SiteCheck Signatures

  1. Home
  2. Signatures
  3. SiteCheck Signatures
  4. mwjs-packer-runforest3

mwjs-packer-runforest3

Description: Our scanners identified a packed (encoded) javascript block related to the "runforestrun" malware botnet that has been compromising Plesk-powered servers.

This is a very common malware infecting thousands of sites (Jul 2012). Some of the domains being used:


*.qxpmhnrvrkqewurq.waw.pl
*.keefqnfsgqxrzlru.waw.pl
*.ekkugeunekaxqolz.waw.pl
*.svndeqsqughepaye.waw.pl
.. more random domains ..

Those links lead to multiple exploit kits affecting desktop (Windows) users. Additional details here: http://blog.unmaskparasites.com/2012/07/26/runforestrun-now-encrypts-legitimate-js-files/.

Affecting: Sites with Plesk outdated.

Clean up: Malware is hidden at the javascript files.

Malware dump: