the "outer" HTML of an element.
function setOuterHTML(element, toValue)
{
   if (typeof(element.outerHTML) != 'undefined')
      element.outerHTML = toValue;
   else
   {
      var range = document.createRange();
      range.setStartBefore(element);
      element.parentNode.replaceChild(range.createContextualFragment(toValue), element);
   }
}

// Get the inner HTML of an element.
function getInnerHTML(element)
{
   if (typeof(element.innerHTML) != 'undefined')
      return element.innerHTML;
   else
   {
      var returnStr = '';
      for (var i = 0; i < element.childNodes.length; i++)
         returnStr += getOuterHTML(element.childNodes);

      return returnStr;
   }
}

function getOuterHTML(node)
{
   if (typeof(node.outerHTML) != 'undefined')
      return node.outerHTML;

   var str = '';

   switch (node.nodeType)
   {
   // An element.
   case 1:
      str += '<' + node.nodeName;

      for (var i = 0; i < node.attributes.length; i++)
      {
         if (node.attributes.nodeValue != null)
            str += ' ' + node.attributes.nodeName + '="' + node.attributes.nodeValue + '"';
      }

      if (node.childNodes.length == 0 && in_array(node.nodeName.toLowerCase(), ['hr', 'input', 'img', 'link', 'meta', 'br']))
         str += ' />';
      else
         str += '>' + getInnerHTML(node) + '</' + node.nodeName + '>';
      break;

   // 2 is an attribute.

   // Just some text..
   case 3:
      str += node.nodeValue;
      break;

   // A CDATA section.
   case 4:
      str += '<![CDATA' + '[' + node.nodeValue + ']' + ']>';
      break;

   // Entity reference..
   case 5:
      str += '&' + node.nodeName + ';';
      break;

   // 6 is an actual entity, 7 is a PI.

   // Comment.
   case 8:
      str += '';
      break;
   }

   return str;
}

// Checks for variable in theArray.
function in_array(variable, theArray)
{
   for (var i = 0; i < theArray.length; i++)
   {
      if (theArray == variable)
         return true;
   }
   return false;
}

// Find a specific radio button in its group and select it.
function selectRadioByName(radioGroup, name)
{
   if (typeof(radioGroup.length) == "undefined")
      return radioGroup.checked = true;

   for (var i = 0; i < radioGroup.length; i++)
   {
      if (radioGroup.value == name)
         return radioGroup.checked = true;
   }

   return false;
}

// Invert all checkboxes at once by clicking a single checkbox.
function invertAll(headerfield, checkform, mask)
{
   for (var i = 0; i < checkform.length; i++)
   {
      if (typeof(checkform.name) == "undefined" || (typeof(mask) != "undefined" && checkform.name.substr(0, mask.length) != mask))
         continue;

      if (!checkform.disabled)
         checkform.checked = headerfield.checked;
   }
}

// Keep the session alive - always!
var lastKeepAliveCheck = new Date().getTime();
function smf_sessionKeepAlive()
{
   var curTime = new Date().getTime();

   // Prevent a Firefox bug from hammering the server.
   if (smf_scripturl && curTime - lastKeepAliveCheck > 900000)
   {
      var tempImage = new Image();
      tempImage.src = smf_scripturl + (smf_scripturl.indexOf("?") == -1 ? "?" : "&") + "action=keepalive;" + curTime;
      lastKeepAliveCheck = curTime;
   }

   window.setTimeout("smf_sessionKeepAlive();", 1200000);
}
window.setTimeout("smf_sessionKeepAlive();", 1200000);

// Set a theme option through javascript.
function smf_setThemeOption(option, value, theme, cur_session_id)
{
   // Compatibility.
   if (cur_session_id == null)
      cur_session_id = smf_session_id;

   var tempImage = new Image();
   tempImage.src = smf_scripturl + (smf_scripturl.indexOf("?") == -1 ? "?" : "&") + "action=jsoption;var=" + option + ";val=" + value + ";sesc=" + cur_session_id + (theme == null ? "" : "&id=" + theme) + ";" + (new Date().getTime());
}

function smf_avatarResize()
{
   var possibleAvatars = document.getElementsByTagName ? document.getElementsByTagName("img") : document.all.tags("img");

   for (var i = 0; i < possibleAvatars.length; i++)
   {
      if (possibleAvatars.className != "avatar")
         continue;

