SiteCheck Signatures

malware-entry-mwjsdepack

Description: JavaScript encoded with Dean Edwards' packer. The packer is used by legitimate applications, but attackers also often deploy it to hide their scripts.

In this case we found it hiding remote JavaScript/iframe calls to malicious web sites (very common on WordPress sites compromised via the timthumb.php vulnerability).

Domains distributing malware:


http://ydodur.ddns.us/main.php?page=2701c6e26dca8a78
http://pixlygxe.qpoe.com/index.php?go=1
(and many more)...

Affecting: Any web site (no specific target).
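
One way to inspect a script of this kind without executing it, as an added example (not SiteCheck's own detection code). It assumes the packer's usual `eval(function(p,a,c,k,e,d){...}('payload',radix,count,'words'.split('|'),...))` output layout; the sample, its `malicious.example` URL and the function names are constructed for illustration.

```javascript
// Added example, not Sucuri code. Nothing is eval'd: the payload is only rewritten as text.
// Assumed layout: eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w0|w1'.split('|'),0,{}))
const PACKED = /eval\(function\(p,a,c,k,e,[dr]\)\{[\s\S]*?\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/g;

// Constructed sample (reserved .example domain), packed by hand with radix 9.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0.1(\'<2 3="4://5.6/7.8"></2>\')',9,9,'document|write|iframe|src|http|malicious|example|in|php'.split('|'),0,{}))`;

// The packer's index encoding: digits 0-9, a-z, then A-Z for radix values up to 62.
function baseN(n, radix) {
  const low = n % radix;
  return (n < radix ? '' : baseN(Math.floor(n / radix), radix)) +
    (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// Rebuild the original source of every packed block found in `source`.
function unpackAll(source) {
  const results = [];
  for (const [, payload, radix, count, words] of source.matchAll(PACKED)) {
    const keywords = words.split('|');
    const dict = new Map();
    for (let i = 0; i < Number(count); i++) {
      const token = baseN(i, Number(radix));
      dict.set(token, keywords[i] || token); // an empty slot means "keep the token"
    }
    const text = payload
      .replace(/\\(.)/g, (m, ch) => (ch === 'n' ? '\n' : ch)) // undo string-literal escapes
      .replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w)); // single pass, no re-substitution
    results.push(text);
  }
  return results;
}

// Packed code alone is not a verdict; report what the unpacked text loads.
function inspect(source) {
  return unpackAll(source).map((code) => ({
    code,
    urls: code.match(/https?:\/\/[^\s'"<>)]+/gi) || [],
    hiddenLoader: /<iframe\b|<script\b|createElement\(\s*['"](?:iframe|script)/i.test(code),
  }));
}

console.log(JSON.stringify(inspect(SAMPLE), null, 2));
```

Because the packer is also used legitimately, the `hiddenLoader` flag and the extracted URLs are what to review, not the mere presence of a packed block.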

 

Malware dump: