Search code examples
bashcgicode-injection

Is this a variable injection attempt?

so I've monitored a malicious packet that was captured by Sourcefire going towards my server.

Packet text:

.PV..4.
I.....E....I@.....BF..
 ...s.P......rTP.F..l..lytics.com/analytics.js','ga');

  ga('create', 'UA-86400685-1', 'auto');
  ga('send', 'pageview');

</script>
        <script type="text/javascript">
          var MTUserId='8a71716c-e741-4c82-a6df-f0074c7c3472';
            var MTFontIds = new Array();

            MTFontIds.push("1075556"); // Avenir.. Next W01 Rounded Regular 
            MTFontIds.push("1075562"); // Avenir.. Next W01 Rounded Medium 
            (function() {
                var mtTracking = document.createElement('script');
                mtTracking.type='text/javascript';
                mtTracking.async='true';
                mtTracking.src='mtiFontTrackingCode.js';

                (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(mtTracking);
            })();

            eval(function (p, a, c, k, e, d) { e = function (c) { return c.toString(36) }; if (!''.replace(/^/, String)) { while (c--) { d[c.toString(a)] = k[c] || c.toString(a) } k = [function (e) { return d[e] }]; e = function () { return '\\w+' }; c = 1 }; while (c--) { if (k[c]) { p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]) } } return p }('4 8=9.f;4 6=9.k.m(",");4 2=3.j(\'l\');2.h=\'g/5\';2.d=\'b\';2.e=(\'7:\'==3.i.s?\'7:\':\'u:\')+\'//v.n.w/x/1.5?t=5&c=\'+8+\'&o=\'+6;(3.a(\'p\')[0]||3.a(\'q\')[0]).r(2);', 34, 34, '||mtTracking|document|var|css|pf|https|userId|window|getElementsByTagName|stylesheet||rel|href|MTUserId

Is this considered a Bash CGI environment variable injection attempt ? Can someone explain the anatomy of this attack and this code in particular ?

Thank you in advance. G

Solution

  • Not as far as I can tell, you can trivially use an online javascript unpacker to unpack the last line and find some simple tracker code. I wouldn't call privacy invasion 'benign' but this doesn't look like injection at all.

    var userId=window.MTUserId;
var pf=window.k.m(",");
var mtTracking=document.j('l');
mtTracking.h='g/css';
mtTracking.rel='stylesheet';
mtTracking.href=('https:'==document.i.s?'https:':'u:')+'//v.n.w/x/1.css?t=css&c='+userId+'&o='+pf;
(document.getElementsByTagName('p')[0]||document.getElementsByTagName('q')[0]).r(mtTracking);