      var tempAvatar = new Image();
      tempAvatar.src = possibleAvatars.src;

      if (smf_avatarMaxWidth != 0 && tempAvatar.width > smf_avatarMaxWidth)
      {
         possibleAvatars.height = (smf_avatarMaxWidth * tempAvatar.height) / tempAvatar.width;
         possibleAvatars.width = smf_avatarMaxWidth;
      }
      else if (smf_avatarMaxHeight != 0 && tempAvatar.height > smf_avatarMaxHeight)
      {
         possibleAvatars.width = (smf_avatarMaxHeight * tempAvatar.width) / tempAvatar.height;
         possibleAvatars.height = smf_avatarMaxHeight;
      }
      else
      {
         possibleAvatars.width = tempAvatar.width;
         possibleAvatars.height = tempAvatar.height;
      }
   }

   if (typeof(window_oldAvatarOnload) != "undefined" && window_oldAvatarOnload)
   {
      window_oldAvatarOnload();
      window_oldAvatarOnload = null;
   }
}

function hashLoginPassword(doForm, cur_session_id)
{
   // Compatibility.
   if (cur_session_id == null)
      cur_session_id = smf_session_id;

   if (typeof(hex_sha1) == "undefined")
      return;
   // Are they using an email address?
   if (doForm.user.value.indexOf("@") != -1)
      return;

   // Unless the browser is Opera, the password will not save properly.
   if (typeof(window.opera) == "undefined")
      doForm.passwrd.autocomplete = "off";

   doForm.hash_passwrd.value = hex_sha1(hex_sha1(doForm.user.value.php_to8bit().php_strtolower() + doForm.passwrd.value.php_to8bit()) + cur_session_id);

   // It looks nicer to fill it with asterisks, but Firefox will try to save that.
   if (navigator.userAgent.indexOf("Firefox/") != -1)
      doForm.passwrd.value = "";
   else
      doForm.passwrd.value = doForm.passwrd.value.replace(/./g, "*");
}

function hashAdminPassword(doForm, username, cur_session_id)
{
   // Compatibility.
   if (cur_session_id == null)
      cur_session_id = smf_session_id;

   if (typeof(hex_sha1) == "undefined")
      return;

   doForm.admin_hash_pass.value = hex_sha1(hex_sha1(username.toLowerCase() + doForm.admin_pass.value) + cur_session_id);
   doForm.admin_pass.value = doForm.admin_pass.value.replace(/./g, "*");
}

function ajax_indicator(turn_on)
{
   var indicator = document.getElementById("ajax_in_progress");
   if (indicator != null)
   {
      if (navigator.appName == "Microsoft Internet Explorer" && navigator.userAgent.indexOf("MSIE 7") == -1)
      {
         indicator.style.top = document.documentElement.scrollTop;
      }
      indicator.style.display = turn_on ? "block" : "none";

dirtydog · « **Reply #2 on:** May 06, 2011, 09:39:35 PM »

Old trojan insert for smf, they would need server access (FTP) to exploit it, plus its so old I shouldn't imagine it will work anymore.

Johnnie F. · « **Reply #3 on:** May 07, 2011, 06:01:21 AM »

Very illuminating post, Jazz! What makes you think that: "Unfriendly visitor from Malaysia?"?

Jazz · « **Reply #4 on:** May 07, 2011, 10:36:41 AM »

The same way as you know I'm not posting this from Malaysia.
My forum has had regular visits from Malaysia, 2 or 3 times a day, most days. Malaysia is number 3 in frequency of visits to the forum but most visits seem to be from the same person.

Johnnie F. · « **Reply #5 on:** May 07, 2011, 11:04:25 AM »

Probably we're thinking about the same person. Maybe he just keeps checking how much value his "merchandise" keeps loosing by the hour.

KoratFart.com - Nakhon Ratchasima and Isaan Forum for Art, News & Culture

News:

Author Topic: Unfriendly visitor ? (Read 675 times)

Jazz

Unfriendly visitor ?

Jazz

Re: Unfriendly visitor from Malaysia?

dirtydog

Re: Unfriendly visitor ?

Johnnie F.

Re: Unfriendly visitor ?

Jazz

Re: Unfriendly visitor ?

Johnnie F.

Re: Unfriendly visitor ?