INFECTION!!!

Posted: Tue Sep 17, 2013 4:08 pm
by Tata
Almost all websites on my domain were infected again. I don't know how it is possible.
Infected files are:

FS JavaScript Popup Date Selector
root/index.php
login.php
content.htm

Also other index.php files and htm, html files are infected.

Infecting code starts and ends with commented "a9a007" and is written in two very long lines of encrypted script.

It is placed in various places, but mostly corrupts files.

Re: INFECTION!!!

Posted: Tue Sep 17, 2013 6:33 pm
by Tata
Here is the infecting code:

http://prntscr.com/1rvh2n

Re: INFECTION!!!

Posted: Tue Sep 17, 2013 6:49 pm
by cmb
Tata wrote: I don't know how it is possible.
It's hard to say. However, it might be useful to find it out. Maybe you have some success finding out more about this particular infection by googling for parts of the injected scripts. Searching for "infection a9a007" only brought up this: http://www.webhostingtalk.com/showthrea ... &p=8841808.
Tata wrote: Infected files are:
[...]
root/index.php
[...]
Has the file been writable by the webserver? If not, the attack probably happened via FTP. :evil:

Ah, I've just seen the link you've posted. Can you please send me the code by email in a textual format (save as .txt and zip it, or so)?

Re: INFECTION!!!

Posted: Tue Sep 17, 2013 8:27 pm
by cmb
Well, I have quickly analysed the code, and it is a typical IFRAME insertion attack. The IFRAME's src attribute points to a PHP script, which seems to redirect to different sites/scripts depending on whatever (the USER_AGENT seems to play a role at least). So what actually may happen if someone visits an infected site is not clear. In the worst case they might try to exploit a vulnerability of the browser or a browser plugin.

Further googling brought up not much more info. The only thing was an entry on http://sitecheck.sucuri.net/results/ber ... ncescan.nl, which lists basically identical malware, and http://ninjafirewall.com/malware/index. ... 3-06-18.01 which is a close variation.

Re: INFECTION!!!

Posted: Tue Sep 17, 2013 8:50 pm
by Tata
I can ask my ISP to restore the whole domain from the server backup. I made no changes a couple of days back, so there is a chance to have everything fine. Now I found that all infected files have the same date of last change - 17/09/2013 14:00 - 14:50. So this was the attack time. Anyway, I load the entire domain to my Mac and will clean all files. Will see what happens tomorrow.
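
As an added example that is not part of the thread: a Python scanner that lists files containing a block delimited by the "a9a007" marker described above, together with each file's last-modified time, so the shared timestamp window can be checked. The three comment wrappers and the closing-marker form are assumptions, because the thread shows the injected code only as a screenshot; all function names are hypothetical.

```python
import re
from datetime import datetime
from pathlib import Path

MARKER = "a9a007"                      # marker string quoted in the thread
EXTENSIONS = {".php", ".htm", ".html", ".js"}
# ASSUMPTION: the marker sits in an HTML, block or hash comment and the
# closing marker may carry a leading slash; adjust after inspecting a sample.
WRAPPERS = [("<!--", "-->"), ("/*", "*/"), ("#", "#")]

def build_pattern(marker=MARKER):
    """Regex matching opening marker comment .. closing marker comment."""
    m = re.escape(marker)
    alts = []
    for left, right in WRAPPERS:
        l, r = re.escape(left), re.escape(right)
        alts.append(f"{l}{m}{r}.*?{l}/?{m}{r}")
    return re.compile("|".join(alts), re.DOTALL)

def find_blocks(text, marker=MARKER):
    """Return (start, end) offsets of every marker-delimited block."""
    return [hit.span() for hit in build_pattern(marker).finditer(text)]

def strip_blocks(text, marker=MARKER):
    """Return text with the delimited blocks removed (nothing is written)."""
    return build_pattern(marker).sub("", text)

def scan_tree(root, marker=MARKER):
    """Map each infected file to (block count, last-modified time)."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        blocks = find_blocks(text, marker)
        if blocks:
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            hits[str(path)] = (len(blocks), mtime)
    return hits

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (count, mtime) in scan_tree(root).items():
        print(f"{mtime:%Y-%m-%d %H:%M}  {count} block(s)  {name}")
```

Because the first post reports that the injection mostly corrupts files, compare the output of `strip_blocks` against a backup copy rather than treating it as a clean restore.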

Re: INFECTION!!!

Posted: Fri Jul 18, 2014 6:09 am
by Tata
mariashina wrote: scripts are often thought as a virus.
Well, I would say VIRUSES ARE SCRIPTS. Anyway, if such a script - which doesn't belong to your CMS - occurs in it, it is always that somebody tries to make something on/by/due/with your website that is sure out of your intention.