contained a script pulled from inforaf.vot.pl that turned out to be malicious.
Another good clue is the location of the script tag on the page. The attackers might be lazy and put the script tag at the very top or very bottom of the page. Always look at scripts placed before the opening HTML tag or after the closing BODY tag.
There are other places where a SCRIPT tag should not be found, for example, inside a TITLE tag.
When I analyze a page, I also look for different coding styles. For example, if a webmaster uses double quotes around tag attributes, I would then look for a SCRIPT tag with single quotes, or no quotes at all. Similarly, the webmaster might use the type attributes. Any SCRIPT tag that uses a different coding style would raise a red flag.
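The placement and coding-style checks described above can be automated for triage. The following is an added example, not code from the original article; the function names, the sample page and the host injected.example are constructed for illustration.

```python
import re
from collections import Counter

# Heuristic regexes for triage, not a full HTML parser.
TAG = re.compile(r"<([a-zA-Z][\w:-]*)\b([^>]*)>")
ATTR = re.compile(r"""[\w:-]+\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")
STYLE = {'"': "double", "'": "single"}

def quote_styles(attrs):
    """Quoting style (double/single/none) of each attribute in a start tag."""
    return [STYLE.get(m.group(1)[0], "none") for m in ATTR.finditer(attrs)]

def audit_scripts(page):
    """Return (raw_tag, reasons) for each SCRIPT tag that looks out of place."""
    html = re.search(r"<html\b", page, re.I)
    body_ends = [m.start() for m in re.finditer(r"</body\s*>", page, re.I)]
    titles = [m.span() for m in
              re.finditer(r"<title\b.*?</title\s*>", page, re.I | re.S)]
    tags = [(m.start(), m.group(1).lower(), m.group(2), m.group(0))
            for m in TAG.finditer(page)]
    # House style: the most common attribute quoting on non-script tags.
    baseline = Counter(s for _, name, attrs, _ in tags if name != "script"
                       for s in quote_styles(attrs))
    house = baseline.most_common(1)[0][0] if baseline else None
    findings = []
    for pos, name, attrs, raw in tags:
        reasons = []
        if html and pos < html.start():
            reasons.append("before <html>")
        if body_ends and pos > body_ends[-1]:
            reasons.append("after </body>")
        if any(start < pos < end for start, end in titles):
            reasons.append("inside <title>")
        if house and set(quote_styles(attrs)) - {house}:
            reasons.append("quoting differs from page")
        if name == "script" and reasons:
            findings.append((raw, reasons))
    return findings

# Constructed sample page; injected.example is a placeholder host.
SAMPLE = """<script src=http://injected.example/a.js></script>
<html><head>
<title>Shop<script src='http://injected.example/b.js'></script></title>
<script type="text/javascript" src="/js/site.js"></script>
</head><body class="home"><a href="/cart" id="cart">Cart</a></body>
<script src="http://injected.example/c.js"></script></html>"""

for raw, reasons in audit_scripts(SAMPLE):
    print(raw, "->", ", ".join(reasons))
```

A flagged tag is a lead for manual review, not a verdict: legitimate templates and third-party widgets can also mix quoting styles.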
[Figure: Malicious code appended to AC_RunActiveContent.js]
These techniques are even combined with other tricks to deliver code directed only at specific users, such as IP denylisting to block security scanners, cookies to prevent the page from being viewed twice, checking the Referer header to show the malicious code only to users coming from specific sites, etc. Security scanners often have to access the same page in many different ways to ensure that it is safe.