

"JS:Bulered" obfuscated malware code




Posted by Bashaar, 07-23-2009, 09:06 AM
Avast started giving out warnings when people viewed my site, saying a trojan horse was detected called "JS:Bulered". I looked through the page and noticed a chunk of code added at the end of the page: I cleared it, then noticed it was also added to random files on my Invision Power Board forum and Coppermine gallery, so I cleared it from there as well (just replaced the files from a backup I had). I'm currently on a dedicated server with SoftLayer and I have a few other sites, and when checking them I noticed the code was added to pages on those sites as well! Right now I'm just concentrating on my main site. I've cleared all the code and changed the password, FTP password, and root password for the server. But after several hours the code was added again. I read somewhere that it could be an infection on my computer that is using the FTP connection I make to inject the code into my site, so I've changed the FTP password again and I've stopped using FTP. It's been a couple of hours and the code hasn't been added back yet, but there's a good chance it'll be back soon. Really need help here, not sure how to get rid of this :/

Posted by Bashaar, 07-23-2009, 01:09 PM
Anyone at least know some kind of server tech company that could help me find the source of this?

Posted by PTWS, 07-23-2009, 01:26 PM
Have you checked your PC for viruses and malware? It sounds like the well-known FTP password stealer virus.

Posted by Bashaar, 07-23-2009, 01:33 PM
I've checked it with McAfee and some malware scanners and nothing came up.

Posted by Bashaar, 07-29-2009, 04:54 PM
I disabled FTP and the malicious code seemed to stop being added for several days. I started using SFTP instead, and today somehow the code was added again. Restored all the files, changed passes again and I'm gonna stop using any file upload program. Anyone have any ideas about how they're doing this?

Posted by Bashaar, 08-01-2009, 08:52 PM
Any help..?

Posted by Mustafa Albazy, 08-02-2009, 05:24 AM
Hi BashaarAweid, download the free Avast AV and run a full scan of your PC. Search your site files for image.php or img***.php and delete them. Enable open_basedir. If you speak Arabic, this URL will be helpful: isecur1ty.org/articles/webapps-security/60-websites-virus.html

Posted by sam0, 08-02-2009, 02:41 PM
I've deobfuscated the JavaScript (and censored http://): So it creates a hidden iframe; if you google the iframe URL there are lots of other sites with similar problems. It is possible you've been trojaned/keylogged but IMO unlikely; you're probably running an outdated version of IPB or Coppermine. Make sure both scripts and any other scripts you're running are up to date. Then you will need to make sure there aren't any PHP shells that have been uploaded, check your kernel isn't rootable, and secure the server to help prevent this from happening again. This is quite a long task so it would be best to hire someone who knows what they're doing to make it thorough. That won't help.
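
A read-only triage pass over a web root for the three signs mentioned across this thread (markup appended after the closing `</html>`, a hidden iframe, and files named `image.php` or `img*.php`), added here as an example and not posted by any participant. The regexes, the extension list and the constructed sample files are assumptions; hits are leads for manual review, not verdicts.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

SUSPECT_NAMES = ("image.php", "img*.php")     # file names mentioned in the thread
PAGE_EXTS = {".php", ".html", ".htm", ".js"}  # assumption: extensions worth reading
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
# Assumption: "hidden" means a 0/1 pixel dimension or display:none on the tag.
HIDDEN = re.compile(r"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b|display\s*:\s*none""", re.I)
AFTER_HTML = re.compile(r"</html\s*>(.*)\Z", re.I | re.S)

def check_file(path):
    """Return the reasons (possibly none) this file deserves manual review."""
    reasons = []
    name = path.name.lower()
    if any(fnmatch.fnmatch(name, pat) for pat in SUSPECT_NAMES):
        reasons.append("suspect filename")
    if path.suffix.lower() in PAGE_EXTS:
        text = path.read_text(encoding="utf-8", errors="replace")
        tail = AFTER_HTML.search(text)  # everything after the first </html>
        if tail and re.search(r"<(?:script|iframe)\b", tail.group(1), re.I):
            reasons.append("markup after </html>")
        if any(HIDDEN.search(tag) for tag in IFRAME.findall(text)):
            reasons.append("hidden iframe")
    return reasons

def scan_webroot(root):
    """Walk root; map each flagged file's relative path to its reasons."""
    root = Path(root)
    hits = {p.relative_to(root).as_posix(): check_file(p) for p in root.rglob("*") if p.is_file()}
    return {rel: why for rel, why in hits.items() if why}

def demo():
    """Scan a constructed web root (harmless placeholder files, not real samples)."""
    samples = {
        "index.php": "<html><body>Hello</body></html>\n",
        "forum/index.php": "<html><body>Board</body></html>\n<script>/* placeholder */</script>",
        "gallery/view.html": '<html><iframe src="//example.invalid/" width="1" height="1"></iframe></html>',
        "gallery/img001.php": "<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_webroot(tmp)

if __name__ == "__main__":
    print(demo())
```

Comparing each hit against the clean backup copy of the same file separates injected content from a template's legitimate trailing markup.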


