11 Replies - 676 Views - Last Post: 11 March 2009 - 12:59 PM

#1 chswebteam

HELP! Virus on my site?!?

Posted 11 March 2009 - 07:57 AM

I am a member of my high school's web team and we maintain our high school's web site: add new pages/links, fix problems, etc. Recently we found this code in one of our pages. We don't know how it got there or who put it there. We also are not 100% sure what it does. If anyone can understand this and help us figure out what it does, it would be a great help. We think it has some sort of virus/trojan downloader via the IP address at the bottom; however, we could be completely wrong. Please help us figure out what this is. Thanks. CHS webteam


** Code Removed **


Replies To: HELP! Virus on my site?!?

#2 CTphpnwb

Posted 11 March 2009 - 08:17 AM

Whatever it is, it appears to have at least one bug, rendering it harmless.

#3 chswebteam

Posted 11 March 2009 - 08:22 AM

CTphpnwb, on 11 Mar, 2009 - 07:17 AM, said:

Whatever it is, it appears to have at least one bug, rendering it harmless.

Where do you see a bug? We don't know too much about JavaScript so we are kinda flying blind. Thanks

#4 CTphpnwb

Posted 11 March 2009 - 08:35 AM

Since it appears to be nefarious, I'm a little leery about posting information on the web that might help in making it work. Let's just say that they got a little sloppy with their braces.

#5 thehat

Posted 11 March 2009 - 08:49 AM

It seems to me that it doesn't do a great deal, but if you think it's inappropriate to discuss here I'd be interested to compare findings on IM.

#6 CTphpnwb

Posted 11 March 2009 - 09:05 AM

I'm basing my conclusion that it might be doing something bad off of the facts that no one appears to know why it is on the server, what it does, who put it there, and the fact that information in it appears to be encoded specifically to make it difficult to determine what it's doing. That's enough for me, since I don't need to use the code and it doesn't appear interesting enough to dig further.

#7 mocker

Posted 11 March 2009 - 09:17 AM

If you want to see what it's trying to do, without running it, replace
eval(r);
with
alert(r);
or have it print r to a preformatted div on the page. It is a very common example of a hacked page that is left alone except for a small piece of JavaScript, which can often be used to send back information about who is viewing the page, display ads, or display pages that use a browser exploit to try to infect the person viewing the page.
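The substitution described in post #7, as an added example that is not part of the original thread: the decoder runs, but whatever it would hand to eval() or document.write() is captured as text instead of executed. The samples are constructed (the thread's script was removed) and `revealPayload` is a hypothetical helper name; a script that does not parse, as post #4 hints, is reported as such.

```javascript
// Constructed sample (the thread's script was removed): builds r, then eval(r).
const SAMPLE = [
  'var c = [97,108,101,114,116,40,39,100,101,109,111,39,41];',
  'var r = "";',
  'for (var i = 0; i < c.length; i++) { r += String.fromCharCode(c[i]); }',
  'eval(r);',
].join('\n');

// Constructed sample with an unclosed brace: it cannot parse, so it never runs.
const BROKEN_SAMPLE = 'var r = "x"; if (r) { eval(r);';

// Hypothetical helper: run only the decoder, capturing what it would have
// passed to eval() or document.write() as plain text.
function revealPayload(source) {
  const captured = [];
  const sink = (code) => { captured.push(String(code)); };
  const fakeDocument = { write: sink, writeln: sink };
  let run;
  try {
    // Parameters named eval/document/window shadow the real ones in `source`.
    run = new Function('eval', 'document', 'window', source);
  } catch (err) {
    // A syntax error means the browser would not have run the script either.
    return { parsed: false, error: err.name, captured };
  }
  try {
    run.call({}, sink, fakeDocument, {});
  } catch (err) {
    // Keep whatever was captured before the decoder failed at runtime.
    return { parsed: true, error: err.name, captured };
  }
  return { parsed: true, error: null, captured };
}

// The decoder itself still executes, and name shadowing is not a sandbox:
// do this in a disposable, offline analysis VM.
console.log(revealPayload(SAMPLE));
console.log(revealPayload(BROKEN_SAMPLE));
```

The captured string is often a second obfuscated stage, in which case the same capture is repeated on it rather than letting it run.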

#8 thehat

Posted 11 March 2009 - 09:23 AM

Ah, so is its document.write actually empty then? I wondered if I wasn't getting all the info out of it.

#9 Nykc

Posted 11 March 2009 - 09:26 AM

Avast doesn't like the script.

But I would say it is harmless for the most part.

#10 AdamSpeight2008

Posted 11 March 2009 - 10:02 AM

My research suggests it's doing a base64 decode of an encoded PHP string.
To do something dodgy on the server.

#11 chswebteam

Posted 11 March 2009 - 12:52 PM

AdamSpeight2008, on 11 Mar, 2009 - 09:02 AM, said:

My research suggests it's doing a base64 decode of an encoded PHP string.
To do something dodgy on the server.

Is there any way to figure out what the PHP script is? How can this program be run/compiled on a system so that we can see what it is doing? Thanks

#12 no2pencil

Posted 11 March 2009 - 12:59 PM

CTphpnwb, on 11 Mar, 2009 - 10:05 AM, said:

I'm basing my conclusion that it might be doing something bad off of the facts that no one appears to know why it is on the server, what it does, who put it there,

& this is exactly why I removed the code.

If you know it's potentially malicious, & possibly harmful, yet you don't know what it is or where it came from, then it really has no merit being posted here. If you want help w/ securing your site or possibly figuring out how it got there, that's one thing.

Please don't post that code again.